Resubmissions

08-09-2023 19:19

230908-x1zdesfa2w 10

08-09-2023 19:08

230908-xtd4xaeh7t 6

08-09-2023 19:07

230908-xs5kgaeg85 3

08-09-2023 18:58

230908-xmy6haeg56 7

08-09-2023 17:30

230908-v3hscaea96 8

General

  • Target

    Captura de pantalla 2023-03-05 184332.png

  • Size

    47KB

  • Sample

    230908-x1zdesfa2w

  • MD5

    c662c6bef8d03268babc40558500c421

  • SHA1

    33881cac944362c415ce1c000d0e6c43e7b8fd57

  • SHA256

    1be92987b9ab334d25c940577da37ccbbd417b2e4e52b97b668347d90e1eeabb

  • SHA512

    4f7f75247e717337309d73004a79a0986911fa0525f36f41dc5be3ca3a0ed2033575737ceded69895a77626cb6e90152bdb0ea16655e6a8048731301e11802be

  • SSDEEP

    768:UZ+vjsWKoGWORUYGnBAPmxVU68vKbLxY0OKZY+S7SaLeP2MeqrsP4/jx4Lbf2:UnRofGoLJ8ib75a+kSaLK2Z+sA/eO

Malware Config

Targets

    • Target

      Captura de pantalla 2023-03-05 184332.png

    • Size

      47KB

    • MD5

      c662c6bef8d03268babc40558500c421

    • SHA1

      33881cac944362c415ce1c000d0e6c43e7b8fd57

    • SHA256

      1be92987b9ab334d25c940577da37ccbbd417b2e4e52b97b668347d90e1eeabb

    • SHA512

      4f7f75247e717337309d73004a79a0986911fa0525f36f41dc5be3ca3a0ed2033575737ceded69895a77626cb6e90152bdb0ea16655e6a8048731301e11802be

    • SSDEEP

      768:UZ+vjsWKoGWORUYGnBAPmxVU68vKbLxY0OKZY+S7SaLeP2MeqrsP4/jx4Lbf2:UnRofGoLJ8ib75a+kSaLK2Z+sA/eO

    • Chimera

      Ransomware which infects local and network files, often distributed via Dropbox links.

    • Chimera Ransomware Loader DLL

      Drops/unpacks executable file which resembles Chimera's Loader.dll.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Renames multiple (4029) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Office macro that triggers on suspicious action

      Office document macro which triggers in special circumstances - often malicious.

    • Suspicious Office macro

      Office document equipped with macros.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks