Analysis

  • max time kernel
    9s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    14-06-2024 10:22

General

  • Target

    CoronaVirus.exe

  • Size

    1.0MB

  • MD5

    055d1462f66a350d9886542d4d79bc2b

  • SHA1

    f1086d2f667d807dbb1aa362a7a809ea119f2565

  • SHA256

    dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

  • SHA512

    2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

  • SSDEEP

    24576:FRYz/ERA0eMuWfHvgPw/83JI8CorP9qY0:FE/yADMuYvgP93JIc2

Malware Config

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CoronaVirus.exe
    "C:\Users\Admin\AppData\Local\Temp\CoronaVirus.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2560
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
          PID:2352
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:2452
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
        PID:1916

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id-15D36FFA.[coronavirus@qq.com].ncov

        Filesize

        15.9MB

        MD5

        475195caddd02866b4a9d7b5a3e8c7c3

        SHA1

        2cbdac62b673869479c4ce1962f4db9df9bfa506

        SHA256

        651098010b21015e6342c7df44a944173bcfdade9eb573091a36cbfe3ad8721a

        SHA512

        488ad18e5902c0a6d602db4bbfad97cfc1a7dd22a48a63a0a763d23d24dffbe106ab22dfeb1e0e73545fe57e715cc33e80287cf56d063dacfaccb3d1b91c6c4f

      • memory/840-0-0x0000000000400000-0x000000000056F000-memory.dmp

        Filesize

        1.4MB

      • memory/840-1-0x000000000A8C0000-0x000000000A8F4000-memory.dmp

        Filesize

        208KB

      • memory/840-2-0x0000000000400000-0x000000000056F000-memory.dmp

        Filesize

        1.4MB

      • memory/840-837-0x0000000000400000-0x000000000056F000-memory.dmp

        Filesize

        1.4MB

      • memory/840-4777-0x000000000A8C0000-0x000000000A8F4000-memory.dmp

        Filesize

        208KB

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.