chaos | debc291862357db9a51237f838d5b27c8e8bbae4c25e23f2b629e5824db43a58

Analysis

max time kernel
431s
max time network
438s
platform
windows10-1703_x64
resource
win10-20240214-en
resource tags

arch:x64arch:x86image:win10-20240214-enlocale:en-usos:windows10-1703-x64system
submitted
17-02-2024 05:30

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Sin título.png
Size

28KB
MD5

37e9f24b247bed8f268acf8ec1f08f69
SHA1

879b786dea7be46f8da94afae496d340312da128
SHA256

debc291862357db9a51237f838d5b27c8e8bbae4c25e23f2b629e5824db43a58
SHA512

edaa59a6dd07cb25c969428450a54b3d8aac9a4a6610e495210f0d24ff05682ede373b520952bb0b0477a3b8b7019002512da8b768eecc81145dfd2a7eee2755
SSDEEP

384:Qs0a4H9r5yTunEzgJUiLwwftlBRbfqkqyvHd:Qs0V1oTuES3ll/7Zl

Score

10^/10

chaos bootkit evasion persistence ransomware spyware stealer trojan upx

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 4 IoCs

resource	yara_rule
behavioral1/files/0x000600000001acc2-534.dat	family_chaos
behavioral1/memory/4700-543-0x00000000008C0000-0x00000000008E0000-memory.dmp	family_chaos
behavioral1/memory/3320-614-0x0000000000400000-0x00000000005D5000-memory.dmp	family_chaos
behavioral1/memory/3320-624-0x0000000000400000-0x00000000005D5000-memory.dmp	family_chaos

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3356	bcdedit.exe
4876	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4644	wbadmin.exe

Disables Task Manager via registry modification
evasion

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\covid29-is-here.txt	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1436	mbr.exe
4700	Cov29Cry.exe
2448	svchost.exe
4180	Cov29LockScreen.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3320-501-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/3320-614-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/3320-624-0x0000000000400000-0x00000000005D5000-memory.dmp	upx

Drops desktop.ini file(s) 35 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2826985972-2069816429-388129859-1000\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
45	raw.githubusercontent.com
46	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	mbr.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2826985972-2069816429-388129859-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tvypwm1y1.jpg"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
5024	vssadmin.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1400	taskkill.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133526214833827778"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2826985972-2069816429-388129859-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2826985972-2069816429-388129859-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2826985972-2069816429-388129859-1000_Classes\Local Settings	chrome.exe

Modifies registry key 1 TTPs 7 IoCs

Modify Registry

T1112

pid	Process
4152	reg.exe
3328	reg.exe
1552	reg.exe
3828	reg.exe
4532	reg.exe
4696	reg.exe
3064	reg.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2116	PING.EXE
1956	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2448	svchost.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
5116	chrome.exe
5116	chrome.exe
4700	Cov29Cry.exe
4700	Cov29Cry.exe
4700	Cov29Cry.exe
4700	Cov29Cry.exe
4700	Cov29Cry.exe
4700	Cov29Cry.exe
4700	Cov29Cry.exe
4700	Cov29Cry.exe
4700	Cov29Cry.exe
4700	Cov29Cry.exe
4700	Cov29Cry.exe
4700	Cov29Cry.exe
4700	Cov29Cry.exe
4700	Cov29Cry.exe
4700	Cov29Cry.exe
4700	Cov29Cry.exe
4700	Cov29Cry.exe
2448	svchost.exe
3332	chrome.exe
3332	chrome.exe
2448	svchost.exe
2448	svchost.exe
2448	svchost.exe
2448	svchost.exe
2448	svchost.exe
2448	svchost.exe
2448	svchost.exe
2448	svchost.exe
2448	svchost.exe
2448	svchost.exe
2448	svchost.exe
2448	svchost.exe
2448	svchost.exe
2448	svchost.exe
2448	svchost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4180	Cov29LockScreen.exe
2156	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 4512	5116	chrome.exe	76
PID 5116 wrote to memory of 4512	5116	chrome.exe	76
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 3760	5116	chrome.exe	79
PID 5116 wrote to memory of 1296	5116	chrome.exe	78
PID 5116 wrote to memory of 1296	5116	chrome.exe	78
PID 5116 wrote to memory of 944	5116	chrome.exe	80
PID 5116 wrote to memory of 944	5116	chrome.exe	80
PID 5116 wrote to memory of 944	5116	chrome.exe	80
PID 5116 wrote to memory of 944	5116	chrome.exe	80
PID 5116 wrote to memory of 944	5116	chrome.exe	80
PID 5116 wrote to memory of 944	5116	chrome.exe	80
PID 5116 wrote to memory of 944	5116	chrome.exe	80
PID 5116 wrote to memory of 944	5116	chrome.exe	80
PID 5116 wrote to memory of 944	5116	chrome.exe	80
PID 5116 wrote to memory of 944	5116	chrome.exe	80
PID 5116 wrote to memory of 944	5116	chrome.exe	80
PID 5116 wrote to memory of 944	5116	chrome.exe	80
PID 5116 wrote to memory of 944	5116	chrome.exe	80
PID 5116 wrote to memory of 944	5116	chrome.exe	80
PID 5116 wrote to memory of 944	5116	chrome.exe	80
PID 5116 wrote to memory of 944	5116	chrome.exe	80
PID 5116 wrote to memory of 944	5116	chrome.exe	80
PID 5116 wrote to memory of 944	5116	chrome.exe	80
PID 5116 wrote to memory of 944	5116	chrome.exe	80
PID 5116 wrote to memory of 944	5116	chrome.exe	80
PID 5116 wrote to memory of 944	5116	chrome.exe	80
PID 5116 wrote to memory of 944	5116	chrome.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Sin título.png"
1⤵
PID:808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffbb39a9758,0x7ffbb39a9768,0x7ffbb39a9778
  2⤵
  PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1908 --field-trial-handle=1784,i,17106894254631892509,6818451694901080596,131072 /prefetch:8
  2⤵
  PID:1296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=1784,i,17106894254631892509,6818451694901080596,131072 /prefetch:2
  2⤵
  PID:3760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2096 --field-trial-handle=1784,i,17106894254631892509,6818451694901080596,131072 /prefetch:8
  2⤵
  PID:944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=1784,i,17106894254631892509,6818451694901080596,131072 /prefetch:1
  2⤵
  PID:204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=1784,i,17106894254631892509,6818451694901080596,131072 /prefetch:1
  2⤵
  PID:4144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4488 --field-trial-handle=1784,i,17106894254631892509,6818451694901080596,131072 /prefetch:1
  2⤵
  PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 --field-trial-handle=1784,i,17106894254631892509,6818451694901080596,131072 /prefetch:8
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 --field-trial-handle=1784,i,17106894254631892509,6818451694901080596,131072 /prefetch:8
  2⤵
  PID:4296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4816 --field-trial-handle=1784,i,17106894254631892509,6818451694901080596,131072 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3364 --field-trial-handle=1784,i,17106894254631892509,6818451694901080596,131072 /prefetch:8
  2⤵
  PID:4876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1784,i,17106894254631892509,6818451694901080596,131072 /prefetch:8
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1632 --field-trial-handle=1784,i,17106894254631892509,6818451694901080596,131072 /prefetch:8
  2⤵
  PID:1260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1784,i,17106894254631892509,6818451694901080596,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3332

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3736

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\Temp1_Covid29 Ransomware.zip\TrojanRansomCovid29.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Covid29 Ransomware.zip\TrojanRansomCovid29.exe"
1⤵
PID:3320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BD7A.tmp\TrojanRansomCovid29.bat" "
  2⤵
  - Modifies registry class
  PID:4636
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\BD7A.tmp\fakeerror.vbs"
    3⤵
    PID:2304
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 2
    3⤵
    - Runs ping.exe
    PID:2116
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:3064
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:4152
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:3328
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1552
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:3828
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:4532
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:4696
- - C:\Users\Admin\AppData\Local\Temp\BD7A.tmp\mbr.exe
    mbr.exe
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:1436
- - C:\Users\Admin\AppData\Local\Temp\BD7A.tmp\Cov29Cry.exe
    Cov29Cry.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4700
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Drops desktop.ini file(s)
      Sets desktop wallpaper using registry
      Modifies registry class
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      PID:2448
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        5⤵
        
        PID:4160
      - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        6⤵
        Interacts with shadow copies
        
        PID:5024
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        
        PID:4976
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        5⤵
        
        PID:2288
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:3356
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled no
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:4876
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        5⤵
        
        PID:4664
      - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete catalog -quiet
        6⤵
        Deletes backup catalog
        
        PID:4644
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\covid29-is-here.txt
        5⤵
        
        PID:2004
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /r /t 300 /c "5 minutes to pay until you lose your data and system forever"
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 9
    3⤵
    - Runs ping.exe
    PID:1956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:1400
- - C:\Users\Admin\AppData\Local\Temp\BD7A.tmp\Cov29LockScreen.exe
    Cov29LockScreen.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4180

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4796

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:4744

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4252

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3328

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3af5855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\948aa7a4-f8e3-4a4f-b996-0be8d592049f.tmp

Filesize
6KB

MD5
a07f07453832d22b30cdd38e7ba860e3

SHA1
7e8472bdfb38822d2ebbb7b61b6632632d5748c2

SHA256
d938a32bcd2ed47650c1f60e394917364d50830cc19a8d71952167e52da22900

SHA512
fe8a17f98225577e1d62ec25dd626eb3b7a05dcbdd9fbbeb10ecf0cd33e4527d39de9bb65063dfab2435e08ac190bd87f9305208bf7c19a1461fd78d0fe16b51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
6d795e1e45c26bd98d3bff62bdebeb15

SHA1
6959ccada32057da4c33fcacb25ddd33807a93c1

SHA256
04baa5022bd55d21289d5685d79d8867ba3d4ab497a23e18ccbab8dcbdcd8933

SHA512
d257f7d536b6b18fe717787e0f0332d4d9fb98bbf906f38c5c16d9c2cc7b4b5f42f103b31a97d807b3b68bdd656dd557f9b4e479add4e661a3d0977af74e002e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
987B

MD5
908e5f1d92361caf9931e146cba74dfe

SHA1
01bca1994d7bb8970313f61664bac14a31c40da9

SHA256
181d864fab415460330b910caf99f1ef34b197255100f8cd7d002d9b92b85235

SHA512
b64b8a4cc58bd130eb471ddf50c367f879f959cbd695f3df643d5a3a532821dc59c959566804938dfbfd44d68bf018e0c462eafcae63a503af54d23b54bbd1a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2824744f8dfe34d9ae3d6d03ce6dcbfc

SHA1
dcc147f372ddecea7eda89f2e60b274af6ab0860

SHA256
aef7ed03630083aa63df1deb3106b4543efcc421b65ad57dac79036a39b88a01

SHA512
ab212ead80ec65b82e37d533fd05d451d4af305985602ebf426d3284296326eb4bd073e4cc8f0c89085ec0df3527e5e9218186218b3eb2c2258757c518aceb76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
987B

MD5
eba6d40dc921c99fc767024166f273f9

SHA1
e028ba07b1068857b8bf249c1e5c8f98244e9c1b

SHA256
fe8bc31d334d84e6a0db7d206487ed3658e31d2cbba565e56957de480bb4a653

SHA512
d31cd3e26b6c92049be3956d0ff9ebd40e1f06641834ffd2773d9c8ed940500b502fef30fefc23d0c97bcb88550a9044e8ee3262a35695718006b8797500162b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
22ff75704faef2d416a9bbe95b7c00d6

SHA1
a7067e76fd5cc2b5434027eb31fb838617dc3c0c

SHA256
63cb474bb4157372979dac08124e0b77a261afb609e16fc9f38cca09b30e2034

SHA512
213243d6d29e80645f7efdf8fd6a9b2fb9673e256a82b912cf288277d48598dec2a6546bcc4dafafc9ad75d617569140070784bbde207a9073441a36bef04544

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
496fd3bb945f916a6b15ce434f89a873

SHA1
6095a2971e78890be79f2427729b935195a5c321

SHA256
669a18fdfe2832cff9b4902d714ff6c0153f198d4dae45e058707e7fc2ab3f60

SHA512
07d9073dcb0356259cfc868d40beee452afef30c0be5518e7bddd567fdd8f5c4723115675e1854677236f938a3817d4708feb4ce66002249b5dca97a9e65a3ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
8f581b59f5a76bb257562ab053de9faa

SHA1
4d05eb4e865d659cec94fd2ee6ed28fbdc217595

SHA256
7abd31f5bfdfcf0a5ff97f1c2c258ec0cc09b096f4560a958863babd4595505f

SHA512
403bd692c614a3083f24a8b265b2c9435403ae21a7488c9782d53cad1d841e566f14de6d601a16a461beacf423a25f635d872ad12c2f4f9b761e68773e98dfa3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b330f8235a666ea7c61c378ab921697e

SHA1
ecddbe6bb190bbe8e20719440a53c3481b88c20c

SHA256
993768545dcafb0d8648054a54f9e4360bb93b725e5dfdde089ca9d7e394da3f

SHA512
b45151757189332e87f3a69cde4c0408f15d8513baa91659af5ed6ca0e734479828d3d38bba1fa3d3d204541e16a59bd48d92dccf92f8a4ead644c88f1857174

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
da2ddc7aba13d1781fec281d73e8e7e2

SHA1
a7331aeba61ecae12ed7dfb1c44838606023b510

SHA256
edce387f50a396f3df0601a9f118f8c2cbc5cf529200ccc48d885bd9796fc7cd

SHA512
25fe94fa0c675ea2fae9ed53840467b9d641a0a4eb86a25a8644f3064d66d1d8168c947f6dd2af287deb19b131a4377e946891a1d8befefd86f2edb692a166fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c286608e5ac0ad37fded54a08e92779c

SHA1
bab4900bc9c4106f661473f443b3958c20be0ceb

SHA256
06502e83bd377956a8ed8f7e174328e138a312e649c621d479a3f712dcb861b3

SHA512
278db3434110c8dcf96c2a5c1576b386d4bd62d29056b81d0053c5b3ea9e960f0b79d4f3159c36a7fa925cfa95cd4002833e415343d96dff15dc3f64a5c98216

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d642b2f51d16111006e8fdc618b0a413

SHA1
5ca8886ed97458ac2464a0acf48747b1e1be62d5

SHA256
dc1de0fd954309325c1602b0701b67b8040cb12d89981d6eb3c045d7e3f0c89c

SHA512
b70720919f501d6c74a13b4612ff515693f2f93dac71e39ea9198938290d4746bf82f59852726c81bebfe67e0706f126431309a494f4511453f11047b0487da6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7495cc345c9faa9bcfa35d8ac53772fe

SHA1
4a736db9e57c5be05f4682845d9ebb25226893e7

SHA256
59e707f3d3798cd6295a1d815ea0e4467ad6a69dfaf02b4f940fe07f71844992

SHA512
84e619946381e2987ae986d4ecda090981570f6715f45ab78e66fb2b8e639b42ed18f0694039b4242f3ceaec94ab17db6ff08992fb56c6e6657a85485be26e32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
49b3fd642844ac37121a7f424f2a5515

SHA1
50de1289a9ded1c1023f01b738e18389b6400078

SHA256
9d5f72310a9c60ffbaf9717f7d709e8645cdb0fdd8a3415f9954338fc21ed236

SHA512
1d34375a0a45e3757e9bc6e112a2c99fa0861dce943253789aabe407125889312f5c0145bbf085d92d96d19a2da73bf9a0ae359dbd814390f6afbba912025836

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9a811fe4b0b0267569f44b3cbe136dc5

SHA1
9981d6cdb7bbd86f3e7047285550c779c86fde2a

SHA256
eab47ec57d9e926b14cd8cd99bca4146488040f5a1914e99646db11b53af476f

SHA512
d1345eeda6b90ef4df9f082faddafe94ef684b3aeb47fb9a03501595d00e066171de37372928992aacb29fe827965815eac54d2656e8eff86722f0e5f9c24b10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
efd051884fbcdce7dca13f73730dde6a

SHA1
17f8986c973c33cc4dcf69451b025ad17c61c3ca

SHA256
785fc148403eeaee29504391522c040391c71ae335abe93b2823d917cfcdb40e

SHA512
121d1f0d06b5a443f9f5d36c4bb5d6db5fb832a8333b93529b90dca073da793d0e6b9beb2d307700db2b9a4d2ac0bd5112aeda307b01ddc7e0f58e0c303e6475

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
dff13fe69954f72391b7599948f8952c

SHA1
76a563eb3b4f3a14b49c3adac5865e9af7ea9cae

SHA256
40fd9121a2f912ad08001774596737acea26ff950e73e862c0902ac20eee81ed

SHA512
6662f58cb31a7caf0484177bcfd10c080b0110a867e530e27652363b3ac56ad9fb017fd8d4956b33e3c539460cc5d7e8baf87b88823efa23e6197dc5ad7da26f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e0cf4e41fccf94982656b96516102706

SHA1
36a22bf791eabdd35e9d265eb7003d92852acaaf

SHA256
9a1e6b49e5afe81e8fdf75bd83bc5b983ba1d40cb9d8003bc7cd53325cb1f0e7

SHA512
529175f4bc36ae9705b5ebf17ab24342ca20d7b299b0b15607e05881b43bfbdc973ee54e530051cbea7c06aa8f4594a847fcbd86e2d10c31751e34e5c10b2677

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
7ca878f025252dba157b8e052b7f6670

SHA1
37d6aeb3846df6c9ca6784a411ae2481179f3edd

SHA256
883add0a8a2d5aceb548fd81ad4eb71e2cdad1069170ce2a776a4b7f7f766d6b

SHA512
cd233b252cdfbbd9d98cf02346e83bed0980d40c485d54601fe1f9b68bae0b84b5e1b21558fcb2849f189f693a656a6257361b9cdbf7ef9409eb90a96bdffc6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8c0b45184dd8ba047a78ddf941e48e73

SHA1
81ca658d4b2476a06c454b41fb8ac3f0bc7010ad

SHA256
aacc5be64dbd8c5718832395826f12aa2b5528fb39109ac13c9c5a63bac1ab45

SHA512
af5572b5a826a678f14af79f169ed8ae17b341b9565d5d6335cecf4f92677c6b30dc9401741920e293e3292f53d15447df613ef37a7b2c1b09851267fbcfe968

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
9a420402d06f5bf2da11e573dddab48e

SHA1
7c10ef7bb678275279f44c42d4d3bbeb1c0073dd

SHA256
3fceeed22586cf46cc85b1c6f3937e484471f81f588828f6dc502f9f2ecd91f7

SHA512
f88721b893fdfbbdf67a0617db5d33a274bbeb8570e49db082f67e4d907115cdc5c5efb860792412ce6eeec723e49c16ef04231381ccc17ac079fbc7173ceae3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
5c2ea85912579911ab06f99bade798e3

SHA1
cdd840c9d6481b5cf49b42e4c33da2e3fae15c09

SHA256
f034ee397748aa046e976e0e20fac4bf67331b0128b2ca254f2d1a6162c3c845

SHA512
f47f177fbeb8c1196cedf61eff2f4b85c6c5c6fd4fa6caca362ad8ac82bc960e9474b48738db017bb3a067ddd82463b5d94c1ecbb723b818bbd9f2cd36520d99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
bccd9e33fa2f35866f370ce5dc8ab077

SHA1
77bb471e8e3a49f80e5069db5cb7fc522f0f960c

SHA256
8de2c183b2ca0048fdeff1a8b896ada6be1a2829bf1dc91202a2a6d69b783f09

SHA512
ada2eb935d9fe6e95edb2965a7e1c6d407e7bafddebb02d385a9e546df383172377852103ab32eceb3a92b3bfad112e9830610af5db95c367f2336f333f6f870

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
103KB

MD5
d250c07475a8873b7508d36099904206

SHA1
5c4f05243399b2e222ff11df69d5b4b2cf38b6ec

SHA256
fd0b69f1e56c4a5424c0cef7efc5b98b5127c0187b12020dd627358fe814ca80

SHA512
d732136f1496a910dcedbf1d65586aa359c56730805ca144213b90e9e080389b7a3063de4990a0094b283eaeea0f796d594bad5bc544e520a871190859001e67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe59bed2.TMP

Filesize
93KB

MD5
4a6a6ab3a8cac11e4b38c1391b6ddebf

SHA1
809f5923345c33c0e1980c902aa091e0fcf455bf

SHA256
49d63c49efbfe67c001695f7b5e44c627061edb086a4509e0abb8c5d5307b9f2

SHA512
5188504f67e0a6da6c109a25c27be50d1a09b9a83977e5298de70b57c4bcbefa0733e48a7f8bf55045c24f3e1ecce48514d7935b5f7e2365bf8cd95faaa9ef4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\BD7A.tmp\Cov29Cry.exe.death

Filesize
103KB

MD5
8bcd083e16af6c15e14520d5a0bd7e6a

SHA1
c4d2f35d1fdb295db887f31bbc9237ac9263d782

SHA256
b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a

SHA512
35999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BD7A.tmp\Cov29LockScreen.exe

Filesize
48KB

MD5
f724c6da46dc54e6737db821f9b62d77

SHA1
e35d5587326c61f4d7abd75f2f0fc1251b961977

SHA256
6cde4a9f109ae5473703c4f5962f43024d71d2138cbd889223283e7b71e5911c

SHA512
6f83dd7821828771a9cae34881c611522f6b5a567f5832f9e4b9b4b59bf495f40ad78678bd86cba59d32ea8644b4aa5f052552774fea142b9d6da625b55b6afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\BD7A.tmp\TrojanRansomCovid29.bat

Filesize
1KB

MD5
57f0432c8e31d4ff4da7962db27ef4e8

SHA1
d5023b3123c0b7fae683588ac0480cd2731a0c5e

SHA256
b82e64e533789c639d8e193b78e06fc028ea227f55d7568865120be080179afc

SHA512
bc082486503a95f8e2ce7689d31423386a03054c5e8e20e61250ca7b7a701e98489f5932eba4837e05ec935057f18633798a10f6f84573a95fcf086ee7cabcbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\BD7A.tmp\fakeerror.vbs

Filesize
144B

MD5
c0437fe3a53e181c5e904f2d13431718

SHA1
44f9547e7259a7fb4fe718e42e499371aa188ab6

SHA256
f2571f03eb9d5ee4dca29a8fec1317ded02973c5dd233d582f56cebe98544f22

SHA512
a6b488fc74dc69fc4227f92a06deb297d19cd54b0e07659f9c9a76ce15d1ef1d8fa4d607acdd03d30d3e2be2a0f59503e27fc95f03f3006e137fa2f92825e7e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BD7A.tmp\mbr.exe.danger

Filesize
1.3MB

MD5
35af6068d91ba1cc6ce21b461f242f94

SHA1
cb054789ff03aa1617a6f5741ad53e4598184ffa

SHA256
9ac99df89c676a55b48de00384506f4c232c75956b1e465f7fe437266002655e

SHA512
136e3066c6e44af30691bcd76d9af304af0edf69f350211cf74d6713c4c952817a551757194b71c3b49ac3f87a6f0aa88fb80eb1e770d0f0dd82b29bfce80169

Download Submit
C:\Users\Admin\Desktop\covid29-is-here.txt

Filesize
861B

MD5
c53dee51c26d1d759667c25918d3ed10

SHA1
da194c2de15b232811ba9d43a46194d9729507f0

SHA256
dd5b3d185ae1809407e7822de4fced945115b48cc33b2950a8da9ebd77a68c52

SHA512
da41cef03f1b5f21a1fca2cfbf1b2b180c261a75d391be3a1ba36e8d4d4aefab8db024391bbee06b99de0cb0b8eb8c89f2a304c27e20c0af171b77db33b2d12c

Download Submit
C:\Users\Admin\Downloads\Covid29 Ransomware.zip

Filesize
1.7MB

MD5
272d3e458250acd2ea839eb24b427ce5

SHA1
fae7194da5c969f2d8220ed9250aa1de7bf56609

SHA256
bbb5c6b4f85c81a323d11d34629776e99ca40e983c5ce0d0a3d540addb1c2fe3

SHA512
d05bb280775515b6eedf717f88d63ed11edbaae01321ec593ecc0725b348e9a0caacf7ebcd2c25a6e0dc79b2cdae127df5aa380b48480332a6f5cd2b32d4e55c

Download Submit
C:\Users\Admin\Downloads\Covid29 Ransomware.zip

Filesize
162KB

MD5
6a17eb59c38c0fe93b4b602cdd71b9d6

SHA1
a480ddefe8eea5ec9d9f083f4018f2857dd5fd5d

SHA256
f203599ab929614407be6487e94bd916dcfb02e3fe85c7a1abf6f70b1d8c0a89

SHA512
cef17731eed36eea4f6138aa3c5626408d863d4c2eeac72d65a17309213d499fae08b181f19b69d128d97178fb2d2ae021b69cb0f442f24462a0f5629b50d9e5

Download Submit
memory/1436-542-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2448-560-0x00007FFB9FB30000-0x00007FFBA051C000-memory.dmp

Filesize
9.9MB

Download
memory/2448-620-0x000000001BF00000-0x000000001C000000-memory.dmp

Filesize
1024KB

Download
memory/2448-638-0x000000001BF00000-0x000000001C000000-memory.dmp

Filesize
1024KB

Download
memory/2448-668-0x00007FFB9FB30000-0x00007FFBA051C000-memory.dmp

Filesize
9.9MB

Download
memory/2448-636-0x00007FFB9FB30000-0x00007FFBA051C000-memory.dmp

Filesize
9.9MB

Download
memory/3320-624-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/3320-614-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/3320-501-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/4700-561-0x00007FFB9FB30000-0x00007FFBA051C000-memory.dmp

Filesize
9.9MB

Download
memory/4700-544-0x00007FFB9FB30000-0x00007FFBA051C000-memory.dmp

Filesize
9.9MB

Download
memory/4700-543-0x00000000008C0000-0x00000000008E0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads