dharma | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

max time kernel
104s
max time network
99s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
23-07-2024 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

dharma credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (440) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 5 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-7762CB42.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-7762CB42.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe

Executes dropped EXE 1 IoCs

Processes:

CoronaVirus.exe

pid process

3404 CoronaVirus.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3404	CoronaVirus.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

CoronaVirus.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-873560699-1074803302-2326074425-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-873560699-1074803302-2326074425-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

35 raw.githubusercontent.com
36 raw.githubusercontent.com
Drops file in System32 directory 2 IoCs

Processes:

CoronaVirus.exe

description ioc process

File created C:\Windows\System32\CoronaVirus.exe CoronaVirus.exe
File created C:\Windows\System32\Info.hta CoronaVirus.exe

flow	ioc
35	raw.githubusercontent.com
36	raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe

Drops file in Program Files directory 64 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\contrast-black\WideLogo.scale-200_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MsMpResL.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ul-oob.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.config.id-7762CB42.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\Office365LogoWLockup.scale-140.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionLargeTile.scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\blushing.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Office\PlaneCut.scale-100.png	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE.id-7762CB42.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libnsc_plugin.dll.id-7762CB42.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\Office16\OSPP.HTM.id-7762CB42.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-oob.xrm-ms.id-7762CB42.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Spider\spiderassets.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\2_24x24x32.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ar_get.svg.id-7762CB42.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-delete.avi	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-pl.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoDev.png	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i420_plugin.dll.id-7762CB42.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll.id-7762CB42.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\as80.xsl.id-7762CB42.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.scale-200.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Light.scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-16.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_joined.gif.id-7762CB42.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sk-sk\ui-strings.js.id-7762CB42.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN089.XML.id-7762CB42.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\office32ww.msi.16.x-none.boot.tree.dat	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\10191_24x24x32.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\core_icons.png	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-timezone-l1-1-0.dll.id-7762CB42.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ul-oob.xrm-ms.id-7762CB42.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK.id-7762CB42.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-60_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8es.dub	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\vlc.mo.id-7762CB42.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md.id-7762CB42.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\ec_16x11.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\powerpoint.x-none.msi.16.x-none.tree.dat	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\3416_32x32x32.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7656_24x24x32.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tl.gif	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.ONENOTE.16.1033.hxn.id-7762CB42.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\ui-strings.js.id-7762CB42.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ar.pak.id-7762CB42.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.Xaml.Toolkit\Assets\Hud\NumberGrid.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\angry.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\de-de\ui-strings.js.id-7762CB42.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jre-1.8\bin\kinit.exe.id-7762CB42.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Aspect.xml.id-7762CB42.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fullscreen.svg.id-7762CB42.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\Microsoft.PackageManagement.resources.dll.id-7762CB42.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\de\msipc.dll.mui.id-7762CB42.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\editpdf-selector.js	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-environment-l1-1-0.dll.id-7762CB42.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinTree.v11.1.dll	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\logo_retina.png.id-7762CB42.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libpsychedelic_plugin.dll	CoronaVirus.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

CoronaVirus.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CoronaVirus.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exevssadmin.exe

pid process

22464 vssadmin.exe
22108 vssadmin.exe

pid	process
22464	vssadmin.exe
22108	vssadmin.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133662301606578030"	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exeCoronaVirus.exe

pid	process
2660	chrome.exe
2660	chrome.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe
3404	CoronaVirus.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

2660 chrome.exe
2660 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe

Suspicious use of FindShellTrayWindow 44 IoCs

Processes:

chrome.exe

pid	process
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2660 wrote to memory of 2996	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 2996	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 3020	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 2116	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 2116	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 1420	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 1420	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 1420	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 1420	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 1420	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 1420	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 1420	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 1420	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 1420	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 1420	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 1420	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 1420	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 1420	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 1420	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 1420	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 1420	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 1420	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 1420	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 1420	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 1420	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 1420	2660	chrome.exe	chrome.exe
PID 2660 wrote to memory of 1420	2660	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd724f9758,0x7ffd724f9768,0x7ffd724f9778
2⤵
PID:2996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1512 --field-trial-handle=1808,i,5299211652971495055,15787104265879353151,131072 /prefetch:2
2⤵
PID:3020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1812 --field-trial-handle=1808,i,5299211652971495055,15787104265879353151,131072 /prefetch:8
2⤵
PID:2116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2088 --field-trial-handle=1808,i,5299211652971495055,15787104265879353151,131072 /prefetch:8
2⤵
PID:1420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2816 --field-trial-handle=1808,i,5299211652971495055,15787104265879353151,131072 /prefetch:1
2⤵
PID:5096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2824 --field-trial-handle=1808,i,5299211652971495055,15787104265879353151,131072 /prefetch:1
2⤵
PID:1020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3768 --field-trial-handle=1808,i,5299211652971495055,15787104265879353151,131072 /prefetch:8
2⤵
PID:2304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 --field-trial-handle=1808,i,5299211652971495055,15787104265879353151,131072 /prefetch:8
2⤵
PID:2744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5316 --field-trial-handle=1808,i,5299211652971495055,15787104265879353151,131072 /prefetch:8
2⤵
PID:4304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5060 --field-trial-handle=1808,i,5299211652971495055,15787104265879353151,131072 /prefetch:8
2⤵
PID:3376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 --field-trial-handle=1808,i,5299211652971495055,15787104265879353151,131072 /prefetch:8
2⤵
PID:732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 --field-trial-handle=1808,i,5299211652971495055,15787104265879353151,131072 /prefetch:8
2⤵
PID:3736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5032 --field-trial-handle=1808,i,5299211652971495055,15787104265879353151,131072 /prefetch:8
2⤵
PID:3068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5044 --field-trial-handle=1808,i,5299211652971495055,15787104265879353151,131072 /prefetch:8
2⤵
PID:2008

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3404

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:2416

C:\Windows\system32\mode.com
mode con cp select=1251
4⤵
PID:20396

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:22464

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:22988

C:\Windows\system32\mode.com
mode con cp select=1251
4⤵
PID:22516

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:22108

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
3⤵
PID:22908

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
3⤵
PID:22860

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1660

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:22240

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\d600d0ff0b6642368521d1d735e02dd7 /t 22852 /p 22860
1⤵
PID:21540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-7762CB42.[[email protected]].ncov

Filesize
2.7MB

MD5
26a402aa8c7d763c285212e66cc5f2db

SHA1
20efe0a0dd35fc7b584c65b8f8bd27c25bd3791c

SHA256
a1d9d47105a60a7153c0969473155f2862fcd2d483a33b73835ede2ea96a410e

SHA512
5e9a226de615ffa316dcb8f0e8ad356f32ad1b96a3496a0084d2efac6f67908fdf0c5d963f85a985714596241609b2f53d722280f7bb4cbc221f621e0c8f9a77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

Filesize
4.8MB

MD5
35c6cc1ca6d58b2e9490b623ea89a484

SHA1
c3a335e7d5781ea6cce4885ea17e7fdff02b45ff

SHA256
5f7bf29d2e537246f681da2cad7668d08c0625eb890de869c509d1a4306cd9b3

SHA512
c0124b44a662f2160d10bb8d086a19ec6615be4dc93ceb994d007aea2cee3e1fa47aa47c3a44f50ec495e95292f6d8d2fc0670645c88ada1b93f4539875b1142

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
5b05269d569e8862f05b56135eab967c

SHA1
67b138c0f5fdc4e7bd989df3a5d4db6252ddde61

SHA256
376f8f6dba9dd8f67571e90125032f9de7859c8d54e54a474f560ba9cc6d8380

SHA512
b5ae99c881a4945f1801e4a8d85e024ef1f74f3b63226c30dd0ee32e07eadfd9a1c61eda5584082f916dd13a3e89053f08eab72ad9a701182959d7f8568d1177

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log

Filesize
184B

MD5
71042d18652543ff029197f7e1b3c5b0

SHA1
bad330fed5a0f129586077a3a5066192f67d1a19

SHA256
3801b2a4b45dc50e5628286eac23203279dee142cf6811d5bac0320157e764d6

SHA512
6566d0d708096303369ef7e18d4fdec2bda333a178faf08366608085acefc1d90c3153ee5a174bae7a69b144dd57ade4380d9c93acb10899055b79bfa06fd752

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\8da46ccd-da27-4500-a70d-e40ade4ce768.tmp

Filesize
1KB

MD5
e85429085eb35477851a8e3bd221fc73

SHA1
0fbd94bdbef40e42a61a19896686538ca1e5b7f6

SHA256
f7a0b5caa37067140ae6a23a5293d24e1c85fd4e1b008834c99d0338a574f827

SHA512
17ec0204cd26bf25c05e6ccd16cf53d787d185be71699dce58f05dfda4a21463b69a64e6ccbd12298fdd343c772a07d7f9952211cbc5615289bc35c58503b680

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1018B

MD5
95ea431b03f30360f0a60eee1b641f8c

SHA1
cccf8b912e9f325dc9c7bed9c0055688073d4ad7

SHA256
ae506677c17212d0931300c258b2a7ca4216b15336e9b156a9d00b00cbcbd6cb

SHA512
c3109acbc743ad25c7beb536b1467002aac271018b01244bb62866639c5cd58f1af70af468f46ea319392412a3086337277c353f82d5c405635c95ea2950e72a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1018B

MD5
31a7f4471e8a10c477933bf5266808c3

SHA1
f1a5281437f3b131c3b7f304a8026b0a1325bfb7

SHA256
6500d0529633071b3e308ada59b03691ce839002080f49a1b7d304355b9a1e11

SHA512
53da556a7277308c7b7456944632c209a87adecca351fd1afc7afb135cfde79b2b62d3ecdf25a5f2b61ee85a1047689db2c221a9e8abd371f1596d55ce69c761

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
50d0c819f3e37e1171c6304582a93b2a

SHA1
64c1bef4a08b81f2798c6474b46ddfe5f9fcc65b

SHA256
f503a900cb6f8b63f841f72624d32bd867982e96c533637fbe9543f4ab19bcc1

SHA512
b85dccc48c3872faa9d5caa15875ba62d82280bc258b77b8bfdfa6fddf39840e5e764b0ea78b60df12ab346bfae57f6d734368a39073d220abc2b955e764b6d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1f1fa77995d375b15814a2f355421976

SHA1
7c42fe253f45623158ce5a29496e7c64b4f70654

SHA256
7443c31966a917ed2120d58898d71fd4105df4cc072f5fb82ed27e4c1e88f214

SHA512
cef95a8893a3fff6823b447fd5330362ba29526f1285800bcef66034f2b44c8ad6045856b2537eb3c80105396dc070674ea860685665c39d4f3c3c0d6491e0af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
86628cebceda3f92d1c0f35923352568

SHA1
fd4807446d4935f802d32907293e763be00ddec4

SHA256
9699fd8c32ea8dbfed07716504d7f8839019d359feb01ddfa68956fd10955c57

SHA512
00638718483ccbe7f9e3ba9d5052e2f45e7d5933726218d89ff69f3470bbd27c4faf8322d8eecc39219cc7e0d6f9fb19ddeac850922ba7b503b95d9254ff9fec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
52960f96ddb2b7407e9e23e875cd490c

SHA1
082e5418ae53cf9325fc38a2840e71d5937174bf

SHA256
f32fd88974a939958645deb8df23d628d3848a53e7265142b6bc010cf1943736

SHA512
d9f27b8e62fb05a3092bb258db5d48c62c37cc338c8ee3d479712c227ed898bf9ab333d9ae3b7c20fe970c67b738a0f33a37d642c359c2fdb2fefea10fa5e1bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6069782852ab15f8db76c7421202e973

SHA1
f6a3b7e9c8b07ce30dae95462da65c8998c6658f

SHA256
59a47d683a3ffe8a98ffeac8e2de643f7a2857b920c1c81a80b7a16f203e616d

SHA512
467e907d4ec6544534e30a8a408b4ecfddb09a8ad3679ca5ba7d8c5b951e5bb4adc71ce4df7c8a9cf8e1fdcb97adda439905275bccddb5eec8655f843d591bcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log

Filesize
543B

MD5
8d4b8747d4bc03b401b6dedd643656b9

SHA1
3738b75726cd2c8688a38f448bae67a6c6f674bd

SHA256
85618ac1b74bef204e49571e189547e473bd9fc4a63cfb11ff9aab3d949b2ba1

SHA512
5db5e29d021f78698fbc71db8b9c38d8ad5aa376192608672eb41538a5c39d120a2c49b3bbff312faa12eece2e24be6b9b266cb995d5adb004344534fcb6d298

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
27cb1d40622ff5a880622d8a6c6f1fbe

SHA1
de3a54cc895e21273a13bc8b416240ca1bbd65fe

SHA256
5b2142b22c2339ca1e23cbfcde890936863fad148a204be161c34a9e4331611c

SHA512
ffaab088193eb743e413055b23c2dd97dc5d226682f9be9697a24f9d6e7cd055df9aa552b057f3b58944078f75c2c7794ed0dba948dfe46065aacdb84283bfa8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
1fccec61359fa736b9cbc94ad2a29d24

SHA1
bc10e8814ebd2854ecb10a7450d3adb452e54347

SHA256
97bfc5aa8227dcdc7b2b569761165c4d879c40e6d57a9808975612527d119db1

SHA512
2020daa0a7e7f9059ec2e43d1cdf02382ab373fd88d0d233c677774763181b43b7931ba8e98ef16168c5e8ab2538b12ecead5e639f692e53a3d9a6a6044f0f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
111KB

MD5
7303fddaab149963b94d7a9d55553b43

SHA1
f334219f4c5276e9678ae3ed62b2809b2c9c9c8f

SHA256
8438f3ac26a41941538b6b27ccda4c36647ba8f01fdc3e89038773978b6bf438

SHA512
67311f0e5f02429b8fb2d6378bc28c0775e55d6bdf1ef15996124414c155940b5c9b3f06cf448fe76d49b00d11162ef6a2479f41dbd6f5857e5b7f14a350c4e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe585908.TMP

Filesize
98KB

MD5
1889060dd2c3833dae0d79ca4e322154

SHA1
81f13759325bfc9e92c15fddadf908a0a8d918ec

SHA256
ec77a058f3148a1430f0b3e052788231c6d2d3ea9244ce4dc50b2608a3712333

SHA512
da83562e5f1df52cbb04b4511fcdfac7b036b367b1fde5a61ccbad3af673f28af5f777b4037fc0dd7955ed1854517c4954d2408c450e581c3da33f17f80aad41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
7282f191d0497ac10f934d4eb5c884f2

SHA1
b7ace45cc6fc83b5405126c8994d0b356372de38

SHA256
f7ec56341b32a356a3e047a385db3a4435205649b552ca0e062a68fc5a3826c1

SHA512
325b3c13889e5b0e1247a290c0ff89362c8b9c6467485162fa406146bf00531a35ba7d081ac10fe9b2a6a496e73b33d15ed3f4e14b163d46c88f9b71ea0fa28f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\CoronaVirus.exe

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
\??\pipe\crashpad_2660_JBTERJLGQLDQUBHL

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3404-281-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3404-280-0x00007FFD7E370000-0x00007FFD7E54B000-memory.dmp

Filesize
1.9MB

Download
memory/3404-254-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3404-22587-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download