
Covid21 2.0.exe

Status: finished
Submission Time: 28.03.2021 15:34:33
Malicious
Ransomware
Evader

Details

  • Analysis ID:
    377010
  • API (Web) ID:
    656151
  • Analysis Started:
    28.03.2021 15:34:33
  • Analysis Finished:
    28.03.2021 16:09:51
  • MD5:
    a7c7f5e792809db8653a75c958f82bc4
  • SHA1:
    7ebe75db24af98efdcfebd970e7eea4b029f9f81
  • SHA256:
    02fea9970500d498e602b22cea68ade9869aca40a5cdc79cf1798644ba2057ca
Verdict

  • Verdict: malicious
    System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
  • Verdict: malicious, Score: 75/100
    System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Run Condition: Run with higher sleep bypass
  • Verdict: malicious, Score: 84/100
  • Verdict: malicious, Score: 48/69
  • Verdict: malicious, Score: 13/36
  • Verdict: malicious, Score: 23/28
  • Verdict: malicious
URLs

Name
  • http://www.rjlsoftware.com/?screenscrewopenj
  • http://www.rjlsoftware.com/?screenscrew
  • http://www.autohotkey.com
  • http://www.autohotkey.comCould
  • http://www.rjlsoftware.com
  • http://www.rjlsoftware.com(

Dropped files

Name / File Type
  • C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\2526.tmp\icons.exe
    PE32 executable (console) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\2526.tmp\mlt.exe
    PE32+ executable (GUI) x86-64, for MS Windows
  • C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\2526.tmp\t.vbs
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\2526.tmp\x.vbs
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\covid21\Corona.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • \Device\Harddisk0\DR0
    DOS/MBR boot sector
  • C:\Users\user\AppData\Local\Temp\2526.tmp\Corona.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\2526.tmp\Covid21.bat
    DOS batch file, ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\2526.tmp\coronaloop.bat
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\2526.tmp\covid.jpg
    JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, progressive, precision 8, 1920x1080, frames 3
  • C:\Users\user\AppData\Local\Temp\2526.tmp\prompt.vbs
    ASCII text, with CRLF line terminators
  • C:\Windows\clwcp.bmp
    PC bitmap, Windows 3.x format, 1920 x 1080 x 24
  • C:\covid21\covid.jpg
    JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, progressive, precision 8, 1920x1080, frames 3