Analysis

  • max time kernel
    144s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-09-2022 12:38

General

  • Target

    Trojan-Ransom.Win32.Chimera.l-ffb4a81fc336b1d77c81eef96eab0a5249ebb053c8920dd0c02e1d9f3ac257b0.exe

  • Size

    384KB

  • MD5

    e6922a68fca90016584ac48fc7722ef8

  • SHA1

    a039ae3f86f31a569966a94ad45dbe7e87f118ad

  • SHA256

    ffb4a81fc336b1d77c81eef96eab0a5249ebb053c8920dd0c02e1d9f3ac257b0

  • SHA512

    33671f3ce8ae5ce1b2852aeb3a601db82b9b8c83bc682abdebf69fb96d878edeb91a21183f1f456d18dd5ed59c797389de912c627d060866fccb580548c96319

  • SSDEEP

    3072:2FHH5FeD8D/6XyNj41ozQDameUGkI81m9+ntccr8jQSaeA83KHGcQ3f4MdwtTDKd:2h5AD876CNmhza9V88A8rcw4MdmxqA

Malware Config

Signatures

  • Chimera 64 IoCs

    Ransomware which infects local and network files, often distributed via Dropbox links.

  • Chimera Ransomware Loader DLL 1 IoCs

    Drops/unpacks executable file which resembles Chimera's Loader.dll.

  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 27 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Chimera.l-ffb4a81fc336b1d77c81eef96eab0a5249ebb053c8920dd0c02e1d9f3ac257b0.exe
    "C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Chimera.l-ffb4a81fc336b1d77c81eef96eab0a5249ebb053c8920dd0c02e1d9f3ac257b0.exe"
    1⤵
    • Chimera
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2772
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Music\YOUR_FILES_ARE_ENCRYPTED.HTML"
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3804
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3804 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1060

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    471B

    MD5

    a042902dbdea921b2f46c7d0198c9ccd

    SHA1

    c8deb19ba5d251f44c2bbcbf52340123bc9f1da8

    SHA256

    abbd85d1c316255702f6a692c549a64ede98dc77b2db39c562ffcd34002345b7

    SHA512

    9a4863916f16fa2636cfdb46d7403b0d263db0b155c13264c9f95bcf87122fe5659edae41f2fb6cd7a440e0073c1a66fc12e65b1f9a6d7de3bb6825e0e6c5d9c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    404B

    MD5

    7f784bbf9017d38d7067a8ebf3857c68

    SHA1

    afae4ec7ab9761aed831750cf03cdc54c06481d8

    SHA256

    572f2e6a60628ade7f4623a7bd3af463a81a8cd340f544e1a5a3343d270fc172

    SHA512

    70a34eabc4bb837bad5dcb6db83f3046c3806a0ca9d66d76661f564b54537af11c68fe61ae838eba47c2ea4ab4db8b5e453e0e6cea3c9ce1a214969cd02094db

  • C:\Users\Admin\Favorites\Links\YOUR_FILES_ARE_ENCRYPTED.HTML

    Filesize

    4KB

    MD5

    0d17e5c197ef2253690fb1e24052afb2

    SHA1

    30c710b5cf522de793b900c1369d09bfe8778d81

    SHA256

    7ffba266ca23e38d108c1b2f3e31daaf528a719fa61a9426fec70f31bd52a7a1

    SHA512

    4ffec72d231b922158a6743291e94393d7de4bedaaebd2403523d134104f014aa81570dcabc0aa80ccb30db81d5f6a235b43c60c7c485a30d266ba6ffdeac0da

  • C:\Users\Admin\Favorites\YOUR_FILES_ARE_ENCRYPTED.HTML

    Filesize

    4KB

    MD5

    0d17e5c197ef2253690fb1e24052afb2

    SHA1

    30c710b5cf522de793b900c1369d09bfe8778d81

    SHA256

    7ffba266ca23e38d108c1b2f3e31daaf528a719fa61a9426fec70f31bd52a7a1

    SHA512

    4ffec72d231b922158a6743291e94393d7de4bedaaebd2403523d134104f014aa81570dcabc0aa80ccb30db81d5f6a235b43c60c7c485a30d266ba6ffdeac0da

  • C:\Users\Admin\Music\YOUR_FILES_ARE_ENCRYPTED.HTML

    Filesize

    4KB

    MD5

    0d17e5c197ef2253690fb1e24052afb2

    SHA1

    30c710b5cf522de793b900c1369d09bfe8778d81

    SHA256

    7ffba266ca23e38d108c1b2f3e31daaf528a719fa61a9426fec70f31bd52a7a1

    SHA512

    4ffec72d231b922158a6743291e94393d7de4bedaaebd2403523d134104f014aa81570dcabc0aa80ccb30db81d5f6a235b43c60c7c485a30d266ba6ffdeac0da

  • memory/2772-132-0x00000000745F0000-0x0000000074BA1000-memory.dmp

    Filesize

    5.7MB

  • memory/2772-133-0x0000000010000000-0x0000000010010000-memory.dmp

    Filesize

    64KB

  • memory/2772-137-0x0000000000AF5000-0x0000000000B0C000-memory.dmp

    Filesize

    92KB

  • memory/2772-138-0x0000000004D80000-0x0000000004D9A000-memory.dmp

    Filesize

    104KB

  • memory/2772-139-0x00000000745F0000-0x0000000074BA1000-memory.dmp

    Filesize

    5.7MB

  • memory/2772-141-0x0000000004D80000-0x0000000004D9A000-memory.dmp

    Filesize

    104KB

  • memory/2772-140-0x0000000000AF5000-0x0000000000B0C000-memory.dmp

    Filesize

    92KB