File name: Covid29 Ransomware.zip
Full analysis: https://app.any.run/tasks/e983ca32-432d-4826-84f3-b85547afb8b4
Verdict: Malicious activity
Analysis date: May 26, 2024, 11:00:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: covid19
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 272D3E458250ACD2EA839EB24B427CE5
SHA1: FAE7194DA5C969F2D8220ED9250AA1DE7BF56609
SHA256: BBB5C6B4F85C81A323D11D34629776E99CA40E983C5CE0D0A3D540ADDB1C2FE3
SSDEEP: 49152:dSrGy+kXRl9cIXjRG8OzbgFSXACZ4UL238tvVZkKNDN0AaFlkUSan:OZlyIzRXOfZv4UrtvVZRW6i

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3976)
      • TrojanRansomCovid29.exe (PID: 2108)
      • cmd.exe (PID: 752)
      • Cov29Cry.exe (PID: 1060)
    • UAC/LUA settings modification

      • reg.exe (PID: 316)
    • Disables Log Off in the Start menu

      • reg.exe (PID: 1580)
    • Creates files in the Startup directory

      • svchost.exe (PID: 2008)
    • Deletes shadow copies

      • cmd.exe (PID: 2348)
      • cmd.exe (PID: 2684)
    • Actions look like stealing of personal data

      • svchost.exe (PID: 2008)
    • Using BCDEDIT.EXE to modify recovery options

      • cmd.exe (PID: 2324)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3976)
      • TrojanRansomCovid29.exe (PID: 2108)
      • Cov29Cry.exe (PID: 1060)
      • svchost.exe (PID: 2008)
    • Executable content was dropped or overwritten

      • TrojanRansomCovid29.exe (PID: 2108)
      • cmd.exe (PID: 752)
      • Cov29Cry.exe (PID: 1060)
    • Reads the Internet Settings

      • TrojanRansomCovid29.exe (PID: 2108)
      • cmd.exe (PID: 752)
      • Cov29Cry.exe (PID: 1060)
      • svchost.exe (PID: 2008)
      • WMIC.exe (PID: 1520)
    • Executing commands from a ".bat" file

      • TrojanRansomCovid29.exe (PID: 2108)
    • Starts CMD.EXE for command execution

      • TrojanRansomCovid29.exe (PID: 2108)
      • svchost.exe (PID: 2008)
    • The process executes VB scripts

      • cmd.exe (PID: 752)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 752)
    • Runs PING.EXE to delay execution

      • cmd.exe (PID: 752)
    • The executable file from the user directory is run by the CMD process

      • mbr.exe (PID: 764)
      • Cov29Cry.exe (PID: 1060)
      • Cov29LockScreen.exe (PID: 2456)
    • Shuts down or reboots the system

      • cmd.exe (PID: 752)
    • Starts itself from another location

      • Cov29Cry.exe (PID: 1060)
    • The process creates files with name similar to system file names

      • Cov29Cry.exe (PID: 1060)
    • Uses TASKKILL.EXE to kill a process

      • cmd.exe (PID: 752)
    • Executes as Windows Service

      • VSSVC.exe (PID: 736)
      • wbengine.exe (PID: 2428)
      • vds.exe (PID: 2816)
    • Starts notepad (likely displaying a ransom note)

      • svchost.exe (PID: 2008)
  • INFO

    • Drops a (possible) Coronavirus decoy

      • WinRAR.exe (PID: 3976)
      • TrojanRansomCovid29.exe (PID: 2108)
      • svchost.exe (PID: 2008)
    • Checks supported languages

      • TrojanRansomCovid29.exe (PID: 2108)
      • mbr.exe (PID: 764)
      • Cov29Cry.exe (PID: 1060)
      • svchost.exe (PID: 2008)
      • Cov29LockScreen.exe (PID: 2456)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3976)
    • Reads the computer name

      • TrojanRansomCovid29.exe (PID: 2108)
      • Cov29Cry.exe (PID: 1060)
      • svchost.exe (PID: 2008)
    • Creates files in a temporary directory

      • TrojanRansomCovid29.exe (PID: 2108)
      • svchost.exe (PID: 2008)
    • Creates files or folders in the user directory

      • Cov29Cry.exe (PID: 1060)
      • svchost.exe (PID: 2008)
    • Reads the machine GUID from the registry

      • svchost.exe (PID: 2008)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: TrojanRansomCovid29.exe
ZipUncompressedSize: 555520
ZipCompressedSize: 465636
ZipCRC: 0x24cf6d3f
ZipModifyDate: 2022:03:06 16:11:02
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 77
Monitored processes: 33
Malicious processes: 7
Suspicious processes: 1

Behavior graph

Processes in start order ("no specs" marks a process with no signature details): start, winrar.exe, trojanransomcovid29.exe (no specs), trojanransomcovid29.exe, cmd.exe, wscript.exe (no specs), ping.exe (no specs), reg.exe (no specs), reg.exe (no specs), reg.exe (no specs), reg.exe (no specs), reg.exe (no specs), reg.exe (no specs), reg.exe (no specs), mbr.exe (no specs), cov29cry.exe, shutdown.exe (no specs), ping.exe (no specs), svchost.exe, cmd.exe (no specs), vssadmin.exe (no specs), vssvc.exe (no specs), taskkill.exe (no specs), cov29lockscreen.exe (no specs), wmic.exe (no specs), cmd.exe (no specs), bcdedit.exe (no specs), bcdedit.exe (no specs), cmd.exe (no specs), wbadmin.exe (no specs), wbengine.exe (no specs), vdsldr.exe (no specs), vds.exe (no specs), notepad.exe (no specs)

Process information

PID: 3976
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Covid29 Ransomware.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 4016
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.5177\TrojanRansomCovid29.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.5177\TrojanRansomCovid29.exe
Parent process: WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa3976.5177\trojanransomcovid29.exe
c:\windows\system32\ntdll.dll
PID: 2108
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.5177\TrojanRansomCovid29.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.5177\TrojanRansomCovid29.exe
Parent process: WinRAR.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa3976.5177\trojanransomcovid29.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 752
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\4CDA.tmp\TrojanRansomCovid29.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: TrojanRansomCovid29.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2028
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\4CDA.tmp\fakeerror.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1872
CMD: ping localhost -n 2
Path: C:\Windows\System32\PING.EXE
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
PID: 1112
CMD: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2204
CMD: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2312
CMD: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1764
CMD: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events: 15 542
Read events: 15 470
Write events: 72
Delete events: 0

Modification events

(PID) Process: (3976) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3976) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3976) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3976) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3976) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3976) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (3976) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Covid29 Ransomware.zip

(PID) Process: (3976) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3976) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3976) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files: 14
Suspicious files: 1
Text files: 130
Unknown types: 1

Dropped files

PID: 3976
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.5177\readme.txt
Type: text
MD5: F4F557DB9C615C87E524802AF8A9992F
SHA256: 17976E8A6952B0123B729B50B3AD981CBE97083DB9DE66A37EB6F8DECC39B76E

PID: 3976
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.5177\source\Cov29Cry\bg.jpg
Type: image
MD5: 108FC794E7171419CF881B4058F88D20
SHA256: 741D2576009640A47733A6C724D56ED1A9CEE1014CDE047B9384181A1758CD34

PID: 3976
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.5177\source\Bat To Exe Converter\help.chm
Type: chm
MD5: FFA8C49B21B077B0DC4B51A1F6F9A753
SHA256: 00037BFC41AFACF262AFDA160E17D3CCA33606276324E99BBD93AD1207E9A7C0

PID: 3976
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.5177\source\Bat To Exe Converter\settings.ini
Type: ini
MD5: D3BE6C4EDEA45F5A9A766DD235E4C23A
SHA256: 236D6136A9EA4241FACB7C459BF0BAD6D1FA572D436E6E73C44884D6126E5AB4

PID: 3976
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.5177\source\Cov29Cry\Cov29Cry.exe.death
Type: executable
MD5: 8BCD083E16AF6C15E14520D5A0BD7E6A
SHA256: B4F78FF66DC3F5F8DDD694166E6B596D533830792F9B5F1634D3F5F17D6A884A

PID: 3976
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.5177\source\Cov29LockScreen.exe
Type: executable
MD5: F724C6DA46DC54E6737DB821F9B62D77
SHA256: 6CDE4A9F109AE5473703C4F5962F43024D71D2138CBD889223283E7B71E5911C

PID: 3976
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.5177\source\Cov29Cry\Chaos Ransomware Builder v4.exe
Type: executable
MD5: 8B855E56E41A6E10D28522A20C1E0341
SHA256: F2665F89BA53ABD3DEB81988C0D5194992214053E77FC89B98B64A31A7504D77

PID: 3976
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.5177\source\Cov29LockScreen\23311_lores.jpg
Type: image
MD5: 108FC794E7171419CF881B4058F88D20
SHA256: 741D2576009640A47733A6C724D56ED1A9CEE1014CDE047B9384181A1758CD34

PID: 3976
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.5177\source\Cov29LockScreen\Cov29LockScreen.vbp
Type: text
MD5: 420983DAADCF363DEE597DA26732659D
SHA256: 7008899F61B246889060A2032DBF812EA579F147880AB8F0AE7DB67729D61090

PID: 3976
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.5177\source\Cov29Cry\AdvancedOptions.PNG
Type: image
MD5: C5F0F9AB684461C635F551D045E6CAA5
SHA256: 6C9EB2DA924DF69BCEE50C50F51A67C66321EAF1F453E4C864F037D31E08CF93
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 4
Process: System
IP: 192.168.100.255:137
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:138
Reputation: whitelisted

IP: 224.0.0.252:5355
Reputation: unknown

PID: 1088
Process: svchost.exe
IP: 224.0.0.252:5355
Reputation: unknown

DNS requests

No data

Threats

No threats detected
No debug info