General

  • Target

    b4a6bb188816bca1edb65946c49c7439e53913165cb457ca0fafdcb91b7bf2ee

  • Size

    519KB

  • Sample

    231012-h8e77afh43

  • MD5

    5526856582dad856c83aa26b7c060729

  • SHA1

    a067c86e442f7c5dddb1617b7999f416ee28346f

  • SHA256

    b4a6bb188816bca1edb65946c49c7439e53913165cb457ca0fafdcb91b7bf2ee

  • SHA512

    4fe75e50f5e9feb8070e5de83b20ab2355597ece4343f035fed600b6ca4fd7aadb8067c7e4d2683c5bf1610a7fd24ed8d21356171996e8c2003ec21fae0b21b4

  • SSDEEP

    12288:+Ul9c/i/C01H3dfy9pxtNWtpjVf+JCZ7oaI+2tXEEEG:JCE6ZawvE

Malware Config

Extracted

Path

C:\ProgramData\Adobe\Updater6\READ-THIS.txt

Ransom Note
The Eldritch Team Don't worry, you can return all your files! All your files like documents, photos, databases and other important are encrypted You have only 24 hours to contact us, or you will never see anything, ever, again. What guarantees do we give to you? - After payment, files will no longer be encrypted You must follow these steps To decrypt your files : 1) Contact us on our e-mail [email protected] ( In case of no answer in 24 hours check your spam folder ) 2) Obtain Bitcoin (You have to pay for decryption in Bitcoins. After payment we will send you the tool that will decrypt all your files.)

Targets

    • Target

      b4a6bb188816bca1edb65946c49c7439e53913165cb457ca0fafdcb91b7bf2ee

    • Size

      519KB

    • MD5

      5526856582dad856c83aa26b7c060729

    • SHA1

      a067c86e442f7c5dddb1617b7999f416ee28346f

    • SHA256

      b4a6bb188816bca1edb65946c49c7439e53913165cb457ca0fafdcb91b7bf2ee

    • SHA512

      4fe75e50f5e9feb8070e5de83b20ab2355597ece4343f035fed600b6ca4fd7aadb8067c7e4d2683c5bf1610a7fd24ed8d21356171996e8c2003ec21fae0b21b4

    • SSDEEP

      12288:+Ul9c/i/C01H3dfy9pxtNWtpjVf+JCZ7oaI+2tXEEEG:JCE6ZawvE

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (188) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks