General

  • Target

    svchost.exe

  • Size

    26KB

  • Sample

    231016-138lnafh6w

  • MD5

    77621bd052797e738ed47a9a4db1beea

  • SHA1

    4417200e540a377b298613edfbc56cd8c09d38f2

  • SHA256

    bff457cb492f8286fcb5904231f033529b0dade3a3bf615a1674ffe5e6ca303b

  • SHA512

    179c674fee62444a233f655d64dc841b50e9c3585f7464d3d5c9b058860028fe5405cb71f3f77a136adb52e087dcfbc2fc09e0a6a0e334a2f68cc93053336878

  • SSDEEP

    384:etWZPzzxAm1vGdUOGKFKAUa5FKW6pVnAQ5NYlFOy5o91A/ba82vz:D7zxAmGGdu5z6pGQ5Oho9CG827

Malware Config

Targets

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (184) files with added filename extension

      This suggests ransomware activity: the sample is encrypting files across the system and appending its own extension.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v15

Tasks