Analysis Report Covid21 2.0.exe

Overview

General Information

Sample Name: Covid21 2.0.exe
Analysis ID: 377010
MD5: a7c7f5e792809db8653a75c958f82bc4
SHA1: 7ebe75db24af98efdcfebd970e7eea4b029f9f81
SHA256: 02fea9970500d498e602b22cea68ade9869aca40a5cdc79cf1798644ba2057ca
Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Command shell drops VBS files
Contains functionality to detect sleep reduction / modifications
Contains functionality to change the wallpaper
Disables the Windows task manager (taskmgr)
Found API chain indicative of debugger detection
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Sample or dropped binary is a compiled AutoHotkey binary
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes directly to the primary disk partition (DR0)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Uses taskkill to terminate processes

Classification

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe Avira: detection malicious, Label: HEUR/AGEN.1133501
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\icons.exe ReversingLabs: Detection: 12%
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe ReversingLabs: Detection: 48%
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe Metadefender: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe ReversingLabs: Detection: 62%
Multi AV Scanner detection for submitted file
Source: Covid21 2.0.exe Virustotal: Detection: 69%
Source: Covid21 2.0.exe Metadefender: Detection: 29%
Source: Covid21 2.0.exe ReversingLabs: Detection: 75%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\icons.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Covid21 2.0.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.Covid21 2.0.exe.63145a.3.unpack Avira: Label: TR/Patched.Ren.Gen

Compliance:

Uses 32bit PE files
Source: Covid21 2.0.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_0040850C FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 6_2_0040850C
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_00408604 FindFirstFileA,GetLastError, 6_2_00408604
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_00405210 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 6_2_00405210
Source: C:\covid21\Corona.exe Code function: 12_2_00404F24 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 12_2_00404F24
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: 13_2_00404EB8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 13_2_00404EB8
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_0043892A _strlen,FindFirstFileA,FindFirstFileA,FindClose,FindFirstFileA,FindClose,_strcat, 18_2_0043892A
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_00424873 _strlen,_strcat,_strcat,_strrchr,_strlen,_strrchr,FindFirstFileA,FindFirstFileA,GetTickCount,PeekMessageA,GetTickCount,_strlen,_strcat,SetFileAttributesA,FindNextFileA,FindClose,_strcat,FindFirstFileA,_strlen,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,_strlen,FindNextFileA,FindClose, 18_2_00424873
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_00423AD5 DeleteFileA,FindFirstFileA,_strcat,_strrchr,_strlen,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,_strlen,_strcat,DeleteFileA,FindNextFileA,FindClose, 18_2_00423AD5
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_0040A357 _strrchr,_strcat,_strlen,_strcat,FindFirstFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,_strcat,FindFirstFileA,_strlen,_strlen,FindNextFileA,FindClose, 18_2_0040A357
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_0042C368 FindFirstFileA,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,_strlen,_strcat,MoveFileA,DeleteFileA,MoveFileA,CopyFileA,FindNextFileA,FindClose, 18_2_0042C368
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_00423D09 FindFirstFileA,FindClose, 18_2_00423D09
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_00423DE4 FindFirstFileA,FindClose,FileTimeToLocalFileTime, 18_2_00423DE4
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_00424DBB _strlen,_strcat,LocalFileTimeToFileTime,GetSystemTimeAsFileTime,_strcat,_strrchr,_strlen,_strrchr,FindFirstFileA,FindFirstFileA,SetFileTime,GetTickCount,PeekMessageA,GetTickCount,_strlen,_strcat,CreateFileA,SetFileTime,CloseHandle,FindNextFileA,FindClose,_strcat,FindFirstFileA,_strlen,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,_strlen,FindNextFileA,FindClose, 18_2_00424DBB
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_0042C603 GetFileAttributesA,FindFirstFileA,FindClose, 18_2_0042C603
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_00439FDC FindFirstFileA,FindClose,GetFileAttributesA, 18_2_00439FDC
Source: z.exe.0.dr String found in binary or memory: http://www.autohotkey.com
Source: Covid21 2.0.exe, 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp, z.exe, 00000012.00000002.792846873.000000000045A000.00000002.00020000.sdmp, z.exe.0.dr String found in binary or memory: http://www.autohotkey.comCould
Source: screenscrew.exe, 0000001E.00000002.792044732.000000000043B000.00000004.00020000.sdmp String found in binary or memory: http://www.rjlsoftware.com
Source: screenscrew.exe, 0000001E.00000002.793881577.00000000022C0000.00000004.00000001.sdmp String found in binary or memory: http://www.rjlsoftware.com(
Source: screenscrew.exe String found in binary or memory: http://www.rjlsoftware.com/?screenscrew
Source: screenscrew.exe, 0000001E.00000003.729503063.00000000021D0000.00000004.00000001.sdmp String found in binary or memory: http://www.rjlsoftware.com/?screenscrewopenj

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_00443AE3 GetTickCount,GetTickCount,OpenClipboard,OpenClipboard,GetTickCount,OpenClipboard, 18_2_00443AE3
Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_004218AC GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader, 6_2_004218AC
Contains functionality to record screenshots
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_00420B07 GetForegroundWindow,GetWindowRect,_strrchr,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,DeleteObject,DeleteObject,GetIconInfo,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteObject,DeleteObject,SelectObject,DeleteDC,DeleteObject, 18_2_00420B07
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_00435EB4 GetKeyboardState, 6_2_00435EB4
Creates a DirectInput object (often for capturing keystrokes)
Source: Covid21 2.0.exe, 00000000.00000002.754644021.000000000090A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\Covid21 2.0.exe Code function: 0_2_00405D3C GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetFocus,GetFocus,GetClassNameA,_strncoll,GetFocus,SendMessageA,GetPropA, 0_2_00405D3C

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to change the wallpaper
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_0046CF80 RegOpenKeyExA,RegOpenKeyExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegFlushKey,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA, 6_2_0046CF80

Operating System Destruction:

Protects its processes via BreakOnTermination flag
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe Process information set: 01 00 00 00

System Summary:

Sample or dropped binary is a compiled AutoHotkey binary
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Window found: window name: AutoHotkey
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Covid21 2.0.exe Code function: 0_2_00404714 GetWindowLongA,CallWindowProcA,RemovePropA,RemovePropA,RemovePropA,RevokeDragDrop,SetWindowLongA,NtdllDefWindowProc_A, 0_2_00404714
Source: C:\Users\user\Desktop\Covid21 2.0.exe Code function: 0_2_00407E1A sprintf,GetPropA,HeapFree,HeapFree,HeapFree,RemovePropA,CallWindowProcA,NtdllDefWindowProc_A, 0_2_00407E1A
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_00439164 NtdllDefWindowProc_A,GetCapture, 6_2_00439164
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_0045543C NtdllDefWindowProc_A, 6_2_0045543C
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_0042E49C NtdllDefWindowProc_A, 6_2_0042E49C
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_00449828 GetSubMenu,SaveDC,RestoreDC,72E7B080,SaveDC,RestoreDC,NtdllDefWindowProc_A, 6_2_00449828
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_00455BEC IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 6_2_00455BEC
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_00455CB0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 6_2_00455CB0
Source: C:\covid21\Corona.exe Code function: 12_2_00432908 NtdllDefWindowProc_A,GetCapture,KiUserCallbackDispatcher, 12_2_00432908
Source: C:\covid21\Corona.exe Code function: 12_2_0044CEA8 NtdllDefWindowProc_A, 12_2_0044CEA8
Source: C:\covid21\Corona.exe Code function: 12_2_004421FC GetSubMenu,SaveDC,RestoreDC,72E7B080,SaveDC,RestoreDC,NtdllDefWindowProc_A, 12_2_004421FC
Source: C:\covid21\Corona.exe Code function: 12_2_0042738C NtdllDefWindowProc_A, 12_2_0042738C
Source: C:\covid21\Corona.exe Code function: 12_2_0044D650 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 12_2_0044D650
Source: C:\covid21\Corona.exe Code function: 12_2_0044D700 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 12_2_0044D700
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: 13_2_0044A410 NtdllDefWindowProc_A, 13_2_0044A410
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: 13_2_00424BF0 NtdllDefWindowProc_A, 13_2_00424BF0
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: 13_2_0044ABB8 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 13_2_0044ABB8
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: 13_2_0044AC68 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 13_2_0044AC68
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: 13_2_0043F764 GetSubMenu,SaveDC,RestoreDC,72E7B080,SaveDC,RestoreDC,NtdllDefWindowProc_A, 13_2_0043F764
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: 13_2_0042FFB8 NtdllDefWindowProc_A,GetCapture, 13_2_0042FFB8
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe Code function: 30_2_00428F5C NtdllDefWindowProc_A, 30_2_00428F5C
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe Code function: 30_2_0042220A NtdllDefWindowProc_A, 30_2_0042220A
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe Code function: 30_2_00422218 NtdllDefWindowProc_A, 30_2_00422218
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe Code function: 30_2_0042E808 NtdllDefWindowProc_A, 30_2_0042E808
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_004234E7: CreateFileA,DeviceIoControl,CreateFileA,DeviceIoControl,CloseHandle, 18_2_004234E7
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_0042CAA7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,EnumWindows,ExitWindowsEx, 18_2_0042CAA7
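The screenshot, key-state polling, wallpaper and shutdown signatures above are all ordered API-call chains, which is what a sandbox's static signature engine matches against a disassembled function's call list. The Python below is an added example written for this page, not Joe Sandbox's engine and not code from the sample; its RULES table is an assumed rule set written to mirror those four signatures, and its input lines are copied from this report.

```python
"""Added example (not Joe Sandbox's engine, not the sample's code): match the
'Code function:' evidence lines of this report against ordered API-call
signatures. RULES is an assumed rule set written to mirror four of the
report's signatures; the input lines are copied from the report."""
from dataclasses import dataclass

# Constructed input: evidence lines exactly as printed in the report.
EVIDENCE = [
    r"C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_00420B07 GetForegroundWindow,GetWindowRect,_strrchr,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,DeleteObject,DeleteObject,GetIconInfo,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteObject,DeleteObject,SelectObject,DeleteDC,DeleteObject, 18_2_00420B07",
    r"C:\Users\user\Desktop\Covid21 2.0.exe Code function: 0_2_00405D3C GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetFocus,GetFocus,GetClassNameA,_strncoll,GetFocus,SendMessageA,GetPropA, 0_2_00405D3C",
    r"C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_0046CF80 RegOpenKeyExA,RegOpenKeyExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegFlushKey,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA, 6_2_0046CF80",
    r"C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_0042CAA7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,EnumWindows,ExitWindowsEx, 18_2_0042CAA7",
    r"C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_00408604 FindFirstFileA,GetLastError, 6_2_00408604",
]

# Assumed signatures: each is an ordered list of API names that must occur in
# this order (gaps allowed) in one function's call list. Repeating a name
# requires that many separate calls, which is how the polling loop is caught.
RULES = [
    ("screenshot capture (GDI BitBlt)",
     ["GetDC", "CreateCompatibleDC", "CreateCompatibleBitmap", "SelectObject", "BitBlt"]),
    ("key state polling (keylogger)", ["GetKeyState"] * 3 + ["GetFocus"]),
    ("wallpaper change via registry + SystemParametersInfo",
     ["RegSetValueExA", "SystemParametersInfoA"]),
    ("privileged shutdown / reboot",
     ["OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges", "ExitWindowsEx"]),
]


@dataclass(frozen=True)
class Evidence:
    image: str   # basename of the module the function lives in
    func: str    # sandbox function id, e.g. 18_2_00420B07
    apis: tuple  # API names in the order the disassembler listed them


def parse_evidence(line):
    """Split '<path> Code function: <id> a,b,c, <id>' into an Evidence record."""
    path, sep, rest = line.partition(" Code function: ")
    if not sep:
        return None
    func, _, calls = rest.partition(" ")
    calls = calls.rsplit(" ", 1)[0]            # drop the repeated trailing id
    apis = tuple(a for a in calls.split(",") if a)
    return Evidence(path.rsplit("\\", 1)[-1], func.rstrip(":"), apis)


def contains_in_order(apis, pattern):
    """True if every name in pattern appears in apis in that order; the shared
    iterator consumes apis so repeated names need distinct calls."""
    it = iter(apis)
    return all(any(api == want for api in it) for want in pattern)


def scan(lines, rules=RULES):
    """Return (image, function id, rule name) for every rule a function matches."""
    hits = []
    for line in lines:
        ev = parse_evidence(line)
        if ev is None:
            continue
        for name, pattern in rules:
            if contains_in_order(ev.apis, pattern):
                hits.append((ev.image, ev.func, name))
    return hits


if __name__ == "__main__":
    for image, func, name in scan(EVIDENCE):
        print(f"{image:18} {func:14} {name}")
```

The ordered-subsequence check is deliberately loose about intervening calls (the screenshot routine has DeleteObject and GetIconInfo between GetDC and CreateCompatibleDC), which is also why such rules are evidence rather than proof: a legitimate screen-capture tool produces the same chain.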
Creates files inside the system directory
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe File created: C:\Windows\clwcp.bmp
Detected potential crypto function
Source: C:\Users\user\Desktop\Covid21 2.0.exe Code function: 0_2_00406960 0_2_00406960
Source: C:\Users\user\Desktop\Covid21 2.0.exe Code function: 0_2_00406C10 0_2_00406C10
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_00458A98 6_2_00458A98
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_0044EE08 6_2_0044EE08
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_00465050 6_2_00465050
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_00449828 6_2_00449828
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_00463A68 6_2_00463A68
Source: C:\covid21\Corona.exe Code function: 12_2_004421FC 12_2_004421FC
Source: C:\covid21\Corona.exe Code function: 12_2_004473A0 12_2_004473A0
Source: C:\covid21\Corona.exe Code function: 12_2_0041B3AA 12_2_0041B3AA
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: 13_2_00444908 13_2_00444908
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: 13_2_0043F764 13_2_0043F764
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_004075C4 18_2_004075C4
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_0040DE8C 18_2_0040DE8C
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_00458854 18_2_00458854
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_00424873 18_2_00424873
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_0044207B 18_2_0044207B
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_00414803 18_2_00414803
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_004071FF 18_2_004071FF
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_0044522E 18_2_0044522E
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_0044B395 18_2_0044B395
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_00421466 18_2_00421466
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_00452C20 18_2_00452C20
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_0042F514 18_2_0042F514
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_00450529 18_2_00450529
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_00449D8E 18_2_00449D8E
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_0042963D 18_2_0042963D
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_0040CF24 18_2_0040CF24
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_0041B735 18_2_0041B735
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_0044179A 18_2_0044179A
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe Code function: 30_2_0042E58C 30_2_0042E58C
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe 13B4EC59785A1B367EFB691A3D5C86EB5AAF1CA0062521C4782E1BAAC6633F8A
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe E40F57F6693F4B817BEB50DE68027AABBB0376CA94A774F86E3833BAF93DC4C0
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\2526.tmp\icons.exe 4172C6120F8F98685698365D6DD52C80EB2080203CDDE479009BF8F4FA770AF0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Covid21 2.0.exe Code function: String function: 0046AF31 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: String function: 00442502 appears 290 times
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: String function: 00439871 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: String function: 00458250 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: String function: 00442545 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: String function: 0044C37D appears 49 times
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe Code function: String function: 004036E8 appears 118 times
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: String function: 0040621C appears 62 times
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: String function: 0040411C appears 74 times
Source: C:\covid21\Corona.exe Code function: String function: 00403E4C appears 70 times
Source: C:\covid21\Corona.exe Code function: String function: 00405ED4 appears 61 times
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: String function: 00403E10 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: String function: 00405E68 appears 61 times
PE file contains strange resources
Source: CLWCP.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST (11 such RT_BITMAP resources)
Source: CLWCP.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Corona.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Corona.exe.1.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Covid21 2.0.exe, 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp Binary or memory string: OriginalFilenamescreenscrew.exe: vs Covid21 2.0.exe
Source: Covid21 2.0.exe, 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp Binary or memory string: OriginalFilename vs Covid21 2.0.exe
Source: Covid21 2.0.exe, 00000000.00000002.755160646.0000000000E50000.00000002.00000001.sdmp Binary or memory string: originalfilename vs Covid21 2.0.exe
Source: Covid21 2.0.exe, 00000000.00000002.755160646.0000000000E50000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Covid21 2.0.exe
Source: Covid21 2.0.exe, 00000000.00000002.754831474.0000000000D50000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs Covid21 2.0.exe
Uses reg.exe to modify the Windows registry
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Source: Covid21 2.0.exe Static PE information: Section: UPX1 ZLIB complexity 0.999160245797
Source: classification engine Classification label: mal84.rans.evad.winEXE@73/19@0/0
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_0041EC2C GetLastError,FormatMessageA, 6_2_0041EC2C
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_0042CAA7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,EnumWindows,ExitWindowsEx, 18_2_0042CAA7
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_00408862 GetDiskFreeSpaceA, 6_2_00408862
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_0042B61C CoInitialize,CoCreateInstance,GetKeyboardLayout,MultiByteToWideChar,CoUninitialize, 18_2_0042B61C
Source: C:\Users\user\Desktop\Covid21 2.0.exe Code function: 0_2_004020C9 FindResourceA,LoadResource,SizeofResource, 0_2_004020C9
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4228:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7060:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6940:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6632:120:WilError_01
Source: C:\Users\user\Desktop\Covid21 2.0.exe File created: C:\Users\user\AppData\Local\Temp\2526.tmp
Source: C:\Users\user\Desktop\Covid21 2.0.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\2526.tmp\Covid21.bat' '
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript prompt.vbs
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\covid21\Corona.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "explorer.exe")
Source: C:\Users\user\Desktop\Covid21 2.0.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Covid21 2.0.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Covid21 2.0.exe 'C:\Users\user\Desktop\Covid21 2.0.exe'
Source: C:\Users\user\Desktop\Covid21 2.0.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\2526.tmp\Covid21.bat' '
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript prompt.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg add 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender' /v DisableAntiSpyware /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe clwcp c:\covid21\covid.jpg
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\x.vbs'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K coronaloop.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\covid21\Corona.exe c:\covid21\corona.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe inv.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe z.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\2526.tmp\mlt.exe mlt.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\2526.tmp\icons.exe icons.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\icons.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe screenscrew.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\t.vbs'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 3 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe PayloadMBR.exe
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /Create /TN 'Windows Update' /ru SYSTEM /SC ONSTART /TR 'C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
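The process-creation list above is the part of this report a detection engineer would turn into rules: reg.exe writing Policies\System\DisableTaskMgr and the Windows Defender DisableAntiSpyware policy, locking the wallpaper with NoChangingWallPaper, taskkill against explorer.exe, WScript/CScript running .vbs files out of %TEMP%, and PayloadMBR.exe registering a SYSTEM scheduled task named 'Windows Update' that relaunches it from %TEMP% at every boot. The Python below is an added example written for this page (not from the report, the sandbox or the sample): a parser for these lines and a small rule set run over them. The regexes, rule names, severities and score are assumptions; the input lines are copied from the report.

```python
"""Added example, not from the report or the sample: turn the sandbox's
process-creation events into findings. The regexes, rule names, severities
and the score are assumptions made for this page."""
import re
from dataclasses import dataclass

# Constructed input: process-creation lines exactly as printed in the report.
EVENTS = [
    r"Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript prompt.vbs",
    r"Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f",
    r"Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg add 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender' /v DisableAntiSpyware /t REG_DWORD /d 1 /f",
    r"Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f",
    r"Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\x.vbs'",
    r"Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak",
    r"Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im explorer.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /Create /TN 'Windows Update' /ru SYSTEM /SC ONSTART /TR 'C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe'",
]

# The image path ends at the first '.exe'; everything after it is the command line.
EVENT_RE = re.compile(
    r"^Source: (?P<parent>.+?) Process created: (?P<image>.+?\.exe)(?: (?P<cmd>.*))?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Rule:
    name: str
    image: str     # regex matched against the lower-cased image basename
    cmd: str       # regex matched against the command line (case-insensitive)
    severity: int  # assumed weight: 1 low, 2 medium, 3 high


# Assumed rule set mirroring the behaviours listed in this report.
RULES = [
    Rule("reg_disable_taskmgr", r"^reg\.exe$",
         r"\badd\b.*\\Policies\\System\b.*\bDisableTaskMgr\b.*/d\s+1\b", 2),
    Rule("reg_disable_defender", r"^reg\.exe$",
         r"\badd\b.*Windows Defender.*\bDisableAntiSpyware\b.*/d\s+1\b", 3),
    Rule("reg_lock_wallpaper", r"^reg\.exe$",
         r"\badd\b.*\\ActiveDesktop\b.*\bNoChangingWallPaper\b", 1),
    Rule("schtasks_system_onstart", r"^schtasks\.exe$",
         r"/create\b.*/ru\s+system\b.*/sc\s+onstart\b", 3),
    Rule("schtasks_run_from_temp", r"^schtasks\.exe$",
         r"/tr\s+\S*\\AppData\\Local\\Temp\\", 3),
    Rule("taskkill_explorer", r"^taskkill\.exe$", r"/im\s+explorer\.exe\b", 2),
    Rule("script_host_vbs", r"^[wc]script\.exe$", r"\.vbs\b", 1),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line):
    """Return {'parent', 'image', 'cmd'} for a process-creation line, else None."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {"parent": basename(m["parent"]), "image": basename(m["image"]),
            "cmd": m["cmd"] or ""}


def match_event(ev):
    return [r for r in RULES
            if re.search(r.image, ev["image"])
            and re.search(r.cmd, ev["cmd"], re.IGNORECASE)]


def triage(lines):
    """Return (findings, score): findings are (parent, image, rule name)
    triples and score is the sum of the matched rules' severities."""
    findings, score = [], 0
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for rule in match_event(ev):
            findings.append((ev["parent"], ev["image"], rule.name))
            score += rule.severity
    return findings, score


if __name__ == "__main__":
    found, total = triage(EVENTS)
    for parent, image, name in found:
        print(f"{parent:16} -> {image:14} {name}")
    print("score:", total)
```

Two of the rules deliberately fire on the same schtasks event: a SYSTEM task that starts at boot is suspicious on its own, and a task whose action lives under a user's Temp directory is suspicious on its own, so the event scores twice. The parent field is kept because the task is created by PayloadMBR.exe, itself running from Temp, which is the chain an analyst would pivot on.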
Source: C:\Users\user\Desktop\Covid21 2.0.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\2526.tmp\Covid21.bat' '
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript prompt.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg add 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender' /v DisableAntiSpyware /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe clwcp c:\covid21\covid.jpg
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\x.vbs'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K coronaloop.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe inv.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe z.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe clwcp c:\covid21\covid.jpg
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\2526.tmp\icons.exe icons.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe screenscrew.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 3 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe PayloadMBR.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\covid21\Corona.exe c:\covid21\corona.exe
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /Create /TN 'Windows Update' /ru SYSTEM /SC ONSTART /TR 'C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe'
Source: C:\Users\user\Desktop\Covid21 2.0.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\SysWOW64\wscript.exe Automated click: OK
Source: C:\Windows\SysWOW64\wscript.exe Automated click: OK
Source: C:\Windows\SysWOW64\wscript.exe Automated click: OK
Source: C:\Windows\SysWOW64\wscript.exe Automated click: OK
Source: C:\Windows\SysWOW64\wscript.exe Automated click: OK
Source: C:\Windows\SysWOW64\wscript.exe Automated click: OK
Source: C:\Windows\SysWOW64\wscript.exe Automated click: OK
Source: C:\Windows\SysWOW64\wscript.exe Automated click: OK
Source: C:\Windows\SysWOW64\wscript.exe Automated click: OK
Source: C:\Windows\SysWOW64\wscript.exe Automated click: OK
Source: C:\Windows\SysWOW64\timeout.exe Automated click: OK
Source: C:\Windows\SysWOW64\wscript.exe Automated click: OK
Source: C:\Windows\SysWOW64\wscript.exe Automated click: OK
Source: C:\Windows\SysWOW64\wscript.exe Automated click: OK
Source: C:\Windows\SysWOW64\wscript.exe Automated click: OK
Source: C:\Windows\SysWOW64\wscript.exe Automated click: OK
Source: C:\Windows\SysWOW64\wscript.exe Automated click: OK
Source: C:\Windows\SysWOW64\wscript.exe Automated click: OK
Source: C:\Windows\SysWOW64\wscript.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Covid21 2.0.exe Static file information: File size 1210880 > 1048576

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Covid21 2.0.exe Code function: 0_2_00405EB2 GetTempPathA,LoadLibraryA,GetProcAddress,GetLongPathNameA,FreeLibrary, 0_2_00405EB2
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Covid21 2.0.exe Code function: 0_2_00478069 push 004112A1h; ret 0_2_004780AE
Source: C:\Users\user\Desktop\Covid21 2.0.exe Code function: 0_2_004780BA push 004112D8h; ret 0_2_004780E5
Source: C:\Users\user\Desktop\Covid21 2.0.exe Code function: 0_2_004775D7 push 0041083Ah; ret 0_2_00477647
Source: C:\Users\user\Desktop\Covid21 2.0.exe Code function: 0_2_00477651 push 004108E4h; ret 0_2_004776F1
Source: C:\Users\user\Desktop\Covid21 2.0.exe Code function: 0_2_004776FB push 00410A14h; ret 0_2_00477821
Source: C:\Users\user\Desktop\Covid21 2.0.exe Code function: 0_2_0046DAD9 push 00406CF0h; ret 0_2_0046DAFD
Source: C:\Users\user\Desktop\Covid21 2.0.exe Code function: 0_2_0046CB59 push 00405D95h; ret 0_2_0046CBA2
Source: C:\Users\user\Desktop\Covid21 2.0.exe Code function: 0_2_00473B01 push ecx; mov dword ptr [esp], edx 0_2_00473B06
Source: C:\Users\user\Desktop\Covid21 2.0.exe Code function: 0_2_0046DB11 push 00407000h; ret 0_2_0046DE0D
Source: C:\Users\user\Desktop\Covid21 2.0.exe Code function: 0_2_0046CD7D push 00405F94h; ret 0_2_0046CDA1
Source: C:\Users\user\Desktop\Covid21 2.0.exe Code function: 0_2_00469DB9 push eax; ret 0_2_00469DF5
Source: C:\Users\user\Desktop\Covid21 2.0.exe Code function: 0_2_0046CE0D push 00406024h; ret 0_2_0046CE31
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_00441090 push 0044111Dh; ret 6_2_00441115
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_0040D62C push 0040D69Bh; ret 6_2_0040D693
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_00405D44 push 00405D95h; ret 6_2_00405D8D
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_00442080 push ecx; mov dword ptr [esp], edx 6_2_00442084
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_004162B8 push ecx; mov dword ptr [esp], edx 6_2_004162BA
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_0044237C push 004423A8h; ret 6_2_004423A0
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_0044A328 push 0044A393h; ret 6_2_0044A38B
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_00428488 push 004284CAh; ret 6_2_004284C2
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_0042E5E8 push 0042E614h; ret 6_2_0042E60C
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_0042E63C push 0042E668h; ret 6_2_0042E660
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_004107C2 push 0041083Ah; ret 6_2_00410832
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_004107C4 push 0041083Ah; ret 6_2_00410832
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_0042C844 push 0042C870h; ret 6_2_0042C868
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_0042C87C push 0042C8A8h; ret 6_2_0042C8A0
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_0042C80C push 0042C838h; ret 6_2_0042C830
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_0041083C push 004108E4h; ret 6_2_004108DC
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_004108E6 push 00410A14h; ret 6_2_00410A0C
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_0042C8EC push 0042C918h; ret 6_2_0042C910
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_0042C8B4 push 0042C8E0h; ret 6_2_0042C8D8
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Persistence and Installation Behavior:

Command shell drops VBS files
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\2526.tmp\x.vbs
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\2526.tmp\t.vbs
Uses cmd line tools excessively to alter registry or file data
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Writes directly to the primary disk partition (DR0)
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe File written: \Device\Harddisk0\DR0 offset: unknown length: 12288
Drops PE files
Source: C:\Users\user\Desktop\Covid21 2.0.exe File created: C:\Users\user\AppData\Local\Temp\2526.tmp\Corona.exe
Source: C:\Users\user\Desktop\Covid21 2.0.exe File created: C:\Users\user\AppData\Local\Temp\2526.tmp\mlt.exe
Source: C:\Users\user\Desktop\Covid21 2.0.exe File created: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe
Source: C:\Users\user\Desktop\Covid21 2.0.exe File created: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe
Source: C:\Users\user\Desktop\Covid21 2.0.exe File created: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe
Source: C:\Users\user\Desktop\Covid21 2.0.exe File created: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe
Source: C:\Users\user\Desktop\Covid21 2.0.exe File created: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\covid21\Corona.exe
Source: C:\Users\user\Desktop\Covid21 2.0.exe File created: C:\Users\user\AppData\Local\Temp\2526.tmp\icons.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /Create /TN 'Windows Update' /ru SYSTEM /SC ONSTART /TR 'C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe'
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_004554C4 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 6_2_004554C4
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_00452098 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,ShowWindow, 6_2_00452098
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_0043AB48 IsIconic,GetCapture, 6_2_0043AB48
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_0043B440 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 6_2_0043B440
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_00425458 IsIconic,GetWindowPlacement,GetWindowRect, 6_2_00425458
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_00455BEC IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 6_2_00455BEC
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_00455CB0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 6_2_00455CB0
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_0043BD64 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 6_2_0043BD64
Source: C:\covid21\Corona.exe Code function: 12_2_0044CF30 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 12_2_0044CF30
Source: C:\covid21\Corona.exe Code function: 12_2_00449F58 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 12_2_00449F58
Source: C:\covid21\Corona.exe Code function: 12_2_0043402C IsIconic,GetCapture, 12_2_0043402C
Source: C:\covid21\Corona.exe Code function: 12_2_004348E0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 12_2_004348E0
Source: C:\covid21\Corona.exe Code function: 12_2_00435160 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 12_2_00435160
Source: C:\covid21\Corona.exe Code function: 12_2_0044D650 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 12_2_0044D650
Source: C:\covid21\Corona.exe Code function: 12_2_0044D700 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 12_2_0044D700
Source: C:\covid21\Corona.exe Code function: 12_2_0042397C MonitorFromWindow,MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect, 12_2_0042397C
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: 13_2_0044A498 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 13_2_0044A498
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: 13_2_00432810 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 13_2_00432810
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: 13_2_0044ABB8 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 13_2_0044ABB8
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: 13_2_0044AC68 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 13_2_0044AC68
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: 13_2_004474C0 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 13_2_004474C0
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: 13_2_004316DC IsIconic,GetCapture, 13_2_004316DC
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: 13_2_00421D38 IsIconic,GetWindowPlacement,GetWindowRect, 13_2_00421D38
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: 13_2_00431F90 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 13_2_00431F90
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_0043A0D6 GetForegroundWindow,IsWindowVisible,GetWindowThreadProcessId,IsZoomed,IsIconic,GetWindowLongA,GetModuleHandleA,GetProcAddress, 18_2_0043A0D6
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_004360F9 SetWindowTextA,IsZoomed,IsIconic,ShowWindow,IsIconic,GetWindowLongA,GetWindowLongA,GetWindowRect,MapWindowPoints,GetWindowLongA,GetWindowRect,GetWindowLongA,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongA,GetMenu,GetWindowLongA,AdjustWindowRectEx,SystemParametersInfoA,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetForegroundWindow,GetFocus,UpdateWindow,SetFocus, 18_2_004360F9
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_0043536F GetWindowLongA,GetWindowLongA,GetWindowLongA,_strlen,SetWindowPos,EnableWindow,IsWindowVisible,IsIconic,SetWindowLongA,SetWindowLongA,SetWindowLongA,SetWindowPos,ShowWindow,ShowWindow,ShowWindow, 18_2_0043536F
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_0043C3F2 GetWindowThreadProcessId,GetWindowThreadProcessId,GetForegroundWindow,FindWindowA,IsIconic,ShowWindow,AttachThreadInput,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,BringWindowToTop, 18_2_0043C3F2
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_00439C0E GetAsyncKeyState,GetForegroundWindow,IsIconic,GetWindowRect, 18_2_00439C0E
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_0044C66D SendMessageA,SendMessageA,SendMessageA,IsWindowVisible,ShowWindow,ShowWindow,IsIconic,ShowWindow,GetForegroundWindow,SetForegroundWindow,SendMessageA, 18_2_0044C66D
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_00431E81 SendMessageA,GetWindowLongA,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,SendMessageA,GetWindowLongA,ShowWindow,EnableWindow,GetWindowRect,PtInRect,PtInRect,PtInRect,SetFocus,SendMessageA,SetFocus,MapWindowPoints,InvalidateRect, 18_2_00431E81
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_0042CF3C GetDC,SelectObject,GetTextMetricsA,GetSystemMetrics,GetDC,SelectObject,GetTextMetricsA,GetSystemMetrics,GetDC,SelectObject,GetTextMetricsA,GetSystemMetrics,DrawTextA,GetSystemMetrics,GetSystemMetrics,GetDC,SelectObject,GetTextMetricsA,GetSystemMetrics,IsWindowVisible,IsIconic,SendMessageA,GetWindowLongA,SendMessageA,CreateWindowExA,SetWindowLongA,SendMessageA,CreateWindowExA,GetWindowLongA,SendMessageA,SendMessageA,CreateWindowExA,CreateWindowExA,CreateWindowExA,SendMessageA,SendMessageA,CreateWindowExA,SendMessageA,SendMessageA,SendMessageA,GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageA,SelectObject,ReleaseDC,SendMessageA,SendMessageA,GetClientRect,SetWindowLongA,SendMessageA,SetWindowLongA,MoveWindow,GetWindowRect,SendMessageA,SetWindowPos,GetWindowRect,MapWindowPoints,InvalidateRect,SetWindowPos,SetWindowPos, 18_2_0042CF3C
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe Code function: 30_2_00428FE4 PostMessageA,PostMessageA,SendMessageA,LoadLibraryA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 30_2_00428FE4
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe Code function: 30_2_0041F210 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 30_2_0041F210
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe Code function: 30_2_0041E320 IsIconic,GetCapture, 30_2_0041E320
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe Code function: 30_2_0041EABA IsIconic,SetWindowPos, 30_2_0041EABA
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe Code function: 30_2_0041EABC IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 30_2_0041EABC
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe Code function: 30_2_004275F8 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 30_2_004275F8
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe Code function: 30_2_00429678 IsIconic,SetActiveWindow, 30_2_00429678
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe Code function: 30_2_004296C0 IsIconic,SetActiveWindow,SetFocus, 30_2_004296C0
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_00440A48 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 6_2_00440A48
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\cmd.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Covid21 2.0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Covid21 2.0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\covid21\Corona.exe Code function: 12_2_004294BC 12_2_004294BC
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: 13_2_00426D20 13_2_00426D20
Contains capabilities to detect virtual machines
Source: C:\Windows\SysWOW64\cmd.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 6_2_0045478C
Source: C:\covid21\Corona.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 12_2_0044C4A0
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 13_2_00449A08
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 30_2_00428764
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Covid21 2.0.exe Window / User API: threadDelayed 1518
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe API coverage: 8.1 %
Source: C:\covid21\Corona.exe API coverage: 7.1 %
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe API coverage: 4.1 %
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe API coverage: 2.9 %
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\covid21\Corona.exe Code function: 12_2_004294BC 12_2_004294BC
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: 13_2_00426D20 13_2_00426D20
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Covid21 2.0.exe TID: 6568 Thread sleep count: 1518 > 30
Source: C:\Users\user\Desktop\Covid21 2.0.exe TID: 6568 Thread sleep time: -37950s >= -30000s
Source: C:\Windows\System32\conhost.exe TID: 6664 Thread sleep count: 111 > 30
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe TID: 7096 Thread sleep time: -46000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 7124 Thread sleep count: 42 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 6428 Thread sleep count: 41 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 6844 Thread sleep count: 37 > 30
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\icons.exe TID: 6048 Thread sleep count: 281 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 7056 Thread sleep count: 43 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 5660 Thread sleep count: 42 > 30
Queries disk information (often used to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe File opened: PhysicalDrive0
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\mlt.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\icons.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\icons.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Sleep loop found (likely to delay execution)
Source: C:\Users\user\Desktop\Covid21 2.0.exe Thread sleep count: Count: 1518 delay: -25
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_0040850C FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 6_2_0040850C
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_00408604 FindFirstFileA,GetLastError, 6_2_00408604
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_00405210 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 6_2_00405210
Source: C:\covid21\Corona.exe Code function: 12_2_00404F24 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 12_2_00404F24
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: 13_2_00404EB8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 13_2_00404EB8
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_0043892A _strlen,FindFirstFileA,FindFirstFileA,FindClose,FindFirstFileA,FindClose,_strcat, 18_2_0043892A
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_00424873 _strlen,_strcat,_strcat,_strrchr,_strlen,_strrchr,FindFirstFileA,FindFirstFileA,GetTickCount,PeekMessageA,GetTickCount,_strlen,_strcat,SetFileAttributesA,FindNextFileA,FindClose,_strcat,FindFirstFileA,_strlen,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,_strlen,FindNextFileA,FindClose, 18_2_00424873
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_00423AD5 DeleteFileA,FindFirstFileA,_strcat,_strrchr,_strlen,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,_strlen,_strcat,DeleteFileA,FindNextFileA,FindClose, 18_2_00423AD5
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_0040A357 _strrchr,_strcat,_strlen,_strcat,FindFirstFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,_strcat,FindFirstFileA,_strlen,_strlen,FindNextFileA,FindClose, 18_2_0040A357
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_0042C368 FindFirstFileA,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,_strlen,_strcat,MoveFileA,DeleteFileA,MoveFileA,CopyFileA,FindNextFileA,FindClose, 18_2_0042C368
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_00423D09 FindFirstFileA,FindClose, 18_2_00423D09
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_00423DE4 FindFirstFileA,FindClose,FileTimeToLocalFileTime, 18_2_00423DE4
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_00424DBB _strlen,_strcat,LocalFileTimeToFileTime,GetSystemTimeAsFileTime,_strcat,_strrchr,_strlen,_strrchr,FindFirstFileA,FindFirstFileA,SetFileTime,GetTickCount,PeekMessageA,GetTickCount,_strlen,_strcat,CreateFileA,SetFileTime,CloseHandle,FindNextFileA,FindClose,_strcat,FindFirstFileA,_strlen,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,_strlen,FindNextFileA,FindClose, 18_2_00424DBB
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_0042C603 GetFileAttributesA,FindFirstFileA,FindClose, 18_2_0042C603
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_00439FDC FindFirstFileA,FindClose,GetFileAttributesA, 18_2_00439FDC
Source: C:\covid21\Corona.exe Code function: 12_2_0041DBAC GetSystemInfo, 12_2_0041DBAC
Source: reg.exe, 00000004.00000002.650947885.0000000003800000.00000002.00000001.sdmp, reg.exe, 00000005.00000002.652831555.0000000002F80000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.662228048.0000000002AA0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: reg.exe, 00000004.00000002.650947885.0000000003800000.00000002.00000001.sdmp, reg.exe, 00000005.00000002.652831555.0000000002F80000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.662228048.0000000002AA0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: reg.exe, 00000004.00000002.650947885.0000000003800000.00000002.00000001.sdmp, reg.exe, 00000005.00000002.652831555.0000000002F80000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.662228048.0000000002AA0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Covid21 2.0.exe, 00000000.00000002.754672702.000000000092B000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Covid21 2.0.exe, 00000000.00000002.754672702.000000000092B000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\oy
Source: reg.exe, 00000004.00000002.650947885.0000000003800000.00000002.00000001.sdmp, reg.exe, 00000005.00000002.652831555.0000000002F80000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.662228048.0000000002AA0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe Process information queried: ProcessInformation

Anti Debugging:

Found API chain indicative of debugger detection
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\mlt.exe Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\icons.exe Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe Process queried: DebugPort
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Covid21 2.0.exe Code function: 0_2_00405EB2 GetTempPathA,LoadLibraryA,GetProcAddress,GetLongPathNameA,FreeLibrary, 0_2_00405EB2
Enables debug privileges
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Covid21 2.0.exe Code function: 0_2_00403B70 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter, 0_2_00403B70
Source: C:\Users\user\Desktop\Covid21 2.0.exe Code function: 0_2_00403CC0 SetUnhandledExceptionFilter, 0_2_00403CC0
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\mlt.exe Code function: 23_2_004011B0 Sleep,Sleep,SetUnhandledExceptionFilter,GetStartupInfoA, 23_2_004011B0
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\mlt.exe Code function: 23_2_00402C58 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,Sleep,TlsGetValue, 23_2_00402C58
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\mlt.exe Code function: 23_2_00402290 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 23_2_00402290
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\icons.exe Code function: 27_2_00401179 Sleep,Sleep,SetUnhandledExceptionFilter,_acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,GetStartupInfoA,_initterm,exit, 27_2_00401179
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\icons.exe Code function: 27_2_0040201C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 27_2_0040201C
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\icons.exe Code function: 27_2_00402020 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 27_2_00402020

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_0040EFDE _strlen,_strcat,_strlen,_strcat,CreateProcessA,CloseHandle,_strcat,ShellExecuteExA,CloseHandle,_strlen,_strlen, 18_2_0040EFDE
Contains functionality to simulate keystroke presses
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_004132DA keybd_event,VkKeyScanExA, 18_2_004132DA
Contains functionality to simulate mouse events
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_0041380D mouse_event, 18_2_0041380D
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Covid21 2.0.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\2526.tmp\Covid21.bat' '
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript prompt.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg add 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender' /v DisableAntiSpyware /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe clwcp c:\covid21\covid.jpg
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\x.vbs'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K coronaloop.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe inv.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe z.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe clwcp c:\covid21\covid.jpg
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\2526.tmp\icons.exe icons.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe screenscrew.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 3 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe PayloadMBR.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\covid21\Corona.exe c:\covid21\corona.exe
Uses taskkill to terminate processes
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im explorer.exe
Source: Covid21 2.0.exe, 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp, z.exe, z.exe.0.dr Binary or memory string: Program Manager
Source: Covid21 2.0.exe, z.exe, PayloadMBR.exe, 00000024.00000002.791832292.0000000000401000.00000020.00020000.sdmp, z.exe.0.dr Binary or memory string: Shell_TrayWnd
Source: wscript.exe, 00000008.00000002.793742315.00000000037C0000.00000002.00000001.sdmp, Corona.exe, 0000000C.00000002.793639619.0000000000CB0000.00000002.00000001.sdmp, inv.exe, 0000000D.00000002.792750728.0000000000D80000.00000002.00000001.sdmp, z.exe, 00000012.00000002.793392786.0000000001C00000.00000002.00000001.sdmp, mlt.exe, 00000017.00000002.792369674.0000000000E90000.00000002.00000001.sdmp, icons.exe, 0000001B.00000002.793032728.0000000001100000.00000002.00000001.sdmp, screenscrew.exe, 0000001E.00000002.793451174.0000000000DC0000.00000002.00000001.sdmp, PayloadMBR.exe, 00000024.00000002.793503258.0000000000E20000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Covid21 2.0.exe, 00000000.00000002.754058059.000000000043D000.00000040.00020000.sdmp, PayloadMBR.exe, 00000024.00000002.791832292.0000000000401000.00000020.00020000.sdmp, PayloadMBR.exe.0.dr Binary or memory string: Windows UpdateShell_TrayWnd
Source: Covid21 2.0.exe, 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp, z.exe, 00000012.00000002.792846873.000000000045A000.00000002.00020000.sdmp, z.exe.0.dr Binary or memory string: (preempted: they will resume when the current thread finishes)%s CreateWindoweditShell_TrayWndAutoHotkey2RegClass0x%%%s%s%s.fRequires 1/2/3/Slow/Fast The current thread will exit.msRelativeScreenPress OK to continue.wait
Source: Covid21 2.0.exe, 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp, z.exe, 00000012.00000002.792846873.000000000045A000.00000002.00020000.sdmp, z.exe.0.dr Binary or memory string: ?IsHungAppWindowIsHungThreadThe maximum number of MsgBoxes has been reached.groupclasspididahk_%s%uProgram Manager
Source: wscript.exe, 00000008.00000002.793742315.00000000037C0000.00000002.00000001.sdmp, Corona.exe, 0000000C.00000002.793639619.0000000000CB0000.00000002.00000001.sdmp, inv.exe, 0000000D.00000002.792750728.0000000000D80000.00000002.00000001.sdmp, z.exe, 00000012.00000002.793392786.0000000001C00000.00000002.00000001.sdmp, mlt.exe, 00000017.00000002.792369674.0000000000E90000.00000002.00000001.sdmp, icons.exe, 0000001B.00000002.793032728.0000000001100000.00000002.00000001.sdmp, screenscrew.exe, 0000001E.00000002.793451174.0000000000DC0000.00000002.00000001.sdmp, PayloadMBR.exe, 00000024.00000002.793503258.0000000000E20000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 6_2_004053D4
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: GetLocaleInfoA, 6_2_0040B068
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: GetLocaleInfoA, 6_2_0040B0B4
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 6_2_004054E0
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: GetLocaleInfoA, 6_2_00405CCE
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: GetLocaleInfoA, 6_2_00405CD0
Source: C:\covid21\Corona.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 12_2_004050DC
Source: C:\covid21\Corona.exe Code function: GetLocaleInfoA, 12_2_0040A9FC
Source: C:\covid21\Corona.exe Code function: GetLocaleInfoA, 12_2_0040AA48
Source: C:\covid21\Corona.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 12_2_004051E8
Source: C:\covid21\Corona.exe Code function: GetLocaleInfoA, 12_2_004059D2
Source: C:\covid21\Corona.exe Code function: GetLocaleInfoA, 12_2_004059D4
Source: C:\covid21\Corona.exe Code function: GetLocaleInfoA,GetACP, 12_2_0040BFE8
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 13_2_00405070
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: GetLocaleInfoA, 13_2_0040A8B4
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: GetLocaleInfoA, 13_2_0040A900
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 13_2_0040517C
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: GetLocaleInfoA, 13_2_00405966
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: GetLocaleInfoA, 13_2_00405968
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe Code function: GetLocaleInfoA,GetACP, 13_2_0040BE14
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: GetLocaleInfoA, 18_2_0043DE27
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpy,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA, 30_2_004043C8
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe Code function: GetLocaleInfoA, 30_2_004082D0
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe Code function: GetLocaleInfoA, 30_2_0040831C
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe Code function: 6_2_00409B44 GetLocalTime, 6_2_00409B44
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe Code function: 18_2_00419AF0 GetComputerNameA,GetUserNameA,_strcat,_strlen, 18_2_00419AF0
Source: C:\Users\user\Desktop\Covid21 2.0.exe Code function: 0_2_00403CD7 GetVersionExA,GetVersionExA,GetVersionExA, 0_2_00403CD7
Source: C:\Windows\SysWOW64\cscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Disables the Windows task manager (taskmgr)
Source: C:\Windows\SysWOW64\reg.exe Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr
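The reg.exe, taskkill.exe and wscript.exe command lines recorded under "HIPS / PFW / Operating System Protection Evasion" above, together with the DisableTaskMgr modification just listed, are what an endpoint detection rule would key on: one shell turning off Task Manager, Defender and wallpaper changes, killing explorer.exe and launching scripts out of the user's Temp directory. The following is an added example, not code from this sandbox report or from the sample. It parses process-creation records shaped like the report's "Process created:" entries and names the rules each one triggers. The ProcessEvent record shape, the rule names and the three-rule chain threshold are assumptions; the sample records are constructed from the command lines the report prints, plus one benign control.

```python
"""Detection logic for the cmd.exe-driven defence tampering seen in this report.

Added example (not from the sandbox report or the sample). Record shape,
rule names and the chain threshold are assumptions; SAMPLE_EVENTS is constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    parent: str    # image path of the creating process
    image: str     # image path of the created process
    cmdline: str   # command line as the sandbox recorded it


# (hive, key path, value name) -> rule name: policy values the sample sets to 1.
TAMPER_POLICIES = {
    ("hkcu", r"software\microsoft\windows\currentversion\policies\system", "disabletaskmgr"): "task_manager_disabled",
    ("hklm", r"software\policies\microsoft\windows defender", "disableantispyware"): "defender_disabled",
    ("hkcu", r"software\microsoft\windows\currentversion\policies\activedesktop", "nochangingwallpaper"): "wallpaper_locked",
}
_HIVES = {"hkcu": "hkcu", "hkey_current_user": "hkcu", "hklm": "hklm", "hkey_local_machine": "hklm"}
_TOKEN = re.compile(r"""'[^']*'|"[^"]*"|\S+""")   # quoted argument or bare word


def tokenize(cmdline: str) -> list:
    """Split a cmd.exe-style command line, keeping quoted arguments whole (quotes stripped)."""
    return [t.strip("'\"") for t in _TOKEN.findall(cmdline)]


def parse_reg_add(cmdline: str):
    """Return (hive, key path, value name, data) for a 'reg add' command line, else None."""
    tok = tokenize(cmdline)
    if len(tok) < 3 or tok[0].lower() not in ("reg", "reg.exe") or tok[1].lower() != "add":
        return None
    hive, _, path = tok[2].partition("\\")
    opts, i = {}, 3
    while i < len(tok):
        flag = tok[i].lower()
        if flag in ("/v", "/t", "/d") and i + 1 < len(tok):   # flags that take an argument
            opts[flag] = tok[i + 1]
            i += 2
        else:                                                  # /f, /ve, /reg:32 ... take none
            i += 1
    return _HIVES.get(hive.lower(), hive.lower()), path.lower(), opts.get("/v", "").lower(), opts.get("/d")


def classify(event: ProcessEvent) -> list:
    """Return the rule names an event triggers; an empty list means nothing matched."""
    hits = []
    name = event.image.rsplit("\\", 1)[-1].lower()
    tok = [t.lower() for t in tokenize(event.cmdline)]
    if name == "reg.exe":
        parsed = parse_reg_add(event.cmdline)
        if parsed:
            hive, path, value, data = parsed
            rule = TAMPER_POLICIES.get((hive, path, value))
            if rule and str(data).lower() in ("1", "0x1"):    # setting it to 0 is remediation, not tampering
                hits.append(rule)
    elif name == "taskkill.exe" and "/im" in tok:
        idx = tok.index("/im")
        if idx + 1 < len(tok) and tok[idx + 1] == "explorer.exe":
            hits.append("explorer_killed")
    elif name in ("wscript.exe", "cscript.exe"):
        if any("\\appdata\\local\\temp\\" in t and t.endswith((".vbs", ".js", ".wsf")) for t in tok):
            hits.append("script_from_temp")
    return hits


def summarise(events) -> dict:
    """Distinct rules triggered per parent image (lower-cased)."""
    by_parent = {}
    for ev in events:
        for rule in classify(ev):
            by_parent.setdefault(ev.parent.lower(), set()).add(rule)
    return {parent: sorted(rules) for parent, rules in by_parent.items()}


def tampering_chains(events, threshold: int = 3) -> list:
    """Parents that triggered at least `threshold` distinct rules: one shell doing all of it is the alert."""
    return sorted(p for p, rules in summarise(events).items() if len(rules) >= threshold)


# Constructed records modelled on the report's "Process created:" lines, plus a benign control.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\reg.exe", r"REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"),
    ProcessEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\reg.exe", r"Reg add 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender' /v DisableAntiSpyware /t REG_DWORD /d 1 /f"),
    ProcessEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\reg.exe", r"reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f"),
    ProcessEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\wscript.exe", r"'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs'"),
    ProcessEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\timeout.exe", r"timeout 5 /nobreak"),
    ProcessEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\taskkill.exe", r"taskkill /f /im explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe", r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev) or "-", ev.cmdline)
    print("tampering chains:", tampering_chains(SAMPLE_EVENTS))
```

The per-event rules are deliberately narrow (a value of 1 on a known policy key, explorer.exe as the taskkill target, a script interpreter fed a file under AppData\Local\Temp) so that an administrator's `reg add ... /d 0` does not fire; the signal that matters is the parent-level chain, which this sample's single cmd.exe instance satisfies many times over.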

Stealing of Sensitive Information:

OS version to string mapping found (often used in BOTs)
Source: z.exe.0.dr Binary or memory string: WIN_XP
Source: z.exe.0.dr Binary or memory string: stoppedplay AHK_PlayMeopen "%s" alias AHK_PlayMe%s\All Files (*.*)*.*Text Documents (*.txt)*.txt%s%c%s%cAll Files (*.*)%c*.*%c Select File - %s::{The maximum number of File Dialogs has been reached. The current thread will exit.A Goto/Gosub must not jump into a block that doesn't enclose it.MMMMMMM%02d%03dMSec%dmsSlowSingleLogoff1.0.48.05\AutoHotkey.exeWIN32_WINDOWSWIN32_NTWIN_MEWIN_98WIN_95WIN_NT4WIN_2000WIN_2003WIN_VISTAWIN_XP.DEFAULT\Control Panel\Desktop\ResourceLocaleSYSTEM\CurrentControlSet\Control\Nls\LanguageInstallLanguageSOFTWARE\Microsoft\Windows\CurrentVersionProgramFilesDirAppDataCommon AppDataSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersDesktopCommon DesktopStart MenuCommon Start MenuProgramsCommon ProgramsStartupCommon StartupPersonalUpArrowSizeWESizeNWSESizeNSSizeNESWSizeAllSizeNoIBeamCrossArrowAppStartingUnknownGetCursorInfoColClickDoubleClickNormalGetLastInputInfo
Source: z.exe.0.dr Binary or memory string: WIN_VISTA
Behavior Graph ID: 377010 Sample: Covid21 2.0.exe Startdate: 28/03/2021 Architecture: WINDOWS Score: 84

Behavior graph (rendered as text):
  [sample] signatures: Multi AV Scanner detection for submitted file; Machine Learning detection for sample
  Covid21 2.0.exe (started)
    dropped: C:\Users\user\AppData\Local\Temp\...\z.exe (PE32); C:\Users\user\AppData\...\screenscrew.exe (PE32); C:\Users\user\AppData\Local\Temp\...\mlt.exe (PE32+); 5 other files (4 malicious)
    cmd.exe (started)
      dropped: C:\covid21\Corona.exe (PE32); C:\Users\user\AppData\Local\Temp\...\y.vbs (ASCII); C:\Users\user\AppData\Local\Temp\...\x.vbs (ASCII); C:\Users\user\AppData\Local\Temp\...\t.vbs (ASCII)
      signatures: Command shell drops VBS files; Uses cmd line tools excessively to alter registry or file data
      PayloadMBR.exe (started)
        dropped: \Device\Harddisk0\DR0 (DOS/MBR)
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Protects its processes via BreakOnTermination flag; 2 other signatures
        schtasks.exe (started)
          conhost.exe (started)
      icons.exe (started)
        signatures: Machine Learning detection for dropped file; Found API chain indicative of debugger detection
        conhost.exe (started)
      inv.exe (started)
        signatures: Contains functionality to detect sleep reduction / modifications
      25 other processes (started)
        signatures: Contains functionality to change the wallpaper; Sample or dropped binary is a compiled AutoHotkey binary; Disables the Windows task manager (taskmgr)
        Corona.exe (started)
          signatures: Contains functionality to detect sleep reduction / modifications
        conhost.exe (started)
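The write of a DOS/MBR image to \Device\Harddisk0\DR0 by PayloadMBR.exe, recorded in the graph above, is the step a responder most needs to verify on an affected host. What follows is an added example and not code from this report or from the sample: it parses a 512-byte master boot record and compares a captured sector against a known-good baseline, so an overwritten boot code, a wiped partition table or a missing 0x55AA signature shows up by name. The two sectors it works on are constructed for the example (a placeholder boot stub and one NTFS partition); they are not the sample's real payload, and the read_mbr helper path is only an illustration.

```python
r"""MBR triage check for the \Device\Harddisk0\DR0 write reported above.

Added example (not code from the sandbox report or the sample). CLEAN_MBR and
OVERWRITTEN_MBR are constructed here and stand in for a baseline and a capture.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_LEN = 440            # bytes 0..439 hold boot code; the 4-byte disk signature follows at 440
PART_TABLE_OFFSET = 446       # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Return boot-signature status, a hash of the boot code, the disk signature and the partition table."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        status, _chs_first, ptype, _chs_last, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", sector, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0:        # empty entry
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, BOOTCODE_LEN)[0],
        "partitions": partitions,
    }


def mbr_drift(baseline: bytes, current: bytes) -> list:
    """Name what changed between a known-good MBR and a captured one (empty list = unchanged)."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if base["bootcode_sha256"] != cur["bootcode_sha256"]:
        findings.append("bootcode_changed")
    if base["partitions"] != cur["partitions"]:
        findings.append("partition_table_changed")
    if base["boot_signature_ok"] and not cur["boot_signature_ok"]:
        findings.append("boot_signature_missing")
    return findings


def build_mbr(bootcode: bytes, entries: list, signed: bool = True) -> bytes:
    """Assemble a 512-byte MBR from boot code and (status, type, lba_start, sectors) entries; used for the constructed samples."""
    sector = bytearray(MBR_SIZE)
    code = bootcode[:BOOTCODE_LEN]
    sector[:len(code)] = code
    for i, (status, ptype, lba_start, sectors) in enumerate(entries[:4]):
        struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFFSET + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)
    if signed:
        sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed baseline: a two-byte placeholder stub (jmp $) and one bootable NTFS partition at LBA 2048.
CLEAN_MBR = build_mbr(b"\xeb\xfe", [(0x80, 0x07, 2048, 204800)])
# Constructed "after" sector: boot code replaced, partition table zeroed, signature gone.
OVERWRITTEN_MBR = build_mbr(bytes(range(256)) * 2, [], signed=False)


def read_mbr(device: str) -> bytes:
    r"""Read the first sector of a raw device (needs admin/root; e.g. '\\.\PhysicalDrive0' or '/dev/sda')."""
    with open(device, "rb") as fh:
        return fh.read(MBR_SIZE)


if __name__ == "__main__":
    print(parse_mbr(CLEAN_MBR))
    print("drift:", mbr_drift(CLEAN_MBR, OVERWRITTEN_MBR))
```

For a real host the baseline is the MBR captured at provisioning time (or from a known-good twin of the image), and the capture is read_mbr on the suspect disk; the boot-code hash is compared rather than the raw bytes so the baseline can be stored as a single line in an inventory.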
No contacted IP infos