General

  • Target

    55c5f95a5ce1154c61d38b3eda83ad19.bin

  • Size

    375KB

  • Sample

    240403-bqsx1abe9x

  • MD5

    5336b4012d13f6c3e1e1722c41342381

  • SHA1

    f6da609fc27b3bf28466dc6d9f94a503340f9c29

  • SHA256

    16415f71e42b4b0a3d062bb661c95caaff9e49d4d7518f20e0d71fab9a4d336f

  • SHA512

    5b22192432b5cd5d3a2f7ea97735c51def9eedd8bb7fc5bdb357912a8128ef4da85061b19ea1dac76321fa7ee0f793151573a5c040bd08fe6202175c8c3df012

  • SSDEEP

    6144:/m6pfBxz+9rtHn8sDZ6jjcAooUHtSATrI63pjZTJvZMb4iuFq8b84PBFdObIqsYy:e657+9RHx0jjc3oUNHY2rkuVbbobtbG

Malware Config

Extracted

Path

C:\Users\Admin\Documents\PLEASEREAD.txt

Ransom Note
WELCOME, DODO has returned AGAIN. Your files have been encrypted and you won't be able to decrypt them. You can buy decryption software from us, this software will allow you to recover all of your data and remove the ransomware from your computer. The price of the software is $15. Payment can be made in Bitcoin How do I pay, where do I get Bitcoin? Purchasing cryptocurrency varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Payment information: send $15, to one of our addresses, then send us email with payment confirmation and you'll get the decryption software in email. Email Address : [email protected] BTC address: bc1qwel3y5ef4sgumcnm9njln3eupvxutymlv732gu We Promise ALl your files will be back as soon as u pay
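The note above is the only configuration the sandbox extracted, so the practical next step is to pull the indicators out of it programmatically. The Python below is an added example, not code from the sandbox or from the sample: it parses the note text as reproduced on this page into a small config record (price, Bitcoin address, contact e-mail). Because the page's copy has the e-mail address redacted ("[email protected]"), the extractor has to report no e-mail rather than guess one; the length check on the address is a structural sanity check only and is not a bech32 checksum validation.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Ransom note as reproduced in the report above. The contact address is
# redacted on the page ("[email protected]"), so no e-mail is recoverable
# from this copy; the extractor must cope with that rather than guess.
RANSOM_NOTE = (
    "WELCOME, DODO has returned AGAIN. Your files have been encrypted and you "
    "won't be able to decrypt them. You can buy decryption software from us, "
    "this software will allow you to recover all of your data and remove the "
    "ransomware from your computer. The price of the software is $15. Payment "
    "can be made in Bitcoin How do I pay, where do I get Bitcoin? Purchasing "
    "cryptocurrency varies from country to country, you are best advised to do "
    "a quick google search yourself to find out how to buy Bitcoin. Payment "
    "information: send $15, to one of our addresses, then send us email with "
    "payment confirmation and you'll get the decryption software in email. "
    "Email Address : [email protected] BTC address: "
    "bc1qwel3y5ef4sgumcnm9njln3eupvxutymlv732gu We Promise ALl your files will "
    "be back as soon as u pay"
)

# Bech32 (bc1...) addresses use a 32-character alphabet that excludes 1, b, i, o.
BTC_BECH32 = re.compile(r"\bbc1[ac-hj-np-z02-9]{25,87}\b")
# Legacy Base58 (1... / 3...) addresses exclude 0, O, I, l.
BTC_BASE58 = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PRICE_USD = re.compile(r"\$\s?(\d+(?:\.\d+)?)")


@dataclass
class RansomConfig:
    price_usd: Optional[float] = None
    btc_addresses: list = field(default_factory=list)
    emails: list = field(default_factory=list)
    mentions_bitcoin: bool = False


def structurally_plausible(addr: str) -> bool:
    """Length-only sanity check; this is NOT a checksum validation."""
    if addr.startswith("bc1"):
        # 42 = P2WPKH, 62 = P2WSH / P2TR; anything else is garbled or truncated.
        return len(addr) in (42, 62)
    return 26 <= len(addr) <= 35


def extract_config(note: str) -> RansomConfig:
    """Extract payment indicators from a ransom note; missing fields stay empty."""
    prices = [float(p) for p in PRICE_USD.findall(note)]
    found = BTC_BECH32.findall(note) + BTC_BASE58.findall(note)
    # De-duplicate while preserving order, then drop malformed candidates.
    addrs = [a for a in dict.fromkeys(found) if structurally_plausible(a)]
    return RansomConfig(
        price_usd=prices[0] if prices else None,
        btc_addresses=addrs,
        emails=list(dict.fromkeys(EMAIL.findall(note))),
        mentions_bitcoin=bool(re.search(r"\b(bitcoin|btc)\b", note, re.IGNORECASE)),
    )


if __name__ == "__main__":
    print(extract_config(RANSOM_NOTE))
```

Run against the note as printed here, this yields a price of 15 USD, the single bc1 address, and an empty e-mail list; the empty list is the correct answer for this copy of the note, and a pipeline that insisted on an e-mail would have to fabricate one.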

Targets

    • Target

      37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60

    • Size

      953KB

    • MD5

      5fc3bd9632a02f189d81f75fc3b12ebf

    • SHA1

      6abbc78a6fb421adf80051365dbfaff0b3fb696b

    • SHA256

      37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60

    • SHA512

      cf0b9df6db5c85ebc85967dbfbdd99ada401f718445f69f258d9d0a9466f7b58a7bb2f1287cb5679988bd79b42807fa0e0e7fc419557f0af3fbb620b40b2c2af

    • SSDEEP

      12288:OzEPMLC814R2hig4tHkg2W+AU+R2TjsPvEpv8LpgUO4EP3SL98l0zmWHQuTwYzz5:0ztQE1ov2AZ9HjkftWyq

    • Chaos

      A .NET ransomware builder first seen in June 2021.

    • Chaos Ransomware

    • Renames multiple (199) files with added filename extension

      199 files were renamed during the run with a new extension appended to the original name. Keeping the original filename and appending an extension is the typical pattern of ransomware encrypting user files in bulk.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence: some ransomware families refuse to run on machines in particular countries.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials, cookies and session tokens. Note that ransomware enumerating and encrypting files under AppData can also trigger this signature, so on its own it is not proof of credential theft.

    • Drops desktop.ini file(s)
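The signatures above are the sandbox's own. As an added example, not the sandbox's engine or the sample's code, the Python below implements equivalent behavioural rules over a constructed event log: only renames that keep the original name and append an extension count toward the mass-rename rule, and a threshold stops a handful of renames from firing it. The registry value used for the location check (HKCU\Control Panel\International\Geo\Nation) and the ".enc" extension are assumptions; the report names neither.

```python
import re
from collections import Counter

# Constructed sandbox-style event log; these rows are not taken from the
# report above. Each record imitates one Procmon-style trace line.
USER = r"C:\Users\Admin"
EVENTS = [
    # Assumed location lookup: the report does not name the registry value read.
    {"op": "RegQueryValue", "path": r"HKCU\Control Panel\International\Geo\Nation"},
    {"op": "CreateFile", "path": USER + r"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"},
    {"op": "ReadFile", "path": USER + r"\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"op": "CreateFile", "path": USER + r"\Documents\PLEASEREAD.txt"},
    {"op": "CreateFile", "path": USER + r"\Desktop\desktop.ini"},
    # A benign rename (extension replaced, not appended) that must not count.
    {"op": "Rename", "src": USER + r"\Documents\draft.tmp", "dst": USER + r"\Documents\draft.docx"},
]
# Bulk "encryption": original name kept, ".enc" appended (".enc" is a
# placeholder; the report does not state the extension this sample adds).
for i in range(25):
    src = USER + rf"\Documents\file{i:03d}.docx"
    EVENTS.append({"op": "Rename", "src": src, "dst": src + ".enc"})

GEO_KEY = re.compile(r"\\Control Panel\\International\\", re.IGNORECASE)
STARTUP_DIR = "\\start menu\\programs\\startup\\"
BROWSER_PROFILE_MARKERS = (
    "\\google\\chrome\\user data\\",
    "\\microsoft\\edge\\user data\\",
    "\\mozilla\\firefox\\profiles\\",
)


def appended_extension(src, dst):
    """Return the extension appended to src if dst == src + '.<ext>', else None."""
    if dst.lower().startswith(src.lower() + "."):
        ext = dst[len(src) + 1:]
        # Reject empty extensions and renames that actually moved into a subdirectory.
        return ext if ext and "\\" not in ext else None
    return None


def mass_rename(events, threshold=10):
    """Count renames that append an extension; fire only at or above threshold."""
    exts = Counter()
    for e in events:
        if e["op"] == "Rename":
            ext = appended_extension(e["src"], e["dst"])
            if ext:
                exts[ext.lower()] += 1
    total = sum(exts.values())
    return total, dict(exts), total >= threshold


def checks_location(events):
    return any(e["op"].startswith("RegQuery") and GEO_KEY.search(e.get("path", ""))
               for e in events)


def drops_startup_file(events):
    return any(e["op"] == "CreateFile" and STARTUP_DIR in e.get("path", "").lower()
               for e in events)


def reads_browser_profile(events):
    return any(e["op"] == "ReadFile"
               and any(m in e.get("path", "").lower() for m in BROWSER_PROFILE_MARKERS)
               for e in events)


def drops_desktop_ini(events):
    return any(e["op"] == "CreateFile" and e.get("path", "").lower().endswith("\\desktop.ini")
               for e in events)


def evaluate(events, rename_threshold=10):
    """Return (triggered signature names, appended-extension rename count, extension histogram)."""
    total, exts, rename_hit = mass_rename(events, rename_threshold)
    rules = {
        "Renames multiple files with added filename extension": rename_hit,
        "Checks computer location settings": checks_location(events),
        "Drops startup file": drops_startup_file(events),
        "Reads user/profile data of web browsers": reads_browser_profile(events),
        "Drops desktop.ini file(s)": drops_desktop_ini(events),
    }
    return {name: hit for name, hit in rules.items() if hit}, total, exts


if __name__ == "__main__":
    hits, total, exts = evaluate(EVENTS)
    print(f"{total} appended-extension renames {exts}")
    for name in hits:
        print("HIT:", name)
```

The extension histogram is worth keeping alongside the count: a single dominant appended extension across many user files is a much stronger ransomware indicator than the same number of renames spread over many extensions, and it gives you the string to hunt for on other hosts.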

MITRE ATT&CK Enterprise v15

Tasks