chaos | b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a | Triage

Submit
Reports

Overview

overview

Static

static

Cov29Cry.exe

windows7-x64

Cov29Cry.exe

windows10-2004-x64

Sharing

General

Target

Cov29Cry.exe.death
Size

103KB
Sample

250211-h52a9azlfk
MD5

8bcd083e16af6c15e14520d5a0bd7e6a
SHA1

c4d2f35d1fdb295db887f31bbc9237ac9263d782
SHA256

b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a
SHA512

35999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a
SSDEEP

3072:H3kyzZr9SE9RmXjSPjXvyT2cQf8WhjTRqvM:N1r9SELZDv25iVly

Score

10^/10

chaos defense_evasion discovery evasion execution impact ransomware spyware stealer

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

Cov29Cry.exe

Resource

win7-20240903-en

chaos defense_evasion evasion execution impact ransomware spyware stealer

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

Cov29Cry.exe

Resource

win10v2004-20250207-en

chaos defense_evasion discovery evasion execution impact ransomware spyware stealer

windows10-2004-x64

25 signatures

150 seconds

Malware Config

Targets

- Target
  
  Cov29Cry.exe.death
- Size
  
  103KB
- MD5
  
  8bcd083e16af6c15e14520d5a0bd7e6a
- SHA1
  
  c4d2f35d1fdb295db887f31bbc9237ac9263d782
- SHA256
  
  b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a
- SHA512
  
  35999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a
- SSDEEP
  
  3072:H3kyzZr9SE9RmXjSPjXvyT2cQf8WhjTRqvM:N1r9SELZDv25iVly
Score

10^/10

chaos defense_evasion evasion execution impact ransomware spyware stealer discovery
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Chaos family
  chaos
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Windows Management Instrumentation

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

Indicator Removal

File Deletion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Defacement

Inhibit System Recovery

Tasks

static1

behavioral1

chaosdefense_evasionevasionexecutionimpactransomwarespywarestealer

behavioral2

chaosdefense_evasiondiscoveryevasionexecutionimpactransomwarespywarestealer

© 2018-2025

Terms | Privacy