dharma | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Analysis

max time kernel
137s
max time network
137s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09-08-2024 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

dharma credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (440) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-4F685E3A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-4F685E3A.[[email protected]].ncov	CoronaVirus.exe

Executes dropped EXE 3 IoCs

pid	Process
4312	CoronaVirus.exe
3288	CoronaVirus.exe
14848	chrome.exe

Loads dropped DLL 2 IoCs

pid	Process
14848	chrome.exe
14848	chrome.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3968772205-1713802336-1776639840-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3968772205-1713802336-1776639840-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
38	raw.githubusercontent.com
37	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Xml.Linq.Resources.dll	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ppd.xrm-ms.id-4F685E3A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\Delete.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\MedTile.scale-125.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\download.svg.id-4F685E3A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\ui-strings.js	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ko-kr\ui-strings.js.id-4F685E3A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\_Resources\0.rsrc	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-pl.xrm-ms	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTOCOLHANDLERINTL.DLL.id-4F685E3A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\10290_40x40x32.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-72_altform-unplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\GenericMailBadge.scale-125.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ca-es\ui-strings.js.id-4F685E3A.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-cn\ui-strings.js.id-4F685E3A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\joni.md	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Buttons\Deal\Deal.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\bj_60x42.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter-default_32.svg.id-4F685E3A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sk-sk\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ACEODBCI.DLL	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_2019.16112.11621.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\RichEdit.Native.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\verify.dll	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-140.png.id-4F685E3A.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-pl.xrm-ms.id-4F685E3A.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected].[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\1033\msmdsrvi_xl.rll.id-4F685E3A.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\de-de\ui-strings.js.id-4F685E3A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN109.XML.id-4F685E3A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\mobile\en-US\doc_offline_getconnected.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\6449_48x48x32.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice-install.log.id-4F685E3A.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\skins\default.vlt.id-4F685E3A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Pages_R_RHP.aapp	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\PeopleWideTile.scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailSmallTile.scale-200.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.WPG.id-4F685E3A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ko-kr\ui-strings.js.id-4F685E3A.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mlp_plugin.dll.id-4F685E3A.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\tr-tr\ui-strings.js.id-4F685E3A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\ReachFramework.resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\RenderingControl_DMP.xml	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluNoSearchResults_180x160.svg	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\fil_get.svg.id-4F685E3A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Windows Defender\ProtectionManagement.mof	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-80.png.id-4F685E3A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ppd.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-24_altform-unplated.png	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libcrystalhd_plugin.dll.id-4F685E3A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-pl.xrm-ms.id-4F685E3A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\Popups\PerfectEarned.jpg	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Buttons\TryAgain\TryAgain-over.mobile.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\cu_60x42.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\es-es\ui-strings.js.id-4F685E3A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Set-TestInconclusive.ps1	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-pl.xrm-ms.id-4F685E3A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Other-48.png.id-4F685E3A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ul-oob.xrm-ms	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libheadphone_channel_mixer_plugin.dll.id-4F685E3A.[[email protected]].ncov	CoronaVirus.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1948	vssadmin.exe
5472	vssadmin.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133676775568207630"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe
4312	CoronaVirus.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2304	chrome.exe
2304	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 5012	2304	chrome.exe	74
PID 2304 wrote to memory of 5012	2304	chrome.exe	74
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 3000	2304	chrome.exe	76
PID 2304 wrote to memory of 224	2304	chrome.exe	77
PID 2304 wrote to memory of 224	2304	chrome.exe	77
PID 2304 wrote to memory of 1016	2304	chrome.exe	78
PID 2304 wrote to memory of 1016	2304	chrome.exe	78
PID 2304 wrote to memory of 1016	2304	chrome.exe	78
PID 2304 wrote to memory of 1016	2304	chrome.exe	78
PID 2304 wrote to memory of 1016	2304	chrome.exe	78
PID 2304 wrote to memory of 1016	2304	chrome.exe	78
PID 2304 wrote to memory of 1016	2304	chrome.exe	78
PID 2304 wrote to memory of 1016	2304	chrome.exe	78
PID 2304 wrote to memory of 1016	2304	chrome.exe	78
PID 2304 wrote to memory of 1016	2304	chrome.exe	78
PID 2304 wrote to memory of 1016	2304	chrome.exe	78
PID 2304 wrote to memory of 1016	2304	chrome.exe	78
PID 2304 wrote to memory of 1016	2304	chrome.exe	78
PID 2304 wrote to memory of 1016	2304	chrome.exe	78
PID 2304 wrote to memory of 1016	2304	chrome.exe	78
PID 2304 wrote to memory of 1016	2304	chrome.exe	78
PID 2304 wrote to memory of 1016	2304	chrome.exe	78
PID 2304 wrote to memory of 1016	2304	chrome.exe	78
PID 2304 wrote to memory of 1016	2304	chrome.exe	78
PID 2304 wrote to memory of 1016	2304	chrome.exe	78
PID 2304 wrote to memory of 1016	2304	chrome.exe	78
PID 2304 wrote to memory of 1016	2304	chrome.exe	78

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd2cd69758,0x7ffd2cd69768,0x7ffd2cd69778
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1532 --field-trial-handle=1824,i,7441872892922960790,1199050050684891454,131072 /prefetch:2
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1824,i,7441872892922960790,1199050050684891454,131072 /prefetch:8
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2124 --field-trial-handle=1824,i,7441872892922960790,1199050050684891454,131072 /prefetch:8
  2⤵
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2900 --field-trial-handle=1824,i,7441872892922960790,1199050050684891454,131072 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2916 --field-trial-handle=1824,i,7441872892922960790,1199050050684891454,131072 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 --field-trial-handle=1824,i,7441872892922960790,1199050050684891454,131072 /prefetch:8
  2⤵
  PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 --field-trial-handle=1824,i,7441872892922960790,1199050050684891454,131072 /prefetch:8
  2⤵
  PID:1916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3804 --field-trial-handle=1824,i,7441872892922960790,1199050050684891454,131072 /prefetch:8
  2⤵
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 --field-trial-handle=1824,i,7441872892922960790,1199050050684891454,131072 /prefetch:8
  2⤵
  PID:4312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3808 --field-trial-handle=1824,i,7441872892922960790,1199050050684891454,131072 /prefetch:8
  2⤵
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1512 --field-trial-handle=1824,i,7441872892922960790,1199050050684891454,131072 /prefetch:8
  2⤵
  PID:1276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 --field-trial-handle=1824,i,7441872892922960790,1199050050684891454,131072 /prefetch:8
  2⤵
  PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3812 --field-trial-handle=1824,i,7441872892922960790,1199050050684891454,131072 /prefetch:8
  2⤵
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5088 --field-trial-handle=1824,i,7441872892922960790,1199050050684891454,131072 /prefetch:8
  2⤵
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1492 --field-trial-handle=1824,i,7441872892922960790,1199050050684891454,131072 /prefetch:8
  2⤵
  PID:3760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 --field-trial-handle=1824,i,7441872892922960790,1199050050684891454,131072 /prefetch:8
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4712 --field-trial-handle=1824,i,7441872892922960790,1199050050684891454,131072 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:14848

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2504

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5104

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4312
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:5020
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:8928
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1948
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:20028
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:6724
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:5472
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:19600
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:19288

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3288

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:18884

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\FILES ENCRYPTED.txt
1⤵
PID:13764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-4F685E3A.[[email protected]].ncov

Filesize
2.7MB

MD5
e6ad6d4bdcfd05243bd78738c7ee80a3

SHA1
091b12909f4952b3b1b6413ffbc90a8440a10763

SHA256
d96cbbb558ad5d3e816ebc3d291e8ea1326b44be9a7c1bd2866678efc3d7235d

SHA512
b37cd30fd9920b8668284325e8013709981400d73997fa6f513d77518ff765a4a91cae0b819cb284c001861d4f77673589a982a2bdb898f71a0db491268cdf16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma

Filesize
1024KB

MD5
c806c4473f82ec409d0d01281513adc3

SHA1
a2a0d2dea8fb5429c8eb339d7504936db8b7ed95

SHA256
92cd61a571d3eb9dbff4319c293faf68a9a0960bd7efac19cd413df10d0b325a

SHA512
febbaad04eaa215c13f624905fa79c93f04057432895a67e93a41343fcbd02da3424713c62b068429d75a6833981c54f1dfa2df81d9d5ec891ab40fdd5bb2895

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
09588c45efb5de9d51d0a06c0f0b6c0b

SHA1
1274a146502a497f958b8c6619f6d2f48ec25456

SHA256
8f0beb6f9550a74f63814d785dd90db5b9dff92921d1298a042013c799fe761c

SHA512
c9f4e3a839c2e228f356b15f5c27326821f8a056e6100c7a55a244f800c2fed6190f0302ba32723425ef2dba6b8984a5779b4998f16bbf9665c5284d2d2c5234

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
05c6ab9e5333a62c32091cdc58456613

SHA1
43f3cd0d5e44a48adce246f97971611615b2fa21

SHA256
72beb72bcc1de8c07032527716100d2900b753d55bf1715a91bf3e4760c941fc

SHA512
27e441f6dab02c219e8488526b4b5b0c734a35bba89e9628a75364db1c25f4d54365e150e17ae7cc70b6324c1de73c2b12712b66723fca330c6fa73565f0d2e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
62e3b40f2bc3dc2d33710dc635aaef56

SHA1
0d86c72330703ceb205fdf59d72c59bf1eba8e5e

SHA256
91dc5bb368bf800898cf004b0c168eb12ccebaa624aadcf77f01ca526f4f8e8b

SHA512
22c99b614288eafd5cd50857f38db8692ca775953399c0ed973b1ed3e64aefeaddf01b05c6211721876f84bf55be3ad075e6b3176c39267299d89b6556bcabad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
05c947a7cc60f7f453737885ac70734f

SHA1
2e564318bb90cb648bc37cbbdcf55cfa9a9a5022

SHA256
9a8f0018c4061f469d395fba27ecc94093977838772284002248fa32ea4ace56

SHA512
08b00f633f0a5a72d40b0b8791550a258ead9ae92e50d02787e900019052853775ee6fefc2dec1a4aa1da6277a08f347f8a45d41409e84305b906ddc0852e17d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b295245884a1e53cf442b4e3a8cc0417

SHA1
346755a3c79cb7448edb4f3bd8c71a46cf97cb01

SHA256
3590c648797e2f043e27b808503ddbeb20d2ce07fc9be80037bc1698f48c8948

SHA512
dd9034ba2d37d19851288d93f86b666fbda6dda7095fa2f85689e3ec9d975de6b2b248f03f7f1f4a7ac0993577cfb746aa7f84078db8aca9584711b69f3d123d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
396881a72cb555c430061f2eabf4252f

SHA1
df40423daefcf7e8cdcc9cef09c20d05861690fa

SHA256
639086484b6f7f4d84aaf70105c3ef9f8e838f3468551cd5f149468b2c9f0297

SHA512
a8bf701cafec6d5dfa965e6f085337e0c95e7310546221dab3395d37a5fa8a05744d7501255ee95d683ef8e7e9734d199ccdad10196744adf5f29490a6d6a966

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0310c57fae1a2d93977a2334e88f2fba

SHA1
d974d95ae06251ece35fc075d8459d64510e9e05

SHA256
43285d2690b71a1227d19bd62f667e677c6b25d05768e2429e45614d0bd5a61e

SHA512
3afaf8834feec3b254826f071638811c30d026df78e48f02bcc094a4dc38e1827109bc4cdd7f3d7632a9b71908085cfd02a0e4f2dae4e95704557b61d7a0fa0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity~RFe592d7f.TMP

Filesize
1KB

MD5
a761e03dfb50e667c2667049d862a4fc

SHA1
6dc188f97300a21fd3ea4282a82b3168d8df49e7

SHA256
ca8d3d87f62dd31d615486a61cf390ef434edff3d9d3d49e9a835b46a8932024

SHA512
8cdd04367493f84326bba722c5e817928523beadde0fc0a76721d8dc266ffe57675e24c741e0925c872fa231af223bb123d5c9d9469db37fd6ea0b1e21746562

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
02af1d22d13472eba6af78717efab38c

SHA1
a64d04573e0ebf2bbb194c77c3f7666a2c7dba89

SHA256
c32aa3dbaa56476e0620dfb16881efa44206e752f6903fddefc5fb7959e42a08

SHA512
ddc8e3e7e80fb8b609f0b12e2ae106238a4fe98ba75bc63702cd61283ecf0c29ca89f2388d71e0fa7a4a676848954985dc76febaf6f08b74404209e785798e0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
019e389d30ccab21a61ef8dfd6d03b96

SHA1
ba87f167062d0b566529b1ed16899de219628f9f

SHA256
ec934a62dfd08e5c14ccb9e58d41bf5f34996596e2a97d36406a045e8ea509ea

SHA512
2bfb27b694d6351f2881db5ac0a8494a02e9c4655666db4e616b9de8e8aa04254b62b32eef9221751fc20a4b347c01e4942a94253c74e64493e8dee121a9f627

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
dbb1bc1df285a6ba5b2486b65bed0a50

SHA1
7478746c174ba05799c29949d8d48197fac0a199

SHA256
4361100b21bfe0e55322c45c0f1406975cc2bafe2648a814d1e8d82a621bd397

SHA512
2e9b53073448fa94a9efcf06606fbbd41ff3c82641bd9b097e66efbac74a16d24576d182654f04bf01fa4ef73103afff18ebbcdb6a78db8bedee13408fef2ba1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
137KB

MD5
9bd38629eb51fb5baeddb6facb03877f

SHA1
9ac4e70ac9cd3ce70a0105074d2db09d81a16240

SHA256
d5d7301373a1e17ca95a55606a84f897ff65388645239432f0eccb170fba508e

SHA512
423bb1dc0d435fe31fb068b866aef81c85d9261e38d0d79b2a00d66df6a07b4c75245f6d59da9da12e70885d95e1cfe715e7ea6d540d21aa35f5be82382d00b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
29d4bc8b2f97d0ba5c55d977f53fd91b

SHA1
eb6fa789e75dc96433722a676dcf04bf1efcee15

SHA256
29e960816bb648befa37e46c3aa9e616c8587526286e5111ee23938d65dded32

SHA512
c1255ce8e42cc1f49d5d473d4942666476f9c44d6b868ec10d199125b29149677c23bb3ec946afcd52447f206fc066c4536e89d187069b51fbc2a9923af54bbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
836b5019397d0f36055ed5690fdc885e

SHA1
4123dda61444046ac8e45aa139ddc85132e1afbf

SHA256
a5446a5e132381a666bd309fb2ce33c643d9468ac5f79bd6604e9770ed6c6085

SHA512
e8cc0977c63a9c81e3f96702fb2202156cd20fa100a10a407622074a1c7dc5674df750f75ad0a7c86f46b867c51f6c8ef6c36e8c238ce3b43014aa595deec5c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
109KB

MD5
94aaea33334f657e4c846cc9179536b5

SHA1
9b8f15e1b6c847f3a29f75f975e55fbeca5e61de

SHA256
d90389e47fe269c5c124e04503dc4a379c5346ead096e30c4dc3b056eb7c66af

SHA512
c2d0109d6d32c8ef4666a2918002b470e04f7d7c13ab687085dde1bd9e92dc266dd6c02ccb165ee48de379425087f8b840e97be1e0f06a2352efb876efab1f0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
105KB

MD5
93357b2315e1e6b1e677178908c53b01

SHA1
07720242ea88ecd89c7ff828ead022134c2a1248

SHA256
1278593cea23fc642e8bbdca65f470c7d649db7e93021075c161e5038f218128

SHA512
4a3056cd7988ee9db30ec6a16e2b5e714c5886f1eca74209c826a794178e94c63631e7b234277054406500a2fc1ec9e57c9b56af32aebc984df41b3ef001855c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe582054.TMP

Filesize
98KB

MD5
b67545ee736755ef78a91a62b86ec364

SHA1
01602fba564fa8483d3f2c561c37557c7b8cd9af

SHA256
b91a29654d1e5992f13bb2f82fa4a34827e4a373d925be15fc157eb121ce9559

SHA512
b2ea4ae03d3124c560974e8e41be008062da16097fc0d9f9549a82f2118eb5c371003d790312f589afd8706b653081a662a91cb0ed6e01d4806224fb2a78203b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\CoronaVirus.exe

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
memory/3288-366-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3288-10083-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3288-11749-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4312-328-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4312-367-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4312-22741-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download