Overview

overview

10

Static

static

10

240124-n3eblahecn.exe

windows7-x64

10

240124-n3eblahecn.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    240124-n3eblahecn

  • Size

    3.4MB

  • Sample

    240224-r9b2laeh82

  • MD5

    f64a5c6fa180acaee93d4fac406c579b

  • SHA1

    bacf88f16fe670ef2d87df154929c51b28b12263

  • SHA256

    cb7c19b49efd25a4314129c9024c8e84ad9dd8acb45658ecf43c2d1fab775ca6

  • SHA512

    01687ae73126dd6540308efa140e56c5410d5971415881a3747cf961c4abcd2e9be4dcd75181f865070bfb4e296617b8e3d61f55de747407a4c459e6a2bc0197

  • SSDEEP

    24576:SvFnlgEsJu/SqXF3mh8uNFr95+CUNHEes4pyQquVexXCP7OigudxcAGZLqrDIjHM:QloJ0wtfSHO43ZpTLiADL

Score
10/10
chaosevasionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Documents\PLS_READ_ME.txt

Ransom Note
Oops, what happend? All of your files have been encrypted Your computer was infected with Frivinho Ransomware. Your files have been encrypted and you won't be able to decrypt them without our help. What can I do to get my files back? You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin or Robux. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0.1473766 BTC Check this pastebin to get the my newest Bitcoin Adress: https://pastebin.com/raw/wZnisRDV And by cheking the pastebin, you can see more information about how you can pay.
URLs

https://pastebin.com/raw/wZnisRDV

Targets

    • Target

      240124-n3eblahecn

    • Size

      3.4MB

    • MD5

      f64a5c6fa180acaee93d4fac406c579b

    • SHA1

      bacf88f16fe670ef2d87df154929c51b28b12263

    • SHA256

      cb7c19b49efd25a4314129c9024c8e84ad9dd8acb45658ecf43c2d1fab775ca6

    • SHA512

      01687ae73126dd6540308efa140e56c5410d5971415881a3747cf961c4abcd2e9be4dcd75181f865070bfb4e296617b8e3d61f55de747407a4c459e6a2bc0197

    • SSDEEP

      24576:SvFnlgEsJu/SqXF3mh8uNFr95+CUNHEes4pyQquVexXCP7OigudxcAGZLqrDIjHM:QloJ0wtfSHO43ZpTLiADL

    Score
    10/10
    chaosevasionransomwarespywarestealer

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Detects command variations typically used by ransomware

    • Detects executables (downlaoders) containing URLs to raw contents of a paste

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Renames multiple (191) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks