General

  • Target

    94da5540d463bc77e8f23cfb74fef5c20539ed40151704312738ca8a0e25103d.zip

  • Size

    375KB

  • Sample

    240402-bm147scd6w

  • MD5

    55c5f95a5ce1154c61d38b3eda83ad19

  • SHA1

    9dc914ef0a0dc1bc43169cf87c6b23ddb60ec966

  • SHA256

    94da5540d463bc77e8f23cfb74fef5c20539ed40151704312738ca8a0e25103d

  • SHA512

    f6be0297bcfecc03b1309a984d45839c0e5ada10e75c707dbef16da777a3adb8bd42b12639ce7cde9d9ccb352f871b4b7623da2738c1c2852bac4fcc2e34702b

  • SSDEEP

    6144:taKYsu0ULNbubfC0/2wYiY1+E+Wi73Cx8x0Sn+QOJ2FUJ1EqO3d12opWKoAte:oKY5VLNbV0+iY1l76SH8+XYFEEVNjpWx

Malware Config

Extracted

Path

C:\Users\Admin\Documents\PLEASEREAD.txt

Ransom Note
WELCOME, DODO has returned AGAIN. Your files have been encrypted and you won't be able to decrypt them. You can buy decryption software from us, this software will allow you to recover all of your data and remove the ransomware from your computer. The price of the software is $15. Payment can be made in Bitcoin How do I pay, where do I get Bitcoin? Purchasing cryptocurrency varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Payment information: send $15, to one of our addresses, then send us email with payment confirmation and you'll get the decryption software in email. Email Address : [email protected] BTC address: bc1qwel3y5ef4sgumcnm9njln3eupvxutymlv732gu We Promise ALl your files will be back as soon as u pay
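The payment details in the note are the operational indicators an analyst pulls from a sample like this. The script below is an added example, not the sandbox's own config extractor: it runs regular expressions over the note text quoted above, returns the Bitcoin address(es) and the price, and verifies the bech32 checksum of any bc1 address so that a mistranscribed address in a note is caught before it is shared or blocked. The contact e-mail is redacted in this rendering of the page ("[email protected]"), so the e-mail field comes back empty. The pattern set, the field names and the checksum function are this example's own; the checksum algorithm is the one defined in BIP173/BIP350.

```python
"""Extract payment IOCs from a ransom note.

Added example, not the sandbox's own config extractor. The note text is the
one quoted in the report; the patterns and field names are this example's.
"""
from __future__ import annotations

import re

# The note as rendered on the page. The contact address is shown redacted
# there ("[email protected]"), so no e-mail is recoverable from it.
RANSOM_NOTE = (
    "WELCOME, DODO has returned AGAIN. Your files have been encrypted and you "
    "won't be able to decrypt them. You can buy decryption software from us, "
    "this software will allow you to recover all of your data and remove the "
    "ransomware from your computer. The price of the software is $15. Payment "
    "can be made in Bitcoin How do I pay, where do I get Bitcoin? Purchasing "
    "cryptocurrency varies from country to country, you are best advised to do "
    "a quick google search yourself to find out how to buy Bitcoin. Payment "
    "information: send $15, to one of our addresses, then send us email with "
    "payment confirmation and you'll get the decryption software in email. "
    "Email Address : [email protected] "
    "BTC address: bc1qwel3y5ef4sgumcnm9njln3eupvxutymlv732gu "
    "We Promise ALl your files will be back as soon as u pay"
)

# Bech32 (bc1...) uses a 32-character alphabet without 1, b, i or o; SegWit v0
# addresses are 42 or 62 characters long, later versions up to 90.
BECH32_ADDR = re.compile(r"\bbc1[02-9ac-hj-np-z]{39,87}\b")
# Legacy P2PKH/P2SH addresses are base58: no 0, O, I or l.
LEGACY_ADDR = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
USD_PRICE = re.compile(r"\$\s?(\d+(?:\.\d+)?)")

BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
_GEN = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)


def _polymod(values: list[int]) -> int:
    """BCH checksum polynomial from BIP173."""
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= _GEN[i]
    return chk


def bech32_checksum_ok(addr: str) -> bool:
    """True if addr carries a valid bech32 (SegWit v0) or bech32m checksum."""
    if addr not in (addr.lower(), addr.upper()):   # mixed case is invalid
        return False
    addr = addr.lower()
    hrp, _, data = addr.rpartition("1")            # '1' never occurs in data
    if not hrp or len(data) < 6 or any(c not in BECH32_CHARSET for c in data):
        return False
    expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    values = [BECH32_CHARSET.index(c) for c in data]
    # 1 is the bech32 constant (v0); 0x2bc830a3 is the bech32m constant (v1+).
    return _polymod(expanded + values) in (1, 0x2BC830A3)


def extract_iocs(note: str) -> dict[str, list]:
    """Return the payment indicators found in a ransom note, de-duplicated."""
    btc = set(BECH32_ADDR.findall(note)) | set(LEGACY_ADDR.findall(note))
    return {
        "btc_addresses": sorted(btc),
        "emails": sorted(set(EMAIL.findall(note))),
        "price_usd": sorted({float(p) for p in USD_PRICE.findall(note)}),
    }


if __name__ == "__main__":
    iocs = extract_iocs(RANSOM_NOTE)
    print(iocs)
    for addr in iocs["btc_addresses"]:
        if addr.startswith("bc1"):
            print(addr, "checksum ok" if bech32_checksum_ok(addr) else "CHECKSUM FAILS")
```

Run the checksum before acting on an address copied out of a note: a single-character transcription error in a bc1 address fails the check, which is the difference between blocking the real wallet and blocking a string nobody uses.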

Targets

    • Target

      37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60

    • Size

      953KB

    • MD5

      5fc3bd9632a02f189d81f75fc3b12ebf

    • SHA1

      6abbc78a6fb421adf80051365dbfaff0b3fb696b

    • SHA256

      37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60

    • SHA512

      cf0b9df6db5c85ebc85967dbfbdd99ada401f718445f69f258d9d0a9466f7b58a7bb2f1287cb5679988bd79b42807fa0e0e7fc419557f0af3fbb620b40b2c2af

    • SSDEEP

      12288:OzEPMLC814R2hig4tHkg2W+AU+R2TjsPvEpv8LpgUO4EP3SL98l0zmWHQuTwYzz5:0ztQE1ov2AZ9HjkftWyq

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Detects command variations typically used by ransomware

    • Renames multiple (195) files with added filename extension

      This is consistent with ransomware encrypting files across the system: each encrypted file keeps its original name with a new extension appended.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check to avoid running in certain regions.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

    • Drops desktop.ini file(s)
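The behaviours listed above are the kind a sandbox derives from file, registry and process events rather than from static analysis. The script below is an added example, not the sandbox's own rule engine: it re-implements four of these checks (mass rename with an appended extension, a file dropped into the Startup folder, a read of the locale values under Control Panel\International, and a read of a browser credential store) and runs them over a constructed event log. The process IDs, file names, the `.locked` extension and the 20-file threshold are assumptions made for the example; the count of 195 renamed files mirrors the report, and the benign extension-replacing rename is included to show what the rule must not fire on.

```python
"""Behavioural triage rules over a constructed sandbox event log.

Added example; it is not the sandbox's own detection engine. The event
records, paths, the ".locked" extension and the rename threshold are
assumptions made for this example.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    pid: int
    op: str           # "rename", "create", "read" or "regread"
    path: str         # source path (registry value path for "regread")
    target: str = ""  # destination path, only used for "rename"


# Assumed threshold: appended-extension renames by one process before the
# behaviour counts as mass renaming.
RENAME_THRESHOLD = 20

STARTUP_DIR = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Locale values under HKCU\Control Panel\International that a geofence reads.
LOCALE_VALUE = re.compile(
    r"\\Control Panel\\International\\(LocaleName|Locale|sCountry|iCountry)$",
    re.IGNORECASE)
# Chromium credential/cookie stores and Firefox profile secrets.
BROWSER_SECRET = re.compile(
    r"\\User Data\\[^\\]+\\(Login Data|Cookies|Web Data)$"
    r"|\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db|cookies\.sqlite)$",
    re.IGNORECASE)
APPENDED_EXT = re.compile(r"^[A-Za-z0-9_-]{1,16}$")


def added_extension(src: str, dst: str) -> str | None:
    """Return the appended extension when dst is exactly src + '.<ext>'.

    A rename that replaces the extension (setup.tmp -> setup.exe) returns
    None; that is the benign case this rule must not fire on.
    """
    if not dst.startswith(src + "."):
        return None
    ext = dst[len(src) + 1:]
    return ext if APPENDED_EXT.match(ext) else None


def triage(events: list[Event]) -> list[tuple[str, int, str]]:
    """Return (finding, pid, detail) tuples for events that match a rule."""
    findings: list[tuple[str, int, str]] = []
    appended: dict[int, Counter] = defaultdict(Counter)  # pid -> ext -> count
    for e in events:
        if e.op == "rename":
            ext = added_extension(e.path, e.target)
            if ext:
                appended[e.pid][ext] += 1
        elif e.op == "create" and STARTUP_DIR.search(e.path):
            findings.append(("drops_startup_file", e.pid, e.path))
        elif e.op == "regread" and LOCALE_VALUE.search(e.path):
            findings.append(("checks_location_settings", e.pid, e.path))
        elif e.op == "read" and BROWSER_SECRET.search(e.path):
            findings.append(("reads_browser_profile_data", e.pid, e.path))
    # The rename rule is a per-process aggregate, so it is evaluated last.
    for pid, exts in appended.items():
        for ext, n in exts.items():
            if n >= RENAME_THRESHOLD:
                findings.append(("mass_rename_added_extension", pid, f".{ext} x{n}"))
    return findings


def summarize(events: list[Event]) -> dict[str, int]:
    """Count findings by rule name, the shape a report's signature list has."""
    return dict(Counter(name for name, _, _ in triage(events)))


# Constructed log: pid 4321 renames 195 documents, persists via the Startup
# folder, reads the locale and a Chrome credential store; pid 777 performs an
# ordinary extension-replacing rename that must not trigger anything.
SAMPLE_EVENTS: list[Event] = [
    Event(4321, "rename",
          rf"C:\Users\Admin\Documents\report{i}.docx",
          rf"C:\Users\Admin\Documents\report{i}.docx.locked")
    for i in range(195)
] + [
    Event(777, "rename", r"C:\Users\Admin\Downloads\setup.tmp",
          r"C:\Users\Admin\Downloads\setup.exe"),
    Event(4321, "create",
          r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.url"),
    Event(4321, "regread",
          r"HKEY_CURRENT_USER\Control Panel\International\LocaleName"),
    Event(4321, "read",
          r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
]

if __name__ == "__main__":
    for name, pid, detail in triage(SAMPLE_EVENTS):
        print(f"{name:<30} pid={pid} {detail}")
```

The rename rule is deliberately an aggregate per process and per appended extension: a single rename tells you nothing, but one process appending the same suffix to dozens of user documents within a run is the signal, and keying on the extension also gives the analyst the string to search for on other hosts.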

MITRE ATT&CK Enterprise v15

Tasks