General

  • Target

    NEAS.0d7a640fb05d0ecb9411f6db89dcfefc4407c390aa616ea8b98ab2429f0ece0e_JC.exe

  • Size

    27KB

  • Sample

    231007-yr4r8afa5x

  • MD5

    f924c242f4a8691531d4113eaf559c93

  • SHA1

    4e6d64ecacfc679cf69391369ee42d4d03004429

  • SHA256

    0d7a640fb05d0ecb9411f6db89dcfefc4407c390aa616ea8b98ab2429f0ece0e

  • SHA512

    8d9ca8fd5e7444b1e9ec73afd738b26d792304d129f6a6a69312a9ae0744e4a882b04fe767dac2cd9b5ad67698658256bbd4f44dc8c0af2eda045fa2ae83ebb2

  • SSDEEP

    384:ktWZPzzxAm1vp5ZRoDNhvLKeOS2NiNWlCOy5o91yXpD82vW:p7zxAmpfyzeeOSSiXho9mN82e

Malware Config

Extracted

Path

C:\ProgramData\Adobe\Updater6\read_it.txt

Ransom Note
Don't worry, you can return all your files! All your files like documents, photos, databases and other important are encrypted What guarantees do we give to you? You can send 3 of your encrypted files and we decrypt it for free. You must follow these steps To decrypt your files : 1) Write on our e-mail :[email protected] ( In case of no answer in 24 hours check your spam folder or write us to this e-mail: [email protected]) 2) Obtain Bitcoin (You have to pay for decryption in Bitcoins. After payment we will send you the tool that will decrypt all your files.)

Targets

    • Target

      NEAS.0d7a640fb05d0ecb9411f6db89dcfefc4407c390aa616ea8b98ab2429f0ece0e_JC.exe

    • Size

      27KB

    • MD5

      f924c242f4a8691531d4113eaf559c93

    • SHA1

      4e6d64ecacfc679cf69391369ee42d4d03004429

    • SHA256

      0d7a640fb05d0ecb9411f6db89dcfefc4407c390aa616ea8b98ab2429f0ece0e

    • SHA512

      8d9ca8fd5e7444b1e9ec73afd738b26d792304d129f6a6a69312a9ae0744e4a882b04fe767dac2cd9b5ad67698658256bbd4f44dc8c0af2eda045fa2ae83ebb2

    • SSDEEP

      384:ktWZPzzxAm1vp5ZRoDNhvLKeOS2NiNWlCOy5o91yXpD82vW:p7zxAmpfyzeeOSSiXho9mN82e

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v15

Tasks