Overview

overview

10

Static

static

10

Antivirus.exe

windows11-21h2-x64

10

Resubmissions

18-04-2024 16:18

240418-tr7fwsae6x 10

13-04-2024 06:33

240413-hbqbwseg9z 10

12-04-2024 09:47

240412-lr6klacd6s 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1.zip

  • Size

    78KB

  • Sample

    240413-hbqbwseg9z

  • MD5

    daa45aae87cc8834a9888bd6e0a78710

  • SHA1

    d15bbaa19f1a2836b6e1ad7f21fcc1bb9933723f

  • SHA256

    cac13216f258b46462a963e984a57d0b34fe53cde02b8190a8afb5e9119a9ca0

  • SHA512

    caeb0599289089cc92076577edbf790b5bdc6694e9e86f1dc30e56e360cea62baaf63480f26343eac35a665df701ce9ab49554a8975997aba182241aa61ea9aa

  • SSDEEP

    1536:RBhbXvb8hoJrhUH2vOAeocNo6BRCV/7FHcWZvQRXRsrgKlmx3D:R3vTrdOAMo5pKXRwlG

Score
10/10
chaosdiscoveryevasionpersistenceransomwarespywarestealer

Malware Config

Targets

    • Target

      Antivirus.exe

    • Size

      111KB

    • MD5

      df1ce61fb4869963a1e95a917adef9d0

    • SHA1

      bcf132651a5bd948e758441e4733519d1502c8bf

    • SHA256

      e58bf0a81866c21e25dbe8f85fd74304259be3e1b53019f857c2354e23f71b1e

    • SHA512

      d2867e1b00900098674f1a87653a9f016911649162c66f0eab67336f758a6611a497bc21a6cbe336bbc2464212bfec59e991b99aa92777ad2250e72b4e17888b

    • SSDEEP

      3072:CB7q9NKEXUrQlGRSAMHsEwGYMl9AYGywOjvOjJ:CB7q9CQ8hMs7GpKPOaj

    Score
    10/10
    chaosdiscoveryevasionpersistenceransomwarespywarestealer

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Renames multiple (172) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Disables Task Manager via registry modification

      evasion

    • Downloads MZ/PE file

    • Sets file execution options in registry

      persistence

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Defense Evasion

Indicator Removal

3
T1070

File Deletion

3
T1070.004

Modify Registry

4
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

7
T1012

Peripheral Device Discovery

2
T1120

System Information Discovery

6
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

4
T1490

Defacement

1
T1491

Resource Development

Reconnaissance

Tasks