General

  • Target

    f1167808.exe

  • Size

    23KB

  • Sample

    231015-pamypshc22

  • MD5

    a88a0aa62a9e29cc30948b721e9e8b52

  • SHA1

    45b71da84aca13b69dd9c8cb21b815260c23a215

  • SHA256

    9d70b9e0df50aedb0a5864fc53b4c738b5725e4fec5286f723b52eef0c709211

  • SHA512

    0a2f9dc57e81dd2d234e934562ad4951565c6f6b47b587e5cadc6b4041b1dbaff4e4c60b19b3156ceecf3ea8c7b3d9559a3fc1da219af00c47145a909ba7c18a

  • SSDEEP

    384:X3Mg/bqo2klNxFd8wOpupHDKB+98cJ6r91CjEcfSeO:Bqo2ixFWwppHDuN06r9uEcKeO

Malware Config

Extracted

Path

C:\Users\Admin\Documents\bitdecrypter.txt

Ransom Note

coinlocker

All of your files have been encrypted

Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.

What can I do to get my files back?

You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer. The price for the software is 100 btc. Payment can be made in Bitcoin only.

How do I pay, where do I get Bitcoin?

Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: coinbase, kraken

Payment information

Amount: 100 BTC
Bitcoin Address: 3BrbefoFF6oFyYYhXPSBGVMLWNHDHSL3rK
[email protected]

Wallets

3BrbefoFF6oFyYYhXPSBGVMLWNHDHSL3rK

Targets

    • Target

      f1167808.exe

    • Size

      23KB

    • MD5

      a88a0aa62a9e29cc30948b721e9e8b52

    • SHA1

      45b71da84aca13b69dd9c8cb21b815260c23a215

    • SHA256

      9d70b9e0df50aedb0a5864fc53b4c738b5725e4fec5286f723b52eef0c709211

    • SHA512

      0a2f9dc57e81dd2d234e934562ad4951565c6f6b47b587e5cadc6b4041b1dbaff4e4c60b19b3156ceecf3ea8c7b3d9559a3fc1da219af00c47145a909ba7c18a

    • SSDEEP

      384:X3Mg/bqo2klNxFd8wOpupHDKB+98cJ6r91CjEcfSeO:Bqo2ixFWwppHDuN06r9uEcKeO

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (185) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Renames multiple (199) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v15

Tasks