chimera | 3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80

General

Target

haywood.ps1
Size

1.4MB
MD5

d87fcd8d2bf450b0056a151e9a116f72
SHA1

48cb6bdbe092e5a90c778114b2dda43ce3221c9f
SHA256

3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80
SHA512

61a636aca3d224dcd2ed29ca000cf0ecf88f51ffd7cb5182ea4599c9e889cb74b78824d93c7383457bd6d591506202527d44c6a15c93a9ab9cfc8230faddd04b

Score

10^/10

persistence ransomware chimera spyware

Malware Config

Signatures

Chimera
Ransomware which infects local and network files, often distributed via Dropbox links.
ransomware chimera
Blacklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 1948 powershell.exe
Drops startup file 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\YOUR_FILES_ARE_ENCRYPTED.HTML powershell.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
4	1948	powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\YOUR_FILES_ARE_ENCRYPTED.HTML	powershell.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exe

pid process

1768 powershell.exe
1768 powershell.exe
1948 powershell.exe

pid	process
1768	powershell.exe
1768	powershell.exe
1948	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeBackupPrivilege	1444	vssvc.exe
Token: SeRestorePrivilege	1444	vssvc.exe
Token: SeAuditPrivilege	1444	vssvc.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

powershell.execsc.exepowershell.execsc.exe

description	pid	process	target process
PID 1768 wrote to memory of 1912	1768	powershell.exe	csc.exe
PID 1768 wrote to memory of 1912	1768	powershell.exe	csc.exe
PID 1768 wrote to memory of 1912	1768	powershell.exe	csc.exe
PID 1912 wrote to memory of 1916	1912	csc.exe	cvtres.exe
PID 1912 wrote to memory of 1916	1912	csc.exe	cvtres.exe
PID 1912 wrote to memory of 1916	1912	csc.exe	cvtres.exe
PID 1768 wrote to memory of 1948	1768	powershell.exe	powershell.exe
PID 1768 wrote to memory of 1948	1768	powershell.exe	powershell.exe
PID 1768 wrote to memory of 1948	1768	powershell.exe	powershell.exe
PID 1768 wrote to memory of 1948	1768	powershell.exe	powershell.exe
PID 1948 wrote to memory of 1644	1948	powershell.exe	csc.exe
PID 1948 wrote to memory of 1644	1948	powershell.exe	csc.exe
PID 1948 wrote to memory of 1644	1948	powershell.exe	csc.exe
PID 1948 wrote to memory of 1644	1948	powershell.exe	csc.exe
PID 1644 wrote to memory of 1596	1644	csc.exe	cvtres.exe
PID 1644 wrote to memory of 1596	1644	csc.exe	cvtres.exe
PID 1644 wrote to memory of 1596	1644	csc.exe	cvtres.exe
PID 1644 wrote to memory of 1596	1644	csc.exe	cvtres.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\haywood.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ffhe4glx\ffhe4glx.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES206B.tmp" "c:\Users\Admin\AppData\Local\Temp\ffhe4glx\CSC39887E46EA414858859E17EBB57BEB.TMP"
3⤵
PID:1916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\haywood.ps1"
2⤵
- Blacklisted process makes network request
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sqxtdbbp\sqxtdbbp.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A12.tmp" "c:\Users\Admin\AppData\Local\Temp\sqxtdbbp\CSC83BDB1C516BC433EBBF43137ABFF4B8D.TMP"
4⤵
PID:1596

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1444

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES206B.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3A12.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffhe4glx\ffhe4glx.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqxtdbbp\sqxtdbbp.dll

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ffhe4glx\CSC39887E46EA414858859E17EBB57BEB.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ffhe4glx\ffhe4glx.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ffhe4glx\ffhe4glx.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sqxtdbbp\CSC83BDB1C516BC433EBBF43137ABFF4B8D.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sqxtdbbp\sqxtdbbp.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sqxtdbbp\sqxtdbbp.cmdline

Download Submit
memory/1596-47-0x0000000000000000-mapping.dmp

Download
memory/1644-44-0x0000000000000000-mapping.dmp

Download
memory/1768-4-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/1768-3-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/1768-2-0x000000001AAC0000-0x000000001AAC1000-memory.dmp

Filesize
4KB

Download
memory/1768-13-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/1768-5-0x000000001B810000-0x000000001B811000-memory.dmp

Filesize
4KB

Download
memory/1768-0-0x000007FEF6790000-0x000007FEF717C000-memory.dmp

Filesize
9.9MB

Download
memory/1768-1-0x0000000001F90000-0x0000000001F91000-memory.dmp

Filesize
4KB

Download
memory/1912-6-0x0000000000000000-mapping.dmp

Download
memory/1916-9-0x0000000000000000-mapping.dmp

Download
memory/1936-53-0x000007FEF6440000-0x000007FEF66BA000-memory.dmp

Filesize
2.5MB

Download
memory/1948-18-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/1948-40-0x0000000006530000-0x0000000006531000-memory.dmp

Filesize
4KB

Download
memory/1948-41-0x0000000006550000-0x0000000006551000-memory.dmp

Filesize
4KB

Download
memory/1948-27-0x00000000058C0000-0x00000000058C1000-memory.dmp

Filesize
4KB

Download
memory/1948-19-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/1948-32-0x00000000062D0000-0x00000000062D1000-memory.dmp

Filesize
4KB

Download
memory/1948-17-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/1948-16-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/1948-15-0x0000000073810000-0x0000000073EFE000-memory.dmp

Filesize
6.9MB

Download
memory/1948-14-0x0000000000000000-mapping.dmp

Download
memory/1948-51-0x0000000006640000-0x0000000006641000-memory.dmp

Filesize
4KB

Download
memory/1948-33-0x00000000063C0000-0x00000000063C1000-memory.dmp

Filesize
4KB

Download
memory/1948-54-0x0000000006A7F000-0x0000000006A8F000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads