Analysis
- max time kernel: 292s
- max time network: 282s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 08-11-2024 14:13
Behavioral tasks (all run on resource win11-20241007-en)
- behavioral1: Dest/HorrorBob2.exe
- behavioral2: Dest/HorrorRansom 1.0 Final.exe
- behavioral3: Dest/HorrorTrojan Ultimate Edition.exe
- behavioral4: Dest/HorrorTrojan123.exe
- behavioral5: Dest/Start.bat
- behavioral6: Dest/covid20.exe
General
- Target: Dest/covid20.exe
- Size: 4.8MB
- MD5: fde53eb92140afb22152cfa283ef26cc
- SHA1: b975f240e69307f809e54fabf6ea547183edf130
- SHA256: 56c6b80e9f525e9010b47112f8085751e8e3fb744e111df3330b481df6a7e954
- SHA512: df5eaa0e429e618d7c94eab0dd6021d774abe50ad2d200d3608d1d1c50b70e65eccff564baa2fd2b86a5dad999ff7edb04152ac5cbff209fae7d93c329dff771
- SSDEEP: 98304:i1EB4Av3kOW561R4+8QxEmKDxUmEhc0R2lIP9W0uJPg4dWzN/ODIw9AtVje7gQ:EEi4z1R4+LKDPEK0RBFduJ44dWpiHAtM
Malware Config
Signatures
- Processes (resource / yara_rule):
  C:\Users\Admin\AppData\Local\Temp\9347.tmp\flasher.exe / aspack_v212_v242
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
  2464 / CLWCP.exe
  2876 / flasher.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes (description / ioc / process):
  Set value (str) / \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Desktop\Wallpaper = "c:\\covid20\\bg.bmp" / CLWCP.exe
- Processes (resource / yara_rule):
  behavioral6/memory/1976-0-0x0000000000400000-0x0000000001A7B000-memory.dmp / upx
  behavioral6/memory/1976-33-0x0000000000400000-0x0000000001A7B000-memory.dmp / upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description / ioc / process):
  Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / covid20.exe
  Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / cmd.exe
  Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / CLWCP.exe
  Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / flasher.exe
  Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / WScript.exe
- Modifies registry class (1 IoCs)
  Processes (description / ioc / process):
  Key created / \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings / cmd.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process); each of the four entries below is reported three times in the raw log:
  PID 1976 wrote to memory of 3860 / 1976 / covid20.exe / cmd.exe
  PID 3860 wrote to memory of 2464 / 3860 / cmd.exe / CLWCP.exe
  PID 3860 wrote to memory of 2876 / 3860 / cmd.exe / flasher.exe
  PID 3860 wrote to memory of 3356 / 3860 / cmd.exe / WScript.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\Dest\covid20.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Dest\covid20.exe"
   PID: 1976
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9347.tmp\covid.bat" "
      PID: 3860
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\9347.tmp\CLWCP.exe
         Command line: clwcp c:\covid20\bg.bmp
         PID: 2464
         - Executes dropped EXE
         - Sets desktop wallpaper using registry
         - System Location Discovery: System Language Discovery
      3. C:\Users\Admin\AppData\Local\Temp\9347.tmp\flasher.exe
         Command line: flasher 5 c:\covid20\covid.bmp
         PID: 2876
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
      3. C:\Windows\SysWOW64\WScript.exe
         Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9347.tmp\corona.vbs"
         PID: 3356
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads