Resubmissions

05/10/2023, 13:45

231005-q2jwssbd8z 10

05/10/2023, 13:25

231005-qnyg2adb98 10

General

  • Target

    7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c

  • Size

    4.1MB

  • Sample

    231005-q2jwssbd8z

  • MD5

    b1b5d6204253f7d60330b4146365ef5a

  • SHA1

    074e5e4894812ffc17a2a2ab5a44ceea266dcf78

  • SHA256

    7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c

  • SHA512

    64834d5b2574ef3089eadfb7ca1a803391d705be7237e13837ac6a9d894893fefbdde6914a997a538e2a79a541916096886e23d53b22244238d238d4720fdac8

  • SSDEEP

    98304:2sgW9rfApQAQ5yzwO1Y/4kXG7tUkbcQ+fSRxyDIXZfS6QZnn:2shlMrQ5yzwOC/nXG7NcbfSRcDgVr2n

Malware Config

Targets

    • Target

      7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c

    • Size

      4.1MB

    • MD5

      b1b5d6204253f7d60330b4146365ef5a

    • SHA1

      074e5e4894812ffc17a2a2ab5a44ceea266dcf78

    • SHA256

      7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c

    • SHA512

      64834d5b2574ef3089eadfb7ca1a803391d705be7237e13837ac6a9d894893fefbdde6914a997a538e2a79a541916096886e23d53b22244238d238d4720fdac8

    • SSDEEP

      98304:2sgW9rfApQAQ5yzwO1Y/4kXG7tUkbcQ+fSRxyDIXZfS6QZnn:2shlMrQ5yzwOC/nXG7NcbfSRcDgVr2n

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • UAC bypass

    • Windows security bypass

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Manipulates WinMonFS driver.

      Roottkits write to WinMonFS to hide directories/files from being detected.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks