chaos

General

Target

Ransomware.exe
Size

127KB
Sample

240329-ls75tafa83
MD5

6f014d20774a7ec9869e54fe3d977f11
SHA1

2f05737ded3e8f2a6c7468482a6d500ec32d7d30
SHA256

3688345fc9eaee1073bfb24872d397a180a784e263b7a3b0ef91a8cd2bdad747
SHA512

c67358c788beab21c192032fd157dbfaa81398c719a4d4091d49bef2d02c364760f1fac23721e433d7d10a7f25779db143a5f4f68cc07a500e14cb6b544852a8
SSDEEP

1536:KNboAHq9CTesdi+y1WAPoRD9AuH7x9Z2eVGjzfnvI7BpxZe2WyKlsEX7xuTI3:ulHq9CliXWAPEV9Ue4znvqg2WVrxua

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Default\read_it.txt

Ransom Note

Don't worry, you can return all your files! All your files like documents, photos, databases and other important are encrypted What guarantees do we give to you? You can send 3 of your encrypted files and we decrypt it for free. You must follow these steps To decrypt your files : 1) Write on our e-mail :[email protected] ( In case of no answer in 24 hours check your spam folder or write us to this e-mail: [email protected]) 2) Obtain Bitcoin (You have to pay for decryption in Bitcoins. After payment we will send you the tool that will decrypt all your files.)

Emails

[email protected]

Targets

- Target
  
  Ransomware.exe
- Size
  
  127KB
- MD5
  
  6f014d20774a7ec9869e54fe3d977f11
- SHA1
  
  2f05737ded3e8f2a6c7468482a6d500ec32d7d30
- SHA256
  
  3688345fc9eaee1073bfb24872d397a180a784e263b7a3b0ef91a8cd2bdad747
- SHA512
  
  c67358c788beab21c192032fd157dbfaa81398c719a4d4091d49bef2d02c364760f1fac23721e433d7d10a7f25779db143a5f4f68cc07a500e14cb6b544852a8
- SSDEEP
  
  1536:KNboAHq9CTesdi+y1WAPoRD9AuH7x9Z2eVGjzfnvI7BpxZe2WyKlsEX7xuTI3:ulHq9CliXWAPEV9Ue4znvqg2WVrxua
Score

10^/10

chaos discovery evasion persistence ransomware spyware stealer
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Disables Task Manager via registry modification
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Registers COM server for autorun
  persistence
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1