Analysis
-
max time kernel
78s -
max time network
80s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
21-07-2024 09:31
General
-
Target
CoronaVirus.exe
-
Size
1.0MB
-
MD5
055d1462f66a350d9886542d4d79bc2b
-
SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565
-
SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
-
SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
-
SSDEEP
24576:FRYz/ERA0eMuWfHvgPw/83JI8CorP9qY0:FE/yADMuYvgP93JIc2
Malware Config
Extracted
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (448) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Drops desktop.ini file(s) 64 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 41 IoCs
-
Suspicious use of SendNotifyMessage 41 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\CoronaVirus.exe"C:\Users\Admin\AppData\Local\Temp\CoronaVirus.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mode.commode con cp select=12513⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mode.commode con cp select=12513⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"2⤵
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"2⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops startup file
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Indicator Removal
2File Deletion
2Modify Registry
1Direct Volume Access
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id-D3F2E91F.[[email protected]].ncovFilesize
3.2MB
MD5cb7db889fb65253a6b50568274e25b08
SHA12be76de4364e86433276c2f1ebc3c5110f7c0468
SHA2566468a1766bc69ad97682fd9ec208ccf2af5879a0c00bd7ca1f13b197f16f2af8
SHA512e8dd0479152ff3098bcd937f69ef8b8967fc6ecf4de34555b0f9b55ead474cc31fe89cf8d24e04e0ebebe877ded779f7c3792397a4441f23c3a7ab6b90b77f5d
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exeFilesize
1.0MB
MD5055d1462f66a350d9886542d4d79bc2b
SHA1f1086d2f667d807dbb1aa362a7a809ea119f2565
SHA256dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
SHA5122c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.htaFilesize
13KB
MD5a2829c0096b1a86ea72dd7c29c224eb9
SHA13b35c5bcffaf58869a80347b2205e2702d8ffc6c
SHA25624dadac6109ae3bcd5b49b55fdb5cb0e1f2de076e5ff289234e549b5659610ed
SHA512c33f2234a18e97292d013cfbcf024e8f89df9c5b9a3267403da5a00420e522b42af7210340c1731c506f59c1cc2bc6a735861516efbd8901ad74e7f374233d8d
-
memory/3120-0-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/3120-1-0x00007FFBD08B0000-0x00007FFBD0A8B000-memory.dmpFilesize
1.9MB
-
memory/3120-2-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/3120-8980-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB