Resubmissions
15-04-2024 19:23
240415-x3x85sgc7w 715-04-2024 19:22
240415-x3lv4sgc6z 315-04-2024 19:21
240415-x2vfvsea28 715-04-2024 19:14
240415-xxtnrsdh25 1015-04-2024 19:10
240415-xvtwraga7x 715-04-2024 18:36
240415-w8xzwsdc78 1015-04-2024 18:26
240415-w29p4sfd71 715-04-2024 17:59
240415-wkv6dseh4w 10General
-
Target
advbattoexeconverter.exe
-
Size
804KB
-
Sample
240415-xxtnrsdh25
-
MD5
83bb1b476c7143552853a2cf983c1142
-
SHA1
8ff8ed5c533d70a7d933ec45264dd700145acd8c
-
SHA256
af09248cb756488850f9e6f9a7a00149005bf47a9b2087b792ff6bd937297ffb
-
SHA512
6916c6c5addf43f56b9de217e1b640ab6f4d7e5a73cd33a7189f66c9b7f0b954c5aa635f92fcef5692ca0ca0c8767e97a678e90d545079b5e6d421555f5b761a
-
SSDEEP
24576:0xFkFHdJ8aT/iziXH6FGnYhqQuimKC6Qpor:0IdJ1KiBYhsl+r
Malware Config
Targets
-
-
Target
advbattoexeconverter.exe
-
Size
804KB
-
MD5
83bb1b476c7143552853a2cf983c1142
-
SHA1
8ff8ed5c533d70a7d933ec45264dd700145acd8c
-
SHA256
af09248cb756488850f9e6f9a7a00149005bf47a9b2087b792ff6bd937297ffb
-
SHA512
6916c6c5addf43f56b9de217e1b640ab6f4d7e5a73cd33a7189f66c9b7f0b954c5aa635f92fcef5692ca0ca0c8767e97a678e90d545079b5e6d421555f5b761a
-
SSDEEP
24576:0xFkFHdJ8aT/iziXH6FGnYhqQuimKC6Qpor:0IdJ1KiBYhsl+r
Score10/10-
Adds autorun key to be loaded by Explorer.exe on startup
-
Chimera
Ransomware which infects local and network files, often distributed via Dropbox links.
-
Chimera Ransomware Loader DLL
Drops/unpacks executable file which resembles Chimera's Loader.dll.
-
Modifies WinLogon for persistence
-
Modifies firewall policy service
-
Modifies security service
-
Renames multiple (3248) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Downloads MZ/PE file
-
Manipulates Digital Signatures
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
-
Modifies Installed Components in the registry
-
Registers new Print Monitor
-
Sets file execution options in registry
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Modifies WinLogon
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
7Registry Run Keys / Startup Folder
5Winlogon Helper DLL
2Browser Extensions
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
7Registry Run Keys / Startup Folder
5Winlogon Helper DLL
2Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Change Default File Association
1Defense Evasion
Modify Registry
15Subvert Trust Controls
2Install Root Certificate
1SIP and Trust Provider Hijacking
1