General

  • Target

    B4ZDS.ps1

  • Size

    493B

  • Sample

    240119-xgmwaacbh6

  • MD5

    100782038a6f5875ad82a97aba1f0a78

  • SHA1

    12729f2ffc46a08105ceb10e0e65f2e96602b677

  • SHA256

    b77228530068b5deecd20933e07583c378bfe89d683ed6688841bad9b95999c2

  • SHA512

    bfdf367b8c34d21f42e21f0b84da02d449713399781eb26a6e5917416eef7b67e58fd9168d0ad73429f21cd781c8d945648bf77c9c5fb789a1754e86d5a143de

Malware Config

Extracted

  • Language

    ps1

  • Source

    exe.dropper

  • URLs

    https://onedrive.live.com/download?resid=846C4BBAB6D55AB3%212039&authkey=!APwZ1i5uaKqkI8U

Extracted

  • Path

    C:\Users\Admin\Contacts\READ_ME.txt

  • Ransom Note

    Don't worry, you can return all your files!
    All your files like documents, photos, databases and other important are encrypted
    What guarantees do we give to you?
    You can send 3 of your encrypted files and we decrypt it for free.
    send everything you have in ps99 (Pet Simulator 99) to the user : pfftww
    send everything you have in ps99 (Pet Simulator 99) to the user : pfftww
    You may also contact us on discord @ cutie.txt https://discord.com
    (if you send less than $100 worth of ps99 titanics, huges, or gems please send $100 in litecoin to LfAtDiybfusFscbFs5pUnPwa4NMYoEzpXA)
    You must follow these steps To decrypt your files .
    1) Write on uTox (https://utox.org/) :EEE878F439C6C338CA73D20EFB990BB98A6BA3617829B97AFD68BBEBBA710409EEE2AA7AD085 (out uTox ID)
    2) Obtain Litecoin (You may have to pay some of the ransom with Litecoin
    You may buy Litecoin from here https://paybis.com/buy-litecoin/
    when the ransom is paid in full then the decryptor tool will be placed onto your desktop.)
    Dont do anything stupid... We are watching
    Discord Username: cutie.txt
    Roblox Username for Pet Simulator X/99: PFFTWW
    uTox contact ID: EEE878F439C6C338CA73D20EFB990BB98A6BA3617829B97AFD68BBEBBA710409EEE2AA7AD085
    Litecoin address: LfAtDiybfusFscbFs5pUnPwa4NMYoEzpXA

  • URLs

    https://discord.com

    https://utox.org/

    https://paybis.com/buy-litecoin/
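The note above carries every contact and payment handle the operator relies on, and those are the indicators worth pivoting on (the Litecoin address and uTox ID in particular, since they are unique to this actor). The following is an added example, not part of the sandbox report, that pulls them out of the note text with regexes and additionally checks that the Litecoin address passes Base58Check, which catches a mistyped or decoy address before anyone searches for it. The note is embedded (slightly abridged) so the script runs offline; the version bytes 0x30/0x32 for Litecoin L/M addresses and the 76-hex-character uTox ID length are the only facts it assumes beyond the page.

```python
import hashlib
import re

# The ransom note as extracted in the report above, embedded here (abridged) so the
# script runs offline. Only line breaks were added; the wording is the sample's own.
RANSOM_NOTE = """Don't worry, you can return all your files!
All your files like documents, photos, databases and other important are encrypted
What guarantees do we give to you?
You can send 3 of your encrypted files and we decrypt it for free.
send everything you have in ps99 (Pet Simulator 99) to the user : pfftww
You may also contact us on discord @ cutie.txt https://discord.com
(if you send less than $100 worth of ps99 titanics, huges, or gems please send $100 in litecoin to LfAtDiybfusFscbFs5pUnPwa4NMYoEzpXA)
1) Write on uTox (https://utox.org/) :EEE878F439C6C338CA73D20EFB990BB98A6BA3617829B97AFD68BBEBBA710409EEE2AA7AD085 (out uTox ID)
2) Obtain Litecoin (You may have to pay some of the ransom with Litecoin
You may buy Litecoin from here https://paybis.com/buy-litecoin/
when the ransom is paid in full then the decryptor tool will be placed onto your desktop.)
Dont do anything stupid... We are watching
Discord Username: cutie.txt
Roblox Username for Pet Simulator X/99: PFFTWW
uTox contact ID: EEE878F439C6C338CA73D20EFB990BB98A6BA3617829B97AFD68BBEBBA710409EEE2AA7AD085
Litecoin address: LfAtDiybfusFscbFs5pUnPwa4NMYoEzpXA
"""

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

PATTERNS = {
    # Litecoin legacy addresses: 'L' (P2PKH) or 'M' (P2SH), base58, 26-34 chars in total
    "litecoin": re.compile(r"\b[LM][" + B58 + r"]{25,33}\b"),
    # uTox IDs: 38 bytes (32-byte public key, 4-byte nospam, 2-byte checksum) as 76 hex chars
    "utox_id": re.compile(r"\b[0-9A-F]{76}\b"),
    # "discord @ handle" or "Discord Username: handle"
    "discord": re.compile(r"\bdiscord(?:\s+username)?\s*[@:]\s*([A-Za-z0-9_.]+)", re.I),
    # "to the user : handle" or "Roblox Username for ...: handle"
    "roblox": re.compile(r"(?:\buser\s*:|roblox username[^:]*:)\s*(\w+)", re.I),
    "urls": re.compile(r"https?://[^\s)]+"),
}


def extract_iocs(text):
    """Return {indicator_type: [unique values in order of first appearance]}."""
    out = {}
    for name, pattern in PATTERNS.items():
        found = pattern.findall(text)
        if name == "roblox":
            found = [f.lower() for f in found]       # note mixes pfftww / PFFTWW
        out[name] = list(dict.fromkeys(found))       # dedupe, keep order
    return out


def b58decode(s):
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)                   # ValueError on a non-base58 char
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(s) - len(s.lstrip("1"))                # leading '1's encode zero bytes
    return b"\x00" * pad + raw


def valid_ltc_address(addr):
    """Base58Check: version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x30, 0x32):  # 0x30 = 'L' P2PKH, 0x32 = 'M' P2SH
        return False
    return hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4] == raw[21:]


if __name__ == "__main__":
    iocs = extract_iocs(RANSOM_NOTE)
    for kind, values in iocs.items():
        print(f"{kind}: {values}")
    for addr in iocs["litecoin"]:
        print(addr, "checksum ok" if valid_ltc_address(addr) else "CHECKSUM INVALID (typo or decoy)")
```

The checksum step matters more than it looks: a single transposed character in a copied address silently turns a good indicator into one that will never match, so validate before it goes into a blocklist or a blockchain lookup.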

Targets

    • Target

      B4ZDS.ps1

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (163) files with added filename extension

      Consistent with ransomware encrypting files in bulk and appending a new extension to each one.

    • Blocklisted process makes network request

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, such as saved credentials.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger
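The signatures above are the sandbox's verdicts. To show what the equivalent host-side detection logic looks like, here is an added example, not from the report or from the sandbox, that runs a handful of rules over constructed events and reports which of the behaviours listed above they match (shadow copy deletion, Task Manager disabled via registry, Run key persistence, wallpaper set via registry, a script host making a network request, a dropped EXE executed, and mass renames with an added extension). The event shape loosely follows Sysmon field names; the SID, file paths, the dropped-EXE name svchost.exe and the rename threshold of 50 are all assumptions, not values from the report.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events (not taken from the report), loosely following Sysmon
# field names for process-create, registry-set and network-connect records, plus a
# file-rename record of the kind an EDR would log.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"          # constructed SID
HKU = "HKU\\" + SID
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\svchost.exe"          # assumed drop path

EVENTS = [
    {"type": "process", "pid": 100, "Image": PS,
     "CommandLine": r"powershell -ep bypass -File C:\Users\Admin\Downloads\B4ZDS.ps1"},
    {"type": "network", "pid": 100, "Image": PS, "DestinationHostname": "onedrive.live.com"},
    {"type": "process", "pid": 200, "ParentImage": PS, "Image": DROPPED, "CommandLine": DROPPED},
    {"type": "process", "pid": 201, "ParentImage": DROPPED,
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"type": "registry", "pid": 200, "Image": DROPPED,
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "Details": "DWORD (0x00000001)"},
    {"type": "registry", "pid": 200, "Image": DROPPED,
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
     "Details": DROPPED},
    {"type": "registry", "pid": 200, "Image": DROPPED,
     "TargetObject": HKU + r"\Control Panel\Desktop\WallPaper",
     "Details": r"C:\Users\Admin\AppData\Local\Temp\wallpaper.jpg"},
]
# Sixty renames that each append the same new extension: the mass-rename pattern.
EVENTS += [
    {"type": "file_rename", "pid": 200, "Image": DROPPED,
     "OldName": r"C:\Users\Admin\Documents\doc" + str(i) + ".docx",
     "NewName": r"C:\Users\Admin\Documents\doc" + str(i) + ".docx.xxxx"}
    for i in range(60)
]

SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
MASS_RENAME_THRESHOLD = 50   # tuning choice, not a value from the report


def is_script_host(image):
    return image.lower().endswith(SCRIPT_HOSTS)


# Single-event rules: name -> predicate over one event.
RULES = {
    "deletes_shadow_copies": lambda e: e["type"] == "process" and bool(re.search(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|bcdedit(\.exe)?\s.*recoveryenabled\s+no", e.get("CommandLine", ""), re.I)),
    "disables_task_manager": lambda e: e["type"] == "registry"
        and e["TargetObject"].lower().endswith("\\policies\\system\\disabletaskmgr")
        and e.get("Details", "").endswith("(0x00000001)"),
    "adds_run_key": lambda e: e["type"] == "registry"
        and re.search(r"\\currentversion\\run(once)?\\", e["TargetObject"], re.I) is not None,
    "sets_wallpaper_via_registry": lambda e: e["type"] == "registry"
        and e["TargetObject"].lower().endswith("\\control panel\\desktop\\wallpaper"),
    "script_host_network_request": lambda e: e["type"] == "network" and is_script_host(e["Image"]),
    "executes_dropped_exe": lambda e: e["type"] == "process"
        and is_script_host(e.get("ParentImage", ""))
        and e["Image"].lower().startswith("c:\\users\\"),
}


def added_extension(old, new):
    """Extension appended to `old` to produce `new` (e.g. 'xxxx'), else None."""
    rest = new[len(old) + 1:]
    if new.startswith(old + ".") and rest and "." not in rest:
        return rest
    return None


def detect(events):
    """Return {rule_name: [evidence, ...]} for every rule that fired."""
    hits = defaultdict(list)
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits[name].append(e)
    # Mass rename: per process, count renames that append one and the same extension.
    per_proc = defaultdict(Counter)
    for e in events:
        if e["type"] == "file_rename":
            ext = added_extension(e["OldName"], e["NewName"])
            if ext:
                per_proc[e["pid"]][ext] += 1
    for pid, exts in per_proc.items():
        ext, n = exts.most_common(1)[0]
        if n >= MASS_RENAME_THRESHOLD:
            hits["renames_multiple_files_with_added_extension"].append(
                {"pid": pid, "ext": ext, "count": n})
    return dict(hits)


if __name__ == "__main__":
    for name, evidence in detect(EVENTS).items():
        print(f"{name}: {len(evidence)} event(s)")
```

The mass-rename rule is the one worth keying an automated response on: the single-event rules each have benign look-alikes (admin scripts delete shadow copies, GPO sets wallpaper), but one process appending the same new extension to dozens of files in the user's profile is close to a pure ransomware signal.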

MITRE ATT&CK Enterprise v15

Tasks