
Analysis Report covid19.exe

Overview

General Information

Sample Name: covid19.exe
MD5: d0a7273fc33b37a38336213b86def543
SHA1: 401279da57773a148fde2886308f568c9901054a
SHA256: 27725450780b19dd823f2ad601a6038442d3da4d9bbade3f16ee5e037b28f452


Detection

Score: 5
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Checks if the current process is being debugged
Creates files inside the system directory
Enables debug privileges
One or more processes crash
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • covid19.exe (PID: 1096 cmdline: 'C:\Users\user\Desktop\covid19.exe' MD5: D0A7273FC33B37A38336213B86DEF543)
    • WerFault.exe (PID: 1624 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 1040 MD5: 80E91E3C0F5563E4049B62FCAF5D67AC)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview


Source: covid19.exe, 00000000.00000002.786586090.0000000002E00000.00000004.00000001.sdmp -> String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: covid19.exe -> String found in binary or memory: https://dimonvideo.ru/0/name/c1cl0n
Source: covid19.exe -> String found in binary or memory: https://dimonvideo.ru/uploader/488459
Source: covid19.exe -> String found in binary or memory: https://dimonvideo.ru/uploader/488459)Microsoft
Source: covid19.exe -> String found in binary or memory: https://html-agility-pack.net
Source: covid19.exe -> String found in binary or memory: https://newtonsoft.com/json
Source: covid19.exe -> String found in binary or memory: https://worldometers.info/coronavirus
Source: covid19.exe -> String found in binary or memory: https://worldometers.info/coronavirusa//

Source: C:\Windows\SysWOW64\WerFault.exe -> File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp
Source: unknown -> Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 1040
Source: covid19.exe -> Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: covid19.exe -> Binary or memory string: OriginalFilename vs covid19.exe
Source: C:\Windows\SysWOW64\WerFault.exe -> Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\WerFault.exe -> Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe -> Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe -> Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: covid19.exe -> Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: covid19.exe, Form1.cs -> Suspicious URL: 'https://yandex.ru/web-maps/covid19', 'https://yandex.ru/web-maps/covid19/isolation', 'https://dimonvideo.ru/uploader/488459', 'https://yandex.ru/web-maps/covid19/isolation', 'https://yandex.ru/web-maps/covid19', 'https://dimonvideo.ru/0/name/c1cl0n'
Source: 0.0.covid19.exe.9f0000.0.unpack, Form1.cs -> Suspicious URL: 'https://yandex.ru/web-maps/covid19', 'https://yandex.ru/web-maps/covid19/isolation', 'https://dimonvideo.ru/uploader/488459', 'https://yandex.ru/web-maps/covid19/isolation', 'https://yandex.ru/web-maps/covid19', 'https://dimonvideo.ru/0/name/c1cl0n'
Source: 0.2.covid19.exe.9f0000.0.unpack, Form1.cs -> Suspicious URL: 'https://yandex.ru/web-maps/covid19', 'https://yandex.ru/web-maps/covid19/isolation', 'https://dimonvideo.ru/uploader/488459', 'https://yandex.ru/web-maps/covid19/isolation', 'https://yandex.ru/web-maps/covid19', 'https://dimonvideo.ru/0/name/c1cl0n'
Source: covid19.exe, 00000000.00000002.785395922.0000000000EF8000.00000004.00000010.sdmp -> Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb/
Source: covid19.exe, 00000000.00000002.785395922.0000000000EF8000.00000004.00000010.sdmp -> Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbisualBasic.pdb
Source: covid19.exe, 00000000.00000002.786203759.00000000011DC000.00000004.00000020.sdmp -> Binary or memory string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
Source: covid19.exe, 00000000.00000002.785395922.0000000000EF8000.00000004.00000010.sdmp -> Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
Source: classification engine -> Classification label: clean5.winEXE@2/4@0/0
Source: C:\Windows\SysWOW64\WerFault.exe -> Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1096
Source: C:\Windows\SysWOW64\WerFault.exe -> File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER627D.tmp
Source: covid19.exe -> Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\covid19.exe -> Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe -> Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe -> Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\Desktop\covid19.exe -> Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe -> File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe -> File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\covid19.exe -> File read: C:\Users\user\Desktop\covid19.exe
Source: unknown -> Process created: C:\Users\user\Desktop\covid19.exe 'C:\Users\user\Desktop\covid19.exe'
Source: unknown -> Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 1040
Source: C:\Users\user\Desktop\covid19.exe -> Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\covid19.exe -> File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: covid19.exe -> Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: covid19.exe -> Static file information: File size 1151488 > 1048576
Source: covid19.exe -> Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: covid19.exe -> Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: 2C:\Users\user\Desktop\covid19.PDBXT source: covid19.exe, 00000000.00000002.785395922.0000000000EF8000.00000004.00000010.sdmp
Source: Binary string: System.Xml.ni.pdb source: WER627D.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\covid19.pdbbH source: covid19.exe, 00000000.00000002.786203759.00000000011DC000.00000004.00000020.sdmp
Source: Binary string: Accessibility.pdb source: WER627D.tmp.dmp.4.dr
Source: Binary string: System.ni.pdbRSDS source: WER627D.tmp.dmp.4.dr
Source: Binary string: System.Drawing.pdb\ source: WER627D.tmp.dmp.4.dr
Source: Binary string: System.Core.pdb 2 source: WER627D.tmp.dmp.4.dr
Source: Binary string: Microsoft.VisualBasic.pdbq source: WER627D.tmp.dmp.4.dr
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbCo;}i source: covid19.exe, 00000000.00000002.786203759.00000000011DC000.00000004.00000020.sdmp
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb/ source: covid19.exe, 00000000.00000002.785395922.0000000000EF8000.00000004.00000010.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WER627D.tmp.dmp.4.dr
Source: Binary string: symbols\dll\Microsoft.VisualBasic.pdb source: covid19.exe, 00000000.00000002.785395922.0000000000EF8000.00000004.00000010.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WER627D.tmp.dmp.4.dr
Source: Binary string: C:\Windows\dll\Microsoft.VisualBasic.pdbsic source: covid19.exe, 00000000.00000002.786203759.00000000011DC000.00000004.00000020.sdmp
Source: Binary string: System.Runtime.Remoting.pdb source: WER627D.tmp.dmp.4.dr
Source: Binary string: System.Configuration.pdb source: WER627D.tmp.dmp.4.dr
Source: Binary string: F:\Projects\VS14\covid19\covid19\obj\Release\covid19.pdb source: covid19.exe
Source: Binary string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: covid19.exe, 00000000.00000002.786203759.00000000011DC000.00000004.00000020.sdmp
Source: Binary string: (PPjLC:\Windows\Microsoft.VisualBasic.pdb source: covid19.exe, 00000000.00000002.785395922.0000000000EF8000.00000004.00000010.sdmp
Source: Binary string: System.Xml.pdb source: WER627D.tmp.dmp.4.dr
Source: Binary string: System.pdb source: WER627D.tmp.dmp.4.dr
Source: Binary string: .pdb" source: covid19.exe, 00000000.00000002.785395922.0000000000EF8000.00000004.00000010.sdmp
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: covid19.exe, 00000000.00000002.785395922.0000000000EF8000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: covid19.exe, 00000000.00000002.786203759.00000000011DC000.00000004.00000020.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb source: WER627D.tmp.dmp.4.dr
Source: Binary string: System.Core.ni.pdb source: WER627D.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\symbols\exe\covid19.pdbB~ source: covid19.exe, 00000000.00000002.786203759.00000000011DC000.00000004.00000020.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WER627D.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\exe\covid19.pdb source: covid19.exe, 00000000.00000002.786203759.00000000011DC000.00000004.00000020.sdmp
Source: Binary string: mscorlib.pdb source: WER627D.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\symbols\exe\covid19.pdb source: covid19.exe, 00000000.00000002.786203759.00000000011DC000.00000004.00000020.sdmp
Source: Binary string: System.Configuration.pdb@ source: WER627D.tmp.dmp.4.dr
Source: Binary string: System.Drawing.pdb source: WER627D.tmp.dmp.4.dr
Source: Binary string: System.Runtime.Remoting.pdb source: WER627D.tmp.dmp.4.dr
Source: Binary string: mscorlib.ni.pdb source: WER627D.tmp.dmp.4.dr
Source: Binary string: System.pdb4 source: WER627D.tmp.dmp.4.dr
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER627D.tmp.dmp.4.dr
Source: Binary string: System.Core.pdb source: WER627D.tmp.dmp.4.dr
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbisualBasic.pdb source: covid19.exe, 00000000.00000002.785395922.0000000000EF8000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\covid19.pdbpdbd19.pdbE source: covid19.exe, 00000000.00000002.786203759.00000000011DC000.00000004.00000020.sdmp
Source: Binary string: Accessibility.pdb8 source: WER627D.tmp.dmp.4.dr
Source: Binary string: System.Xml.ni.pdbRSDS source: WER627D.tmp.dmp.4.dr
Source: Binary string: covid19.pdb source: WER627D.tmp.dmp.4.dr
Source: Binary string: System.ni.pdb source: WER627D.tmp.dmp.4.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER627D.tmp.dmp.4.dr

Source: C:\Users\user\Desktop\covid19.exe -> Code function: 0_2_009FC018 push es; ret 0_2_009FC01C
Source: C:\Users\user\Desktop\covid19.exe -> Code function: 0_2_009FC020 push es; ret 0_2_009FC022
Source: initial sample -> Static PE information: section name: .text entropy: 7.43476856318

Source: C:\Users\user\Desktop\covid19.exe -> Process information set: NOOPENFILEERRORBOX (28 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe -> Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe -> Process information set: NOOPENFILEERRORBOX (20 identical entries)

Source: C:\Windows\SysWOW64\WerFault.exe -> File opened: PhysicalDrive0
Source: C:\Windows\SysWOW64\WerFault.exe -> Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\covid19.exe -> Process queried: DebugPort
Source: C:\Users\user\Desktop\covid19.exe -> Process queried: DebugPort
Source: C:\Windows\SysWOW64\WerFault.exe -> Process token adjusted: Debug
Source: C:\Users\user\Desktop\covid19.exe -> Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\covid19.exe -> Queries volume information: C:\Users\user\Desktop\covid19.exe VolumeInformation
Source: C:\Users\user\Desktop\covid19.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\covid19.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\covid19.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\covid19.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\covid19.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\covid19.exe -> Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

The matrix is listed below by tactic column, each with its technique cells in the order the report shows them; a number in parentheses is the match count the report attaches to that technique.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment
Execution: Windows Remote Management; Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception
Privilege Escalation: Process Injection (1); Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task
Defense Evasion: Masquerading (1); Software Packing (2); Disabling Security Tools (1); Virtualization/Sandbox Evasion (2); Process Injection (1); DLL Side-Loading (1); Obfuscated Files or Information (2)
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception
Discovery: Virtualization/Sandbox Evasion (2); Process Discovery (1); Security Software Discovery (2); System Information Discovery (22); Remote System Discovery (1); System Owner/User Discovery; Network Sniffing
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel
Command and Control: Data Obfuscation; Fallback Channels; Custom Cryptographic Protocol; Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 231872. Sample: covid19.exe. Start date: 20/05/2020. Architecture: WINDOWS. Score: 5. Process chain shown in the graph: covid19.exe started, which in turn started WerFault.exe (the graph image itself is not included here).

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.