Overview

overview

10

Static

static

Trojan-Ran...b0.exe

windows7-x64

10

Trojan-Ran...b0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    129s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    29-09-2022 12:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Trojan-Ransom.Win32.Chimera.l-ffb4a81fc336b1d77c81eef96eab0a5249ebb053c8920dd0c02e1d9f3ac257b0.exe

  • Size

    384KB

  • MD5

    e6922a68fca90016584ac48fc7722ef8

  • SHA1

    a039ae3f86f31a569966a94ad45dbe7e87f118ad

  • SHA256

    ffb4a81fc336b1d77c81eef96eab0a5249ebb053c8920dd0c02e1d9f3ac257b0

  • SHA512

    33671f3ce8ae5ce1b2852aeb3a601db82b9b8c83bc682abdebf69fb96d878edeb91a21183f1f456d18dd5ed59c797389de912c627d060866fccb580548c96319

  • SSDEEP

    3072:2FHH5FeD8D/6XyNj41ozQDameUGkI81m9+ntccr8jQSaeA83KHGcQ3f4MdwtTDKd:2h5AD876CNmhza9V88A8rcw4MdmxqA

Score
10/10
chimeraransomwarespywarestealer

Malware Config

Signatures

  • Chimera 64 IoCs

    Ransomware which infects local and network files, often distributed via Dropbox links.

    ransomwarechimera
  • Chimera Ransomware Loader DLL 1 IoCs

    Drops/unpacks executable file which resembles Chimera's Loader.dll.

    ransomware
  • Modifies extensions of user files 9 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 37 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 35 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Chimera.l-ffb4a81fc336b1d77c81eef96eab0a5249ebb053c8920dd0c02e1d9f3ac257b0.exe
    "C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Chimera.l-ffb4a81fc336b1d77c81eef96eab0a5249ebb053c8920dd0c02e1d9f3ac257b0.exe"
    1⤵
    • Chimera
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1532
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Music\YOUR_FILES_ARE_ENCRYPTED.HTML"
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:540
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:540 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1600

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    340B

    MD5

    ac7ac6856b451d46df9a85c0c87c0627

    SHA1

    d5beffce5c82dc7a496e5a53ca5529be3bc8ced9

    SHA256

    67a7ba9d54b52050657b3b99c1c736b07680b786eb9aad1a26dfe4d706207666

    SHA512

    620377813e5d7cbb92dfa0602a8159717f4f21820bdbe8ac7a25c21b2fe2ad6dd2da66fcd372b8a5e2b55affa65508eb380d564993c15590494fc315b1b54d5d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KZAX2G3S.txt
    Filesize

    607B

    MD5

    1e307dceccd82b98ed846df2b02c2fec

    SHA1

    71b31886e66eea797d95237c1478030fe2c6f25e

    SHA256

    18e96999b1cc4ea004a59c86379041afb281097bf5753e911c09af534cff2e9f

    SHA512

    00390a18add30011820c126da784dab5975af52e36ba1c6ac846f1a5b660d8bcf9b7fd9c5597060022735ecd715426f36171ca8ee0efbd1aa62e2e4c526854a7

    Download Submit

  • C:\Users\Admin\Music\YOUR_FILES_ARE_ENCRYPTED.HTML
    Filesize

    4KB

    MD5

    55c04ca9d72bab44c6238349d4f1fb1c

    SHA1

    616f0ff5b1fb01410d952b9b3fd0e2ba120345fb

    SHA256

    a7e889f0c643dea1bb1741f0b42b9409e12382dd8b017752afa1a7b4b6da08f3

    SHA512

    9bbabff6e4ee7689d5c358aef4a0bd4a2817fc3fe8ab97c00aae52bff3a047e671d98c4ed4c96e9496473d989cb89719899a2e042bf28216d82d49f8655b6bc5

    Download Submit

  • memory/1532-54-0x0000000075091000-0x0000000075093000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1532-55-0x0000000010000000-0x0000000010010000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1532-59-0x0000000074110000-0x00000000746BB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1532-60-0x00000000005F4000-0x000000000060A000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1532-61-0x0000000000960000-0x000000000097A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1532-62-0x0000000074110000-0x00000000746BB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1532-63-0x00000000005F4000-0x000000000060A000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1532-64-0x0000000000960000-0x000000000097A000-memory.dmp

    Filesize

    104KB

    Download