File name: | Covid29 Ransomware.zip |
Full analysis: | https://app.any.run/tasks/e983ca32-432d-4826-84f3-b85547afb8b4 |
Verdict: | Malicious activity |
Analysis date: | May 26, 2024, 11:00:28 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
MD5: | 272D3E458250ACD2EA839EB24B427CE5 |
SHA1: | FAE7194DA5C969F2D8220ED9250AA1DE7BF56609 |
SHA256: | BBB5C6B4F85C81A323D11D34629776E99CA40E983C5CE0D0A3D540ADDB1C2FE3 |
SSDEEP: | 49152:dSrGy+kXRl9cIXjRG8OzbgFSXACZ4UL238tvVZkKNDN0AaFlkUSan:OZlyIzRXOfZv4UrtvVZRW6i |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | TrojanRansomCovid29.exe |
---|---|
ZipUncompressedSize: | 555520 |
ZipCompressedSize: | 465636 |
ZipCRC: | 0x24cf6d3f |
ZipModifyDate: | 2022:03:06 16:11:02 |
ZipCompression: | Deflated |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3976 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Covid29 Ransomware.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
4016 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.5177\TrojanRansomCovid29.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.5177\TrojanRansomCovid29.exe | — | WinRAR.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Modules
| |||||||||||||||
2108 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.5177\TrojanRansomCovid29.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.5177\TrojanRansomCovid29.exe | WinRAR.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
752 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\4CDA.tmp\TrojanRansomCovid29.bat" " | C:\Windows\System32\cmd.exe | TrojanRansomCovid29.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
2028 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\4CDA.tmp\fakeerror.vbs" | C:\Windows\System32\wscript.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
1872 | ping localhost -n 2 | C:\Windows\System32\PING.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1112 | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2204 | reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2312 | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1764 | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
|
(PID) Process: | (3976) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (3976) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (3976) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (3976) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
(PID) Process: | (3976) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
(PID) Process: | (3976) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
(PID) Process: | (3976) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\Covid29 Ransomware.zip | |||
(PID) Process: | (3976) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (3976) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (3976) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3976 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.5177\readme.txt | text | |
MD5:F4F557DB9C615C87E524802AF8A9992F | SHA256:17976E8A6952B0123B729B50B3AD981CBE97083DB9DE66A37EB6F8DECC39B76E | |||
3976 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.5177\source\Cov29Cry\bg.jpg | image | |
MD5:108FC794E7171419CF881B4058F88D20 | SHA256:741D2576009640A47733A6C724D56ED1A9CEE1014CDE047B9384181A1758CD34 | |||
3976 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.5177\source\Bat To Exe Converter\help.chm | chm | |
MD5:FFA8C49B21B077B0DC4B51A1F6F9A753 | SHA256:00037BFC41AFACF262AFDA160E17D3CCA33606276324E99BBD93AD1207E9A7C0 | |||
3976 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.5177\source\Bat To Exe Converter\settings.ini | ini | |
MD5:D3BE6C4EDEA45F5A9A766DD235E4C23A | SHA256:236D6136A9EA4241FACB7C459BF0BAD6D1FA572D436E6E73C44884D6126E5AB4 | |||
3976 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.5177\source\Cov29Cry\Cov29Cry.exe.death | executable | |
MD5:8BCD083E16AF6C15E14520D5A0BD7E6A | SHA256:B4F78FF66DC3F5F8DDD694166E6B596D533830792F9B5F1634D3F5F17D6A884A | |||
3976 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.5177\source\Cov29LockScreen.exe | executable | |
MD5:F724C6DA46DC54E6737DB821F9B62D77 | SHA256:6CDE4A9F109AE5473703C4F5962F43024D71D2138CBD889223283E7B71E5911C | |||
3976 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.5177\source\Cov29Cry\Chaos Ransomware Builder v4.exe | executable | |
MD5:8B855E56E41A6E10D28522A20C1E0341 | SHA256:F2665F89BA53ABD3DEB81988C0D5194992214053E77FC89B98B64A31A7504D77 | |||
3976 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.5177\source\Cov29LockScreen\23311_lores.jpg | image | |
MD5:108FC794E7171419CF881B4058F88D20 | SHA256:741D2576009640A47733A6C724D56ED1A9CEE1014CDE047B9384181A1758CD34 | |||
3976 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.5177\source\Cov29LockScreen\Cov29LockScreen.vbp | text | |
MD5:420983DAADCF363DEE597DA26732659D | SHA256:7008899F61B246889060A2032DBF812EA579F147880AB8F0AE7DB67729D61090 | |||
3976 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.5177\source\Cov29Cry\AdvancedOptions.PNG | image | |
MD5:C5F0F9AB684461C635F551D045E6CAA5 | SHA256:6C9EB2DA924DF69BCEE50C50F51A67C66321EAF1F453E4C864F037D31E08CF93 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |