File name: Trojan.Ransom.Covid-666.zip

Full analysis: https://app.any.run/tasks/f26b862f-ae27-4810-8e7c-69a6fa095e6e
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: January 07, 2024, 17:04:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: covid19, ransomware
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5: 6913991E03E8224A3119F595408D3F29
SHA1: 088EA3A0809E5655232C3ED659EEE097FD5864E7
SHA256: E7EF23AF9ADEDDD5D43C3E6A736EA4FC3EB31CF6E08609DA01AC2CCC516216FB
SSDEEP: 98304:osNpUCfurixyMeYBz4hKPdmkLmYIWECmSnSurc8t1+4KvwJjXOAQSKHrXWeIxa2W:6W7BiV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Renames files like ransomware

      • cmd.exe (PID: 2244)
      • cmd.exe (PID: 2880)
  • SUSPICIOUS

    • Reads the Internet Settings

      • Trojan.Ransom.Covid-666.exe (PID: 1900)
    • Starts CMD.EXE for commands execution

      • Trojan.Ransom.Covid-666.exe (PID: 1900)
    • Executing commands from a ".bat" file

      • Trojan.Ransom.Covid-666.exe (PID: 1900)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 2244)
      • cmd.exe (PID: 2880)
    • Changes the desktop background image

      • reg.exe (PID: 2692)
      • reg.exe (PID: 2568)
      • reg.exe (PID: 3136)
      • reg.exe (PID: 1408)
    • Uses RUNDLL32.EXE to load library

      • cmd.exe (PID: 2244)
      • cmd.exe (PID: 2880)
    • The system shut down or reboot

      • cmd.exe (PID: 2244)
      • cmd.exe (PID: 2508)
      • cmd.exe (PID: 2880)
  • INFO

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 128)
      • Bat_To_Exe_Converter.exe (PID: 2000)
      • Trojan.Ransom.Covid-666.exe (PID: 1900)
      • cmd.exe (PID: 2244)
      • cmd.exe (PID: 2880)
    • Checks supported languages

      • Bat_To_Exe_Converter.exe (PID: 2000)
      • Trojan.Ransom.Covid-666.exe (PID: 1900)
      • mbr.exe (PID: 2028)
      • MainWindow.exe (PID: 2428)
      • mbr.exe (PID: 2944)
      • MainWindow.exe (PID: 3652)
      • mbr.exe (PID: 4028)
      • mbr.exe (PID: 4036)
      • MainWindow.exe (PID: 3144)
      • mbr.exe (PID: 2148)
    • Drops a (possible) Coronavirus decoy

      • WinRAR.exe (PID: 128)
      • Trojan.Ransom.Covid-666.exe (PID: 1900)
      • cmd.exe (PID: 2244)
      • cmd.exe (PID: 2880)
    • Reads the computer name

      • Trojan.Ransom.Covid-666.exe (PID: 1900)
    • Create files in a temporary directory

      • Trojan.Ransom.Covid-666.exe (PID: 1900)
      • Bat_To_Exe_Converter.exe (PID: 2000)
    • Manual execution by a user

      • Bat_To_Exe_Converter.exe (PID: 2000)
      • Trojan.Ransom.Covid-666.exe (PID: 1900)
      • Trojan.Ransom.Covid-666.exe (PID: 1784)
      • notepad.exe (PID: 548)
      • cmd.exe (PID: 2880)
      • cmd.exe (PID: 2508)
      • rundll32.exe (PID: 3068)
      • shutdown.exe (PID: 3088)
      • mbr.exe (PID: 2148)
      • mbr.exe (PID: 4036)
      • mbr.exe (PID: 4028)
      • MainWindow.exe (PID: 3652)
    • The executable file from the user directory is run by the CMD process

      • mbr.exe (PID: 2028)
      • MainWindow.exe (PID: 2428)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2021:12:28 19:35:14
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: source code/
No data.
All screenshots are available in the full report
Total processes: 120
Monitored processes: 66
Malicious processes: 3
Suspicious processes: 0

Behavior graph

[Interactive process tree; processes in order of first appearance: winrar.exe, notepad.exe, bat_to_exe_converter.exe, trojan.ransom.covid-666.exe, cmd.exe, reg.exe, mbr.exe, rundll32.exe, mainwindow.exe, shutdown.exe, PhotoViewer.dll]

Process information

PID 128 | Parent process: explorer.exe
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Trojan.Ransom.Covid-666.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images): c:\program files\winrar\winrar.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\comdlg32.dll
PID 548 | Parent process: explorer.exe
CMD: "C:\Windows\System32\NOTEPAD.EXE" C:\Users\admin\Desktop\source code\Covid666.bat
Path: C:\Windows\System32\notepad.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\notepad.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\user32.dll
PID 568 | Parent process: cmd.exe
CMD: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
Path: C:\Windows\System32\rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\rundll32.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\imagehlp.dll
PID 604 | Parent process: cmd.exe
CMD: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
Path: C:\Windows\System32\rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\rundll32.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\imagehlp.dll
PID 680 | Parent process: cmd.exe
CMD: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
Path: C:\Windows\System32\rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\rundll32.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\imagehlp.dll
PID 980 | Parent process: cmd.exe
CMD: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
Path: C:\Windows\System32\rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\rundll32.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\imagehlp.dll
PID 984 | Parent process: cmd.exe
CMD: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
Path: C:\Windows\System32\rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\rundll32.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\imagehlp.dll
PID 996 | Parent process: cmd.exe
CMD: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
Path: C:\Windows\System32\rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\rundll32.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\imagehlp.dll
PID 1384 | Parent process: cmd.exe
CMD: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
Path: C:\Windows\System32\rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\rundll32.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\imagehlp.dll
PID 1408 | Parent process: cmd.exe
CMD: reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\note.bmp /f
Path: C:\Windows\System32\reg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\reg.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll
Total events: 2 237
Read events: 2 204
Write events: 33
Delete events: 0

Modification events

Process: (128) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write | Name: LanguageList | Value: en-US

Process: (128) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

Process: (128) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\phacker.zip

Process: (128) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

Process: (128) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 0 | Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

Process: (128) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: name | Value: 120

Process: (128) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: size | Value: 80

Process: (128) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: type | Value: 120

Process: (128) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: mtime | Value: 100

Process: (128) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write | Name: Placement | Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
Executable files: 12
Suspicious files: 7
Text files: 38
Unknown types: 1

Dropped files

PID 128 | WinRAR.exe | Type: text
File: C:\Users\admin\AppData\Local\Temp\Rar$DRa128.7375\source code\MainWindow\Form1.frm
MD5: 702765B2EA5BA8282B89B355205AB82C
SHA256: DD6EE40D2B7CF959BBF407270923A8BA074BACB9F93AE8751D7E109C9FA5E957

PID 128 | WinRAR.exe | Type: chm
File: C:\Users\admin\AppData\Local\Temp\Rar$DRa128.7375\source code\Bat To Exe Converter\help.chm
MD5: FFA8C49B21B077B0DC4B51A1F6F9A753
SHA256: 00037BFC41AFACF262AFDA160E17D3CCA33606276324E99BBD93AD1207E9A7C0

PID 128 | WinRAR.exe | Type: executable
File: C:\Users\admin\AppData\Local\Temp\Rar$DRa128.7375\Trojan.Ransom.Covid-666.exe
MD5: 0C303AE1347C0395A96F3EB38D26D7ED
SHA256: 1EEFAEB98524277D1AEB459B6E4A31472CE2F4FF15F8F45B051E1C8A021C8FA7

PID 128 | WinRAR.exe | Type: image
File: C:\Users\admin\AppData\Local\Temp\Rar$DRa128.7375\source code\1485282157-adobe-photoshop-raster-graphics-editor-cc-creative-cloud_78285.ico
MD5: B62F092C597D5AE1AD773B96969F2155
SHA256: 67220FE3C4F4BD4686D536C4422C23B02D4CB7F59643283A2D83385C4CE944FB

PID 2000 | Bat_To_Exe_Converter.exe | Type: executable
File: C:\Users\admin\AppData\Local\Temp\B0AE.tmp\upx.exe
MD5: 308F709A8F01371A6DD088A793E65A5F
SHA256: C0F9FAFFDF14AB2C853880457BE19A237B10F8986755F184ECFE21670076CB35

PID 2000 | Bat_To_Exe_Converter.exe | Type: executable
File: C:\Users\admin\AppData\Local\Temp\B0AE.tmp\GoLink.exe
MD5: CAFC4EEC8A4F05B8DFEE4067FB5B9076
SHA256: 1FA554D18490CB5E56D624CD97069F42E63800688136C6CF3C521E4EF6E83E28

PID 2028 | mbr.exe | Type: (not given)
File: \Device\Harddisk0\DR0
MD5: (not given)
SHA256: (not given)

PID 2000 | Bat_To_Exe_Converter.exe | Type: executable
File: C:\Users\admin\AppData\Local\Temp\B0AE.tmp\GoRC.exe
MD5: F69B0E5F35B5DAE1B11B950CFF157FB3
SHA256: ED010C50A7CEB43B9666E7FBCA13D8377D30B79203207BAD77004A890ADEEA17

PID 2000 | Bat_To_Exe_Converter.exe | Type: image
File: C:\Users\admin\AppData\Local\Temp\B0AE.tmp\icon.ico
MD5: 0E93F7C16FA761762C996946F1D2C164
SHA256: 1B42FD6576E07141084FDC8232C8581A7D2309737ED0D219A88AACDDE7C36876

PID 1900 | Trojan.Ransom.Covid-666.exe | Type: text
File: C:\Users\admin\AppData\Local\Temp\C947.tmp\Covid666.bat
MD5: 5E19B2EEB24514E87AA6039BD012FA6E
SHA256: 0CABBE47E3A8799502084B4C691634D16DC3BF317FC17D9D898ED336A476C778
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted

DNS requests

No data

Threats

No threats detected
No debug info