Overview

overview

10

Static

static

10

chos.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    chos.exe

  • Size

    22KB

  • Sample

    240429-j6p52see51

  • MD5

    af51c1a91ec1249730d7b22979cc7c42

  • SHA1

    5285d86451c719a0b0c0eb833ac227772488436d

  • SHA256

    4710fb0bd1a6beb6f5b9cbb88a3141fbaffc54341f146570a7aac42df2938588

  • SHA512

    b2fcd6dcefb8b672b5c9d27fcd08f0858fc46e58b2f73511d4aaa2fea63d68fb3ac0b5e8a0ea6375227fc5a26a8dfc48b116225397aea6b7b9165a348c3a55e0

  • SSDEEP

    384:U3Mg/bqo2pOv0tpDnqp+Ao4+X0Z/zJHr91C8OWhneK:qqo2EDp+J4+kRVHr9hLJeK

Score
10/10
chaosevasionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Ransom Note
!!! ATTENTION !!! Your device has been locked by our ransomware. To regain access to your device and your files, you must pay a ransom of : $100 USD in Bitcoin. Bitcoin Address: bc1qgk07vhn53ws7khy3840gjjvlw7qgzftfjgweq2 Once payment is made, please send an email to [email protected] with the transaction ID as proof of payment. Upon confirmation of your payment, you will receive instructions on how to unlock your device. !!! ATTENTION !!!

Targets

    • Target

      chos.exe

    • Size

      22KB

    • MD5

      af51c1a91ec1249730d7b22979cc7c42

    • SHA1

      5285d86451c719a0b0c0eb833ac227772488436d

    • SHA256

      4710fb0bd1a6beb6f5b9cbb88a3141fbaffc54341f146570a7aac42df2938588

    • SHA512

      b2fcd6dcefb8b672b5c9d27fcd08f0858fc46e58b2f73511d4aaa2fea63d68fb3ac0b5e8a0ea6375227fc5a26a8dfc48b116225397aea6b7b9165a348c3a55e0

    • SSDEEP

      384:U3Mg/bqo2pOv0tpDnqp+Ao4+X0Z/zJHr91C8OWhneK:qqo2EDp+J4+kRVHr9hLJeK

    Score
    10/10
    chaosevasionransomwarespywarestealer

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks