CoronaVirus Ransomware (coronaVi2022@protonmail.ch___<Original Filename>.<Original Extension>)

  • Distribution Method : Unknown
  • MD5 : ec517204fbcf7a980d137b116afa946d
  • Major Detection Name : TR/Ransom.MBRlock.nwhir (Avira), Trojan-Ransom.Win32.Coronavi.a (Kaspersky)
  • Encrypted File Pattern : coronaVi2022@protonmail.ch___<Original Filename>.<Original Extension>
  • Malicious File Creation Location :
     - C:\Users\%UserName%\AppData\Local\Temp\<Random>.exe
     - C:\Users\%UserName%\AppData\Local\Temp\CoronaVirus.txt
  • Payment Instruction File : CoronaVirus.txt
  • Major Characteristics :
     - Offline Encryption
     - Changes the disk name (CoronaVirus)
     - Modifies the MBR and automatically reboots Windows after file encryption is complete
     - Disables system restore (VSSADMIN.EXE Delete Shadows /All /Quiet, wbadmin.exe delete backup -keepVersions:0 -quiet, wbadmin.exe delete systemstatebackup -keepVersions:0 -quiet)
     - Creates a boot message by modifying the default values of the registry entry "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute"
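
The indicators listed above can be turned into a small triage check over endpoint telemetry. The following is an added example, not code from AppCheck or from the original page: the event schema (`type`, `path`, `cmdline`, `key`, `value`, `data`) is hypothetical, the sample events are constructed, and `autocheck autochk *` is the stock Windows BootExecute data, so only other values are flagged.

```python
import ntpath
import re

PREFIX = "coronavi2022@protonmail.ch___"  # encrypted-file prefix listed on the page
NOTE = "coronavirus.txt"                  # payment instruction file listed on the page
BOOT_KEY = r"\system\currentcontrolset\control\session manager"
BOOT_DEFAULT = "autocheck autochk *"      # stock Windows BootExecute data
CMDS = {  # backup-deletion commands listed on the page; case and spacing tolerant
    "vssadmin delete shadows": r"vssadmin(\.exe)?\"?\s+delete\s+shadows\b.*/all\b",
    "wbadmin delete backup": r"wbadmin(\.exe)?\"?\s+delete\s+backup\b.*-keepversions:0\b",
    "wbadmin delete systemstatebackup":
        r"wbadmin(\.exe)?\"?\s+delete\s+systemstatebackup\b.*-keepversions:0\b",
}

def check_event(ev):
    """Return (indicator, detail) tuples for one telemetry event (hypothetical schema)."""
    hits = []
    if ev["type"] == "file":
        name = ntpath.basename(ev["path"])
        if name.lower().startswith(PREFIX) and len(name) > len(PREFIX):
            hits.append(("encrypted_file", name[len(PREFIX):]))  # original file name
        elif name.lower() == NOTE:
            hits.append(("ransom_note", ev["path"]))
    elif ev["type"] == "process":
        for label, pattern in CMDS.items():
            if re.search(pattern, ev["cmdline"], re.I):
                hits.append(("backup_deletion", label))
    elif ev["type"] == "registry":
        key = ev["key"].lower().rstrip("\\")
        changed = ev["data"].strip().lower() != BOOT_DEFAULT
        if key.endswith(BOOT_KEY) and ev["value"].lower() == "bootexecute" and changed:
            hits.append(("bootexecute_modified", ev["data"]))
    return hits

def scan(events):
    return [hit for ev in events for hit in check_event(ev)]

# Constructed sample telemetry (not taken from a real incident).
KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
SAMPLE = [
    {"type": "file", "path": r"C:\Users\alice\Documents\coronaVi2022@protonmail.ch___report.docx"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Local\Temp\CoronaVirus.txt"},
    {"type": "process", "cmdline": "VSSADMIN.EXE Delete Shadows /All /Quiet"},
    {"type": "process", "cmdline": "wbadmin.exe delete systemstatebackup -keepVersions:0 -quiet"},
    {"type": "process", "cmdline": "vssadmin list shadows"},
    {"type": "registry", "key": KEY, "value": "BootExecute", "data": "autocheck autochk *"},
    {"type": "registry", "key": KEY, "value": "BootExecute", "data": "constructed non-default entry"},
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

The `encrypted_file` hit carries the original file name recovered by stripping the prefix, which helps when inventorying affected files for restore.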