General
-
Target
rincrypt.exe
-
Size
165KB
-
Sample
240430-l7fzwahf73
-
MD5
9f99b9ecdb90b991aa0eb5884523185f
-
SHA1
5d99a9343765bb758f8ee85585dd376ec190c6e4
-
SHA256
3bac13b433b453c3db0f70f4e3ce07a2c1108a0892bac358a1d1b38a30e1cd08
-
SHA512
5c7a8f872bd0c5800e60e164eb605650eac06a6fc07322ab78274cd9c024e08c7cb8797580ecfb9067efd0ab6a1117e5c23fd78b4e6256ccecea4997f0859ed5
-
SSDEEP
3072:36oLuur9P2Wr6QhzaNpatUPp0hmHzs/0ui8N/Wm9BsB85:dr9P2Wrb2R0Ya/28
Malware Config
Targets
-
-
Target
rincrypt.exe
-
Size
165KB
-
MD5
9f99b9ecdb90b991aa0eb5884523185f
-
SHA1
5d99a9343765bb758f8ee85585dd376ec190c6e4
-
SHA256
3bac13b433b453c3db0f70f4e3ce07a2c1108a0892bac358a1d1b38a30e1cd08
-
SHA512
5c7a8f872bd0c5800e60e164eb605650eac06a6fc07322ab78274cd9c024e08c7cb8797580ecfb9067efd0ab6a1117e5c23fd78b4e6256ccecea4997f0859ed5
-
SSDEEP
3072:36oLuur9P2Wr6QhzaNpatUPp0hmHzs/0ui8N/Wm9BsB85:dr9P2Wrb2R0Ya/28
Score10/10-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Deletes backup catalog
Uses wbadmin.exe to inhibit system recovery.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s)
-
Sets desktop wallpaper using registry
-