File name:

Trojan.Ransom.Covid-666.zip

Full analysis: https://app.any.run/tasks/3cee203e-7172-47e7-97a5-807b42ac3467
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: April 21, 2025, 06:19:29
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
ransomware
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

17DD47A5EDD00F044D521D35FA20EB38

SHA1:

952DAD38C73C2A1C68BD7CDB0FD0DBFBF8FEC484

SHA256:

89D3882D17E6D7ACBBC931D8DF5A53E70C2DE3E5DF5AAEA0CA4CA3A99930C8E7

SSDEEP:

24576:iJZak12EsCVcjs6V7/QzAH95xGwfXrHrX4hWsXEHB1xX1:iJZak12EsCGjsi7/QzAH95xG6XrHrX4A

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 7308)
    • Renames files like ransomware

      • cmd.exe (PID: 8160)
    • Disables task manager

      • reg.exe (PID: 5072)
    • Disables the LogOff option in the Start menu

      • reg.exe (PID: 1116)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Trojan.Ransom.Covid-666.exe (PID: 8112)
      • cmd.exe (PID: 8160)
    • Reads security settings of Internet Explorer

      • Trojan.Ransom.Covid-666.exe (PID: 8112)
    • Starts CMD.EXE for command execution

      • Trojan.Ransom.Covid-666.exe (PID: 8112)
    • A mutex related to thread handling in the GNU C Compiler (GCC) libraries has been found

      • mbr.exe (PID: 7172)
    • Creates a file in the system drive root

      • cmd.exe (PID: 8160)
    • The system shuts down or reboots

      • cmd.exe (PID: 8160)
    • Changes the desktop background image

      • reg.exe (PID: 4628)
      • reg.exe (PID: 5324)
      • reg.exe (PID: 1628)
    • The executable file from the user directory is run by the CMD process

      • MainWindow.exe (PID: 7180)
      • mbr.exe (PID: 7172)
    • Executing commands from a ".bat" file

      • Trojan.Ransom.Covid-666.exe (PID: 8112)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 8160)
  • INFO

    • Manual execution by a user

      • Trojan.Ransom.Covid-666.exe (PID: 8004)
      • Trojan.Ransom.Covid-666.exe (PID: 8112)
    • Drops a (possible) Coronavirus decoy

      • WinRAR.exe (PID: 7308)
      • Trojan.Ransom.Covid-666.exe (PID: 8112)
      • cmd.exe (PID: 8160)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 7308)
    • The sample was compiled with English language support

      • WinRAR.exe (PID: 7308)
      • Trojan.Ransom.Covid-666.exe (PID: 8112)
      • cmd.exe (PID: 8160)
    • Creates files in a temporary directory

      • Trojan.Ransom.Covid-666.exe (PID: 8112)
    • Checks supported languages

      • Trojan.Ransom.Covid-666.exe (PID: 8112)
      • mbr.exe (PID: 7172)
      • MainWindow.exe (PID: 7180)
    • Reads the computer name

      • Trojan.Ransom.Covid-666.exe (PID: 8112)
      • MainWindow.exe (PID: 7180)
    • Process checks computer location settings

      • Trojan.Ransom.Covid-666.exe (PID: 8112)
    • Reads the software policy settings

      • slui.exe (PID: 7568)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2025:04:20 23:08:40
ZipCRC: 0x8c886287
ZipCompressedSize: 638390
ZipUncompressedSize: 704000
ZipFileName: Trojan.Ransom.Covid-666.exe
No data.
All screenshots are available in the full report
Total processes
167
Monitored processes
33
Malicious processes
3
Suspicious processes
1

Behavior graph

Processes in the behavior graph, in start order:
  • winrar.exe
  • sppextcomobj.exe (no specs)
  • slui.exe
  • trojan.ransom.covid-666.exe (no specs)
  • trojan.ransom.covid-666.exe
  • cmd.exe
  • conhost.exe (no specs)
  • reg.exe (no specs) ×5
  • mbr.exe (no specs)
  • reg.exe (no specs)
  • rundll32.exe (no specs) ×4
  • reg.exe (no specs)
  • mainwindow.exe (no specs)
  • shutdown.exe (no specs)
  • reg.exe (no specs)
  • rundll32.exe (no specs) ×10
  • slui.exe (no specs)

Process information

PID:
720
CMD:
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
Path:
C:\Windows\SysWOW64\rundll32.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID:
1116
CMD:
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
Path:
C:\Windows\SysWOW64\reg.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
1532
CMD:
shutdown /r /t 240 /c "You have only 4 minutes to complete the payment or all your data is lost forever"
Path:
C:\Windows\SysWOW64\shutdown.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Shutdown and Annotation Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\shutdown.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
1628
CMD:
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\note.bmp /f
Path:
C:\Windows\SysWOW64\reg.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
2148
CMD:
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
Path:
C:\Windows\SysWOW64\rundll32.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID:
2236
CMD:
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
Path:
C:\Windows\SysWOW64\rundll32.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID:
2384
CMD:
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
Path:
C:\Windows\SysWOW64\reg.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
2692
CMD:
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
Path:
C:\Windows\SysWOW64\rundll32.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID:
3676
CMD:
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
Path:
C:\Windows\SysWOW64\reg.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
4628
CMD:
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\note.bmp /f
Path:
C:\Windows\SysWOW64\reg.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
3 177
Read events
3 151
Write events
26
Delete events
0

Modification events

(PID) Process: (7308) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (7308) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (7308) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (7308) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\Trojan.Ransom.Covid-666.zip

(PID) Process: (7308) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (7308) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (7308) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (7308) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (7308) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000

(PID) Process: (7308) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation: write
Name: name
Value: 256
Executable files
4
Suspicious files
14
Text files
8
Unknown types
0

Dropped files

PID: 7172
Process: mbr.exe
Filename: \Device\Harddisk0\DR0
MD5:
SHA256:

PID: 8112
Process: Trojan.Ransom.Covid-666.exe
Filename: C:\Users\admin\AppData\Local\Temp\1886.tmp\mbr.cpp
Type: text
MD5: D20EDDECB5625B60D61D80C067537188
SHA256: 45EAA30A90C739FD9FB32D59B29D3E7CD8871431670A3E64D6C34FD53A08F979

PID: 8112
Process: Trojan.Ransom.Covid-666.exe
Filename: C:\Users\admin\AppData\Local\Temp\1886.tmp\MainWindow.exe
Type: executable
MD5: 23AB00DEB47223BA73B700EB371FB0FE
SHA256: D42807867BD69D5DB2605E4E6F39E5F70E0CC9DB0CAC9216FD6A9CD8CC324E0D

PID: 8160
Process: cmd.exe
Filename: C:\Users\admin\Desktop\nafemale.jpg.covid666
Type: binary
MD5: 4FBEDCEA2B16D0E115D70A58C141DF11
SHA256: 1DB5B440457A0D8333F71806BF4915307FF9F7A9F124F67C5983B8B4CD33569F

PID: 8112
Process: Trojan.Ransom.Covid-666.exe
Filename: C:\Users\admin\AppData\Local\Temp\1886.tmp\Covid666.bat
Type: text
MD5: 5E19B2EEB24514E87AA6039BD012FA6E
SHA256: 0CABBE47E3A8799502084B4C691634D16DC3BF317FC17D9D898ED336A476C778

PID: 8160
Process: cmd.exe
Filename: C:\note.bmp
Type: image
MD5: 4A43A8B397043B6EB9C5359CF45DA6F8
SHA256: 3AABD4300D36CAC3E85DEE2274351B0E58C2F19B59B607751127F5AE0C2BC8A1

PID: 8160
Process: cmd.exe
Filename: C:\Users\admin\Desktop\alongsense.png.covid666
Type: binary
MD5: 236DE2B6596611F4240095A9B51E20D2
SHA256: 75A9F6DCE19F23C8CD7B3F23C386D594EE69A48868910CD780A0EA268CB2A197

PID: 8112
Process: Trojan.Ransom.Covid-666.exe
Filename: C:\Users\admin\AppData\Local\Temp\1886.tmp\note.bmp
Type: image
MD5: 4A43A8B397043B6EB9C5359CF45DA6F8
SHA256: 3AABD4300D36CAC3E85DEE2274351B0E58C2F19B59B607751127F5AE0C2BC8A1

PID: 8160
Process: cmd.exe
Filename: C:\Users\admin\Desktop\acouple.png.covid666
Type: binary
MD5: D98AD743D7D2C0F93B0654D8DC576227
SHA256: BF700F53135A5AD420DCDE678FF8E64EA3CC47998966F0DBABAE572B3DDDFAFB

PID: 8160
Process: cmd.exe
Filename: C:\Users\admin\Desktop\Trojan.Ransom.Covid-666.exe.covid666
Type: executable
MD5: 0C303AE1347C0395A96F3EB38D26D7ED
SHA256: 1EEFAEB98524277D1AEB459B6E4A31472CE2F4FF15F8F45B051E1C8A021C8FA7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
22
DNS requests
15
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 2.18.121.147:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 23.200.189.225:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.200.189.225:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.18.121.147:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
1760 | SIHClient.exe | GET | 200 | 23.200.189.225:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
1760 | SIHClient.exe | GET | 200 | 23.200.189.225:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 2.18.121.147:80 | crl.microsoft.com | AKAMAI-AS | FR | whitelisted
- | - | 2.18.121.147:80 | crl.microsoft.com | AKAMAI-AS | FR | whitelisted
5496 | MoUsoCoreWorker.exe | 23.200.189.225:80 | www.microsoft.com | Moratelindo Internet Exchange Point | ID | whitelisted
- | - | 23.200.189.225:80 | www.microsoft.com | Moratelindo Internet Exchange Point | ID | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2112 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 2.18.121.147
whitelisted
google.com
  • 172.217.23.206
whitelisted
www.microsoft.com
  • 23.200.189.225
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.159.129
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info