Overview

overview

9

Static

static

7

Chaos.exe

windows10-2004-x64

fpsunlocker.exe

windows10-2004-x64

1

ps.py

windows10-2004-x64

3

pssuspend.exe

windows10-2004-x64

1

Resubmissions

20-04-2024 07:35

240420-je38lacd2y 9

19-04-2024 20:29

240419-y9v8ssfe4z 9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Chaos_V2_FIXED.zip

  • Size

    14.8MB

  • Sample

    240420-je38lacd2y

  • MD5

    1fcddf9daae6135260518069b8438411

  • SHA1

    bd416305c6e071d7fffe47baadab7380faee1dce

  • SHA256

    9d08ae69118892ea1c52c7de851489669381d7f22da553279f7294a647428dc5

  • SHA512

    99003e5966400f155df49b8f60d4f32a460af61f1e4f2e2fd7d5138c0977abda281447660fa1f52a6158789d16f05e4537cb186208036ea8d2beba8519b27c1d

  • SSDEEP

    393216:Lgh0q07BIaAbv5OuNabe+yClD+iQw9Ddc5hsAYnLqy:k82v5nprKHN95W6AALt

Score
9/10
bootkitevasionpersistenceransomwarethemidatrojanupx

Malware Config

Targets

    • Target

      Chaos.exe

    • Size

      14.1MB

    • MD5

      0f2af0b53a994fd35b805fc145d75d7f

    • SHA1

      605eaa911754fa8f52af25d292b7230bb5cde454

    • SHA256

      8468e629d2bd9b14889e565066bcaf369b53738eb01d05714e99bb16c59d0c07

    • SHA512

      448ab9b91f082050b290b4c21be98ed3c89697f501cc4e7e33686fff9b75ab6ca48900b947d1da5337acb30f554beb96b95ef020e6157101d17eca2879a72b9c

    • SSDEEP

      393216:jazOUkLXiKcjFVA87ODedSSCnomX/+MX36fqc4GXRF:6AKFVT7dSSTOPXUqcB

    Score
    9/10
    bootkitevasionpersistenceransomwarethemidatrojanupx

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Renames multiple (150) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

    • Target

      fpsunlocker.exe

    • Size

      666KB

    • MD5

      f0c71376e55ba3c65942e90348169921

    • SHA1

      239085aa264e9eb743dde706231169820c32e03c

    • SHA256

      94f4140b6e7c3e73364205829da26479dad5257752c009dca4dec4a6ce9f9637

    • SHA512

      4ce20f764aac880362fbf9f9ade18c89e19eaa697e73cb08ce37b2eb25b3b655ec569de180c33ded00ca42147dd2c84d21b837224b318d56f258a6e881b6057f

    • SSDEEP

      12288:4KOjJsDc2+WC+D+4H/xeGofENaTSuGCC709:4KyacgDD+4fwG1NaTSw

    Score
    1/10
    behavioral2

    • Target

      ps.py

    • Size

      622KB

    • MD5

      3a02c5c2ce5b235f7c6026c0c85f9c3d

    • SHA1

      b1c745695ce203dfccc41ce95325a2f41f663d6d

    • SHA256

      351628536b70b66a5b18d48710fc29c027235ae9f63015a36563a606d969c2cc

    • SHA512

      f4f6e06e97a609253da2efebdde26a6cd7497538e4b159f59ed8bb968a0a73dd6e9d07752cc25038506068e3038478d3a589eaec112f0ffc413588cb1188756e

    • SSDEEP

      12288:GZFwpMzfJJFQrvnR0e/wFXVLNe/OajxYImvf/Opyp:N/SowFXVV/Tv2m

    Score
    3/10
    behavioral3

    • Target

      pssuspend.exe

    • Size

      383KB

    • MD5

      1b9f1a75593dfc670fa7c54659ab5796

    • SHA1

      c9f0c40e012f8cfe20b1e5cd6a9a7b078e89a00b

    • SHA256

      95a922e178075fb771066db4ab1bd70c7016f794709d514ab1c7f11500f016cd

    • SHA512

      ab7b26ce5487af2a337cabfa16908ddf72bf1f6942675760e7decee874dd0f72fd47aa42bc442fe11f71fab03106c75db0234199974c7de84d1ed3f12a9b4788

    • SSDEEP

      6144:V/M1xPjrG1x+YgoglDni32wAO5GeLCfCsip9631L5qMbYd:W3PG1x+1+pBLCfCjGNqGY

    Score
    1/10
    behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

6
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks