General

  • Target

    49aca08f5b259860364fc224601a944aa17161bb1da688e24621038457472d24.zip

  • Size

    21KB

  • Sample

    230321-rwynfaba59

  • MD5

    012e4c4c91c91cf63aa32830fe36327e

  • SHA1

    29e52888ba46100642e1bb53aa93ef178ed7a6c2

  • SHA256

    ee1a5655838454e6e534fcd227c7fac4a7d0848694bc6dad78527a497ab0808b

  • SHA512

    b6a2b548c0fc7c33bb99d4148f0d4f93032b1997d5e1244f0c8d72b0b3972a0405eebec833bd422e1209b481592e0db759bd2e1df8844ff95a7cadce94eecd0e

  • SSDEEP

    384:bD96Ldy+GTelr3fiAvKs+u4KFOmUTWzJm94GAHJvy96cQuzf6bIe:bDU4+7lbfiAys+HKFOrTWzQ2dJvyMc5C

Malware Config

Extracted

Path

C:\Users\Admin\لفك تشفير ملفات اضغط هنا  (Arabic file name; in English: "To decrypt files, click here")

Family

chaos

Ransom Note
----> Chaos is multi language ransomware. Translate your note to any language <----

All of your files have been encrypted
Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.

What can I do to get my files back?
Contact me to decrypt your files : https://t.me/+aZZ3tv3FBVM5ODk8
URLs

https://t.me/+aZZ3tv3FBVM5ODk8

Targets

    • Target

      49aca08f5b259860364fc224601a944aa17161bb1da688e24621038457472d24.exe

    • Size

      44KB

    • MD5

      7977bc8781a00875b4d465bc2a90d5d4

    • SHA1

      9f4b2858edcff694fee76636bf8cf33a366fc237

    • SHA256

      49aca08f5b259860364fc224601a944aa17161bb1da688e24621038457472d24

    • SHA512

      245d65b9301b759097cded2a2f078e4e41c7b68e303a71fccd465a6fa230b48e13e571c4e57e03710934a5e6b9536ed634e0edc502ba35433b02147760e5f05b

    • SSDEEP

      768:0AxEin+Z8W9KCZLhaY4m9lUOmMayPpfHlynRUhMgAA9dEmCJ:7xESW9KC1hxJ9lJPQLH

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Volume Shadow Copies are deleted so that encrypted files cannot be restored from previous versions; ransomware commonly does this to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check before encrypting.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry
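The signatures above describe the host-side behaviour that is worth alerting on, independent of this sample's hashes. The following is an added example, not code from the sandbox report or from the Chaos family itself: a small triage routine that maps those behaviours to ATT&CK techniques and runs them over process-creation and registry-set events in a Sysmon-like shape. The events are constructed for the demo (the `S-1-5-21-1234` SID, the `payload.exe` drop name and the wallpaper path are placeholders, not indicators from this report); the command lines are the generic recovery-inhibition commands the report's "shadow copies", "bcdedit" and "wbadmin" signatures refer to.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed Sysmon-style events (not taken from the sandbox report).
# id 1 = process create, id 13 = registry value set.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin delete shadows /all /quiet"},
    {"id": 1, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": "wmic shadowcopy delete"},
    {"id": 1, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmd": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"id": 1, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"id": 1, "image": r"C:\Windows\System32\wbadmin.exe",
     "cmd": "wbadmin delete catalog -quiet"},
    # Placeholder SID and value names; the drop name "payload.exe" is hypothetical.
    {"id": 13, "target": r"HKU\S-1-5-21-1234\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "details": "DWORD (0x00000001)"},
    {"id": 13, "target": r"HKU\S-1-5-21-1234\Software\Microsoft\Windows\CurrentVersion\Run\payload",
     "details": r"C:\Users\Admin\AppData\Roaming\payload.exe"},
    {"id": 13, "target": r"HKU\S-1-5-21-1234\Control Panel\Desktop\WallPaper",
     "details": r"C:\Users\Admin\AppData\Local\Temp\wallpaper.jpg"},
    # Benign noise that must not fire anything.
    {"id": 1, "image": r"C:\Windows\explorer.exe", "cmd": "notepad.exe notes.txt"},
]


@dataclass(frozen=True)
class Rule:
    name: str            # signature name as the report phrases it
    technique: str       # ATT&CK Enterprise technique ID
    event_id: int        # which event type the rule inspects
    pattern: re.Pattern  # matched against the command line (id 1) or registry path (id 13)
    value_pattern: Optional[re.Pattern] = None  # optional check on the registry value


RULES = [
    Rule("Deletes shadow copies", "T1490", 1,
         re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    Rule("Modifies boot configuration data using bcdedit", "T1490", 1,
         re.compile(r"\bbcdedit(\.exe)?\s+/set\s+.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    Rule("Deletes backup catalog", "T1490", 1,
         re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    Rule("Disables Task Manager via registry modification", "T1112", 13,
         re.compile(r"\\Policies\\System\\DisableTaskMgr$", re.I),
         re.compile(r"0x0*1\)?$")),            # only fire when the DWORD is set to 1
    Rule("Adds Run key to start application", "T1547.001", 13,
         re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.I)),
    Rule("Sets desktop wallpaper using registry", "T1491.001", 13,
         re.compile(r"\\Control Panel\\Desktop\\WallPaper$", re.I)),
]


@dataclass(frozen=True)
class Hit:
    rule: str
    technique: str
    evidence: str


def match(rule: Rule, event: dict) -> Optional[Hit]:
    """Return a Hit if the event satisfies the rule, else None."""
    if event["id"] != rule.event_id:
        return None
    subject = event["cmd"] if rule.event_id == 1 else event["target"]
    if not rule.pattern.search(subject):
        return None
    if rule.value_pattern and not rule.value_pattern.search(event.get("details", "")):
        return None
    return Hit(rule.name, rule.technique, subject)


def triage(events: list) -> list:
    """Run every rule over every event; order of hits follows the event order."""
    return [hit for ev in events for rule in RULES if (hit := match(rule, ev))]


def inhibits_recovery(hits: list) -> bool:
    """True when at least two distinct T1490 behaviours fired, the pattern of a
    ransomware pre-encryption stage rather than a lone administrative command."""
    return len({h.rule for h in hits if h.technique == "T1490"}) >= 2


if __name__ == "__main__":
    found = triage(EVENTS)
    for h in found:
        print(f"[{h.technique}] {h.rule}: {h.evidence}")
    print("Inhibit System Recovery pattern:", inhibits_recovery(found))
```

The `inhibits_recovery` threshold is the practical point: a single `vssadmin delete shadows` can be an admin cleaning up disk space, but shadow-copy deletion together with `bcdedit` recovery changes or a `wbadmin` catalog wipe, all from the same session, is the sequence worth paging on before the encryption pass finishes.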
