chaos

Sharing

Copy URL

Twitter E-mail

General

Target

001.7z
Size

8.1MB
Sample

240713-lf62zsvgrm
MD5

e2281da459ccdedea13c7b9d1a1d6c65
SHA1

3260aecbc39e921d931c7650bc1e107bb3820c76
SHA256

8ff8af7b31fe7ed58b2afc1b556c635c2ccdf20bce7ca371897dea490a8b5027
SHA512

1cb4303730daee0114b14c5df0dab37bba4d3472ab8ef937faacb0f482579a5745606a35b91101068ccb8a1efa99938e2dd390b16dc51d04287b3930cae06cdd
SSDEEP

196608:sYpuCLugda7Vv3QctuLolkvSLLx5yU5+jC:jpuSugQd7Zlm0LzyU5r

Malware Config

Extracted

Path

C:\info.hta

Ransom Note

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>encrypted</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>6ED42086-3423</span></div> <div class='bold'>If there is no response from our mail, you can install the Jabber client and write to us in support of <span class='mark'>[email protected]</span> </div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='title'>Jabber client installation instructions:</div> <div class='note info'> <ul> <li>Download the jabber (Pidgin) client from https://pidgin.im/download/windows/</li> <li>After installation, the Pidgin client will prompt you to create a new account.</li> <li>Click "Add"</li><li>In the "Protocol" field, select XMPP</li> <li>In "Username" - come up with any name</li> <li>In the field "domain" - enter any jabber-server, there are a lot of them, for example - exploit.im</li> <li>Create a password</li><li>At the bottom, put a tick "Create account"</li> <li>Click add</li> <li>If you selected "domain" - exploit.im, then a new window should appear in which you will need to re-enter your data:</li> <ul> <li>User</li> <li>password</li> <li>You will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below)</li> </ul> <li>If you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - <a href = "https://www.youtube.com/results?search_query=pidgin+jabber+install">https://www.youtube.com/results?search_query=pidgin+jabber+install</a></li> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>

Emails

class='mark'>[email protected]</span></div>

class='mark'>[email protected]</span>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

https://pidgin.im/download/windows/</li>

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email [email protected] YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: [email protected] Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Extracted

Path

C:\ProgramData\RyukReadMe.txt

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\How to Recovery.bat

Ransom Note

echo off color 0A cls :MENU ECHO. ECHO -----------------Attention----------------- ECHO. ECHO. Your All Files Have been Encrypted! ECHO. ECHO Your Personal files (Documents, Databases, All Drive, PDF, ETC.) We re encrypted. ECHO. But don't worry about your files,You can take back all of them, To decrypt your all files need ECHO. to buy Our Software With your unique private key. Only our software well allow decrypt your files. ECHO. Remember if you try to recovery your files through any third-party software, ECHO. it's can cause premature damage to your files, and we can't help you either. ECHO. ECHO. -----------------Note!----------------- ECHO. ECHO. You have only 72 hours from the moment when an encryption was done to buy our software at $200 for the payment ECHO. ECHO. BTC Address:- 33j4JbAEzZwWGgA2MxBARD7zprJuNDP2hP ECHO. ECHO. And if you Payment complete then Send me proof. ECHO. ECHO. Use the following ID as the title of your email:- QA2Z67DXLBFF723FHN ECHO. ECHO. Use these emails to contact us and receive instructions:- ECHO. ECHO. Main email:- [email protected] ECHO. ECHO. Secondary email ( in case of no response in 48h):- [email protected] ECHO. ECHO. Also, you can send up to 3 test files to see if we can decrypt your files. ECHO. ECHO. After paying, the decryptor software and your private key will be given to you. ECHO. SET /P M=

Emails

[email protected]

Wallets

33j4JbAEzZwWGgA2MxBARD7zprJuNDP2hP

Extracted

Path

C:\Jjf2IQlAQ.README.txt

Ransom Note

Your data is downloaded and encrypted. To restore the files and prevent it leaked on onion website, you need to pay some money for it. Send email to [email protected] with subject of the encrypted file extension. What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! Warning! If you do not pay the ransom we will attack your company repeatedly again. We will delete the decryptor after 48 hours if you don't send email to us.

Emails

[email protected]

Targets

- Target
  
  001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe
- Size
  
  3.7MB
- MD5
  
  fcd18971f21cfd63598d5b3dec2b7a53
- SHA1
  
  8ad7f39746f236c606ebeaf1e085cadcaa7b35e5
- SHA256
  
  001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead
- SHA512
  
  d344fb8164907c772e40721ae9d7485a68deb34366c3161fe7f08bf552286a1b3f5cdb46092e7d8646d7eff3556f3196bcacc0f0716c3a6d062fd212a9351cf4
- SSDEEP
  
  24576:eEtl9mRda12sX7B9NRdpkhtIShJVVTyJNPtz:9Es1R3DCjVyB
Score

10^/10

persistence ransomware
- Modifies WinLogon for persistence
  persistence
- Renames multiple (91) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
behavioral1
- Target
  
  001e9cb57f9e922d7b0d92ec43b8b5e376c5ab6e4ea827b84c76e13c994fbbea.exe
- Size
  
  155KB
- MD5
  
  b549a40b7426410c3cc3145e56ac24ed
- SHA1
  
  a5a2722ff785eb08c543f316fb3ec93272f55674
- SHA256
  
  001e9cb57f9e922d7b0d92ec43b8b5e376c5ab6e4ea827b84c76e13c994fbbea
- SHA512
  
  0cb1449f646ba2339b53e8ea9ec7074766ccd288b2facb59377452365aa57a7867bd22b2f66e3a6591e704bd376bfe5b771bd9b903f1cb8ac48f00836adc85e9
- SSDEEP
  
  3072:S5K/B0toLbQSNJhlxwsx89TSdBgjMqqDL2/TOKOPG:ScytwbtcTTSdBgQqqDL6SKT
Score

3^/10
behavioral2
- Target
  
  00ace607a44cbcd3e0bcdfb0a6b5f27c834fce66b95ee987c28eb651da9c2464.exe
- Size
  
  4.2MB
- MD5
  
  98d4a021d297fc479a7badbb378907a0
- SHA1
  
  ff8fa169a1727ad4529f0e9ab957bb3a3a119b40
- SHA256
  
  00ace607a44cbcd3e0bcdfb0a6b5f27c834fce66b95ee987c28eb651da9c2464
- SHA512
  
  df158667cdc3f78cebf48397dd0a48aa66d928b8e74e10d28e96be88cbceaad3604fd9e1ca9d7091407b267548d02d268a4c75af6315b53470a761808aad826b
- SSDEEP
  
  98304:oXB4uluJRmMg6QWlIpgi0rHqsih/mCqJ4B4uluP:ovsJR0TW6yiIKRhzqOsP
Score

7^/10
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
behavioral3
- Target
  
  0a20f03af50d14404b349279b3dc20886b1bf91419ede3f1b0c7fbdda579ae77.exe
- Size
  
  16.0MB
- MD5
  
  f89692198bfc2d2c0f96ae539f1f20ff
- SHA1
  
  5000a45154ae471680f586b51cc2996e3ab8e65a
- SHA256
  
  0a20f03af50d14404b349279b3dc20886b1bf91419ede3f1b0c7fbdda579ae77
- SHA512
  
  270bdd5b60b68ff612aacd8f1c8edc7383c431307a7a41372b787dc5d0d8e9befe953b784476ac3bcfdf63b2c90d1371b77f46ac8008076240aef5e00e1185c4
- SSDEEP
  
  3072:S5K/B0toLOSNJmlxwsx89TSdBgjMqqDL2/TOK21Gl:ScytwbFTTSdBgQqqDL6SKZ
Score

1^/10
behavioral4
- Target
  
  0a6c62c139aa9baf898add2a10fada3d49f78b3089507b84e613868242e169b8.exe
- Size
  
  70KB
- MD5
  
  b9bb0a0cff8d16143c50af7c71b22f5d
- SHA1
  
  89dc77a9ef0294b99ce849c2145f9d5139025480
- SHA256
  
  0a6c62c139aa9baf898add2a10fada3d49f78b3089507b84e613868242e169b8
- SHA512
  
  d1da8fa0267b5efbfb0c1d94ac1fc1813f41e0cea062b9c10ee9b6a123afc5d496729d63a7b5a27d931f638ddc8b9ad89b2c3049e0603a9b23405a07cd81c1be
- SSDEEP
  
  1536:zZZZZZZZZZZZZpXzzzzzzzzzzzzADypczUk+lkZJngWMqqU+2bbbAV2/S2OvvdZl:id5BJHMqqDL2/Ovvdr
Score

6^/10

persistence
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral5
- Target
  
  0a747a5f771168c0c32e944da6d6d996f24284e4fb44eaea562b21266a9e3ac2.exe
- Size
  
  92KB
- MD5
  
  07a14116ac737b484efd8184ee716109
- SHA1
  
  18a51e12e7f37dd04429482e219883bb044e2e42
- SHA256
  
  0a747a5f771168c0c32e944da6d6d996f24284e4fb44eaea562b21266a9e3ac2
- SHA512
  
  4a7f8ff122a06d9159f89a3b570de49b84e31cca11dd2324784e37d4926a021e365981d2300bfb767ca49edae22820c94ebb911b3b21615fc009318c752602d2
- SSDEEP
  
  1536:tBwl+KXpsqN5vlwWYyhY9S4Acc+zVDSmrJA0OGfzbrB5e:Hw+asqN5aW/hLpwpHTe
Score

1^/10
behavioral6
- Target
  
  0b02c55fbb40d7757b5808efe3fd1343f943bcefb92e0009689f4995e3eb26c0.exe
- Size
  
  10.0MB
- MD5
  
  ae3a625b9d6bf29b465d56502b22b7b1
- SHA1
  
  232d769ae3b52efe6c2cf831cc2880bca34d44f2
- SHA256
  
  0b02c55fbb40d7757b5808efe3fd1343f943bcefb92e0009689f4995e3eb26c0
- SHA512
  
  bc607a19544ab5d85956605917dd82baf3ebb620c036a7716cc970719b328892964aa1a3312c3864845756b38664d3e7b1a51bb54c7cae7d31d22cd4087a1390
- SSDEEP
  
  49152:FwaYoE4htZYBl+OHJ1V4dYFgZPsv97H4numCM1+7:SaYoE4htZ2p8dfZPs54numh1+
Score

7^/10

themida
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
behavioral7
- Target
  
  0b716abe15b17a114c2f12fab954c861f82165bb0868f863cfb8dc634f76be7f.exe
- Size
  
  22KB
- MD5
  
  bffd46a9c588683c66b6f4c0dba865c7
- SHA1
  
  ac4eb4cdc14f374935a8cd72976da47bd941dbb1
- SHA256
  
  0b716abe15b17a114c2f12fab954c861f82165bb0868f863cfb8dc634f76be7f
- SHA512
  
  bf2bdd9dc55d548e4b0c0e381095a405e4639a3d94028e4a9212aaffd4f17f43313c1056dcc0f1da9a56edd90f8e93d03aad2497063e80701af5759e97fccfd6
- SSDEEP
  
  384:m3Mg/bqo2CGVdKXqpVOjuwzUbJlr91CQJc3zDeN:Uqo2RnKXqpIjKtlr9AXeN
Score

10^/10

chaos ransomware spyware stealer
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Renames multiple (206) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
behavioral8
- Target
  
  0b997e8b0d0ff6cc4e6f1919c6c0f3080eaa0d08c8fccdf50f7648bf05cca446.exe
- Size
  
  58KB
- MD5
  
  d458a2f85bc1330f13acccd63d88d015
- SHA1
  
  2604402597e41faa97db737fe0fb4166864752ad
- SHA256
  
  0b997e8b0d0ff6cc4e6f1919c6c0f3080eaa0d08c8fccdf50f7648bf05cca446
- SHA512
  
  5e89c3541022d31df8d7d2b15522734649796428ba6842182ab59988d3ea5679e1f8b2903b4e7646785c46c8d41b5e99031a4875a340e9be84362b63797e1c99
- SSDEEP
  
  1536:hNeRBl5PT/rx1mzwRMSTdLpJ5mwnf+viID/:hQRrmzwR5JUD/
Score

10^/10

phobos defense_evasion evasion execution impact persistence privilege_escalation ransomware spyware stealer
- Phobos
  Phobos ransomware appeared at the beginning of 2019.
  ransomware phobos
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (317) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Modifies Windows Firewall
  evasion
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral9
- Target
  
  0bb2957b2b8ed0a1c458da6edeaf5a48b2c1ecdd7d7ed33d00749ef1f5653b1e.exe
- Size
  
  88KB
- MD5
  
  bcf73d0b807d66634d7d25f399fa8ffe
- SHA1
  
  3db3790b46e2d430374f6c40e7ce25e633696b75
- SHA256
  
  0bb2957b2b8ed0a1c458da6edeaf5a48b2c1ecdd7d7ed33d00749ef1f5653b1e
- SHA512
  
  0750fe4212f1bc7a16a426f6c363797e926656f7f27cc2bc5d5f624a436b3a075263ca29fa609696d7ef2d18b79ef7da4998c75a36c9bda2bd2beb456ae08f31
- SSDEEP
  
  768:Hqo2MgNp4wBAQr9uNev2SU2Ip4jBqltCF0AxEjenoB69+Fx:Ko2g0AQr9usv2SFHBWAxEjc+
Score

10^/10

chaos defense_evasion evasion execution impact ransomware spyware stealer
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (208) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
behavioral10
- Target
  
  0bd9556e36c620bbedfafd2e76bb6703f069aa654e34008f2aef3b4a0ce6f874.exe
- Size
  
  155KB
- MD5
  
  6827dfd481743d41ed35fb36740c0db7
- SHA1
  
  a3739fad76445b8e95970a7ae1638b8e7377c99d
- SHA256
  
  0bd9556e36c620bbedfafd2e76bb6703f069aa654e34008f2aef3b4a0ce6f874
- SHA512
  
  9a149ba007eb8f7b6160f5637d578dcc8b28d3bc36e8cb78d354a96b726431202a8d6230599bf28528cefb9cb2567b0eaf2ded3cfb4cda3a8996166f7a6cd5a4
- SSDEEP
  
  3072:l5K/B0toLQSNJ7lZHQsozTS+SMqqDL2/TrK/uG:lcytwtJ1yTS+xqqDL6HKX
Score

3^/10
behavioral11
- Target
  
  0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
- Size
  
  97KB
- MD5
  
  8881f3e50b9f1bcb315769e24b76a3cc
- SHA1
  
  f6f21445663a197b8f88a7a2fdbc4cbe2bf3be51
- SHA256
  
  0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1
- SHA512
  
  dde4d848499dd0eb92982358ad2990a82c22e2c1738a0387ca03dfadfd602b9fe429570815acf648aebc11e5337b1bc44b77e58f4aabd2f9ca5be88f6a34111b
- SSDEEP
  
  1536:JxqjQ+P04wsmJCf5HqwoOFcqZNeRBl5PT/rx1mzwRMSTdLpJ1M:sr85CfxbtcSQRrmzwR5JS
Score

10^/10

neshta phobos defense_evasion evasion execution impact persistence privilege_escalation ransomware spyware stealer
- Detect Neshta payload
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Phobos
  Phobos ransomware appeared at the beginning of 2019.
  ransomware phobos
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (329) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Modifies Windows Firewall
  evasion
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral12
- Target
  
  0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe
- Size
  
  3.1MB
- MD5
  
  76b466c9387684239681d8774bb5956b
- SHA1
  
  ed773e756932dc3af27e235b4bf7993781665a92
- SHA256
  
  0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286
- SHA512
  
  d6b83126b27532e56c39b7253668a4540baf29916105955937132c01fc11096b297f7abe545094823cac2c0e65fcf2282997e1bdb594d6fe99a342812d9bf42c
- SSDEEP
  
  12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCe:eEtl9mRda12sX7hKB8NIyXbacAfF
Score

10^/10

persistence ransomware
- Modifies WinLogon for persistence
  persistence
- Renames multiple (91) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
behavioral13
- Target
  
  0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe
- Size
  
  3.2MB
- MD5
  
  debf24ccdc00420e4a88454338f1c726
- SHA1
  
  1674f180860cbe61b1cfc30c48582461ead73347
- SHA256
  
  0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a
- SHA512
  
  7cc073387610f5a993ec53857563946b7779111a62c80aad338b0ebce8fe437bcaaf71767815aa439ad0f848b288b6d2f36b4543c42e25f048a9a3cd4689ac48
- SSDEEP
  
  12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCw:eEtl9mRda12sX7hKB8NIyXbacAfR
Score

10^/10

persistence ransomware
- Modifies WinLogon for persistence
  persistence
- Renames multiple (91) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
behavioral14
- Target
  
  0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe
- Size
  
  2.4MB
- MD5
  
  a949330481ec49db59a0406c4deebee4
- SHA1
  
  f2c8921b8acf3779f05679f51c279c120fb48919
- SHA256
  
  0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2
- SHA512
  
  13763fa20ad8fb76fc86168fe5c2fed13b76eb4831a251cb1c43431d03e43f6f14b89372d24137883717e15f3d14b8e7e7c651ae99364a35d6966a01a50bfb14
- SSDEEP
  
  12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCL:eEtl9mRda12sX7hKB8NIyXbacAfU
Score

10^/10

persistence ransomware
- Modifies WinLogon for persistence
  persistence
- Renames multiple (91) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
behavioral15
- Target
  
  0cbb472b555d4cab454948ba900675db48b120afaedf246a14d87d970b233a43.exe
- Size
  
  92KB
- MD5
  
  a0dd1dfbac4b2aaed94b2065a9c9f30c
- SHA1
  
  b797000407eb333dc80777dd088204179b62fb5c
- SHA256
  
  0cbb472b555d4cab454948ba900675db48b120afaedf246a14d87d970b233a43
- SHA512
  
  13949bcbd0a6d7efee4e466f9f8818bd4b0643f8bc1116cd302b9b72808dbe018e30aa36d1edd4474ebf590d5d29438247f391988b6b2b5a5188d79a47ae1229
- SSDEEP
  
  1536:mBwl+KXpsqN5vlwWYyhY9S4AQp27xRgjGri0wEeKirLWP6d7cH:Qw+asqN5aW/hL+pwl2RsivPd
Score

10^/10

dharma defense_evasion execution impact persistence ransomware spyware stealer
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (324) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral16
- Target
  
  0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
- Size
  
  885KB
- MD5
  
  6a5bf25ff4f72ebca91280ffda057260
- SHA1
  
  722063331acdbfc93ccbfacbec045800a835dd9e
- SHA256
  
  0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09
- SHA512
  
  64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42
- SSDEEP
  
  12288:Qm+PiUwyM02Jl5YqWYgeWYg955/155/0QebUlAAsrsKCQoZRn6X:Q5iUtklagQKUKRrsKCQON6
Score

10^/10

ryuk defense_evasion discovery evasion execution impact persistence ransomware
- Disables service(s)
  evasion execution
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Clears Windows event logs
  evasion ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (8366) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Disables Task Manager via registry modification
  evasion
- Disables taskbar notifications via registry modification
  evasion
- Disables use of System Restore points
  evasion
- Drops startup file
- Modifies file permissions
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
behavioral17
- Target
  
  0d9ea4a12d29d79b00bd3d0788f531642832b799bdc3baaebd0ee213cee4720e.exe
- Size
  
  362KB
- MD5
  
  ef1bff9e70e5cb2362ed58479484eab0
- SHA1
  
  f5625e3928bde215cc03b2c9ad1c9b131627a1ca
- SHA256
  
  0d9ea4a12d29d79b00bd3d0788f531642832b799bdc3baaebd0ee213cee4720e
- SHA512
  
  cc25dadb8de2bd7c1b8e97459ced2701adea2cc4daab54a7d1695bf86aa448e6f5b9c3914e7bd8c8facc5c2bc260da4f1efdaac5d7efc720db1139bedad05b3d
- SSDEEP
  
  6144:NqRfEPqxpc7xSPyRft/C0kbxuci4CdlzRepmnlhT5gtU/zPFVUuQtqWg2:ZqxpCxSa1t8alz6mnrzPFiuHK
Score

1^/10
behavioral18
- Target
  
  0dbfd3479cfaf0856eb8a75f0ad4fccb5fd6bd17164bcfa6a5a386ed7378958d.exe
- Size
  
  217KB
- MD5
  
  e307123c3012248c4f7eac48b5c803c0
- SHA1
  
  13cad899944c5267b1de0aecd6a6964c3e2696c2
- SHA256
  
  0dbfd3479cfaf0856eb8a75f0ad4fccb5fd6bd17164bcfa6a5a386ed7378958d
- SHA512
  
  c8e6b07a9dda7e71417f185a723b9874e7564379184c744f547f32a6108f18d18e0e81c9cd5520e1bbb0c98453484dfec92b041323c7e67eb64da9edbcb08e63
- SSDEEP
  
  3072:phXD6M9my8NbPYOBLujYx5I8XDZW0956w/J+UdSZWD/rcV9YHcqM3:phT6+mntYOJ9FR60hd/D/rcV9c
Score

6^/10

persistence ransomware
- Adds Run key to start application
  persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral19
- Target
  
  0ddcce08b727ccbbae208459032f010956794a84b7f35e225b5bae927b0f6835.exe
- Size
  
  70KB
- MD5
  
  7bd74c234b2b0a783340f7bc8f273c84
- SHA1
  
  5b55082a53e2f2cf5c4badf8e93da0717bd90f67
- SHA256
  
  0ddcce08b727ccbbae208459032f010956794a84b7f35e225b5bae927b0f6835
- SHA512
  
  82d49384f879c42ed41a208e6ebcef990abda1ca3de1a83e683c1ee718c6c0c72f833027d4c57ef2f6dc4e5b9cf7f481dc0051ce093a4b347e40e02d1a712817
- SSDEEP
  
  1536:hZZZZZZZZZZZZpXzzzzzzzzzzzzADypczUk+lkZJngWMqqU+2bbbAV2/S2OvvdZl:Id5BJHMqqDL2/Ovvdr
Score

6^/10

persistence
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral20
- Target
  
  0df9bd640ad5bb636095c524e54f9152bb84092889e720dcaa549e65dc3c1472.exe
- Size
  
  1.9MB
- MD5
  
  bca775f0297bc8138b54f182d1e6aed2
- SHA1
  
  31351fe925ce97d44fb1a779b391a76e6859da6b
- SHA256
  
  0df9bd640ad5bb636095c524e54f9152bb84092889e720dcaa549e65dc3c1472
- SHA512
  
  1f817242b47e645826c43c296a849d80dc29a2ac33beaff7a96604b5a96fe64cf34eef7b300ba110b1c265332b6150ed8dafa66b60dd602c176d023d63e65136
- SSDEEP
  
  24576:CSndG2iSNjN2w9Os9cRfO/d8mT6c6aVqwPhUMel842:HfJqsgXmgyJPu2
Score

1^/10
behavioral21
- Target
  
  0e524346835f7c208667a18699df3faf34fcf8a3cceab8a7418d3f88e87211e4.exe
- Size
  
  2.8MB
- MD5
  
  efe70e514cf869d4b46cee676c74ba2e
- SHA1
  
  2d00e444cc2f1bd39952f830bc471be100e2b0d5
- SHA256
  
  0e524346835f7c208667a18699df3faf34fcf8a3cceab8a7418d3f88e87211e4
- SHA512
  
  868a5c96d3b692779502ad2e28260a17a4af247b2e8140753032285971455d8a178cc48b3ffc9f92a48671bd42c3b696cdf2f343239b78a4b77a09696f9bf7cb
- SSDEEP
  
  24576:BS4lQMNWi3VesNY8106qPN4K3P0QcejoMZLyiTtiFfkOfE/S:BSy6PX3PpM+P5IdIS
Score

10^/10

chaos neshta defense_evasion evasion execution impact persistence ransomware spyware stealer
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Detect Neshta payload
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Disables Task Manager via registry modification
  evasion
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
behavioral22
- Target
  
  0e767dfa6d7887e832225433ed8866195df94607ccb474868b9abbbf20843ae4.exe
- Size
  
  6.4MB
- MD5
  
  2f15750b2abd86157c676cd18987c3c9
- SHA1
  
  709ac17f0844f0eccd1d2ec5e75ffbd84b29cc74
- SHA256
  
  0e767dfa6d7887e832225433ed8866195df94607ccb474868b9abbbf20843ae4
- SHA512
  
  757919fd463a1e3fcb49af9dd3cf1b1d33d144ee34814cb9d0d18cac3ed9a873fcc0825dc4c75748f0f89ebe87c59b03445477e0415c09622e38632d7c5d8c58
- SSDEEP
  
  6144:YE9l9yzqIYVTH5DgSg8ajldktM0XXrs2QhMV9qb:YibLgPluxQhMb
Score

10^/10

wannacry defense_evasion discovery ransomware worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  defense_evasion
- Drops file in System32 directory
behavioral23
- Target
  
  0e82ed8dabc9bb697d3e2f7ba1ee8d5235d3501796fbc1cd79ccffe7df11d9a4.exe
- Size
  
  362KB
- MD5
  
  3c13842d28a4e2577c6c0e5bd65228b6
- SHA1
  
  32c9462b0805f0622dd81ec1a890553db96607ab
- SHA256
  
  0e82ed8dabc9bb697d3e2f7ba1ee8d5235d3501796fbc1cd79ccffe7df11d9a4
- SHA512
  
  5f91303cdf4c7f276ad1b5e2888a4be07ed9ae3958e8ffe0412ab0f49d528dbccb6f4cf7270df75ba22cc4de65208aec08c6379d34b45f33650dc4e8bf656e34
- SSDEEP
  
  6144:gAwjJA2gls1IVOkZiWaiUzz9m/nSenhb9oSJwIB/QXwPihQpqAuk:XwVALu2zm90n3nBQXwKhv8
Score

1^/10
behavioral24
- Target
  
  0e98661ea680708e9bb55f32131f743811108e826b91cae99d69a8fc1856d429.exe
- Size
  
  31.5MB
- MD5
  
  6569fd60f73e5705f4c28ab59d86fb39
- SHA1
  
  7159be53512f91b2aeabe5c15a54d95955eb4d6a
- SHA256
  
  0e98661ea680708e9bb55f32131f743811108e826b91cae99d69a8fc1856d429
- SHA512
  
  9fc0dcd04779bb99569449dab031513d4404e3ef15d7d0db988bf9537bf1945f72bd83a5768ccc494d013f16c47e0c0a95a12c2258b33ea1bcc4cfe1e93ead4f
- SSDEEP
  
  6144:ScytwbnTTSdBgQqqDL6SK+iZz+FF4X4sYN+Qaf3AVwbLW:vyinTqn6r+iZz+v4+9M
Score

1^/10
behavioral25
- Target
  
  0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
- Size
  
  146KB
- MD5
  
  c4944d000475c9c6b515e030b59652c9
- SHA1
  
  eaf2695c872913f35a450b11a7b5f58d848d0735
- SHA256
  
  0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5
- SHA512
  
  e41e21ef56cb097c78b7b8a48d54e9d611e863da5a15d14d8fb11c7975348c71708ccb9d491f00a682874dd6667fa2252ba3568b3d06fa2c2600648838d080fd
- SSDEEP
  
  1536:KzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDmi3rNHUmVNypY2hamdb2SxsUyz:5qJogYkcSNm9V7DmCymVoRwmd/qT
Score

10^/10

ransomware
- Renames multiple (189) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral26
- Target
  
  0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe
- Size
  
  2.8MB
- MD5
  
  dc2906e5bcdea645e2339b9f74027a20
- SHA1
  
  26f846b2ea394b0005f2254fb6d56d5534f467d8
- SHA256
  
  0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268
- SHA512
  
  6e28b4e954eaa3f246ef334cd4adfd9e9af49e7fc782cf254b5934c93423b93b113195d8f98bad46587a5dca0e876f5888559bcd486c9599ae7e4fc13c47d100
- SSDEEP
  
  12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCo:eEtl9mRda12sX7hKB8NIyXbacAfT
Score

10^/10

persistence ransomware
- Modifies WinLogon for persistence
  persistence
- Renames multiple (91) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
behavioral27
- Target
  
  0f18f6547a1c8e86963a9e9f9dd9e6e42bd506de21c034ec884c3b55a789ac57.exe
- Size
  
  23KB
- MD5
  
  4cc6ec4d961a14c4fc4b45dfe939ca00
- SHA1
  
  7a115dcc3ca91877b70de091b122259503d7109f
- SHA256
  
  0f18f6547a1c8e86963a9e9f9dd9e6e42bd506de21c034ec884c3b55a789ac57
- SHA512
  
  9bcdb453be961b88ae3a85a9d68e8f2e8ea6394e27641a46f4a28c9b56133cf97f5cf74699feab475563f5e9617120dffa944c8d3554d06749071e104cd237fd
- SSDEEP
  
  384:m3Mg/bqo2uda2duoiXslkpaDKB+98SJer91CCob5LeU:Uqo2ka2kAkpaDuNGer9pobJeU
Score

10^/10

chaos defense_evasion evasion execution impact ransomware spyware stealer
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
behavioral28
- Target
  
  0f3d700c95b21e5437c0aedb3cacd787ce6701c49180d8d564e4574dffc42190.exe
- Size
  
  1.9MB
- MD5
  
  2c6f8e680a400cb2b5426090ccbdea93
- SHA1
  
  47a691c438547b27fac9896f3783026d8be4dbe9
- SHA256
  
  0f3d700c95b21e5437c0aedb3cacd787ce6701c49180d8d564e4574dffc42190
- SHA512
  
  48a70440e4009c4ab2a913ee3b9dc24b73ab4413cc82f5e8194f1cca87ead356de1de90c461c9109afa5f690cb0c9365f49a5ea83f54b4ad97c4287346237f03
- SSDEEP
  
  24576:CSndG2iSNjN2w9Os9cRfO/d8mT6c6aVqwPhUMel84Mn:HfJqsgXmgyJPu
Score

10^/10

chaos defense_evasion evasion execution impact ransomware spyware stealer
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
behavioral29
- Target
  
  0f54e0f3c3408647bf9844f9d97b64dbc62278091280b3d7bf1db5bdde3fc436.exe
- Size
  
  362KB
- MD5
  
  21ba47cee02f4b2fa523f4acc81539d0
- SHA1
  
  fa0a9c6a10aa5cb581cd9422afeb9dcf739c414c
- SHA256
  
  0f54e0f3c3408647bf9844f9d97b64dbc62278091280b3d7bf1db5bdde3fc436
- SHA512
  
  b0e27054b3d37b6e558bee48690af6f1f694e806789d530d66ea84b64e085606c08ae1674b94991c895e187ff44915f3c369f4392684eb908267d21ee7bd3bf0
- SSDEEP
  
  6144:QlgEenwKdnC0rrdGSkFFMMy0qzpBMYlDB/PA1K/Nk6F3wYQRq83a:xEsbE0rRQep5lxN3FAYHd
Score

1^/10
behavioral30
- Target
  
  0f5ace8adbaf1f05d0f5765166537ff4b77ea9f038cffbc08c16afd4cc869972.exe
- Size
  
  70KB
- MD5
  
  6933fffefd94b7e16bcb04a498c82da6
- SHA1
  
  6f4f45bdba6379f7df52326f8754995c28a9b335
- SHA256
  
  0f5ace8adbaf1f05d0f5765166537ff4b77ea9f038cffbc08c16afd4cc869972
- SHA512
  
  71588385c4f48942ad88f6dffdedbe5e3c76b6b79adadb7621bcc60406b3d4930e109efa56ea6b9fbe44a4ef9ecdaff93a51ab9de4ccdd6c15d52ec8dc85a1c9
- SSDEEP
  
  1536:RZZZZZZZZZZZZpXzzzzzzzzzzzzADypczUk+lkZJngWMqqU+2bbbAV2/S2OvvdZl:4d5BJHMqqDL2/Ovvdr
Score

6^/10

persistence
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral31
- Target
  
  0fc4a985aed460862a8f70dd982fadbd65ea0ad88fb58ced2d909f4264ab98f8.exe
- Size
  
  155KB
- MD5
  
  6dc42bf3bdd770e5506c5f5a51472e4a
- SHA1
  
  643765b078c8fb6ea6b6cb664c78d49244dd1921
- SHA256
  
  0fc4a985aed460862a8f70dd982fadbd65ea0ad88fb58ced2d909f4264ab98f8
- SHA512
  
  a80d6fbeaedf1b77db531c87c19e795c9cfe69081e48120f2540d29d36ef683c1d023d6662dd99be3a5f24a1bab770f690dcf0d59a6378cbd4a6b72cf040e9ee
- SSDEEP
  
  3072:l5K/B0toLVSNJrlZHQsozTS+SMqqDL2/TrKnFG:lcytwIJ1yTS+xqqDL6HKI
Score

3^/10
behavioral32

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Drops startup file

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Deletes itself

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Enumerates connected drives

Themida packer

Chaos Ransomware

Renames multiple (206) files with added filename extension

Drops startup file

Executes dropped EXE

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Phobos

Deletes shadow copies

Modifies boot configuration data using bcdedit

Renames multiple (317) files with added filename extension

Deletes backup catalog

Modifies Windows Firewall

Drops startup file

Reads user/profile data of web browsers

Adds Run key to start application

Drops desktop.ini file(s)

Chaos

Chaos Ransomware

Deletes shadow copies

Modifies boot configuration data using bcdedit

Renames multiple (208) files with added filename extension

Deletes backup catalog

Drops startup file

Executes dropped EXE

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Detect Neshta payload

Neshta

Phobos

Deletes shadow copies

Modifies boot configuration data using bcdedit

Renames multiple (329) files with added filename extension

Deletes backup catalog

Modifies Windows Firewall

Drops startup file

Executes dropped EXE

Loads dropped DLL

Modifies system executable filetype association

Reads user/profile data of web browsers

Adds Run key to start application

Drops desktop.ini file(s)

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Drops startup file

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Drops startup file

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops autorun.inf file