General

  • Target

    Covid29 Ransomware.zip

  • Size

    1.7MB

  • Sample

    241106-pqnvya1apm

  • MD5

    272d3e458250acd2ea839eb24b427ce5

  • SHA1

    fae7194da5c969f2d8220ed9250aa1de7bf56609

  • SHA256

    bbb5c6b4f85c81a323d11d34629776e99ca40e983c5ce0d0a3d540addb1c2fe3

  • SHA512

    d05bb280775515b6eedf717f88d63ed11edbaae01321ec593ecc0725b348e9a0caacf7ebcd2c25a6e0dc79b2cdae127df5aa380b48480332a6f5cd2b32d4e55c

  • SSDEEP

    49152:dSrGy+kXRl9cIXjRG8OzbgFSXACZ4UL238tvVZkKNDN0AaFlkUSan:OZlyIzRXOfZv4UrtvVZRW6i

Malware Config

Targets

    • Target

      TrojanRansomCovid29.exe

    • Size

      542KB

    • MD5

      9f0563f2faaf6b9a0f7b3cf058ac80b6

    • SHA1

      244e0ff0a5366c1607f104e7e7af4949510226ec

    • SHA256

      a8054338891db7231f9885ca0d3bc90a651c63878ff603ede5c3efafa7e25254

    • SHA512

      40cdf4c754977e60c233417e42a62be02f9b5bfe239c0378664c28757ce6ce1fc3b91b83d6ef6bb184c4d831761f57a07255526d12a3a955c3b473bddb97f4c9

    • SSDEEP

      12288:xBv407Pg09KyclZbmoYsp8L/0C7Cvb3p62STTzfGGz9oSzrfI:xh5rgjycXbm0K/EzQl/xDrfI

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Chaos family

    • UAC bypass

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Sets desktop wallpaper using registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      source/Bat To Exe Converter/Bat_To_Exe_Converter.exe

    • Size

      444KB

    • MD5

      76d5900a4adf4c1f2ab8dbfd0a450c4a

    • SHA1

      6177a27416519564ecb5d38093d61c9a81d3c290

    • SHA256

      7adc1f7ff040628a600f99465bd70e71ad83fecfe60b0f1dadc84b5d262ff350

    • SHA512

      286b05ff09d4e85856c251d56902486738d9b2457d9a56ea8a449195b349f2718816099f4602efba88dad592dd6cecefcd0748382888c3026dd585b3e46f0c6e

    • SSDEEP

      12288:iYicHMPMDp8WrZtzlqQMB/FS/CiUF7RAfoSBjF:viuMPMDp8mtzbMFFS/CzKF

    • Score

      5/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      source/Bat To Exe Converter/help.chm

    • Size

      14KB

    • MD5

      ffa8c49b21b077b0dc4b51a1f6f9a753

    • SHA1

      5fe5b4d96b266b29bd7aaf41b32394f58e7416e2

    • SHA256

      00037bfc41afacf262afda160e17d3cca33606276324e99bbd93ad1207e9a7c0

    • SHA512

      751eeaef0828ec4416569291ebf3f434208ff43405221339688ec2535cd5947d58ad4d2fd8ea073aa0554f712783f5ec8d5f42dfc4ee935d2905bc541ccd0a9b

    • SSDEEP

      192:TQ3bVqwNUWqaGA9yb6OmVbelnchhvm2I2S1O:TQLbNJqHA9YYVbCahvm280

    • Score

      1/10
    • Target

      source/Cov29Cry.exe.death

    • Size

      103KB

    • MD5

      8bcd083e16af6c15e14520d5a0bd7e6a

    • SHA1

      c4d2f35d1fdb295db887f31bbc9237ac9263d782

    • SHA256

      b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a

    • SHA512

      35999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a

    • SSDEEP

      3072:H3kyzZr9SE9RmXjSPjXvyT2cQf8WhjTRqvM:N1r9SELZDv25iVly

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Chaos family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

    • Target

      source/Cov29Cry/Chaos Ransomware Builder v4.exe

    • Size

      550KB

    • MD5

      8b855e56e41a6e10d28522a20c1e0341

    • SHA1

      17ea75272cfe3749c6727388fd444d2c970f9d01

    • SHA256

      f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77

    • SHA512

      eefab442b9c1be379e00c6a7de9d6d7d327ad8fd52d62a5744e104f6caa44f7147a8e74f340870f9c017980a3d8a5a86a05f76434539c01270c442a66b2af908

    • SSDEEP

      3072:9UJAYdi2YcRVm16Pn6tpzqJG/sX9i2YcRPm16Pn6ckCjSH5EyR9aKZt18rTu+i2S:9aiWm162qJEsNiym16ryAiym168

    • Score

      10/10
    • Target

      source/Cov29Cry/Cov29Cry.exe.death

    • Size

      103KB

    • MD5

      8bcd083e16af6c15e14520d5a0bd7e6a

    • SHA1

      c4d2f35d1fdb295db887f31bbc9237ac9263d782

    • SHA256

      b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a

    • SHA512

      35999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a

    • SSDEEP

      3072:H3kyzZr9SE9RmXjSPjXvyT2cQf8WhjTRqvM:N1r9SELZDv25iVly

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Chaos family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

    • Target

      source/Cov29LockScreen.exe

    • Size

      48KB

    • MD5

      f724c6da46dc54e6737db821f9b62d77

    • SHA1

      e35d5587326c61f4d7abd75f2f0fc1251b961977

    • SHA256

      6cde4a9f109ae5473703c4f5962f43024d71d2138cbd889223283e7b71e5911c

    • SHA512

      6f83dd7821828771a9cae34881c611522f6b5a567f5832f9e4b9b4b59bf495f40ad78678bd86cba59d32ea8644b4aa5f052552774fea142b9d6da625b55b6afc

    • SSDEEP

      768:/PjjisU9FR4GNO9OCo0/E9bx0MpO5oO4A2K8iYBo:/Pjjiz9FCrTGfmoOTrD

    • Score

      3/10
    • Target

      source/Cov29LockScreen/Cov29LockScreen.exe

    • Size

      48KB

    • MD5

      f724c6da46dc54e6737db821f9b62d77

    • SHA1

      e35d5587326c61f4d7abd75f2f0fc1251b961977

    • SHA256

      6cde4a9f109ae5473703c4f5962f43024d71d2138cbd889223283e7b71e5911c

    • SHA512

      6f83dd7821828771a9cae34881c611522f6b5a567f5832f9e4b9b4b59bf495f40ad78678bd86cba59d32ea8644b4aa5f052552774fea142b9d6da625b55b6afc

    • SSDEEP

      768:/PjjisU9FR4GNO9OCo0/E9bx0MpO5oO4A2K8iYBo:/Pjjiz9FCrTGfmoOTrD

    • Score

      3/10
    • Target

      source/TrojanRansomCovid29.bat

    • Size

      1KB

    • MD5

      57f0432c8e31d4ff4da7962db27ef4e8

    • SHA1

      d5023b3123c0b7fae683588ac0480cd2731a0c5e

    • SHA256

      b82e64e533789c639d8e193b78e06fc028ea227f55d7568865120be080179afc

    • SHA512

      bc082486503a95f8e2ce7689d31423386a03054c5e8e20e61250ca7b7a701e98489f5932eba4837e05ec935057f18633798a10f6f84573a95fcf086ee7cabcbf

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Chaos family

    • UAC bypass

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Sets desktop wallpaper using registry

    • Target

      source/mbr.exe.danger

    • Size

      1.3MB

    • MD5

      35af6068d91ba1cc6ce21b461f242f94

    • SHA1

      cb054789ff03aa1617a6f5741ad53e4598184ffa

    • SHA256

      9ac99df89c676a55b48de00384506f4c232c75956b1e465f7fe437266002655e

    • SHA512

      136e3066c6e44af30691bcd76d9af304af0edf69f350211cf74d6713c4c952817a551757194b71c3b49ac3f87a6f0aa88fb80eb1e770d0f0dd82b29bfce80169

    • SSDEEP

      24576:LT3LlvRiQNGYXCI+b1w30WgvZef6YhuQ5O3h3JMtbu:7XNGDIu8NyMtbu

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

MITRE ATT&CK Enterprise v15

Tasks

static1

  Tags: upx, chaos
  Score: 10/10

behavioral1

  Tags: chaos, bootkit, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware, spyware, stealer, trojan, upx
  Score: 10/10

behavioral2

  Tags: chaos, bootkit, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware, spyware, stealer, trojan, upx
  Score: 10/10

behavioral3

  Tags: discovery, upx
  Score: 5/10

behavioral4

  Tags: discovery, upx
  Score: 5/10

behavioral5

  Tags: (none)
  Score: 1/10

behavioral6

  Tags: (none)
  Score: 1/10

behavioral7

  Tags: chaos, defense_evasion, evasion, execution, impact, ransomware, spyware, stealer
  Score: 10/10

behavioral8

  Tags: chaos, defense_evasion, evasion, execution, impact, ransomware, spyware, stealer
  Score: 10/10

behavioral9

  Tags: chaos, ransomware
  Score: 10/10

behavioral10

  Tags: chaos, ransomware
  Score: 10/10

behavioral11

  Tags: chaos, defense_evasion, evasion, execution, impact, ransomware, spyware, stealer
  Score: 10/10

behavioral12

  Tags: chaos, defense_evasion, evasion, execution, impact, ransomware, spyware, stealer
  Score: 10/10

behavioral13

  Tags: discovery
  Score: 3/10

behavioral14

  Tags: discovery
  Score: 3/10

behavioral15

  Tags: discovery
  Score: 3/10

behavioral16

  Tags: discovery
  Score: 3/10

behavioral17

  Tags: chaos, bootkit, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware, spyware, stealer, trojan
  Score: 10/10

behavioral18

  Tags: chaos, bootkit, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware, spyware, stealer, trojan
  Score: 10/10

behavioral19

  Tags: bootkit, persistence
  Score: 6/10

behavioral20

  Tags: bootkit, discovery, persistence
  Score: 6/10