Analysis

  • max time kernel
    292s
  • max time network
    282s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    08-11-2024 14:13

General

  • Target

    Dest/covid20.exe

  • Size

    4.8MB

  • MD5

    fde53eb92140afb22152cfa283ef26cc

  • SHA1

    b975f240e69307f809e54fabf6ea547183edf130

  • SHA256

    56c6b80e9f525e9010b47112f8085751e8e3fb744e111df3330b481df6a7e954

  • SHA512

    df5eaa0e429e618d7c94eab0dd6021d774abe50ad2d200d3608d1d1c50b70e65eccff564baa2fd2b86a5dad999ff7edb04152ac5cbff209fae7d93c329dff771

  • SSDEEP

    98304:i1EB4Av3kOW561R4+8QxEmKDxUmEhc0R2lIP9W0uJPg4dWzN/ODIw9AtVje7gQ:EEi4z1R4+LKDPEK0RBFduJ44dWpiHAtM

Malware Config

Signatures

  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Dest\covid20.exe
    "C:\Users\Admin\AppData\Local\Temp\Dest\covid20.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9347.tmp\covid.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3860
      • C:\Users\Admin\AppData\Local\Temp\9347.tmp\CLWCP.exe
        clwcp c:\covid20\bg.bmp
        3⤵
        • Executes dropped EXE
        • Sets desktop wallpaper using registry
        • System Location Discovery: System Language Discovery
        PID:2464
      • C:\Users\Admin\AppData\Local\Temp\9347.tmp\flasher.exe
        flasher 5 c:\covid20\covid.bmp
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2876
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9347.tmp\corona.vbs"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3356

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\9347.tmp\CLWCP.exe

    Filesize

    505KB

    MD5

    e62ee6f1efc85cb36d62ab779db6e4ec

    SHA1

    da07ec94cf2cb2b430e15bd0c5084996a47ee649

    SHA256

    13b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a

    SHA512

    8142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69

  • C:\Users\Admin\AppData\Local\Temp\9347.tmp\bg.bmp

    Filesize

    21.5MB

    MD5

    cb065726febf9c1a581f3008e678f524

    SHA1

    f9a0058a57213cf7ce72eddf0616a938c8f4f4b1

    SHA256

    d8f864128f2a79e2ff8179255ebfd06619325fec86103722b6418c3cbb41823f

    SHA512

    b54a81cff5951b34478e777bc27cc4fd4a292b548f38162602c01e2594848e40fcfea5becfd789153c9a4fa75c354834a3a37cf3032c9857e9246bf850d24880

  • C:\Users\Admin\AppData\Local\Temp\9347.tmp\corona.vbs

    Filesize

    130B

    MD5

    e61624dced063c4ba5352bf487f12410

    SHA1

    40bd08928900cd97f444ffaa78d93dcaf913b274

    SHA256

    82ac48c4f7edbab182aa0a8c320d5616ccdd2f0e83dc733b91e45521f85462a3

    SHA512

    2a27db12d2af35e7b51a307eb8860800075867922d3d63a69da608c96bec045f3c64ac757674d2a40d7f4d9e55179fc2bddc17691919e18e109a5d4669c607ac

  • C:\Users\Admin\AppData\Local\Temp\9347.tmp\covid.bat

    Filesize

    445B

    MD5

    b08e02e536917f897acb2d21f42f0a97

    SHA1

    a078f1addfd3eeb0f0cb5fd206ff78e9dc0f3e45

    SHA256

    2c68caeada2c251c5fc12694b7288a5790114ced4142867179e75d313efaa50c

    SHA512

    1d1901c3c676bb6d99a39d1a0bab1a6ee378090390bb5e7fe66cf754b8dd772ac0b79ba1215fa758445db1deac200afcc5e1e1e32b2562df946c82b530ca95ab

  • C:\Users\Admin\AppData\Local\Temp\9347.tmp\covid.bmp

    Filesize

    147KB

    MD5

    738bbd119d8877f8342e1ff00fe60dff

    SHA1

    fc11d85e3c5b46bd877e06985fec1a601ce396ed

    SHA256

    548c9e22a04650efec06a0414d205d24600e08e0fac1beed7e8b4c03730962bb

    SHA512

    f7a12c9a1403c9a1953387c5871d6e7865ba80c405f37c51f5c3e093bab9235b8a8ba62ad8b27f2079407e9672d47ac365c9cb08033ef349bd8c9906a30fefad

  • C:\Users\Admin\AppData\Local\Temp\9347.tmp\flasher.exe

    Filesize

    246KB

    MD5

    9254ca1da9ff8ad492ca5fa06ca181c6

    SHA1

    70fa62e6232eae52467d29cf1c1dacb8a7aeab90

    SHA256

    30676ad5dc94c3fec3d77d87439b2bf0a1aaa7f01900b68002a06f11caee9ce6

    SHA512

    a84fbbdea4e743f3e41878b9cf6db219778f1479aa478100718af9fc8d7620fc7a3295507e11df39c7863cb896f946514e50368db480796b6603c8de5580685a

  • memory/1976-0-0x0000000000400000-0x0000000001A7B000-memory.dmp

    Filesize

    22.5MB

  • memory/1976-33-0x0000000000400000-0x0000000001A7B000-memory.dmp

    Filesize

    22.5MB

  • memory/2464-34-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

  • memory/2876-35-0x0000000000400000-0x00000000004A4000-memory.dmp

    Filesize

    656KB

  • memory/2876-36-0x0000000000400000-0x00000000004A4000-memory.dmp

    Filesize

    656KB

  • memory/2876-37-0x0000000000400000-0x00000000004A4000-memory.dmp

    Filesize

    656KB

  • memory/2876-48-0x0000000000400000-0x00000000004A4000-memory.dmp

    Filesize

    656KB