Overview

overview

10

Static

static

10

001a09a29d...ad.exe

windows7-x64

10

001e9cb57f...ea.exe

windows7-x64

3

00ace607a4...64.exe

windows7-x64

7

0a20f03af5...77.exe

windows7-x64

1

0a6c62c139...b8.exe

windows7-x64

6

0a747a5f77...c2.exe

windows7-x64

0b02c55fbb...c0.exe

windows7-x64

7

0b716abe15...7f.exe

windows7-x64

10

0b997e8b0d...46.exe

windows7-x64

10

0bb2957b2b...1e.exe

windows7-x64

10

0bd9556e36...74.exe

windows7-x64

3

0c0c9a19db...c1.exe

windows7-x64

10

0c7da4e446...86.exe

windows7-x64

10

0cad47e2df...6a.exe

windows7-x64

10

0cb554caaf...b2.exe

windows7-x64

10

0cbb472b55...43.exe

windows7-x64

10

0d25bbbeb6...09.exe

windows7-x64

10

0d9ea4a12d...0e.exe

windows7-x64

1

0dbfd3479c...8d.exe

windows7-x64

6

0ddcce08b7...35.exe

windows7-x64

6

0df9bd640a...72.exe

windows7-x64

0e52434683...e4.exe

windows7-x64

10

0e767dfa6d...e4.exe

windows7-x64

10

0e82ed8dab...a4.exe

windows7-x64

1

0e98661ea6...29.exe

windows7-x64

1

0e9f24d9b1...d5.exe

windows7-x64

10

0ec44257a6...68.exe

windows7-x64

10

0f18f6547a...57.exe

windows7-x64

10

0f3d700c95...90.exe

windows7-x64

10

0f54e0f3c3...36.exe

windows7-x64

1

0f5ace8adb...72.exe

windows7-x64

6

0fc4a985ae...f8.exe

windows7-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    001.7z

  • Size

    8.1MB

  • Sample

    240713-lf62zsvgrm

  • MD5

    e2281da459ccdedea13c7b9d1a1d6c65

  • SHA1

    3260aecbc39e921d931c7650bc1e107bb3820c76

  • SHA256

    8ff8af7b31fe7ed58b2afc1b556c635c2ccdf20bce7ca371897dea490a8b5027

  • SHA512

    1cb4303730daee0114b14c5df0dab37bba4d3472ab8ef937faacb0f482579a5745606a35b91101068ccb8a1efa99938e2dd390b16dc51d04287b3930cae06cdd

  • SSDEEP

    196608:sYpuCLugda7Vv3QctuLolkvSLLx5yU5+jC:jpuSugQd7Zlm0LzyU5r

Score
10/10
chaosdharmagandcrablockbitmodiloaderneshtaphobosryukwannacrydefense_evasiondiscoveryevasionexecutionimpactpersistenceprivilege_escalationransomwarespywarestealerthemidaworm

Malware Config

Extracted

Path

C:\info.hta

Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>encrypted</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>6ED42086-3423</span></div> <div class='bold'>If there is no response from our mail, you can install the Jabber client and write to us in support of <span class='mark'>[email protected]</span> </div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='title'>Jabber client installation instructions:</div> <div class='note info'> <ul> <li>Download the jabber (Pidgin) client from https://pidgin.im/download/windows/</li> <li>After installation, the Pidgin client will prompt you to create a new account.</li> <li>Click "Add"</li><li>In the "Protocol" field, select XMPP</li> <li>In "Username" - come up with any name</li> <li>In the field "domain" - enter any jabber-server, there are a lot of them, for example - exploit.im</li> <li>Create a password</li><li>At the bottom, put a tick "Create account"</li> <li>Click add</li> <li>If you selected "domain" - exploit.im, then a new window should appear in which you will need to re-enter your data:</li> <ul> <li>User</li> <li>password</li> <li>You will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below)</li> </ul> <li>If you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - <a href = "https://www.youtube.com/results?search_query=pidgin+jabber+install">https://www.youtube.com/results?search_query=pidgin+jabber+install</a></li> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>
Emails

class='mark'>[email protected]</span></div>

class='mark'>[email protected]</span>
URLs

http://www.w3.org/TR/html4/strict.dtd'>

https://pidgin.im/download/windows/</li>

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email [email protected] YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: [email protected] Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Extracted

Path

C:\ProgramData\RyukReadMe.txt

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\How to Recovery.bat

Ransom Note
echo off color 0A cls :MENU ECHO. ECHO -----------------Attention----------------- ECHO. ECHO. Your All Files Have been Encrypted! ECHO. ECHO Your Personal files (Documents, Databases, All Drive, PDF, ETC.) We re encrypted. ECHO. But don't worry about your files,You can take back all of them, To decrypt your all files need ECHO. to buy Our Software With your unique private key. Only our software well allow decrypt your files. ECHO. Remember if you try to recovery your files through any third-party software, ECHO. it's can cause premature damage to your files, and we can't help you either. ECHO. ECHO. -----------------Note!----------------- ECHO. ECHO. You have only 72 hours from the moment when an encryption was done to buy our software at $200 for the payment ECHO. ECHO. BTC Address:- 33j4JbAEzZwWGgA2MxBARD7zprJuNDP2hP ECHO. ECHO. And if you Payment complete then Send me proof. ECHO. ECHO. Use the following ID as the title of your email:- QA2Z67DXLBFF723FHN ECHO. ECHO. Use these emails to contact us and receive instructions:- ECHO. ECHO. Main email:- [email protected] ECHO. ECHO. Secondary email ( in case of no response in 48h):- [email protected] ECHO. ECHO. Also, you can send up to 3 test files to see if we can decrypt your files. ECHO. ECHO. After paying, the decryptor software and your private key will be given to you. ECHO. SET /P M=
Wallets

33j4JbAEzZwWGgA2MxBARD7zprJuNDP2hP

Extracted

Path

C:\Jjf2IQlAQ.README.txt

Ransom Note
Your data is downloaded and encrypted. To restore the files and prevent it leaked on onion website, you need to pay some money for it. Send email to [email protected] with subject of the encrypted file extension. What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! Warning! If you do not pay the ransom we will attack your company repeatedly again. We will delete the decryptor after 48 hours if you don't send email to us.

Targets

    • Target

      001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe

    • Size

      3.7MB

    • MD5

      fcd18971f21cfd63598d5b3dec2b7a53

    • SHA1

      8ad7f39746f236c606ebeaf1e085cadcaa7b35e5

    • SHA256

      001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead

    • SHA512

      d344fb8164907c772e40721ae9d7485a68deb34366c3161fe7f08bf552286a1b3f5cdb46092e7d8646d7eff3556f3196bcacc0f0716c3a6d062fd212a9351cf4

    • SSDEEP

      24576:eEtl9mRda12sX7B9NRdpkhtIShJVVTyJNPtz:9Es1R3DCjVyB

    Score
    10/10
    persistenceransomware

    • Modifies WinLogon for persistence

      persistence

    • Renames multiple (91) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    behavioral1

    • Target

      001e9cb57f9e922d7b0d92ec43b8b5e376c5ab6e4ea827b84c76e13c994fbbea.exe

    • Size

      155KB

    • MD5

      b549a40b7426410c3cc3145e56ac24ed

    • SHA1

      a5a2722ff785eb08c543f316fb3ec93272f55674

    • SHA256

      001e9cb57f9e922d7b0d92ec43b8b5e376c5ab6e4ea827b84c76e13c994fbbea

    • SHA512

      0cb1449f646ba2339b53e8ea9ec7074766ccd288b2facb59377452365aa57a7867bd22b2f66e3a6591e704bd376bfe5b771bd9b903f1cb8ac48f00836adc85e9

    • SSDEEP

      3072:S5K/B0toLbQSNJhlxwsx89TSdBgjMqqDL2/TOKOPG:ScytwbtcTTSdBgQqqDL6SKT

    Score
    3/10
    behavioral2

    • Target

      00ace607a44cbcd3e0bcdfb0a6b5f27c834fce66b95ee987c28eb651da9c2464.exe

    • Size

      4.2MB

    • MD5

      98d4a021d297fc479a7badbb378907a0

    • SHA1

      ff8fa169a1727ad4529f0e9ab957bb3a3a119b40

    • SHA256

      00ace607a44cbcd3e0bcdfb0a6b5f27c834fce66b95ee987c28eb651da9c2464

    • SHA512

      df158667cdc3f78cebf48397dd0a48aa66d928b8e74e10d28e96be88cbceaad3604fd9e1ca9d7091407b267548d02d268a4c75af6315b53470a761808aad826b

    • SSDEEP

      98304:oXB4uluJRmMg6QWlIpgi0rHqsih/mCqJ4B4uluP:ovsJR0TW6yiIKRhzqOsP

    Score
    7/10

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral3

    • Target

      0a20f03af50d14404b349279b3dc20886b1bf91419ede3f1b0c7fbdda579ae77.exe

    • Size

      16.0MB

    • MD5

      f89692198bfc2d2c0f96ae539f1f20ff

    • SHA1

      5000a45154ae471680f586b51cc2996e3ab8e65a

    • SHA256

      0a20f03af50d14404b349279b3dc20886b1bf91419ede3f1b0c7fbdda579ae77

    • SHA512

      270bdd5b60b68ff612aacd8f1c8edc7383c431307a7a41372b787dc5d0d8e9befe953b784476ac3bcfdf63b2c90d1371b77f46ac8008076240aef5e00e1185c4

    • SSDEEP

      3072:S5K/B0toLOSNJmlxwsx89TSdBgjMqqDL2/TOK21Gl:ScytwbFTTSdBgQqqDL6SKZ

    Score
    1/10
    behavioral4

    • Target

      0a6c62c139aa9baf898add2a10fada3d49f78b3089507b84e613868242e169b8.exe

    • Size

      70KB

    • MD5

      b9bb0a0cff8d16143c50af7c71b22f5d

    • SHA1

      89dc77a9ef0294b99ce849c2145f9d5139025480

    • SHA256

      0a6c62c139aa9baf898add2a10fada3d49f78b3089507b84e613868242e169b8

    • SHA512

      d1da8fa0267b5efbfb0c1d94ac1fc1813f41e0cea062b9c10ee9b6a123afc5d496729d63a7b5a27d931f638ddc8b9ad89b2c3049e0603a9b23405a07cd81c1be

    • SSDEEP

      1536:zZZZZZZZZZZZZpXzzzzzzzzzzzzADypczUk+lkZJngWMqqU+2bbbAV2/S2OvvdZl:id5BJHMqqDL2/Ovvdr

    Score
    6/10
    persistence

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral5

    • Target

      0a747a5f771168c0c32e944da6d6d996f24284e4fb44eaea562b21266a9e3ac2.exe

    • Size

      92KB

    • MD5

      07a14116ac737b484efd8184ee716109

    • SHA1

      18a51e12e7f37dd04429482e219883bb044e2e42

    • SHA256

      0a747a5f771168c0c32e944da6d6d996f24284e4fb44eaea562b21266a9e3ac2

    • SHA512

      4a7f8ff122a06d9159f89a3b570de49b84e31cca11dd2324784e37d4926a021e365981d2300bfb767ca49edae22820c94ebb911b3b21615fc009318c752602d2

    • SSDEEP

      1536:tBwl+KXpsqN5vlwWYyhY9S4Acc+zVDSmrJA0OGfzbrB5e:Hw+asqN5aW/hLpwpHTe

    Score
    1/10
    behavioral6

    • Target

      0b02c55fbb40d7757b5808efe3fd1343f943bcefb92e0009689f4995e3eb26c0.exe

    • Size

      10.0MB

    • MD5

      ae3a625b9d6bf29b465d56502b22b7b1

    • SHA1

      232d769ae3b52efe6c2cf831cc2880bca34d44f2

    • SHA256

      0b02c55fbb40d7757b5808efe3fd1343f943bcefb92e0009689f4995e3eb26c0

    • SHA512

      bc607a19544ab5d85956605917dd82baf3ebb620c036a7716cc970719b328892964aa1a3312c3864845756b38664d3e7b1a51bb54c7cae7d31d22cd4087a1390

    • SSDEEP

      49152:FwaYoE4htZYBl+OHJ1V4dYFgZPsv97H4numCM1+7:SaYoE4htZ2p8dfZPs54numh1+

    Score
    7/10
    themida

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida
    behavioral7

    • Target

      0b716abe15b17a114c2f12fab954c861f82165bb0868f863cfb8dc634f76be7f.exe

    • Size

      22KB

    • MD5

      bffd46a9c588683c66b6f4c0dba865c7

    • SHA1

      ac4eb4cdc14f374935a8cd72976da47bd941dbb1

    • SHA256

      0b716abe15b17a114c2f12fab954c861f82165bb0868f863cfb8dc634f76be7f

    • SHA512

      bf2bdd9dc55d548e4b0c0e381095a405e4639a3d94028e4a9212aaffd4f17f43313c1056dcc0f1da9a56edd90f8e93d03aad2497063e80701af5759e97fccfd6

    • SSDEEP

      384:m3Mg/bqo2CGVdKXqpVOjuwzUbJlr91CQJc3zDeN:Uqo2RnKXqpIjKtlr9AXeN

    Score
    10/10
    chaosransomwarespywarestealer

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Renames multiple (206) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    behavioral8

    • Target

      0b997e8b0d0ff6cc4e6f1919c6c0f3080eaa0d08c8fccdf50f7648bf05cca446.exe

    • Size

      58KB

    • MD5

      d458a2f85bc1330f13acccd63d88d015

    • SHA1

      2604402597e41faa97db737fe0fb4166864752ad

    • SHA256

      0b997e8b0d0ff6cc4e6f1919c6c0f3080eaa0d08c8fccdf50f7648bf05cca446

    • SHA512

      5e89c3541022d31df8d7d2b15522734649796428ba6842182ab59988d3ea5679e1f8b2903b4e7646785c46c8d41b5e99031a4875a340e9be84362b63797e1c99

    • SSDEEP

      1536:hNeRBl5PT/rx1mzwRMSTdLpJ5mwnf+viID/:hQRrmzwR5JUD/

    Score
    10/10
    phobosdefense_evasionevasionexecutionimpactpersistenceprivilege_escalationransomwarespywarestealer

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

      ransomwarephobos

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Renames multiple (317) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Modifies Windows Firewall

      evasion

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    behavioral9

    • Target

      0bb2957b2b8ed0a1c458da6edeaf5a48b2c1ecdd7d7ed33d00749ef1f5653b1e.exe

    • Size

      88KB

    • MD5

      bcf73d0b807d66634d7d25f399fa8ffe

    • SHA1

      3db3790b46e2d430374f6c40e7ce25e633696b75

    • SHA256

      0bb2957b2b8ed0a1c458da6edeaf5a48b2c1ecdd7d7ed33d00749ef1f5653b1e

    • SHA512

      0750fe4212f1bc7a16a426f6c363797e926656f7f27cc2bc5d5f624a436b3a075263ca29fa609696d7ef2d18b79ef7da4998c75a36c9bda2bd2beb456ae08f31

    • SSDEEP

      768:Hqo2MgNp4wBAQr9uNev2SU2Ip4jBqltCF0AxEjenoB69+Fx:Ko2g0AQr9usv2SFHBWAxEjc+

    Score
    10/10
    chaosdefense_evasionevasionexecutionimpactransomwarespywarestealer

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Renames multiple (208) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    behavioral10

    • Target

      0bd9556e36c620bbedfafd2e76bb6703f069aa654e34008f2aef3b4a0ce6f874.exe

    • Size

      155KB

    • MD5

      6827dfd481743d41ed35fb36740c0db7

    • SHA1

      a3739fad76445b8e95970a7ae1638b8e7377c99d

    • SHA256

      0bd9556e36c620bbedfafd2e76bb6703f069aa654e34008f2aef3b4a0ce6f874

    • SHA512

      9a149ba007eb8f7b6160f5637d578dcc8b28d3bc36e8cb78d354a96b726431202a8d6230599bf28528cefb9cb2567b0eaf2ded3cfb4cda3a8996166f7a6cd5a4

    • SSDEEP

      3072:l5K/B0toLQSNJ7lZHQsozTS+SMqqDL2/TrK/uG:lcytwtJ1yTS+xqqDL6HKX

    Score
    3/10
    behavioral11

    • Target

      0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe

    • Size

      97KB

    • MD5

      8881f3e50b9f1bcb315769e24b76a3cc

    • SHA1

      f6f21445663a197b8f88a7a2fdbc4cbe2bf3be51

    • SHA256

      0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1

    • SHA512

      dde4d848499dd0eb92982358ad2990a82c22e2c1738a0387ca03dfadfd602b9fe429570815acf648aebc11e5337b1bc44b77e58f4aabd2f9ca5be88f6a34111b

    • SSDEEP

      1536:JxqjQ+P04wsmJCf5HqwoOFcqZNeRBl5PT/rx1mzwRMSTdLpJ1M:sr85CfxbtcSQRrmzwR5JS

    Score
    10/10
    neshtaphobosdefense_evasionevasionexecutionimpactpersistenceprivilege_escalationransomwarespywarestealer

    • Detect Neshta payload

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

      ransomwarephobos

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Renames multiple (329) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Modifies Windows Firewall

      evasion

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

      persistence

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    behavioral12

    • Target

      0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe

    • Size

      3.1MB

    • MD5

      76b466c9387684239681d8774bb5956b

    • SHA1

      ed773e756932dc3af27e235b4bf7993781665a92

    • SHA256

      0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286

    • SHA512

      d6b83126b27532e56c39b7253668a4540baf29916105955937132c01fc11096b297f7abe545094823cac2c0e65fcf2282997e1bdb594d6fe99a342812d9bf42c

    • SSDEEP

      12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCe:eEtl9mRda12sX7hKB8NIyXbacAfF

    Score
    10/10
    persistenceransomware

    • Modifies WinLogon for persistence

      persistence

    • Renames multiple (91) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    behavioral13

    • Target

      0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe

    • Size

      3.2MB

    • MD5

      debf24ccdc00420e4a88454338f1c726

    • SHA1

      1674f180860cbe61b1cfc30c48582461ead73347

    • SHA256

      0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a

    • SHA512

      7cc073387610f5a993ec53857563946b7779111a62c80aad338b0ebce8fe437bcaaf71767815aa439ad0f848b288b6d2f36b4543c42e25f048a9a3cd4689ac48

    • SSDEEP

      12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCw:eEtl9mRda12sX7hKB8NIyXbacAfR

    Score
    10/10
    persistenceransomware

    • Modifies WinLogon for persistence

      persistence

    • Renames multiple (91) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    behavioral14

    • Target

      0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe

    • Size

      2.4MB

    • MD5

      a949330481ec49db59a0406c4deebee4

    • SHA1

      f2c8921b8acf3779f05679f51c279c120fb48919

    • SHA256

      0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2

    • SHA512

      13763fa20ad8fb76fc86168fe5c2fed13b76eb4831a251cb1c43431d03e43f6f14b89372d24137883717e15f3d14b8e7e7c651ae99364a35d6966a01a50bfb14

    • SSDEEP

      12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCL:eEtl9mRda12sX7hKB8NIyXbacAfU

    Score
    10/10
    persistenceransomware

    • Modifies WinLogon for persistence

      persistence

    • Renames multiple (91) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    behavioral15

    • Target

      0cbb472b555d4cab454948ba900675db48b120afaedf246a14d87d970b233a43.exe

    • Size

      92KB

    • MD5

      a0dd1dfbac4b2aaed94b2065a9c9f30c

    • SHA1

      b797000407eb333dc80777dd088204179b62fb5c

    • SHA256

      0cbb472b555d4cab454948ba900675db48b120afaedf246a14d87d970b233a43

    • SHA512

      13949bcbd0a6d7efee4e466f9f8818bd4b0643f8bc1116cd302b9b72808dbe018e30aa36d1edd4474ebf590d5d29438247f391988b6b2b5a5188d79a47ae1229

    • SSDEEP

      1536:mBwl+KXpsqN5vlwWYyhY9S4AQp27xRgjGri0wEeKirLWP6d7cH:Qw+asqN5aW/hL+pwl2RsivPd

    Score
    10/10
    dharmadefense_evasionexecutionimpactpersistenceransomwarespywarestealer

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

      ransomwaredharma

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Renames multiple (324) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    behavioral16

    • Target

      0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe

    • Size

      885KB

    • MD5

      6a5bf25ff4f72ebca91280ffda057260

    • SHA1

      722063331acdbfc93ccbfacbec045800a835dd9e

    • SHA256

      0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09

    • SHA512

      64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42

    • SSDEEP

      12288:Qm+PiUwyM02Jl5YqWYgeWYg955/155/0QebUlAAsrsKCQoZRn6X:Q5iUtklagQKUKRrsKCQON6

    Score
    10/10
    ryukdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomware

    • Disables service(s)

      evasionexecution

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Clears Windows event logs

      evasionransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Renames multiple (8366) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Disables Task Manager via registry modification

      evasion

    • Disables taskbar notifications via registry modification

      evasion

    • Disables use of System Restore points

      evasion

    • Drops startup file

    • Modifies file permissions

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

      persistence

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion
    behavioral17

    • Target

      0d9ea4a12d29d79b00bd3d0788f531642832b799bdc3baaebd0ee213cee4720e.exe

    • Size

      362KB

    • MD5

      ef1bff9e70e5cb2362ed58479484eab0

    • SHA1

      f5625e3928bde215cc03b2c9ad1c9b131627a1ca

    • SHA256

      0d9ea4a12d29d79b00bd3d0788f531642832b799bdc3baaebd0ee213cee4720e

    • SHA512

      cc25dadb8de2bd7c1b8e97459ced2701adea2cc4daab54a7d1695bf86aa448e6f5b9c3914e7bd8c8facc5c2bc260da4f1efdaac5d7efc720db1139bedad05b3d

    • SSDEEP

      6144:NqRfEPqxpc7xSPyRft/C0kbxuci4CdlzRepmnlhT5gtU/zPFVUuQtqWg2:ZqxpCxSa1t8alz6mnrzPFiuHK

    Score
    1/10
    behavioral18

    • Target

      0dbfd3479cfaf0856eb8a75f0ad4fccb5fd6bd17164bcfa6a5a386ed7378958d.exe

    • Size

      217KB

    • MD5

      e307123c3012248c4f7eac48b5c803c0

    • SHA1

      13cad899944c5267b1de0aecd6a6964c3e2696c2

    • SHA256

      0dbfd3479cfaf0856eb8a75f0ad4fccb5fd6bd17164bcfa6a5a386ed7378958d

    • SHA512

      c8e6b07a9dda7e71417f185a723b9874e7564379184c744f547f32a6108f18d18e0e81c9cd5520e1bbb0c98453484dfec92b041323c7e67eb64da9edbcb08e63

    • SSDEEP

      3072:phXD6M9my8NbPYOBLujYx5I8XDZW0956w/J+UdSZWD/rcV9YHcqM3:phT6+mntYOJ9FR60hd/D/rcV9c

    Score
    6/10
    persistenceransomware
    behavioral19

    • Target

      0ddcce08b727ccbbae208459032f010956794a84b7f35e225b5bae927b0f6835.exe

    • Size

      70KB

    • MD5

      7bd74c234b2b0a783340f7bc8f273c84

    • SHA1

      5b55082a53e2f2cf5c4badf8e93da0717bd90f67

    • SHA256

      0ddcce08b727ccbbae208459032f010956794a84b7f35e225b5bae927b0f6835

    • SHA512

      82d49384f879c42ed41a208e6ebcef990abda1ca3de1a83e683c1ee718c6c0c72f833027d4c57ef2f6dc4e5b9cf7f481dc0051ce093a4b347e40e02d1a712817

    • SSDEEP

      1536:hZZZZZZZZZZZZpXzzzzzzzzzzzzADypczUk+lkZJngWMqqU+2bbbAV2/S2OvvdZl:Id5BJHMqqDL2/Ovvdr

    Score
    6/10
    persistence

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral20

    • Target

      0df9bd640ad5bb636095c524e54f9152bb84092889e720dcaa549e65dc3c1472.exe

    • Size

      1.9MB

    • MD5

      bca775f0297bc8138b54f182d1e6aed2

    • SHA1

      31351fe925ce97d44fb1a779b391a76e6859da6b

    • SHA256

      0df9bd640ad5bb636095c524e54f9152bb84092889e720dcaa549e65dc3c1472

    • SHA512

      1f817242b47e645826c43c296a849d80dc29a2ac33beaff7a96604b5a96fe64cf34eef7b300ba110b1c265332b6150ed8dafa66b60dd602c176d023d63e65136

    • SSDEEP

      24576:CSndG2iSNjN2w9Os9cRfO/d8mT6c6aVqwPhUMel842:HfJqsgXmgyJPu2

    Score
    1/10
    behavioral21

    • Target

      0e524346835f7c208667a18699df3faf34fcf8a3cceab8a7418d3f88e87211e4.exe

    • Size

      2.8MB

    • MD5

      efe70e514cf869d4b46cee676c74ba2e

    • SHA1

      2d00e444cc2f1bd39952f830bc471be100e2b0d5

    • SHA256

      0e524346835f7c208667a18699df3faf34fcf8a3cceab8a7418d3f88e87211e4

    • SHA512

      868a5c96d3b692779502ad2e28260a17a4af247b2e8140753032285971455d8a178cc48b3ffc9f92a48671bd42c3b696cdf2f343239b78a4b77a09696f9bf7cb

    • SSDEEP

      24576:BS4lQMNWi3VesNY8106qPN4K3P0QcejoMZLyiTtiFfkOfE/S:BSy6PX3PpM+P5IdIS

    Score
    10/10
    chaosneshtadefense_evasionevasionexecutionimpactpersistenceransomwarespywarestealer

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Detect Neshta payload

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Disables Task Manager via registry modification

      evasion

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

      persistence

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

      ransomware
    behavioral22

    • Target

      0e767dfa6d7887e832225433ed8866195df94607ccb474868b9abbbf20843ae4.exe

    • Size

      6.4MB

    • MD5

      2f15750b2abd86157c676cd18987c3c9

    • SHA1

      709ac17f0844f0eccd1d2ec5e75ffbd84b29cc74

    • SHA256

      0e767dfa6d7887e832225433ed8866195df94607ccb474868b9abbbf20843ae4

    • SHA512

      757919fd463a1e3fcb49af9dd3cf1b1d33d144ee34814cb9d0d18cac3ed9a873fcc0825dc4c75748f0f89ebe87c59b03445477e0415c09622e38632d7c5d8c58

    • SSDEEP

      6144:YE9l9yzqIYVTH5DgSg8ajldktM0XXrs2QhMV9qb:YibLgPluxQhMb

    Score
    10/10
    wannacrydefense_evasiondiscoveryransomwareworm

    • Wannacry

      WannaCry is a ransomware cryptoworm.

      ransomwarewormwannacry

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

      defense_evasion

    • Drops file in System32 directory

    behavioral23

    • Target

      0e82ed8dabc9bb697d3e2f7ba1ee8d5235d3501796fbc1cd79ccffe7df11d9a4.exe

    • Size

      362KB

    • MD5

      3c13842d28a4e2577c6c0e5bd65228b6

    • SHA1

      32c9462b0805f0622dd81ec1a890553db96607ab

    • SHA256

      0e82ed8dabc9bb697d3e2f7ba1ee8d5235d3501796fbc1cd79ccffe7df11d9a4

    • SHA512

      5f91303cdf4c7f276ad1b5e2888a4be07ed9ae3958e8ffe0412ab0f49d528dbccb6f4cf7270df75ba22cc4de65208aec08c6379d34b45f33650dc4e8bf656e34

    • SSDEEP

      6144:gAwjJA2gls1IVOkZiWaiUzz9m/nSenhb9oSJwIB/QXwPihQpqAuk:XwVALu2zm90n3nBQXwKhv8

    Score
    1/10
    behavioral24

    • Target

      0e98661ea680708e9bb55f32131f743811108e826b91cae99d69a8fc1856d429.exe

    • Size

      31.5MB

    • MD5

      6569fd60f73e5705f4c28ab59d86fb39

    • SHA1

      7159be53512f91b2aeabe5c15a54d95955eb4d6a

    • SHA256

      0e98661ea680708e9bb55f32131f743811108e826b91cae99d69a8fc1856d429

    • SHA512

      9fc0dcd04779bb99569449dab031513d4404e3ef15d7d0db988bf9537bf1945f72bd83a5768ccc494d013f16c47e0c0a95a12c2258b33ea1bcc4cfe1e93ead4f

    • SSDEEP

      6144:ScytwbnTTSdBgQqqDL6SK+iZz+FF4X4sYN+Qaf3AVwbLW:vyinTqn6r+iZz+v4+9M

    Score
    1/10
    behavioral25

    • Target

      0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe

    • Size

      146KB

    • MD5

      c4944d000475c9c6b515e030b59652c9

    • SHA1

      eaf2695c872913f35a450b11a7b5f58d848d0735

    • SHA256

      0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5

    • SHA512

      e41e21ef56cb097c78b7b8a48d54e9d611e863da5a15d14d8fb11c7975348c71708ccb9d491f00a682874dd6667fa2252ba3568b3d06fa2c2600648838d080fd

    • SSDEEP

      1536:KzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDmi3rNHUmVNypY2hamdb2SxsUyz:5qJogYkcSNm9V7DmCymVoRwmd/qT

    Score
    10/10
    ransomware

    • Renames multiple (189) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral26

    • Target

      0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe

    • Size

      2.8MB

    • MD5

      dc2906e5bcdea645e2339b9f74027a20

    • SHA1

      26f846b2ea394b0005f2254fb6d56d5534f467d8

    • SHA256

      0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268

    • SHA512

      6e28b4e954eaa3f246ef334cd4adfd9e9af49e7fc782cf254b5934c93423b93b113195d8f98bad46587a5dca0e876f5888559bcd486c9599ae7e4fc13c47d100

    • SSDEEP

      12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCo:eEtl9mRda12sX7hKB8NIyXbacAfT

    Score
    10/10
    persistenceransomware

    • Modifies WinLogon for persistence

      persistence

    • Renames multiple (91) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    behavioral27

    • Target

      0f18f6547a1c8e86963a9e9f9dd9e6e42bd506de21c034ec884c3b55a789ac57.exe

    • Size

      23KB

    • MD5

      4cc6ec4d961a14c4fc4b45dfe939ca00

    • SHA1

      7a115dcc3ca91877b70de091b122259503d7109f

    • SHA256

      0f18f6547a1c8e86963a9e9f9dd9e6e42bd506de21c034ec884c3b55a789ac57

    • SHA512

      9bcdb453be961b88ae3a85a9d68e8f2e8ea6394e27641a46f4a28c9b56133cf97f5cf74699feab475563f5e9617120dffa944c8d3554d06749071e104cd237fd

    • SSDEEP

      384:m3Mg/bqo2uda2duoiXslkpaDKB+98SJer91CCob5LeU:Uqo2ka2kAkpaDuNGer9pobJeU

    Score
    10/10
    chaosdefense_evasionevasionexecutionimpactransomwarespywarestealer

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    behavioral28

    • Target

      0f3d700c95b21e5437c0aedb3cacd787ce6701c49180d8d564e4574dffc42190.exe

    • Size

      1.9MB

    • MD5

      2c6f8e680a400cb2b5426090ccbdea93

    • SHA1

      47a691c438547b27fac9896f3783026d8be4dbe9

    • SHA256

      0f3d700c95b21e5437c0aedb3cacd787ce6701c49180d8d564e4574dffc42190

    • SHA512

      48a70440e4009c4ab2a913ee3b9dc24b73ab4413cc82f5e8194f1cca87ead356de1de90c461c9109afa5f690cb0c9365f49a5ea83f54b4ad97c4287346237f03

    • SSDEEP

      24576:CSndG2iSNjN2w9Os9cRfO/d8mT6c6aVqwPhUMel84Mn:HfJqsgXmgyJPu

    Score
    10/10
    chaosdefense_evasionevasionexecutionimpactransomwarespywarestealer

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

      ransomware
    behavioral29

    • Target

      0f54e0f3c3408647bf9844f9d97b64dbc62278091280b3d7bf1db5bdde3fc436.exe

    • Size

      362KB

    • MD5

      21ba47cee02f4b2fa523f4acc81539d0

    • SHA1

      fa0a9c6a10aa5cb581cd9422afeb9dcf739c414c

    • SHA256

      0f54e0f3c3408647bf9844f9d97b64dbc62278091280b3d7bf1db5bdde3fc436

    • SHA512

      b0e27054b3d37b6e558bee48690af6f1f694e806789d530d66ea84b64e085606c08ae1674b94991c895e187ff44915f3c369f4392684eb908267d21ee7bd3bf0

    • SSDEEP

      6144:QlgEenwKdnC0rrdGSkFFMMy0qzpBMYlDB/PA1K/Nk6F3wYQRq83a:xEsbE0rRQep5lxN3FAYHd

    Score
    1/10
    behavioral30

    • Target

      0f5ace8adbaf1f05d0f5765166537ff4b77ea9f038cffbc08c16afd4cc869972.exe

    • Size

      70KB

    • MD5

      6933fffefd94b7e16bcb04a498c82da6

    • SHA1

      6f4f45bdba6379f7df52326f8754995c28a9b335

    • SHA256

      0f5ace8adbaf1f05d0f5765166537ff4b77ea9f038cffbc08c16afd4cc869972

    • SHA512

      71588385c4f48942ad88f6dffdedbe5e3c76b6b79adadb7621bcc60406b3d4930e109efa56ea6b9fbe44a4ef9ecdaff93a51ab9de4ccdd6c15d52ec8dc85a1c9

    • SSDEEP

      1536:RZZZZZZZZZZZZpXzzzzzzzzzzzzADypczUk+lkZJngWMqqU+2bbbAV2/S2OvvdZl:4d5BJHMqqDL2/Ovvdr

    Score
    6/10
    persistence

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral31

    • Target

      0fc4a985aed460862a8f70dd982fadbd65ea0ad88fb58ced2d909f4264ab98f8.exe

    • Size

      155KB

    • MD5

      6dc42bf3bdd770e5506c5f5a51472e4a

    • SHA1

      643765b078c8fb6ea6b6cb664c78d49244dd1921

    • SHA256

      0fc4a985aed460862a8f70dd982fadbd65ea0ad88fb58ced2d909f4264ab98f8

    • SHA512

      a80d6fbeaedf1b77db531c87c19e795c9cfe69081e48120f2540d29d36ef683c1d023d6662dd99be3a5f24a1bab770f690dcf0d59a6378cbd4a6b72cf040e9ee

    • SSDEEP

      3072:l5K/B0toLVSNJrlZHQsozTS+SMqqDL2/TrKnFG:lcytwIJ1yTS+xqqDL6HKI

    Score
    3/10
    behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Command and Scripting Interpreter

1
T1059

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

1
T1569

Service Execution

1
T1569.002

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Netsh Helper DLL

1
T1546.007

Power Settings

1
T1653

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Direct Volume Access

1
T1006

File and Directory Permissions Modification

2
T1222

Windows File and Directory Permissions Modification

1
T1222.001

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Indicator Removal

4
T1070

File Deletion

3
T1070.004

Modify Registry

5
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

3
T1012

System Information Discovery

3
T1082

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Defacement

1
T1491

Inhibit System Recovery

5
T1490

Service Stop

1
T1489

Tasks

static1

themidagandcrabchaosneshtamodiloaderlockbit
Score
10/10

behavioral1

persistenceransomware
Score
10/10

behavioral2

Score
3/10

behavioral3

Score
7/10

behavioral4

Score
1/10

behavioral5

persistence
Score
6/10

behavioral6

Score
1/10

behavioral7

themida
Score
7/10

behavioral8

chaosransomwarespywarestealer
Score
10/10

behavioral9

phobosdefense_evasionevasionexecutionimpactpersistenceprivilege_escalationransomwarespywarestealer
Score
10/10

behavioral10

chaosdefense_evasionevasionexecutionimpactransomwarespywarestealer
Score
10/10

behavioral11

Score
3/10

behavioral12

neshtaphobosdefense_evasionevasionexecutionimpactpersistenceprivilege_escalationransomwarespywarestealer
Score
10/10

behavioral13

persistenceransomware
Score
10/10

behavioral14

persistenceransomware
Score
10/10

behavioral15

persistenceransomware
Score
10/10

behavioral16

dharmadefense_evasionexecutionimpactpersistenceransomwarespywarestealer
Score
10/10

behavioral17

ryukdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomware
Score
10/10

behavioral18

Score
1/10

behavioral19

persistenceransomware
Score
6/10

behavioral20

persistence
Score
6/10

behavioral21

Score
1/10

behavioral22

chaosneshtadefense_evasionevasionexecutionimpactpersistenceransomwarespywarestealer
Score
10/10

behavioral23

wannacrydefense_evasiondiscoveryransomwareworm
Score
10/10

behavioral24

Score
1/10

behavioral25

Score
1/10

behavioral26

ransomware
Score
10/10

behavioral27

persistenceransomware
Score
10/10

behavioral28

chaosdefense_evasionevasionexecutionimpactransomwarespywarestealer
Score
10/10

behavioral29

chaosdefense_evasionevasionexecutionimpactransomwarespywarestealer
Score
10/10

behavioral30

Score
1/10

behavioral31

persistence
Score
6/10

behavioral32

Score
3/10