General

  • Target

    adawarewebinstaller.bin.exe

  • Size

    137KB

  • Sample

    230206-yvzbxaah8x

  • MD5

    9b02b542834573f9502ca83719a73a01

  • SHA1

    f3bc7cf16eec977772455f3fce87fed505fb18e3

  • SHA256

    e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14

  • SHA512

    290c7a5bfc921817d1803ddbe8dd07210301082498945bcabdb597368f92c6fc1050cefec514e6d250571cb4afd6427d8e4ab7cd15d7a46a44cb088cd4d1b031

  • SSDEEP

    3072:Eoy7AHYqr9ACDYVbu4sijUtSWnFA22WnVaxs2gzx+IjBz2:0mr9AHVycjUgWnFAGms2gzoch

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\andrianov.txt

Ransom Note

Your Personal Files has been Encrypted and Locked

Your documents, photos, databases and other important files have been encrypted with strongest encryption and locked with unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key.

Caution: Removing of Blackhat will not restore access to your encrypted files.

Frequently Asked Questions

What happened to my files ? understanding the issue
How can i get my files back ? the only way to restore your files
What should i do next ? Buy decryption key

Now you have the last chance to decrypt your files.
1. Buy Bitcoin (https://blockchain.info)
2. Send amount of 200 dollar to address: to 3QpLGGaeFwxtV61p1bBUpTBzPcKdtPQpNA
3. Transaction will take about 15-30 minutes to confirm.
4. When transaction is confirmed, send email to us at leonid.andrianoviaa@mail.ru

Click here to restore and recovery your files

Emails

leonid.andrianoviaa@mail.ru

Wallets

3QpLGGaeFwxtV61p1bBUpTBzPcKdtPQpNA

Targets

    • Target

      adawarewebinstaller.bin.exe

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    T1059 Command-Line Interface (1)

  • Defense Evasion

    T1107 File Deletion (3)
    T1112 Modify Registry (1)

  • Credential Access

    T1081 Credentials in Files (1)

  • Discovery

    T1012 Query Registry (2)
    T1082 System Information Discovery (3)
    T1120 Peripheral Device Discovery (1)

  • Collection

    T1005 Data from Local System (1)

  • Impact

    T1490 Inhibit System Recovery (4)
    T1491 Defacement (1)

Tasks