Overview

overview

10

Static

static

3

XClient.exe

windows7-x64

7

XClient.exe

windows10-2004-x64

Resubmissions

01-05-2024 16:35

240501-t3ng6ade53 7

01-05-2024 11:16

240501-ndh89afg46 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    XClient.exe

  • Size

    1.3MB

  • Sample

    240501-ndh89afg46

  • MD5

    0e7dbde65ff6eb526caf5a8517b3ef14

  • SHA1

    326b1a54238ff6560dea85053bbea1c521dddd62

  • SHA256

    3a23809b4f8c295cc07fb589966ef0c695d6df61c244e28127be54874ef38ec4

  • SHA512

    f6fd535c17c5ea57eb9ee6a0f6705885b58b628801b3cd6e792da1518d5e1e490a007dbb9f1e72341ba2e60c635c2549762faed878fcdfac7633f3074dc55302

  • SSDEEP

    6144:HCvSkBoOd7x9JR0hg5efTfnxPQ6EgjDcOKeSZhzjnnpDnC5QQfWMFH6n/8sJdaTp:HCvTo+GTfnxPQlgyymKJ162d0jLifU

Score
10/10
chaosbootkitdiscoverypersistenceransomwareupx

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\read_it.txt

Ransom Note
All of your files have been encrypted Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.What can I do to get my files back?You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0.1473766 BTC Bitcoin Address: bc1qw0ll8p9m8uezhqhyd7z459ajrk722yn8c5j4fg

Targets

    • Target

      XClient.exe

    • Size

      1.3MB

    • MD5

      0e7dbde65ff6eb526caf5a8517b3ef14

    • SHA1

      326b1a54238ff6560dea85053bbea1c521dddd62

    • SHA256

      3a23809b4f8c295cc07fb589966ef0c695d6df61c244e28127be54874ef38ec4

    • SHA512

      f6fd535c17c5ea57eb9ee6a0f6705885b58b628801b3cd6e792da1518d5e1e490a007dbb9f1e72341ba2e60c635c2549762faed878fcdfac7633f3074dc55302

    • SSDEEP

      6144:HCvSkBoOd7x9JR0hg5efTfnxPQ6EgjDcOKeSZhzjnnpDnC5QQfWMFH6n/8sJdaTp:HCvTo+GTfnxPQlgyymKJ162d0jLifU

    Score
    10/10
    persistencechaosbootkitdiscoveryransomwareupx

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks