File name: Trojan.Ransom.Covid-666.zip

Full analysis: https://app.any.run/tasks/f26b862f-ae27-4810-8e7c-69a6fa095e6e
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: January 07, 2024, 17:04:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
covid19
ransomware
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5: 6913991E03E8224A3119F595408D3F29
SHA1: 088EA3A0809E5655232C3ED659EEE097FD5864E7
SHA256: E7EF23AF9ADEDDD5D43C3E6A736EA4FC3EB31CF6E08609DA01AC2CCC516216FB
SSDEEP: 98304:osNpUCfurixyMeYBz4hKPdmkLmYIWECmSnSurc8t1+4KvwJjXOAQSKHrXWeIxa2W:6W7BiV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Renames files like ransomware

      • cmd.exe (PID: 2244)
      • cmd.exe (PID: 2880)
  • SUSPICIOUS

    • Reads the Internet Settings

      • Trojan.Ransom.Covid-666.exe (PID: 1900)
    • Starts CMD.EXE for commands execution

      • Trojan.Ransom.Covid-666.exe (PID: 1900)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 2244)
      • cmd.exe (PID: 2880)
    • Executing commands from a ".bat" file

      • Trojan.Ransom.Covid-666.exe (PID: 1900)
    • Changes the desktop background image

      • reg.exe (PID: 2692)
      • reg.exe (PID: 2568)
      • reg.exe (PID: 1408)
      • reg.exe (PID: 3136)
    • Uses RUNDLL32.EXE to load library

      • cmd.exe (PID: 2244)
      • cmd.exe (PID: 2880)
    • The system shut down or reboot

      • cmd.exe (PID: 2244)
      • cmd.exe (PID: 2508)
      • cmd.exe (PID: 2880)
  • INFO

    • Drops a (possible) Coronavirus decoy

      • WinRAR.exe (PID: 128)
      • Trojan.Ransom.Covid-666.exe (PID: 1900)
      • cmd.exe (PID: 2244)
      • cmd.exe (PID: 2880)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 128)
      • Bat_To_Exe_Converter.exe (PID: 2000)
      • Trojan.Ransom.Covid-666.exe (PID: 1900)
      • cmd.exe (PID: 2244)
      • cmd.exe (PID: 2880)
    • Checks supported languages

      • Bat_To_Exe_Converter.exe (PID: 2000)
      • Trojan.Ransom.Covid-666.exe (PID: 1900)
      • mbr.exe (PID: 2028)
      • MainWindow.exe (PID: 2428)
      • mbr.exe (PID: 2944)
      • mbr.exe (PID: 2148)
      • MainWindow.exe (PID: 3652)
      • mbr.exe (PID: 4036)
      • mbr.exe (PID: 4028)
      • MainWindow.exe (PID: 3144)
    • Manual execution by a user

      • Trojan.Ransom.Covid-666.exe (PID: 1784)
      • Trojan.Ransom.Covid-666.exe (PID: 1900)
      • notepad.exe (PID: 548)
      • Bat_To_Exe_Converter.exe (PID: 2000)
      • cmd.exe (PID: 2508)
      • rundll32.exe (PID: 3068)
      • cmd.exe (PID: 2880)
      • shutdown.exe (PID: 3088)
      • MainWindow.exe (PID: 3652)
      • mbr.exe (PID: 2148)
      • mbr.exe (PID: 4036)
      • mbr.exe (PID: 4028)
    • Create files in a temporary directory

      • Trojan.Ransom.Covid-666.exe (PID: 1900)
      • Bat_To_Exe_Converter.exe (PID: 2000)
    • Reads the computer name

      • Trojan.Ransom.Covid-666.exe (PID: 1900)
    • The executable file from the user directory is run by the CMD process

      • mbr.exe (PID: 2028)
      • MainWindow.exe (PID: 2428)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2021:12:28 19:35:14
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: source code/
No data.
All screenshots are available in the full report
Total processes: 120
Monitored processes: 66
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes shown in the graph, in launch order: winrar.exe, notepad.exe, bat_to_exe_converter.exe, trojan.ransom.covid-666.exe, trojan.ransom.covid-666.exe, cmd.exe, reg.exe, reg.exe, reg.exe, reg.exe, reg.exe, mbr.exe, reg.exe, rundll32.exe, rundll32.exe, rundll32.exe, rundll32.exe, reg.exe, mainwindow.exe, shutdown.exe, rundll32.exe, reg.exe, rundll32.exe, rundll32.exe, rundll32.exe, rundll32.exe, rundll32.exe, rundll32.exe, rundll32.exe, rundll32.exe, rundll32.exe, cmd.exe, shutdown.exe, rundll32.exe, cmd.exe, reg.exe, reg.exe, reg.exe, reg.exe, reg.exe, reg.exe, mbr.exe, rundll32.exe, rundll32.exe, rundll32.exe, rundll32.exe, reg.exe, mainwindow.exe, shutdown.exe, reg.exe, rundll32.exe, rundll32.exe, rundll32.exe, rundll32.exe, rundll32.exe, rundll32.exe, rundll32.exe, rundll32.exe, rundll32.exe, rundll32.exe, shutdown.exe, mainwindow.exe, PhotoViewer.dll, mbr.exe, mbr.exe, mbr.exe

Process information

PID | CMD | Path | Parent process

PID 128 | CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Trojan.Ransom.Covid-666.zip" | Path: C:\Program Files\WinRAR\WinRAR.exe | Parent: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID 548 | CMD: "C:\Windows\System32\NOTEPAD.EXE" C:\Users\admin\Desktop\source code\Covid666.bat | Path: C:\Windows\System32\notepad.exe | Parent: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID 568 | CMD: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters | Path: C:\Windows\System32\rundll32.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
PID 604 | CMD: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters | Path: C:\Windows\System32\rundll32.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
PID 680 | CMD: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters | Path: C:\Windows\System32\rundll32.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
PID 980 | CMD: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters | Path: C:\Windows\System32\rundll32.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
PID 984 | CMD: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters | Path: C:\Windows\System32\rundll32.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
PID 996 | CMD: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters | Path: C:\Windows\System32\rundll32.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
PID 1384 | CMD: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters | Path: C:\Windows\System32\rundll32.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
PID 1408 | CMD: reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\note.bmp /f | Path: C:\Windows\System32\reg.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events: 2 237
Read events: 2 204
Write events: 33
Delete events: 0

Modification events

(PID) Process: (128) WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write | Name: LanguageList
Value: en-US

(PID) Process: (128) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 3
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (128) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 2
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (128) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (128) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 0
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (128) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: name
Value: 120

(PID) Process: (128) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: size
Value: 80

(PID) Process: (128) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: type
Value: 120

(PID) Process: (128) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: mtime
Value: 100

(PID) Process: (128) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write | Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
Executable files: 12
Suspicious files: 7
Text files: 38
Unknown types: 1

Dropped files

PID | Process | Filename | Type

PID 128 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa128.7375\source code\Bat To Exe Converter\settings.ini | ini
MD5: D3BE6C4EDEA45F5A9A766DD235E4C23A
SHA256: 236D6136A9EA4241FACB7C459BF0BAD6D1FA572D436E6E73C44884D6126E5AB4

PID 128 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa128.7375\source code\Bat To Exe Converter\Bat_To_Exe_Converter.exe | executable
MD5: 76D5900A4ADF4C1F2AB8DBFD0A450C4A
SHA256: 7ADC1F7FF040628A600F99465BD70E71AD83FECFE60B0F1DADC84B5D262FF350

PID 128 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa128.7375\source code\MainWindow\Project1.vbp | text
MD5: E44813FA0901185CD22316301241B5B6
SHA256: 4770CAE7A368E7A0551BC3A3804DCF633703A19321D4C51CB1FCC8936615C3C1

PID 128 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa128.7375\source code\MainWindow\MainWindow.exe | executable
MD5: 23AB00DEB47223BA73B700EB371FB0FE
SHA256: D42807867BD69D5DB2605E4E6F39E5F70E0CC9DB0CAC9216FD6A9CD8CC324E0D

PID 128 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa128.7375\source code\MainWindow\Project1.vbw | text
MD5: B98376894DD9A9CB0BF4C437DA937EE3
SHA256: FBA675F2D84F967ACD69A008A3855DCAADAA9BDD17FC0C543673355593662503

PID 128 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa128.7375\source code\23311_lores.jpg | image
MD5: 108FC794E7171419CF881B4058F88D20
SHA256: 741D2576009640A47733A6C724D56ED1A9CEE1014CDE047B9384181A1758CD34

PID 2028 | mbr.exe | \Device\Harddisk0\DR0 | (no type recorded)
MD5: (none recorded)
SHA256: (none recorded)

PID 128 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa128.7375\source code\1485282157-adobe-photoshop-raster-graphics-editor-cc-creative-cloud_78285.ico | image
MD5: B62F092C597D5AE1AD773B96969F2155
SHA256: 67220FE3C4F4BD4686D536C4422C23B02D4CB7F59643283A2D83385C4CE944FB

PID 128 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa128.7375\source code\Bat To Exe Converter\help.chm | chm
MD5: FFA8C49B21B077B0DC4B51A1F6F9A753
SHA256: 00037BFC41AFACF262AFDA160E17D3CCA33606276324E99BBD93AD1207E9A7C0

PID 2000 | Bat_To_Exe_Converter.exe | C:\Users\admin\AppData\Local\Temp\B0AE.tmp\GoLink.exe | executable
MD5: CAFC4EEC8A4F05B8DFEE4067FB5B9076
SHA256: 1FA554D18490CB5E56D624CD97069F42E63800688136C6CF3C521E4EF6E83E28
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

PID 4 | System | 192.168.100.255:137 | - | - | - | whitelisted
PID 1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
PID 4 | System | 192.168.100.255:138 | - | - | - | whitelisted

DNS requests

No data

Threats

No threats detected
No debug info