Overview
overview
10Static
static
10TrojanRans...29.exe
windows7-x64
10TrojanRans...29.exe
windows10-2004-x64
10source/Bat...er.exe
windows7-x64
5source/Bat...er.exe
windows10-2004-x64
5source/Bat...lp.chm
windows7-x64
1source/Bat...lp.chm
windows10-2004-x64
1source/Cov29Cry.exe
windows7-x64
10source/Cov29Cry.exe
windows10-2004-x64
10source/Cov...v4.exe
windows7-x64
10source/Cov...v4.exe
windows10-2004-x64
10source/Cov...ry.exe
windows7-x64
10source/Cov...ry.exe
windows10-2004-x64
10source/Cov...en.exe
windows7-x64
3source/Cov...en.exe
windows10-2004-x64
3source/Cov...en.exe
windows7-x64
3source/Cov...en.exe
windows10-2004-x64
3source/Tro...29.bat
windows7-x64
10source/Tro...29.bat
windows10-2004-x64
10source/mbr.exe
windows7-x64
6source/mbr.exe
windows10-2004-x64
6General
-
Target
Covid29 Ransomware.zip
-
Size
1.7MB
-
Sample
241106-pqnvya1apm
-
MD5
272d3e458250acd2ea839eb24b427ce5
-
SHA1
fae7194da5c969f2d8220ed9250aa1de7bf56609
-
SHA256
bbb5c6b4f85c81a323d11d34629776e99ca40e983c5ce0d0a3d540addb1c2fe3
-
SHA512
d05bb280775515b6eedf717f88d63ed11edbaae01321ec593ecc0725b348e9a0caacf7ebcd2c25a6e0dc79b2cdae127df5aa380b48480332a6f5cd2b32d4e55c
-
SSDEEP
49152:dSrGy+kXRl9cIXjRG8OzbgFSXACZ4UL238tvVZkKNDN0AaFlkUSan:OZlyIzRXOfZv4UrtvVZRW6i
Behavioral task
behavioral1
Sample
TrojanRansomCovid29.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
TrojanRansomCovid29.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
source/Bat To Exe Converter/Bat_To_Exe_Converter.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
source/Bat To Exe Converter/Bat_To_Exe_Converter.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
source/Bat To Exe Converter/help.chm
Resource
win7-20240729-en
Behavioral task
behavioral6
Sample
source/Bat To Exe Converter/help.chm
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
source/Cov29Cry.exe
Resource
win7-20241023-en
Behavioral task
behavioral8
Sample
source/Cov29Cry.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
source/Cov29Cry/Chaos Ransomware Builder v4.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
source/Cov29Cry/Chaos Ransomware Builder v4.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
source/Cov29Cry/Cov29Cry.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
source/Cov29Cry/Cov29Cry.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
source/Cov29LockScreen.exe
Resource
win7-20241010-en
Behavioral task
behavioral14
Sample
source/Cov29LockScreen.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
source/Cov29LockScreen/Cov29LockScreen.exe
Resource
win7-20241010-en
Behavioral task
behavioral16
Sample
source/Cov29LockScreen/Cov29LockScreen.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
source/TrojanRansomCovid29.bat
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
source/TrojanRansomCovid29.bat
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
source/mbr.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
source/mbr.exe
Resource
win10v2004-20241007-en
Malware Config
Targets
-
-
Target
TrojanRansomCovid29.exe
-
Size
542KB
-
MD5
9f0563f2faaf6b9a0f7b3cf058ac80b6
-
SHA1
244e0ff0a5366c1607f104e7e7af4949510226ec
-
SHA256
a8054338891db7231f9885ca0d3bc90a651c63878ff603ede5c3efafa7e25254
-
SHA512
40cdf4c754977e60c233417e42a62be02f9b5bfe239c0378664c28757ce6ce1fc3b91b83d6ef6bb184c4d831761f57a07255526d12a3a955c3b473bddb97f4c9
-
SSDEEP
12288:xBv407Pg09KyclZbmoYsp8L/0C7Cvb3p62STTzfGGz9oSzrfI:xh5rgjycXbm0K/EzQl/xDrfI
-
Chaos Ransomware
-
Chaos family
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Disables Task Manager via registry modification
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops desktop.ini file(s)
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Sets desktop wallpaper using registry
-
-
-
Target
source/Bat To Exe Converter/Bat_To_Exe_Converter.exe
-
Size
444KB
-
MD5
76d5900a4adf4c1f2ab8dbfd0a450c4a
-
SHA1
6177a27416519564ecb5d38093d61c9a81d3c290
-
SHA256
7adc1f7ff040628a600f99465bd70e71ad83fecfe60b0f1dadc84b5d262ff350
-
SHA512
286b05ff09d4e85856c251d56902486738d9b2457d9a56ea8a449195b349f2718816099f4602efba88dad592dd6cecefcd0748382888c3026dd585b3e46f0c6e
-
SSDEEP
12288:iYicHMPMDp8WrZtzlqQMB/FS/CiUF7RAfoSBjF:viuMPMDp8mtzbMFFS/CzKF
-
-
-
Target
source/Bat To Exe Converter/help.chm
-
Size
14KB
-
MD5
ffa8c49b21b077b0dc4b51a1f6f9a753
-
SHA1
5fe5b4d96b266b29bd7aaf41b32394f58e7416e2
-
SHA256
00037bfc41afacf262afda160e17d3cca33606276324e99bbd93ad1207e9a7c0
-
SHA512
751eeaef0828ec4416569291ebf3f434208ff43405221339688ec2535cd5947d58ad4d2fd8ea073aa0554f712783f5ec8d5f42dfc4ee935d2905bc541ccd0a9b
-
SSDEEP
192:TQ3bVqwNUWqaGA9yb6OmVbelnchhvm2I2S1O:TQLbNJqHA9YYVbCahvm280
Score1/10 -
-
-
Target
source/Cov29Cry.exe.death
-
Size
103KB
-
MD5
8bcd083e16af6c15e14520d5a0bd7e6a
-
SHA1
c4d2f35d1fdb295db887f31bbc9237ac9263d782
-
SHA256
b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a
-
SHA512
35999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a
-
SSDEEP
3072:H3kyzZr9SE9RmXjSPjXvyT2cQf8WhjTRqvM:N1r9SELZDv25iVly
-
Chaos Ransomware
-
Chaos family
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
Sets desktop wallpaper using registry
-
-
-
Target
source/Cov29Cry/Chaos Ransomware Builder v4.exe
-
Size
550KB
-
MD5
8b855e56e41a6e10d28522a20c1e0341
-
SHA1
17ea75272cfe3749c6727388fd444d2c970f9d01
-
SHA256
f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77
-
SHA512
eefab442b9c1be379e00c6a7de9d6d7d327ad8fd52d62a5744e104f6caa44f7147a8e74f340870f9c017980a3d8a5a86a05f76434539c01270c442a66b2af908
-
SSDEEP
3072:9UJAYdi2YcRVm16Pn6tpzqJG/sX9i2YcRPm16Pn6ckCjSH5EyR9aKZt18rTu+i2S:9aiWm162qJEsNiym16ryAiym168
Score10/10-
Chaos Ransomware
-
Chaos family
-
-
-
Target
source/Cov29Cry/Cov29Cry.exe.death
-
Size
103KB
-
MD5
8bcd083e16af6c15e14520d5a0bd7e6a
-
SHA1
c4d2f35d1fdb295db887f31bbc9237ac9263d782
-
SHA256
b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a
-
SHA512
35999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a
-
SSDEEP
3072:H3kyzZr9SE9RmXjSPjXvyT2cQf8WhjTRqvM:N1r9SELZDv25iVly
-
Chaos Ransomware
-
Chaos family
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
Sets desktop wallpaper using registry
-
-
-
Target
source/Cov29LockScreen.exe
-
Size
48KB
-
MD5
f724c6da46dc54e6737db821f9b62d77
-
SHA1
e35d5587326c61f4d7abd75f2f0fc1251b961977
-
SHA256
6cde4a9f109ae5473703c4f5962f43024d71d2138cbd889223283e7b71e5911c
-
SHA512
6f83dd7821828771a9cae34881c611522f6b5a567f5832f9e4b9b4b59bf495f40ad78678bd86cba59d32ea8644b4aa5f052552774fea142b9d6da625b55b6afc
-
SSDEEP
768:/PjjisU9FR4GNO9OCo0/E9bx0MpO5oO4A2K8iYBo:/Pjjiz9FCrTGfmoOTrD
Score3/10 -
-
-
Target
source/Cov29LockScreen/Cov29LockScreen.exe
-
Size
48KB
-
MD5
f724c6da46dc54e6737db821f9b62d77
-
SHA1
e35d5587326c61f4d7abd75f2f0fc1251b961977
-
SHA256
6cde4a9f109ae5473703c4f5962f43024d71d2138cbd889223283e7b71e5911c
-
SHA512
6f83dd7821828771a9cae34881c611522f6b5a567f5832f9e4b9b4b59bf495f40ad78678bd86cba59d32ea8644b4aa5f052552774fea142b9d6da625b55b6afc
-
SSDEEP
768:/PjjisU9FR4GNO9OCo0/E9bx0MpO5oO4A2K8iYBo:/Pjjiz9FCrTGfmoOTrD
Score3/10 -
-
-
Target
source/TrojanRansomCovid29.bat
-
Size
1KB
-
MD5
57f0432c8e31d4ff4da7962db27ef4e8
-
SHA1
d5023b3123c0b7fae683588ac0480cd2731a0c5e
-
SHA256
b82e64e533789c639d8e193b78e06fc028ea227f55d7568865120be080179afc
-
SHA512
bc082486503a95f8e2ce7689d31423386a03054c5e8e20e61250ca7b7a701e98489f5932eba4837e05ec935057f18633798a10f6f84573a95fcf086ee7cabcbf
-
Chaos Ransomware
-
Chaos family
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Disables Task Manager via registry modification
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Sets desktop wallpaper using registry
-
-
-
Target
source/mbr.exe.danger
-
Size
1.3MB
-
MD5
35af6068d91ba1cc6ce21b461f242f94
-
SHA1
cb054789ff03aa1617a6f5741ad53e4598184ffa
-
SHA256
9ac99df89c676a55b48de00384506f4c232c75956b1e465f7fe437266002655e
-
SHA512
136e3066c6e44af30691bcd76d9af304af0edf69f350211cf74d6713c4c952817a551757194b71c3b49ac3f87a6f0aa88fb80eb1e770d0f0dd82b29bfce80169
-
SSDEEP
24576:LT3LlvRiQNGYXCI+b1w30WgvZef6YhuQ5O3h3JMtbu:7XNGDIu8NyMtbu
Score6/10-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1Impair Defenses
1Disable or Modify Tools
1Indicator Removal
3File Deletion
3Modify Registry
4Pre-OS Boot
1Bootkit
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1