URL: https://github.com/pankoza2-pl/malwaredatabase-old

Full analysis: https://app.any.run/tasks/54ee757f-c59d-4de3-83ac-cdae7972d69b
Verdict: Malicious activity
Analysis date: June 23, 2024, 01:57:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: covid19, upx, aspack
Indicators:
  MD5: 89EF704FE9FCD9DEC53369122D727921
  SHA1: D7A8E3B1E57F5AFCD06E7C58F7FAFC0D303E0F52
  SHA256: F1917B1442611BC18DF396D71113C5BA1D83BB84899D5071668670CB6F21C758
  SSDEEP: 3:N8tEdlELlf3VJIcKR0y:2uoLFlSxb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Covid21 2.0.exe (PID: 348)
      • Covid21 2.0.exe (PID: 3792)
      • cmd.exe (PID: 832)
    • Disables Windows Defender

      • reg.exe (PID: 1392)
    • Changes the autorun value in the registry

      • PayloadMBR.exe (PID: 2736)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Covid21 2.0.exe (PID: 348)
      • Covid21 2.0.exe (PID: 3792)
      • cmd.exe (PID: 832)
    • Reads the Internet Settings

      • Covid21 2.0.exe (PID: 348)
      • Covid21 2.0.exe (PID: 3792)
      • cmd.exe (PID: 832)
    • Starts CMD.EXE for commands execution

      • Covid21 2.0.exe (PID: 348)
      • Covid21 2.0.exe (PID: 3792)
      • cmd.exe (PID: 832)
    • Reads security settings of Internet Explorer

      • Covid21 2.0.exe (PID: 348)
      • Covid21 2.0.exe (PID: 3792)
    • Executing commands from a ".bat" file

      • Covid21 2.0.exe (PID: 348)
      • Covid21 2.0.exe (PID: 3792)
      • cmd.exe (PID: 832)
    • The process executes VB scripts

      • cmd.exe (PID: 832)
      • cmd.exe (PID: 3784)
    • Application launched itself

      • cmd.exe (PID: 832)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 832)
    • The executable file from the user directory is run by the CMD process

      • inv.exe (PID: 2672)
      • z.exe (PID: 3568)
      • CLWCP.exe (PID: 2708)
      • icons.exe (PID: 1680)
      • screenscrew.exe (PID: 660)
      • PayloadMBR.exe (PID: 2736)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 832)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 832)
  • INFO

    • Executable content was dropped or overwritten

      • msedge.exe (PID: 2940)
      • msedge.exe (PID: 3392)
    • Application launched itself

      • msedge.exe (PID: 3392)
    • Drops a (possible) Coronavirus decoy

      • msedge.exe (PID: 3392)
      • Covid21 2.0.exe (PID: 348)
      • Covid21 2.0.exe (PID: 3792)
      • cmd.exe (PID: 832)
    • Checks supported languages

      • Covid21 2.0.exe (PID: 348)
      • Covid21 2.0.exe (PID: 3792)
      • Corona.exe (PID: 2268)
      • inv.exe (PID: 2672)
      • z.exe (PID: 3568)
      • CLWCP.exe (PID: 2708)
      • icons.exe (PID: 1680)
      • screenscrew.exe (PID: 660)
      • PayloadMBR.exe (PID: 2736)
    • The process uses the downloaded file

      • msedge.exe (PID: 3392)
      • msedge.exe (PID: 3140)
    • Drops the executable file immediately after the start

      • msedge.exe (PID: 2940)
      • msedge.exe (PID: 3392)
    • Create files in a temporary directory

      • Covid21 2.0.exe (PID: 348)
      • Covid21 2.0.exe (PID: 3792)
    • Reads the computer name

      • Covid21 2.0.exe (PID: 348)
      • Covid21 2.0.exe (PID: 3792)
    • Reads security settings of Internet Explorer

      • cscript.exe (PID: 2828)
      • cscript.exe (PID: 2412)
    • UPX packer has been detected

      • Covid21 2.0.exe (PID: 348)
      • Covid21 2.0.exe (PID: 3792)
    • Aspack has been detected

      • Covid21 2.0.exe (PID: 348)
      • Covid21 2.0.exe (PID: 3792)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 100
Monitored processes: 54
Malicious processes: 4
Suspicious processes: 2

Behavior graph

Graph nodes, in graph order (54 monitored processes; "no specs" and "THREAT" are the graph's own node labels):
  • start
  • msedge.exe
  • msedge.exe (no specs) ×2
  • msedge.exe
  • msedge.exe (no specs) ×13
  • covid21 2.0.exe (no specs) ×2
  • covid21 2.0.exe (THREAT) ×2
  • cmd.exe (no specs)
  • cmd.exe
  • cscript.exe (no specs) ×2
  • reg.exe (no specs) ×2
  • clwcp.exe (no specs)
  • reg.exe (no specs)
  • wscript.exe (no specs)
  • bcdedit.exe (no specs)
  • cmd.exe (no specs)
  • timeout.exe (no specs)
  • corona.exe (no specs)
  • msedge.exe (no specs) ×2
  • inv.exe (no specs)
  • wscript.exe (no specs)
  • timeout.exe (no specs)
  • z.exe (no specs)
  • wscript.exe (no specs)
  • timeout.exe (no specs)
  • wscript.exe (no specs)
  • timeout.exe (no specs)
  • wscript.exe (no specs)
  • icons.exe (no specs)
  • timeout.exe (no specs)
  • screenscrew.exe (no specs)
  • wscript.exe (no specs)
  • timeout.exe (no specs)
  • wscript.exe (no specs)
  • timeout.exe (no specs)
  • taskkill.exe (no specs)
  • payloadmbr.exe

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID 268 | CMD: timeout 5 /nobreak | Path: C:\Windows\System32\timeout.exe | Parent: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: timeout - pauses command processing
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Modules (images):
    c:\windows\system32\timeout.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\ws2_32.dll
PID 348 | CMD: "C:\Users\admin\Downloads\Covid21 2.0.exe" | Path: C:\Users\admin\Downloads\Covid21 2.0.exe | Parent: msedge.exe
  User: admin
  Integrity Level: HIGH
  Modules (images):
    c:\users\admin\downloads\covid21 2.0.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll
PID 660 | CMD: screenscrew.exe | Path: C:\Users\admin\AppData\Local\Temp\3B99.tmp\screenscrew.exe | Parent: cmd.exe
  User: admin
  Company: RJL Software, Inc.
  Integrity Level: HIGH
  Description: Screws with your screen :)
  Version: 1.0.0.0
  Modules (images):
    c:\users\admin\appdata\local\temp\3b99.tmp\screenscrew.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\advapi32.dll
PID 724 | CMD: bcdedit /delete {current} | Path: C:\Windows\System32\bcdedit.exe | Parent: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Boot Configuration Data Editor
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
  Modules (images):
    c:\windows\system32\bcdedit.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
PID 832 | CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\3B99.tmp\Covid21.bat" " | Path: C:\Windows\System32\cmd.exe | Parent: Covid21 2.0.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Windows Command Processor
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
  Modules (images):
    c:\windows\system32\cmd.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\winbrand.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll
PID 1164 | CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\3B99.tmp\y.vbs" | Path: C:\Windows\System32\wscript.exe | Parent: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Microsoft ® Windows Based Script Host
  Version: 5.8.7600.16385
  Modules (images):
    c:\windows\system32\wscript.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
PID 1196 | CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\3B99.tmp\t.vbs" | Path: C:\Windows\System32\wscript.exe | Parent: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Microsoft ® Windows Based Script Host
  Version: 5.8.7600.16385
  Modules (images):
    c:\windows\system32\wscript.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
PID 1324 | CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\3B99.tmp\y.vbs" | Path: C:\Windows\System32\wscript.exe | Parent: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Microsoft ® Windows Based Script Host
  Version: 5.8.7600.16385
  Modules (images):
    c:\windows\system32\wscript.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
PID 1392 | CMD: Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f | Path: C:\Windows\System32\reg.exe | Parent: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Registry Console Tool
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Modules (images):
    c:\windows\system32\reg.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
PID 1596 | CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\3B99.tmp\y.vbs" | Path: C:\Windows\System32\wscript.exe | Parent: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Microsoft ® Windows Based Script Host
  Version: 5.8.7600.16385
  Modules (images):
    c:\windows\system32\wscript.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll

Total events: 27 928
Read events: 27 746
Write events: 140
Delete events: 42

Modification events

Columns: PID | Process | Key | Operation | Name | Value
3392 | msedge.exe | HKEY_CURRENT_USER\Software\Microsoft\Edge\BLBeacon | write | failed_count | 0
3392 | msedge.exe | HKEY_CURRENT_USER\Software\Microsoft\Edge\BLBeacon | write | state | 2
3392 | msedge.exe | HKEY_CURRENT_USER\Software\Microsoft\Edge\ThirdParty | write | StatusCodes | (empty)
3392 | msedge.exe | HKEY_CURRENT_USER\Software\Microsoft\Edge\ThirdParty | write | StatusCodes | 01000000
3392 | msedge.exe | HKEY_CURRENT_USER\Software\Microsoft\Edge\BLBeacon | write | state | 1
3392 | msedge.exe | HKEY_CURRENT_USER\Software\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062} | write | dr | 1
3392 | msedge.exe | HKEY_CURRENT_USER\Software\Microsoft\Edge\StabilityMetrics | write | user_experience_metrics.stability.exited_cleanly | 0
3392 | msedge.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault | write | S-1-5-21-1302019708-1500728564-335382590-1000 | AA3FB6451B7A2F00
3392 | msedge.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\FirstNotDefault | delete value | S-1-5-21-1302019708-1500728564-335382590-1000 | (none)
3392 | msedge.exe | HKEY_CURRENT_USER\Software\Microsoft\Edge | write | UsageStatsInSample | 1

Executable files: 21
Suspicious files: 167
Text files: 37
Unknown types: 0

Dropped files

Columns: PID | Process | Filename | Type | MD5 | SHA256
3392 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF4e4de.TMP | n/a | n/a | n/a
3392 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old | n/a | n/a | n/a
3392 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF4e4ee.TMP | n/a | n/a | n/a
3392 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old | n/a | n/a | n/a
3392 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF4e55b.TMP | n/a | n/a | n/a
3392 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old | n/a | n/a | n/a
3392 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old | text | CE3AC3673EB3498DDF7BEC3328D23765 | D2304AEDC7D32192364DCDECAF7A17972F3ABF909A79646A47B66917ECA30E9A
3700 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\CrashpadMetrics.pma | binary | 886E82F2CA62ECCCE64601B30592078A | E5E13D53601100FF3D6BB71514CBCCC4C73FE9B7EF5E930100E644187B42948E
3392 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Last Version | text | 61FE7896F9494DCDF53480A325F4FB85 | ACFD3CD36E0DFCF1DCB67C7F31F2A5B9BA0815528A0C604D4330DFAA9E683E51
3392 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old~RF4e4de.TMP | text | 646FEFDB4D82709E3056F5C71953783C | 7B83D8689750F64D31016F1E8AC2A4EB9D7DB406E4C9C66211D4ED17DEBFEAD9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 33
DNS requests: 33
Threats: 0

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation (the extracted rows carry only the values listed below)
1372 | svchost.exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | unknown
1060 | svchost.exe | GET | 304 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a9f83325acc8ca75 | unknown | unknown
1372 | svchost.exe | GET | 200 | 23.72.36.98:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
1372 | svchost.exe | GET | 200 | 2.22.57.219:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation (rows without a resolved domain carry only the values listed)
1372 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
3392 | msedge.exe | 239.255.255.250:1900 | whitelisted
4 | System | 192.168.100.255:137 | whitelisted
2940 | msedge.exe | 140.82.121.3:443 | github.com | GITHUB | US | unknown
2940 | msedge.exe | 204.79.197.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
2940 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 | unknown
2940 | msedge.exe | 185.199.110.154:443 | github.githubassets.com | FASTLY | US | unknown
2940 | msedge.exe | 185.199.108.133:443 | avatars.githubusercontent.com | FASTLY | US | unknown

DNS requests

Columns: Domain, resolved IPs, Reputation
github.com
  • 140.82.121.3
shared
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
github.githubassets.com
  • 185.199.110.154
  • 185.199.108.154
  • 185.199.109.154
  • 185.199.111.154
whitelisted
avatars.githubusercontent.com
  • 185.199.108.133
  • 185.199.110.133
  • 185.199.109.133
  • 185.199.111.133
whitelisted
github-cloud.s3.amazonaws.com
  • 3.5.7.141
  • 3.5.28.127
  • 52.216.245.212
  • 3.5.27.252
  • 52.216.44.217
  • 52.216.40.1
  • 52.216.212.241
  • 52.217.161.105
shared
user-images.githubusercontent.com
  • 185.199.110.133
  • 185.199.109.133
  • 185.199.108.133
  • 185.199.111.133
whitelisted
www.bing.com
  • 2.19.193.50
  • 2.19.193.42
  • 2.19.193.41
  • 2.19.193.43
  • 2.19.193.73
  • 2.19.193.58
  • 2.19.193.64
  • 2.19.193.67
  • 2.19.193.51
whitelisted
collector.github.com
  • 140.82.113.22
whitelisted
api.github.com
  • 140.82.121.5
whitelisted

Threats

No threats detected
No debug info