Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
7s -
max time network
27s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
11/06/2024, 08:30
Static task
static1
Behavioral task
behavioral1
Sample
CoronaVirus.exe
Resource
win10v2004-20240508-en
General
-
Target
CoronaVirus.exe
-
Size
1.0MB
-
MD5
055d1462f66a350d9886542d4d79bc2b
-
SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565
-
SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
-
SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
-
SSDEEP
24576:FRYz/ERA0eMuWfHvgPw/83JI8CorP9qY0:FE/yADMuYvgP93JIc2
Malware Config
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe CoronaVirus.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" CoronaVirus.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\System32\CoronaVirus.exe CoronaVirus.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2984 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1264 CoronaVirus.exe 1264 CoronaVirus.exe 1264 CoronaVirus.exe 1264 CoronaVirus.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 1264 wrote to memory of 1360 1264 CoronaVirus.exe 87 PID 1264 wrote to memory of 1360 1264 CoronaVirus.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\CoronaVirus.exe"C:\Users\Admin\AppData\Local\Temp\CoronaVirus.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵PID:1360
-
C:\Windows\system32\mode.commode con cp select=12513⤵PID:30716
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2984
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id-040817F2.[[email protected]].ncov
Filesize3.2MB
MD50720f70a77af8990f9680fb50ae12a18
SHA1b6b988e490ef245180df10a2fea27d3a5348521f
SHA256fa25216a42f48329634799f40924bb9af745917f58681f90d244108de285cf69
SHA512f8a2620feafa401d7dbc6885465a7f3fe90251df1606864a48a3653a6611c69161aa28e88830adf9089011f78e42e27d0d4521581de59b55ee1a30ab8a9c4a26