dharma | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/CoronaVirus[.]exe

Analysis

max time kernel
30s
max time network
58s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-08-2024 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/CoronaVirus.exe

Score

10^/10

dharma defense_evasion discovery execution impact persistence ransomware

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe

Executes dropped EXE 2 IoCs

pid	Process
4792	CoronaVirus.exe
1512	CoronaVirus.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
55	raw.githubusercontent.com
56	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	CoronaVirus.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.it-it.dll.id-CB4621AE.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\sqloledb.rll	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveDrop32x32.gif	CoronaVirus.exe
File created	C:\Program Files\7-Zip\Lang\si.txt.id-CB4621AE.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\7.0.16\hostfxr.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Csp.dll.id-CB4621AE.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ru-RU\tipresx.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\mesa3d.md	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebHeaderCollection.dll.id-CB4621AE.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt.id-CB4621AE.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll.id-CB4621AE.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.dll	CoronaVirus.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt.id-CB4621AE.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\joni.md	CoronaVirus.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\[email protected].[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt.id-CB4621AE.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\SLERROR.XML	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt.id-CB4621AE.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\HideDeny.xsl	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\Welcome.html.id-CB4621AE.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\javafx\jpeg_fx.md.id-CB4621AE.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\javafx\directshow.md.id-CB4621AE.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.Primitives.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Extensions.dll.id-CB4621AE.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InkObj.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordbi.dll.id-CB4621AE.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml.id-CB4621AE.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\wab32res.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.CodePages.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.WindowsDesktop.App.runtimeconfig.json.id-CB4621AE.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml.id-CB4621AE.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.RegularExpressions.dll.id-CB4621AE.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Timer.dll.id-CB4621AE.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt.id-CB4621AE.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll.id-CB4621AE.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\freebxml.md.id-CB4621AE.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\SLERROR.XML.id-CB4621AE.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.id-CB4621AE.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Concurrent.dll.id-CB4621AE.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt.id-CB4621AE.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt.id-CB4621AE.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll	CoronaVirus.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h.id-CB4621AE.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\msquic.dll.id-CB4621AE.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Transactions.Local.dll.id-CB4621AE.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\adcjavas.inc	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Numerics.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Parallel.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml	CoronaVirus.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll.id-CB4621AE.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll.id-CB4621AE.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ucrtbase.dll.id-CB4621AE.[[email protected]].ncov	CoronaVirus.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
6204	vssadmin.exe
32396	vssadmin.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 814797.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4684	msedge.exe
4684	msedge.exe
1972	msedge.exe
1972	msedge.exe
2616	identity_helper.exe
2616	identity_helper.exe
2312	msedge.exe
2312	msedge.exe
4792	CoronaVirus.exe
4792	CoronaVirus.exe
4792	CoronaVirus.exe
4792	CoronaVirus.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1020	1972	msedge.exe	83
PID 1972 wrote to memory of 1020	1972	msedge.exe	83
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 3132	1972	msedge.exe	84
PID 1972 wrote to memory of 4684	1972	msedge.exe	85
PID 1972 wrote to memory of 4684	1972	msedge.exe	85
PID 1972 wrote to memory of 4460	1972	msedge.exe	86
PID 1972 wrote to memory of 4460	1972	msedge.exe	86
PID 1972 wrote to memory of 4460	1972	msedge.exe	86
PID 1972 wrote to memory of 4460	1972	msedge.exe	86
PID 1972 wrote to memory of 4460	1972	msedge.exe	86
PID 1972 wrote to memory of 4460	1972	msedge.exe	86
PID 1972 wrote to memory of 4460	1972	msedge.exe	86
PID 1972 wrote to memory of 4460	1972	msedge.exe	86
PID 1972 wrote to memory of 4460	1972	msedge.exe	86
PID 1972 wrote to memory of 4460	1972	msedge.exe	86
PID 1972 wrote to memory of 4460	1972	msedge.exe	86
PID 1972 wrote to memory of 4460	1972	msedge.exe	86
PID 1972 wrote to memory of 4460	1972	msedge.exe	86
PID 1972 wrote to memory of 4460	1972	msedge.exe	86
PID 1972 wrote to memory of 4460	1972	msedge.exe	86
PID 1972 wrote to memory of 4460	1972	msedge.exe	86
PID 1972 wrote to memory of 4460	1972	msedge.exe	86
PID 1972 wrote to memory of 4460	1972	msedge.exe	86
PID 1972 wrote to memory of 4460	1972	msedge.exe	86
PID 1972 wrote to memory of 4460	1972	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/CoronaVirus.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbd42d46f8,0x7ffbd42d4708,0x7ffbd42d4718
  2⤵
  PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,10644083527790217072,12098528453989850170,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,10644083527790217072,12098528453989850170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,10644083527790217072,12098528453989850170,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10644083527790217072,12098528453989850170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10644083527790217072,12098528453989850170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,10644083527790217072,12098528453989850170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,10644083527790217072,12098528453989850170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10644083527790217072,12098528453989850170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10644083527790217072,12098528453989850170,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10644083527790217072,12098528453989850170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10644083527790217072,12098528453989850170,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,10644083527790217072,12098528453989850170,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5640 /prefetch:8
  2⤵
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10644083527790217072,12098528453989850170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,10644083527790217072,12098528453989850170,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6236 /prefetch:8
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,10644083527790217072,12098528453989850170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6180 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2312
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4792
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:5088
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:32308
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:6204
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:29580
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:28640
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:32396
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:28624
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:6076
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1512
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  PID:6724
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  PID:844
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  PID:5280
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  PID:32284
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  PID:11768
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  PID:14156
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  PID:8628
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  PID:8796
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  PID:8944
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  PID:8968
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  PID:9012
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  PID:19668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4796

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4216

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:23268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id-CB4621AE.[[email protected]].ncov

Filesize
2.7MB

MD5
f9ec39d5718e192891ba35a8e2c8a1eb

SHA1
8574ec478eb58e585d163bd9a3d2070cc1a46f11

SHA256
c05580b8dec8659cec5e592364cdce9e7b4f0b58c0e7484ab14b855e65004b7b

SHA512
95555d06a8da7d086fc5cb187d2c3346d0838685551444d00ac3f5fab48e3c30b8f0481847c49a220d806c47f75e107da91e239d08fb1587f81ab1febe0060c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
7deac0090129099d0bdb25cd1b2bbe82

SHA1
820bfa6721ad20578107d6a53b7931a9b48ef8fa

SHA256
b5850bef417957547f18edc71e2257262ad5341cb1997eab605f68bd869b1dda

SHA512
0a538f852be3c43cc179e09f93b0fc89641f2d951d9ff7412d4e4d982be833dfdbf7babe1f46c9724e8257af6dd727904555fbab3afe95e21719164c2c070103

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
291ee4a5babfa7ce8f40f7ec77da1f46

SHA1
86eb16e24a1fdf84fdb00fe480135209b668996c

SHA256
d558e7654fda0547cf635051b0024cd26bb4c209d29032657f16c9b55f57e0ee

SHA512
e657a37652e2634f343886541fe416973de03d57c86556bd1531394fb9129ce9c2e723c17870d07de87b46e9877ed631b3c783ca446ddbd4ceccc6ab74ef4f5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a16d958b3d8824b988656b054dca4e1b

SHA1
9e13d4889bf4b8f65a67273aa5fba7a70e540a25

SHA256
0cac70b04473d3e18b99ce69950da8f8985721ff1147e9c8c9aa89eeb5a64eb6

SHA512
0d3657e766a11f3d93ea7c0710b6c917a61fc7157d6677e5f5f8c1dd88d597f046ecc81d2c8a24ad8da8c3a9b65d48d128c101a0f6993606ad3c0f7b4d40d5c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e89ee88ba49cca138589ddcf5b7e4a81

SHA1
79188668aebbcdac4ddaa2cc945f634a389ff014

SHA256
dd2d783a0d2a4456fc15825820d5d01daedb05b227ec57443c50effd269bb317

SHA512
f305c0ee2018187231eb8a68853f56e0e475dbdba3c9ca60b86e140b5bdda5ca9239443f38ae801bebf3c80782ec9a5e2d1153b9cd79b0d3f6eeeef8dcde5238

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e5d216b1e4eddb46e2eabb42720b6dcc

SHA1
0283aa0307acca45b0978e5ec38762d7efc22314

SHA256
4273b069eabaaea464d711857cacc1b83935ed6b92592a6e3d2735f1a2522d27

SHA512
44e691ba368fa728dfb2f0697a9e8163a0aee3af6d2c7e8b2f12d410ba2a89221a8c723bfa9c4ab8a1e498b8d5a47c817b54a7b9cf7dec5a1f0be00d7b2490a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b7c7.TMP

Filesize
874B

MD5
4631b925581c41359359bab0c6ca17b8

SHA1
2d0359ae9954fe700cf37f5b28cd5e712bd5eaac

SHA256
7ef6d4a0e04bab0092231b57ae8c63b281d9f76cef903b2ce0da37f5cb5a63d4

SHA512
fa2bff38784ffe2d914d35477abab7bbf22197ccd22c7b833b9ccdc9b9949ce4ca42968d7777b8bc49e12857221557ae358bf640e3fc5f2c62bf377c234dc6f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0f1c3bcb2d6e7d5e01b41532cd0ef2c8

SHA1
0b7882c6117fd8fa398b3513fe913ce74ea94d93

SHA256
7730c9313070d82b4bafc37263071c1e9305a8483d1e430f1777fe5ad4bb727e

SHA512
772668346090d24c246aab853e63530b17d7ca5b3346ef4a4602e8dda92d740fd37f0ba0bb2bf57f0ac5944d1e7a8aa8a8fd2f18e0ecefede261d651a07dd343

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2e019887d9a68010a090925d7ff8470f

SHA1
94626e8fb46294b1902432c0f5e3fcba51f3d8f6

SHA256
9067cffddad08a54f9fe3e50b92d303bfe3a384b1c6a8f703ea1371328716d0a

SHA512
e9aa32bd6f8119299f5b4272b743f4a4f4a77310d063040261f930afd6086bd0a8592fad4dc5c05efdc673c56b6b5e1903c4049836621d5a8bd8813e8d28ed7a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 814797.crdownload

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
memory/844-17960-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/844-17954-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/844-5009-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1512-234-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1512-9221-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1512-6337-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4792-5006-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4792-235-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4792-208-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/5280-17843-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/5280-5371-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/5280-17961-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/6724-17971-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/6724-5007-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/6724-17840-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/8628-17972-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/8796-18521-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/8944-18522-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/8968-18523-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/9012-18200-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/11768-13713-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/11768-22982-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/11768-22863-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/14156-17962-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/19668-22983-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/32284-13628-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/32284-22872-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/32284-22981-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download