General

  • Target

    cho2.exe

  • Size

    22KB

  • Sample

    240429-j7nnlsee7y

  • MD5

    29fa75458106f03a11560ca466363129

  • SHA1

    89db6502c8170f260b48d80ee0ece3380ba77eb5

  • SHA256

    3f5ade39f3658b6da93987f7ba7dba38d7d94096638ef9f3565790e6ab73eef7

  • SHA512

    28a58b096f560ac4cd03b96f77f7e0cbe7e96c4fb56fb6758c3e4ff7304e3ae4e0db35570f69070c676e45143dedb7be50556bc80f38364400ea2d43bec99188

  • SSDEEP

    384:j3Mg/bqo2uOv0tpDnqp+Ao4+X0Z/dJZr91C8OWh0et:Vqo2BDp+J4+kRrZr9hLyet

Malware Config

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Ransom Note
!!! ATTENTION !!! Your device has been locked by our ransomware. To regain access to your device and your files, you must pay a ransom of : $100 USD in Bitcoin. Bitcoin Address: bc1qgk07vhn53ws7khy3840gjjvlw7qgzftfjgweq2 Once payment is made, please send an email to domnicanu2856@gmail.com with the transaction ID as proof of payment. Upon confirmation of your payment, you will receive instructions on how to unlock your device. !!! ATTENTION !!!
Emails

domnicanu2856@gmail.com

Targets

    • Target

      cho2.exe

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory
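
The signatures above describe behaviour, not detection logic. As an added example, not part of the sandbox report and not the sample's own code, the Python below turns the recovery-inhibition signatures (shadow-copy deletion, bcdedit changes, wbadmin catalog deletion), the startup-folder drop and the ransom note from the Malware Config section into rules run over constructed Sysmon-style events (EID 1 process create, EID 11 file create), and pulls the Bitcoin address and e-mail out of the note text. The exact vssadmin/wmic/bcdedit/wbadmin command lines, the event field names and the dropped startup filename are assumptions; the note text is the one the report extracted from read_it.txt.

```python
"""Detection logic for the behaviours in this report (added example, not
from the report). Event records are constructed, Sysmon-style; the command
lines are assumed, not observed values from the report."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK technique ID
    name: str       # signature name, as the report phrases it
    evidence: str   # matched command fragment or file path


# (technique, signature name, pattern applied to the normalised command line)
PROCESS_RULES = [
    ("T1490", "Deletes shadow copies",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows")),
    ("T1490", "Deletes shadow copies",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("T1490", "Modifies boot configuration data using bcdedit",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
    ("T1490", "Deletes backup catalog",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog")),
]

# File-creation rules: per-user Startup folder, and the note filename from the report.
STARTUP_DIR = re.compile(
    r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)
RANSOM_NOTE = re.compile(r"\\read_it\.txt$", re.I)

# IOC patterns for the note text: bech32 Bitcoin address and e-mail address.
BTC_BECH32 = re.compile(r"\bbc1[02-9ac-hj-np-z]{25,59}\b")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def inspect_process(command_line: str) -> list[Finding]:
    """Apply every rule to one command line. A chained 'a & b' line can carry
    several abusive commands, so use finditer rather than a single search."""
    norm = " ".join(command_line.lower().split())
    return [Finding(tech, name, m.group(0))
            for tech, name, rx in PROCESS_RULES
            for m in rx.finditer(norm)]


def inspect_file(path: str) -> list[Finding]:
    found = []
    if STARTUP_DIR.search(path):
        found.append(Finding("T1547.001", "Drops startup file", path))
    if RANSOM_NOTE.search(path):
        found.append(Finding("T1486", "Drops ransom note", path))
    return found


def run_detections(events: list[dict]) -> list[Finding]:
    findings = []
    for ev in events:
        if ev.get("event_id") == 1:
            findings += inspect_process(ev["command_line"])
        elif ev.get("event_id") == 11:
            findings += inspect_file(ev["target_filename"])
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Per-technique hit counts, the same shape as the report's ATT&CK matrix."""
    return dict(Counter(f.technique for f in findings))


def extract_note_iocs(note: str) -> dict[str, list[str]]:
    return {"bitcoin": BTC_BECH32.findall(note), "emails": EMAIL.findall(note)}


# Constructed sample telemetry; command lines and the startup filename are assumed.
SAMPLE_EVENTS = [
    {"event_id": 1, "command_line":
     "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"},
    {"event_id": 1, "command_line":
     "cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures "
     "& bcdedit /set {default} recoveryenabled no"},
    {"event_id": 1, "command_line": "cmd.exe /c wbadmin delete catalog -quiet"},
    {"event_id": 1, "command_line": "svchost.exe -k netsvcs"},  # benign control
    {"event_id": 11, "target_filename":
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dropped.exe"},
    {"event_id": 11, "target_filename": r"C:\Users\Admin\Documents\read_it.txt"},
]

# The note text as extracted by the report from read_it.txt.
SAMPLE_NOTE = (
    "!!! ATTENTION !!! Your device has been locked by our ransomware. To regain access "
    "to your device and your files, you must pay a ransom of : $100 USD in Bitcoin. "
    "Bitcoin Address: bc1qgk07vhn53ws7khy3840gjjvlw7qgzftfjgweq2 Once payment is made, "
    "please send an email to domnicanu2856@gmail.com with the transaction ID as proof "
    "of payment. Upon confirmation of your payment, you will receive instructions on "
    "how to unlock your device. !!! ATTENTION !!!")

if __name__ == "__main__":
    hits = run_detections(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.technique:10} {f.name:50} {f.evidence}")
    print(summarize(hits))
    print(extract_note_iocs(SAMPLE_NOTE))
```

The first event is the interesting edge case: one cmd.exe invocation chains two different deletion commands, so a rule set that stops at the first match undercounts; the bcdedit line likewise yields two hits. Matching on the normalised command line rather than the image name also catches the same commands launched through cmd.exe or PowerShell wrappers.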

MITRE ATT&CK Matrix (ATT&CK v13)

Each technique is followed by the report's hit count for it.

  • Execution

    Command and Scripting Interpreter (T1059): 1

  • Defense Evasion

    Indicator Removal (T1070): 3
    File Deletion (T1070.004): 3

  • Credential Access

    Unsecured Credentials (T1552): 1
    Credentials In Files (T1552.001): 1

  • Discovery

    System Information Discovery (T1082): 3
    Query Registry (T1012): 3
    Peripheral Device Discovery (T1120): 1

  • Collection

    Data from Local System (T1005): 1

  • Impact

    Inhibit System Recovery (T1490): 4
