dharma | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Resubmissions

30-10-2024 03:32

241030-d31jqawamd 3

29-10-2024 23:47

241029-3tde9sscld 10

Analysis

max time kernel
241s
max time network
243s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
29-10-2024 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

dharma credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Dharma family
dharma
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (563) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-D4FB4027.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-D4FB4027.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe

Executes dropped EXE 8 IoCs

pid	Process
4760	CoronaVirus.exe
23684	msedge.exe
24144	msedge.exe
24288	msedge.exe
24448	msedge.exe
24632	WinNuke.98.exe
24816	WinNuke.98.exe
24900	WinNuke.98.exe

Loads dropped DLL 4 IoCs

pid	Process
23684	msedge.exe
24144	msedge.exe
24288	msedge.exe
24448	msedge.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-556537508-2730415644-482548075-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-556537508-2730415644-482548075-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
25	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\PeopleLargeTile.scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libsmb_plugin.dll.id-D4FB4027.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordbi.dll.id-D4FB4027.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationCore.resources.dll.id-D4FB4027.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\ResiliencyLinks\Edge.dat.DATA.id-D4FB4027.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2020.503.58.0_x64__8wekyb3d8bbwe\AppxManifest.xml	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudt.dll.id-D4FB4027.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\ReceiveLimit.mht	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\line_2x.png.id-D4FB4027.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-process-l1-1-0.dll.id-D4FB4027.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\mesa3d.md.id-D4FB4027.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationProvider.resources.dll.id-D4FB4027.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxCalendarLogoExtensions.scale-16.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluEmptyFolder_160.svg.id-D4FB4027.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected].[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\plugin.js.id-D4FB4027.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationCore.resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\System\vccorlib140.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.NetworkInformation.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-phn.xrm-ms.id-D4FB4027.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-oob.xrm-ms.id-D4FB4027.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pl-pl\ui-strings.js.id-D4FB4027.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Getstarted_10.2.41172.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\TipsSmallTile.scale-200_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.targetsize-40_altform-unplated_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailSmallTile.scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jfxmedia.dll.id-D4FB4027.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\ja-JP\MSFT_PackageManagementSource.strings.psd1	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GamingApp_2021.427.138.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\contrast-black\GetHelpAppList.targetsize-36_altform-lightunplated_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\require.min.js.id-D4FB4027.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ja-jp\ui-strings.js.id-D4FB4027.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG.HXS.id-D4FB4027.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART7.BDR.id-D4FB4027.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libdiracsys_plugin.dll.id-D4FB4027.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\spu\liblogo_plugin.dll.id-D4FB4027.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Xbox_LargeTile.scale-100_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\vcruntime140_app.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected].[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PaintAppList.targetsize-30_altform-unplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\FloatingPicker.js	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner.gif.id-D4FB4027.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sl_get.svg	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\Products.txt	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationClientSideProviders.resources.dll.id-D4FB4027.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable.png.id-D4FB4027.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Res.dll.id-D4FB4027.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.21012.10511.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-125_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_selectlist_checkmark_18.svg.id-D4FB4027.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-pl.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\eu-es\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\it_get.svg.id-D4FB4027.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\comments.win32.bundle.id-D4FB4027.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\wordicon.exe.id-D4FB4027.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt.id-D4FB4027.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInTray.gif	CoronaVirus.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_kn.dll.id-D4FB4027.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\vlc.mo.id-D4FB4027.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\visualization\libglspectrum_plugin.dll.id-D4FB4027.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fi.pak	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\merge-styles\lib\transforms\rtlifyRules.js	CoronaVirus.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationClient.resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\lt-LT\PAD.Console.Host.resources.dll	CoronaVirus.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WinNuke.98.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinNuke.98.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
21600	vssadmin.exe
23444	vssadmin.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 598315.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WinNuke.98.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 411949.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2704	msedge.exe
2704	msedge.exe
3504	msedge.exe
3504	msedge.exe
1956	msedge.exe
1956	msedge.exe
4944	identity_helper.exe
4944	identity_helper.exe
4252	msedge.exe
4252	msedge.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe
4760	CoronaVirus.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	21628	vssvc.exe
Token: SeRestorePrivilege	21628	vssvc.exe
Token: SeAuditPrivilege	21628	vssvc.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 3484	3504	msedge.exe	80
PID 3504 wrote to memory of 3484	3504	msedge.exe	80
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 4812	3504	msedge.exe	81
PID 3504 wrote to memory of 2704	3504	msedge.exe	82
PID 3504 wrote to memory of 2704	3504	msedge.exe	82
PID 3504 wrote to memory of 2508	3504	msedge.exe	83
PID 3504 wrote to memory of 2508	3504	msedge.exe	83
PID 3504 wrote to memory of 2508	3504	msedge.exe	83
PID 3504 wrote to memory of 2508	3504	msedge.exe	83
PID 3504 wrote to memory of 2508	3504	msedge.exe	83
PID 3504 wrote to memory of 2508	3504	msedge.exe	83
PID 3504 wrote to memory of 2508	3504	msedge.exe	83
PID 3504 wrote to memory of 2508	3504	msedge.exe	83
PID 3504 wrote to memory of 2508	3504	msedge.exe	83
PID 3504 wrote to memory of 2508	3504	msedge.exe	83
PID 3504 wrote to memory of 2508	3504	msedge.exe	83
PID 3504 wrote to memory of 2508	3504	msedge.exe	83
PID 3504 wrote to memory of 2508	3504	msedge.exe	83
PID 3504 wrote to memory of 2508	3504	msedge.exe	83
PID 3504 wrote to memory of 2508	3504	msedge.exe	83
PID 3504 wrote to memory of 2508	3504	msedge.exe	83
PID 3504 wrote to memory of 2508	3504	msedge.exe	83
PID 3504 wrote to memory of 2508	3504	msedge.exe	83
PID 3504 wrote to memory of 2508	3504	msedge.exe	83
PID 3504 wrote to memory of 2508	3504	msedge.exe	83

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff977b3cb8,0x7fff977b3cc8,0x7fff977b3cd8
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1760,1964855552626741226,13474498193821501145,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1804 /prefetch:2
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1760,1964855552626741226,13474498193821501145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1760,1964855552626741226,13474498193821501145,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2592 /prefetch:8
  2⤵
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1760,1964855552626741226,13474498193821501145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1760,1964855552626741226,13474498193821501145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1760,1964855552626741226,13474498193821501145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1760,1964855552626741226,13474498193821501145,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4528 /prefetch:1
  2⤵
  PID:1884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1760,1964855552626741226,13474498193821501145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1760,1964855552626741226,13474498193821501145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1760,1964855552626741226,13474498193821501145,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:2532
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1760,1964855552626741226,13474498193821501145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4424 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1760,1964855552626741226,13474498193821501145,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1760,1964855552626741226,13474498193821501145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2900 /prefetch:1
  2⤵
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1760,1964855552626741226,13474498193821501145,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6100 /prefetch:8
  2⤵
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1760,1964855552626741226,13474498193821501145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4252
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4760
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:2264
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:21580
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:21600
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:22716
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:23248
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:23444
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:23108
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:23208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1760,1964855552626741226,13474498193821501145,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6180 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:23684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1760,1964855552626741226,13474498193821501145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2960 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:24144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1760,1964855552626741226,13474498193821501145,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6580 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:24288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1760,1964855552626741226,13474498193821501145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:24448
- C:\Users\Admin\Downloads\WinNuke.98.exe
  "C:\Users\Admin\Downloads\WinNuke.98.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:24632
- C:\Users\Admin\Downloads\WinNuke.98.exe
  "C:\Users\Admin\Downloads\WinNuke.98.exe"
  2⤵
  - Executes dropped EXE
  PID:24816
- C:\Users\Admin\Downloads\WinNuke.98.exe
  "C:\Users\Admin\Downloads\WinNuke.98.exe"
  2⤵
  - Executes dropped EXE
  PID:24900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4404

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:21628

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:25976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-D4FB4027.[[email protected]].ncov

Filesize
2.7MB

MD5
64e27e98f8a25c659128c4463a795705

SHA1
068f36d5738412789bf23daeab393fb3cdf7e4f5

SHA256
6d67dd3abcef882a0f2db9ed94792255cc8ed3d6e58f05493efda0c97e3deb48

SHA512
d4f58056c111f4f17d8ccb37f9918abe19ac78fd927caa6c7f2857a3c005b15c8cbdaa5dbe9cec5a5bb96b3c7637540cf67e8ed3bc0983359fe352fd9ff2a915

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
554d6d27186fa7d6762d95dde7a17584

SHA1
93ea7b20b8fae384cf0be0d65e4295097112fdca

SHA256
2fa6145571e1f1ece9850a1ac94661213d3e0d82f1cef7ac1286ff6b2c2017cb

SHA512
57d9008ccabc315bd0e829b19fe91e24bab6ef20bcfab651b937b0f38eec840b58d0aed092a3bbedd2d6a95d5c150372a1e51087572de55672172adc1fc468a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a28bb0d36049e72d00393056dce10a26

SHA1
c753387b64cc15c0efc80084da393acdb4fc01d0

SHA256
684d797e28b7fd86af84bfb217d190e4f5e03d92092d988a6091b2c7bbbd67c1

SHA512
20940fee33aa2194c36a3db92d4fd314ce7eacc2aa745abec62aa031c2a53ba4ff89f2568626e7bd2536090175f8d045c3bb52c5faa5ecc8da8410ab5fc519f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
1f3f36b470e00046c1c1803155b62110

SHA1
8bf7426db8407c25659f59cfca7c6410997576ea

SHA256
14ddc4e91d1a4a8056d3885658728563e4eb174b7afda4188aebc3db90390cbd

SHA512
f97705d1040e22ca6022002967f006a8e2201299a43fd22c9eddaa6eaacda83e2afb1a5025d3f230c36c2a29328a4c9870e5e3ce23cb3937b0c42ef283e5f9a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
fb7fa0252dd950647afa7c495c4a5520

SHA1
8e96bf83d1a98cdbf4bad8158684d19c5f279cc7

SHA256
421d81b3682730d55bda7fed252499c25f5d89e8314ca2a455c291b17bd0b6f1

SHA512
65851ee7cc941a253b42654ded152311f8c1512705ab5a045e94b676670ff11b04087c01006af6ab8422fbe725ce971bb63dd3f4ca924d6f92173996df2bb336

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dd6969eae9d9f3bcc0e03423605a99bb

SHA1
f6224e5bbb5ae5e6932a2f6ec4190d8a8c692893

SHA256
47f7234f52f10b0cefd32c75213219cf81e95ff3f8fe8d0d7a9c35d94a4dcffe

SHA512
66e39496018372574b4085e5558bc489b96a959679d6cf7c19a1272d9fc857f8b4e28dcac3b6120b4d989ab59a01486a8c0d4ddf5c97947c91a4eb823e5cb13a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
67c203fe5d841a35489b2892e5c52f16

SHA1
8196f00288929514919f1394d5f1bbf4f0392e09

SHA256
1ec6c70cd361b214e812717f2bd5b3f78bfbc2b823b9bfe4e1209f2f0fbc2e3f

SHA512
578fba057d9474b6b63e2e30de5234d5dd21757ba4cb3761930d315c97dc094f87b8e609f965505435bd0783e9740a114d379f8e8f1d4cef040d3de68ded87a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
109995d740f276201c790f881031d5cd

SHA1
3849d86b7d135985230341cf64f39aa712a3a2bb

SHA256
48112e6f6c78a77c0431b2bd18553686729b20e2adec09d7e036c5fb28f6248a

SHA512
b4aa31c839661da7d69bfe77e866cd68eef49e3f57d519bcd69f2bed1cd1dd5e9030af72049c88c5d07c8454a31020e113340a6005a8be4e4edfbeced01925b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
5260ee69da2704a6834a433edd3ab40a

SHA1
0a1636c8aa4f0e1cd4a832d3474e87d8780eb792

SHA256
6be44b7e0168484dedcf7381423c68206a8fa829f07e393023a7a851f49cf839

SHA512
a456623a4d64730a58e081d2a3a91d08bea4fe932a3caa3e4f732dc062f74406e00f02d585211d4f095a6c34437c5e7d288e4c3b32e15656c0a33b09e8d60905

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c13fce03d3593655aae31c7239e2ff30

SHA1
50de43afa7e43d5e9ab8099198388e71f5bd2555

SHA256
1101af8c1fed9ddb3826a353040f3f408bfe934a3c070c900ca1346971b83a50

SHA512
2fab0414168f2d70c075982568398f5d8597b6f9b2f7e12911fbd326121fcd25c21d1e91dfebd5af41f130d62b46a7213ef93e75d42802f479e0677fbacf9871

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fdffa251f4339840b7366c1564a7ef4a

SHA1
394d17f5c3d87edbdb145c5114cdf2dc740afca8

SHA256
519dabcf61ff84e3d3af3bbebec782714acfb757caf17cae58ff432000ccb8a0

SHA512
a95018a0d1f44ee96dacd803a5c25bc4f8d77d1e3e138c5008670de5d7f94baca7733b82bf42f9642c83da542d28574a48773035019cb427f80b6d97ace8d7f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ad022fc7c720ae0044a42ffb727dc434

SHA1
ad6d961844641ca56aebf695abe0013413bd3b71

SHA256
93b2a045d0bd0acb13335d1ad3b5f5b0d1f20c4360621faff73507a9067cfa4b

SHA512
c1ad97734068dc454fee4f8c594ca28810e9d7714d99b9c27e84aeffa4677d41ba725fae13d9691884b2b9d904062af06454b88737b51768b4bcbf30a30cc411

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8d7fadfa49edc3cda951434560dd5b7d

SHA1
11dccbf27961f974b812a8923a39b0e8c35220a8

SHA256
b19131f3eb304274876b95ecd6b0a5fcd208a84c40fce07e9d1430fd6f32bfc9

SHA512
f0a72238840b7d99ef45271af11e086d67d88018747626e9084724ef63371c7d59319b19f624b71d65b918087040fd5d095ad00dc70eb6ce28b75e56fdac2bdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c21508062d02ceb6d46b6f0692499f53

SHA1
e3f409d074252cc4a2a2b88df9bc0b9136fbd4f8

SHA256
0d36be1d8371fd049a9eab9230d7a05447556c8b5607a41a6bb65eb3bb3e6676

SHA512
af198d95c7ca55401da3fd4a4a5378782a70ef262b93d4c2c010d8ce1efd5f05cfba46e5894ee56032d7cd2768daf9545218851fa758bbd93501c1f031845695

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f414.TMP

Filesize
874B

MD5
09bf3932a727ade0b09a258217d513d0

SHA1
a24be9276a2b04147c5bf59a9d719ad52bc54d8b

SHA256
442d833264309dcd9a6a377d16f635b7a4ad120e3a5823eb25cda37b0b88c28b

SHA512
e14178ef11d8f5dbb67a896d7b3b2117447279b6b04074f8efad0ad9e94e3943d04cbc3e00f5aca6239ec8417c24168cfa239dc32c5de5121aa9a2fd10e09a4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59213a.TMP

Filesize
1KB

MD5
6b8ee036455cfa932cf36678116123d3

SHA1
78fb76115278b69c7470508de1a124510a5da6b0

SHA256
eed05e25adca6c623ed89fe3f937975581ccd757e62316224fb1c3ce87ed3306

SHA512
1ed8ae11381796b00ed091be400b01aa713b1ff916cb71fbb4868d34e807c3b96be4699fec84b9f592f464fae162658a4bbab4804d1afcf35e49ae1b366b4a4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c55bf8848f955d055101107f128a0d1b

SHA1
a8e61da845ac536db801f303039af5f5e365a941

SHA256
39b80b716a9f520405bf169fc6599e37439e118dd5f04a2775dbf92dee7cd1bb

SHA512
b7795018a3d9faf3a3839406e0a9a0e4b81f693818282026988d5ff0fb903da7d2cbc9f67188249bc74db3b37e60879ff5ff023549ff5b31e03d00eb298f57e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9f8831a04b3874c68ec09922df0c8cea

SHA1
0c0a90ffb7964229eb14362f08163a5ff36c74a3

SHA256
2ad80230ff17005f68d47c89838db34b8f2832b26e425dcac5d42fbc0bc1c013

SHA512
1520c728bea9f0dc8806378a5cdeb43857da7643e993e172cc07773f1955e0045dcba291c4b056a466cb92bf9785ac049923002d9f6f0ded11de26ca7c3125ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f0e5761028d8e7f960dcf874ebf6d4ad

SHA1
cab9f6b7e40e7a9f4c5d1bcf5009baaa5f923627

SHA256
4602719f4a9ce2669e9e26ea2946ffa69cd59deb3a9b259fabc2d18f12bd17da

SHA512
48e9dccd89f69bc142aa0e0e3608a8b445ffae37898601cb698222c2b7032ba3f2c89f94cdaebf9f721df88dd478af8cfedc9c6a488264c28f55b0d07aac2149

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
89cf65240118428ac31a8472bb54ffc7

SHA1
a3b4095ffdcc914656824acc0484b6f3defde573

SHA256
2befb82f151fad7e468bc59648c7b2b69aaeb54ff39fd63acbb2a695179b6bc7

SHA512
c85901b778ca09b6cf79e19114b63689fa4a403dd70d67e2d8ba95bf808d8ec400de60deda26f147e98c73cd35649669068225aa9141237eeb7ecb765e81f20d

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\a75b6736-7706-4af8-9467-f41597643181.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 411949.crdownload

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 598315.crdownload

Filesize
32KB

MD5
eb9324121994e5e41f1738b5af8944b1

SHA1
aa63c521b64602fa9c3a73dadd412fdaf181b690

SHA256
2f1f93ede80502d153e301baf9b7f68e7c7a9344cfa90cfae396aac17e81ce5a

SHA512
7f7a702ddec8d94cb2177b4736d94ec53e575be3dd2d610410cb3154ba9ad2936c98e0e72ed7ab5ebbcbe0329be0d9b20a3bcd84670a6d1c8d7e0a9a3056edd2

Download Submit
memory/4760-4735-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4760-309-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4760-288-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download