General
-
Target
New fol76der (2).7z
-
Size
13.9MB
-
Sample
240713-lv46yawdkj
-
MD5
98ceaf94ea13b449faa32b08b1b7ae12
-
SHA1
746943a01e944ec3d80e469d3f17307194e972ee
-
SHA256
0d9fcb8894240750cb5e4222ea78572aba6618eb5297c2069588ceb979d52d8b
-
SHA512
d463c4ed99b7b687ad7fabeb8d4da68042cc1d495cc558fb5c8548efd19b1cae5b733192899de9dcb67417ca5bef3349945cef6e6fa9748d3f739a5f973bf05f
-
SSDEEP
393216:nUwf43Cv30IES/FQeIrZ8ozAxcY04KZ7ZwMFniW:NbcQTILscY/KZ7biW
Malware Config
Extracted
quasar
-
reconnect_delay
3000
Extracted
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\SkynetData.txt
Extracted
C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
Extracted
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
Extracted
quasar
1.4.0.0
Office04
67.213.221.18:7812
KFoYp486ql6lO6U0qI
-
encryption_key
OtItMK9boIZNOQTejUzg
-
install_name
Windows Security.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Update
-
subdirectory
Windows Services
Extracted
C:\Users\Admin\Documents\PLEASEREAD.txt
Extracted
C:\Users\Admin\Documents\read_it.txt
Extracted
C:\Users\Admin\Contacts\read_it.txt
chaos
Extracted
C:\Users\Admin\Desktop\read_me.txt
chaos
Targets
-
-
Target
0778d2ae6074545731b471360877b58c89ba0aaca6a0ffdb25694340c910cc93.exe
-
Size
328KB
-
MD5
b00f66d6e5f0c0daa86a03f1106920f8
-
SHA1
f7444b3934ce61c65c658a06c3a98aa9f08729e6
-
SHA256
0778d2ae6074545731b471360877b58c89ba0aaca6a0ffdb25694340c910cc93
-
SHA512
da18b638ec68a706a92d06551eed74afaa9da3a3d1f7e11361b50413c06b26fd5df862fb36a8e4290c3a8dead12fcfb8692d2a0e667bcf3355a614efdc9a0899
-
SSDEEP
6144:eGEjbL0hiIO18+LDCvzCnQHw67feMv8KiPuTL94:eZJIOG+vCvnJ8tPuF4
Score10/10-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Deletes backup catalog
Uses wbadmin.exe to inhibit system recovery.
-
Disables Task Manager via registry modification
-
Deletes itself
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
-
-
Target
2005110ee806a4fb40e00fe6c76af3527e3d66cd828723ee39529942812b8924.exe
-
Size
1.9MB
-
MD5
f0fd67c94f25de71c2fcdff4af0d2889
-
SHA1
2f4884f4e241d0bda353dc074ea1752e0b79af8c
-
SHA256
2005110ee806a4fb40e00fe6c76af3527e3d66cd828723ee39529942812b8924
-
SHA512
13986923eaef12dcbe1a0ce71ca47829ab1209df761c077c83981685fa61d01320372fb9a68d5b6622b597f443dccb125a2033aaf82857c873b1ec2b3e5ebdb0
-
SSDEEP
24576:6SndG2iSNjN2w9Os9cRfO/d8mT6c6aVqwPhUMelv1:/fJqsgXmgyJP
Score10/10-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Deletes backup catalog
Uses wbadmin.exe to inhibit system recovery.
-
Drops startup file
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s)
-
Sets desktop wallpaper using registry
-
-
-
Target
290072a9e1cf3872487cf586a592be534abc894d20ffd1121fe8338f1b52b451.exe
-
Size
3.8MB
-
MD5
3566f930e73eacee6933e672c1085d98
-
SHA1
d6c5408fabbf943721946073c80049c3c65f8c8d
-
SHA256
290072a9e1cf3872487cf586a592be534abc894d20ffd1121fe8338f1b52b451
-
SHA512
09e5edcc5fe7a8e6dac63690eb1c8674541993c5a10130db7ed3cee90d802705dc07a0b13612c6326b9462145dcac35e136b12555096e0ee8577e00c3aab69af
-
SSDEEP
24576:TbnWYoXXBzGmL53TaX+vnyuNMOCig82RfVL0K1RWLghaPZUwB74amJl4aOLW6u3r:/W3XXBzhaWBq8Yy8kZmzJ/m
Score10/10-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Deletes backup catalog
Uses wbadmin.exe to inhibit system recovery.
-
Drops startup file
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s)
-
Sets desktop wallpaper using registry
-
-
-
Target
3998d0e987accc2837c6bf87fdb2796d0170ae2a79383b78fd778531410e337f.exe
-
Size
153KB
-
MD5
4c19104c6df0817095be0846b1607de6
-
SHA1
ae3bf7a043cb10e8b206261af6af1558fc3d518b
-
SHA256
3998d0e987accc2837c6bf87fdb2796d0170ae2a79383b78fd778531410e337f
-
SHA512
d1ac86c12068192fe1dafd16a6c73e1dbabf0be5ca8c59ba3eeb6290c6061a207c0f91b77f42b190d4f8ebdee4a33a7dc596c7883c451cb039c3c2a0f37e8e4c
-
SSDEEP
3072:o3kkKmAr9iVE3E04sMsXVpBWwLJwvkywY2ZDja9eIBdvhGkJJ9QuxIMb68J5K:y8r9it04XYVBIkNYcaeUvkkD9QRMb6
Score10/10-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Deletes backup catalog
Uses wbadmin.exe to inhibit system recovery.
-
Drops startup file
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s)
-
Sets desktop wallpaper using registry
-
-
-
Target
435844f4e1a57fbfa40edf039ac0b29fab6c4115adbaba2ff2907c921a6aac2b.exe
-
Size
1.1MB
-
MD5
75ad544ceac0f47859e0f5417b950889
-
SHA1
5e4976f34abe798ec40087d4a4831e60040cd7dc
-
SHA256
435844f4e1a57fbfa40edf039ac0b29fab6c4115adbaba2ff2907c921a6aac2b
-
SHA512
cd9b17097d4f3d878966ef3f6f8269db3cf96ae517d593b3521761de4ee0fc3b8c8a2e1f603b90ffe73f6426bd5648f9d2f0dbecf6904f96568909745cb9db95
-
SSDEEP
24576:BiIxSqmMEiPPHxXaUHtauiIxLmKPPH3paUS:NSqmKPvxqUHIOLmKPvgUS
Score1/10 -
-
-
Target
495fbfecbcadb103389cc33828db139fa6d66bece479c7f70279834051412d72.exe
-
Size
2.6MB
-
MD5
9756b1c7d0001100fdde3efefb7e086f
-
SHA1
55de88118fe8abefb29dec765df7f78785908621
-
SHA256
495fbfecbcadb103389cc33828db139fa6d66bece479c7f70279834051412d72
-
SHA512
d9497cd0af40cc3149db52aee1ba333e8261232ff00e6e7208eaac639fba533d6931828823c3c3211bddf083260904d77d595d877070eb218075b1f631e13f07
-
SSDEEP
49152:kNJLuf3HJrb/TfvO90d7HjmAFd4A64nsfJjogr1n3wSmZD1UCu5ErgXpS/IXF+9c:Tf3SvEoDY95e
Score1/10 -
-
-
Target
542c157186bae766dd3e2df424e9c25251d71086b99cc9df121bc9bf50462688.exe
-
Size
341KB
-
MD5
ffdefa247d3bb4429558e8b334f4f2ae
-
SHA1
af9f3af31889b55552a5721244184d0a115be74c
-
SHA256
542c157186bae766dd3e2df424e9c25251d71086b99cc9df121bc9bf50462688
-
SHA512
0f4b5534179a690bbaa5333fbf4b11e881d2b60c37f3ade95ebf6b481bbf58b76a17bf4945883babadd8b5b9681c4710ddb2ab4380cd27cf73430e8609d0b9d7
-
SSDEEP
6144:Drbwc9N+fwvDIK9LpXXXXXXXXXXXXXXXXQGuFFM5:dWwbLpXXXXXXXXXXXXXXXX5uw5
Score10/10-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (186) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes backup catalog
Uses wbadmin.exe to inhibit system recovery.
-
Disables Task Manager via registry modification
-
Drops startup file
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s)
-
Sets desktop wallpaper using registry
-
-
-
Target
561d7f05055800d3eb9d9e150969e2c84a71dc82a362fb3e1a224af420e53b35.exe
-
Size
240KB
-
MD5
66e01e1ac0e274c1b4d909e70668a6ad
-
SHA1
fe5a8fa628bbf960010c28625aa58e87d2800978
-
SHA256
561d7f05055800d3eb9d9e150969e2c84a71dc82a362fb3e1a224af420e53b35
-
SHA512
39ebdc7542e255ca9f47d9730fa2fc36e29719a84894522c71a5dcfc9da757563b1b47e3d72ab58db94cfe11d3efc37046f833ce5c03b3f0f3ac309eadc39474
-
SSDEEP
3072:Rmrhm1eibcR+uiUg6p4FLlG4tlL/+mmCSHFZxoHEo3m:REgoZiZhLlG4immCm
Score10/10-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Sets desktop wallpaper using registry
-
-
-
Target
617364875d331ab132bac1e63fb9b5a00ac5a33a22b93749dd6ee384ed435dbb.exe
-
Size
304KB
-
MD5
b634be3c5eb62c87ebbf90f655581e96
-
SHA1
089c2c51a4768925cf5dd0e88726d8a88e861795
-
SHA256
617364875d331ab132bac1e63fb9b5a00ac5a33a22b93749dd6ee384ed435dbb
-
SHA512
090e9dbd685b31818a0a157b042d042e519a43008e4b94ddacf479b34c3c24de7b938a8baf51a8bc0bb3a11a6852ca6ad95988b75c77fa82aef30f7fd8e062fe
-
SSDEEP
3072:6SuVNqRgZRUA0S9tRtd6V+h8Rtt05NkkbjyGez1c:6SaNFZRdnxS++rt07kkbmt+
Score3/10 -
-
-
Target
6312ac91761037de7a7afc7323671a004db71b31a69499178437bdf939fa9dd8.exe
-
Size
400KB
-
MD5
47e14a46326791625b67704d4329bed6
-
SHA1
01e0e607678a36d8e7e23d1fb11f8d7aa2c20581
-
SHA256
6312ac91761037de7a7afc7323671a004db71b31a69499178437bdf939fa9dd8
-
SHA512
e979fb4537a7fadbc6583a5cd537ce533111ea4a596bd8486b9fbf551ed7b390271a6218ccf71cd052d4270c1fe1957ec0aae4527c9613a0cdbc0e24641a19a2
-
SSDEEP
6144:cMr9/U806q0jnjCyc1rIGruapfd7ggZqLuID/pFZwVZ3j:a806qwjCycpIGRpfd8cqCITpFZwD3
Score10/10-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Deletes backup catalog
Uses wbadmin.exe to inhibit system recovery.
-
Drops startup file
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s)
-
Sets desktop wallpaper using registry
-
-
-
Target
63545fa195488ff51955f09833332b9660d18f8afb16bdf579134661962e548a.exe
-
Size
390KB
-
MD5
5b7e6e352bacc93f7b80bc968b6ea493
-
SHA1
e686139d5ed8528117ba6ca68fe415e4fb02f2be
-
SHA256
63545fa195488ff51955f09833332b9660d18f8afb16bdf579134661962e548a
-
SHA512
9d24af0cb00fb8a5e61e9d19cd603b5541a22ae6229c2acf498447e0e7d4145fee25c8ab9d5d5f18f554e6cbf8ca56b7ca3144e726d7dfd64076a42a25b3dfb6
-
SSDEEP
12288:ef/X4NTS/x9jNG+w+9OqFoK323qdQYKU3:EXATS/x9jNg+95vdQa
Score10/10-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
mimikatz is an open source tool to dump credentials on Windows
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
-
-
Target
6555038a04997404d48cf866ebb81f134082ef1613408779cf2a589068312a42.exe
-
Size
97KB
-
MD5
b5de1cca5ec8047847717b01c268509a
-
SHA1
c463d7aa1e69a591ef75db3f0e4b08dcc2901c1e
-
SHA256
6555038a04997404d48cf866ebb81f134082ef1613408779cf2a589068312a42
-
SHA512
a28cc345e4cbff344ec0aef7cdfe231ae9b1ac3f99a5dae6d9aa3f807fe3da9cf64b826bf1b72f3a697a13089d8370d42dbd60ea79e1a0469508647185dd80c9
-
SSDEEP
3072:YrnY2lU8KdD5/Ut6VToG9o+8DtRzpytcpRf9EI4Ixe:/fNdO7f9T4Ix
Score10/10-
Disables service(s)
-
Renames multiple (265) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Modifies Windows Firewall
-
Deletes itself
-
Drops startup file
-
Modifies file permissions
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
677393ff5efc9f6f050b4b5ed62579f2f050eeec53e7a17cb51c31c148546f59.exe
-
Size
426KB
-
MD5
b532d352685523141305fa9135192256
-
SHA1
fa0e364afa99bca61d747e23a04eddc5b10ffdb2
-
SHA256
677393ff5efc9f6f050b4b5ed62579f2f050eeec53e7a17cb51c31c148546f59
-
SHA512
16fd0ff50df7aefed9ebb4e221b86bd72e6e73c9b761216f37f7c26d328ca577e58d70e68b249cfe873e6073a5d258bcb4a88d4214bade8817de9b7376e09eda
-
SSDEEP
6144:LL0IMdpqDpE9TWvZqtMNXzhTqm8jjyhNYIa/19zTD8WGLA+m4dZvR5SE+v8BW5:LfrDp6TgZqtklvNiHPD8WS8yBb8
Score1/10 -
-
-
Target
680caf0e30b204544971d053b635ed0e3f1dee3332d9eab8a08b3f04cd7ecd75.exe
-
Size
439KB
-
MD5
8f808bb54b422500304dfc68b87198fc
-
SHA1
24ebeb615f0bdcaa3980722100d6fc42111b62ec
-
SHA256
680caf0e30b204544971d053b635ed0e3f1dee3332d9eab8a08b3f04cd7ecd75
-
SHA512
46ce4cde81607819e360b0efc424c4b5602c7515661a88e6a0d66cd9e88dcc68219f0a85200e6c40cc34bcac0e5ab652e6db4b4b1c1b913ad351061dae880e99
-
SSDEEP
6144:vwLRSjIXAnZQel5w7T4P5Kq+SMv0VGb7bDcllbkuVB8:v/4AZrg7g9zVGkllbko
Score10/10-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload
-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
70192d461c98da3d6d9734663dfee8d121b2739e9868f28b1fa67794ba3c9a8b.exe
-
Size
155KB
-
MD5
179b38c276e09d3b8a79854ba7232094
-
SHA1
bc218f468367b4cf127b10a02d2a62f28f35216a
-
SHA256
70192d461c98da3d6d9734663dfee8d121b2739e9868f28b1fa67794ba3c9a8b
-
SHA512
367c52c5f8ed2166f3d1e6edf564feefa50f46b8bbdbe1b3ab7007eec02db9d4a806e2f32757ea349a86fded9d4586ff0ae5c8e2403f2ace84083dc05253fad7
-
SSDEEP
3072:S5K/B0toLQSNJwlxwsx89TSdBgjMqqDL2/TOKyRG:ScytwtLTTSdBgQqqDL6SKN
Score3/10 -
-
-
Target
76199c26622c58fa0a22355d710ef06d86e3cce56def3d9a3c38ea395e48066d.exe
-
Size
362KB
-
MD5
e52021298206c71590c27392abb94691
-
SHA1
9f9dbed14bee77d30afe99fc7a395259a9cded27
-
SHA256
76199c26622c58fa0a22355d710ef06d86e3cce56def3d9a3c38ea395e48066d
-
SHA512
50408bf9c4276a4683a1e8bcbea142347dd82b20c21398c16391203dbb68094cb9198e9a9dc68bac7f81c54c27b71b1f0aa2478db1af339e4e1cc3dc7c7a7667
-
SSDEEP
6144:xii9gD+iITRy1fGN/ekNymaSszzRm663xjxc6BN/47Ar68SdQtqcK7:Hgi/GfGpJCR+3547Ar6tdb/
Score1/10 -
-
-
Target
8727091cbb89e5e31eeb2503ffaa242601c8840eee0973fd62fedf1b4b58ab44.exe
-
Size
953KB
-
MD5
adb3dde4a25e596c16ced4cdfc6ff8dd
-
SHA1
7934e6bc9489933c0af8dfe7bdff482fc6759bdc
-
SHA256
8727091cbb89e5e31eeb2503ffaa242601c8840eee0973fd62fedf1b4b58ab44
-
SHA512
f14c27892ed4d11bdd46a130abc7fa40ae8c4577bcd45c3af7c5928b82f27c3646b906fda880e5c9df623071edaab8de82fd46af8f3194f33d7d46c2c3d1d587
-
SSDEEP
12288:vEPMLC814R2hig4tHkg2W+AU+R2TjsPvEpv8LpgUO4EP3SL98l0zmWHQuTwYzzjc:/ztQE1ov2AZ9HjkftWy3P
Score10/10-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (216) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes backup catalog
Uses wbadmin.exe to inhibit system recovery.
-
Drops startup file
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s)
-
Sets desktop wallpaper using registry
-
-
-
Target
91450f9e8aeb0361867cdefc0bb7e5bad8941b5081db549d34a91072df4db5dc.exe
-
Size
53KB
-
MD5
c5b0f786fe68a4312307535890ba01e4
-
SHA1
ca15010a195cdfdf0af95f2c2543930311142994
-
SHA256
91450f9e8aeb0361867cdefc0bb7e5bad8941b5081db549d34a91072df4db5dc
-
SHA512
b510164ff1c47c198945ab51d8fa2b9d77ebf44b817286c031514554273f7b7d82a85f8932c2b33bd564e7a86277f056689cd33603b5b1d52a37c39dad6b8b55
-
SSDEEP
1536:zNPTkHhFRy2/NSTEj1FVl1Ft9N1FVl1FVFS0TztlY27VqmSVzyqYvd0bRPp24dfv:hIHhFR//NSTXYztlY27VqmSVzyqYvd0j
Score1/10 -
-
-
Target
93386ea79c58a95c033e66da99d155264f0028a43973a9a4496f3fc8c89db0b9.exe
-
Size
361KB
-
MD5
7be37dff77a6257da2b430ab7c483612
-
SHA1
028356262caa0076adb3c0a0ad87e4418d386ec8
-
SHA256
93386ea79c58a95c033e66da99d155264f0028a43973a9a4496f3fc8c89db0b9
-
SHA512
09dae1c1cb5b07dd4099d21db53f3d08a5ac354777086e666bd872532a37539a67455c35768e78cfc4e181f03bd67ba546aace35d2b50c7aa68a2433c317634a
-
SSDEEP
3072:6pbgo3vg+rJrkQVOUPrxLExK08A+MQ20AFHxH32Hdxkq51:Ubf3vg+rOgOyrNEI3AxQUHK
Score6/10-
Legitimate hosting services abused for malware hosting/C2
-
-
-
Target
942bc9e43e40e01694365aced2331634257727783353c7d49d940abcc215a17c.exe
-
Size
286KB
-
MD5
ca1c3c08b1291ee31fb47f039ad08129
-
SHA1
629446ad19eb04f6edb8c576bf007facf4ff249c
-
SHA256
942bc9e43e40e01694365aced2331634257727783353c7d49d940abcc215a17c
-
SHA512
e1b49a9738d44666dd93f248844e6bfb331db16c171f05af8333852a99e9c335c527effab61e8de796bed9d9199dfccc9c8f0199fc0eb5998eec9e758bb272fa
-
SSDEEP
384:123MLWHn3kIt/F6Y0p9dpTWJpr91CznHZN0eNQ6Jki2xC5:En3kIX6rp9j+pr9inHD0eNh5
Score10/10-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware
-
Drops startup file
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s)
-
-
-
Target
ac7a29cb82b7b3e50d8aaa0da5e431f0b466de07dad241e5b6090cf71963e3b8.exe
-
Size
325KB
-
MD5
9a4827a78e363d84ea0e334e842ab039
-
SHA1
a0d222d2fd9cf90a47a134ef571232ee482a45f7
-
SHA256
ac7a29cb82b7b3e50d8aaa0da5e431f0b466de07dad241e5b6090cf71963e3b8
-
SHA512
0f20fbf72e254155f0b2403488f5d8262c98138335380f3267afed6b79b91f2c9198924853dccb5b60bc9075876a700e12fc7b8509075bdb3b13776d3514ad0c
-
SSDEEP
6144:9dCr9fPhxhdsVFGEeRJk8nrKfQhCd/hAxno0yu:TEhxbsVFGEeRJk8mQE7Axqu
Score10/10-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (223) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes backup catalog
Uses wbadmin.exe to inhibit system recovery.
-
Drops startup file
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s)
-
Sets desktop wallpaper using registry
-
-
-
Target
baa851154b7492b20ea71c068f77e7e2b91d347fb97e5e05999af153e3fd0f1f.exe
-
Size
35KB
-
MD5
d7a77d7d1657b93fc7270895e86dff74
-
SHA1
700448723acc915ad6ec8d7f9009f9305f642818
-
SHA256
baa851154b7492b20ea71c068f77e7e2b91d347fb97e5e05999af153e3fd0f1f
-
SHA512
7d90dff4e81e8ad2dcb75c5ac58f875a332e62db9654d89261013007c5211f5a4dcf208fda5e13f1d5220e179cd557cf8212314578ec03691a3b0dfb6843137b
-
SSDEEP
768:sn3kIE69pYIlfr9ixbceEz0pmc+33t7gG:a3kIr3fr9ivEzog39
Score10/10-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware
-
Drops startup file
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s)
-
-
-
Target
bb5ca9d8de51734dbd14dc081c7c892d819cd14fafd7ccd62849d70f9e679369.exe
-
Size
205KB
-
MD5
62e53bc5aa5f2a70a54e328bff51505f
-
SHA1
e7deceee97a09d539d81eb91f988ece5e2a2ff51
-
SHA256
bb5ca9d8de51734dbd14dc081c7c892d819cd14fafd7ccd62849d70f9e679369
-
SHA512
a676dd284188271be1760ed1edd3320341713662aba1c615481f256007e614e58756a7b6a565beed777230c2ae829c561e3bf3510921ad6495d3776cfdfaa793
-
SSDEEP
6144:+B4mr9NzqHW7V5V9w/UIRZizI1aqebq/lsyp:+B40qHW7nU/pZmiXqy
Score10/10-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (193) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes backup catalog
Uses wbadmin.exe to inhibit system recovery.
-
Drops startup file
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s)
-
-
-
Target
c15e2ffa84d30fa17e9c61c19cde98b22ac6e259ec16b68a9927bed13a0aec07.exe
-
Size
89KB
-
MD5
77bd76f4e4b9481432022ab3b10c89c0
-
SHA1
8213a974f617ee9b191e605856e776ab96ff4382
-
SHA256
c15e2ffa84d30fa17e9c61c19cde98b22ac6e259ec16b68a9927bed13a0aec07
-
SHA512
ad30bb25260f959f2d3db823b2ca65b06cdfa6dc5d27527b053e4b5526ed6363519e6fd137c33f53371d8d4df2bcd6ac49aeab2631b106c891db41d0478e70ce
-
SSDEEP
768:yuqo2ptMp1g4+kR7Er9jJxbXeqxSIHTe9dLTdp:yto2ug417Er9jJsqjHs1
Score10/10-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Deletes backup catalog
Uses wbadmin.exe to inhibit system recovery.
-
Drops startup file
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s)
-
-
-
Target
c743ba08610d442531bb897a35748ba6fe897e730cea6e29377ba21141901326.exe
-
Size
164KB
-
MD5
a881838937a145cab27e5c9b439a1ff5
-
SHA1
4cac0241e3d0e1636a174134a623a879adb2a86b
-
SHA256
c743ba08610d442531bb897a35748ba6fe897e730cea6e29377ba21141901326
-
SHA512
888a3f2f45cdc81bc766c66079e250100a3d0641883ecbcf2bcf6deec1ad7c7b2d0e96e466a2b64ae5867afb3c75071763b408250f190a60f69f79a502b5c604
-
SSDEEP
1536:muW0xpn7JWWkH7Jx1Q3j1OefTixyvYZKmWuz82HnJq0Wm03O8gOo:s0TIVAJOHxyCKmW12q0WmG4
Score1/10 -
-
-
Target
cfda742c2de7706171af64a89806656a107069e1677aa4ce0583e696f954fde5.exe
-
Size
125KB
-
MD5
a0f62032cb73a15dd8f3d3165e29cbe5
-
SHA1
099e4d118e111e8fdf0d2ad1fba8e62b7edf80f1
-
SHA256
cfda742c2de7706171af64a89806656a107069e1677aa4ce0583e696f954fde5
-
SHA512
96e6ecd312cc6f44091a177865c87ba03ad7009f373195c8a0c73c9fd39030a785c34e80d203d5382082d496e6ccfc9356bea6c30da46ca296ac82a6c071c70e
-
SSDEEP
768:qn3kIQok/p54NwJfKXRu+r9iPe+FdbJVqB+QPE2IikqKs:Q3kInkH42IU+r9i2+F1Jok
Score10/10-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware
-
Drops startup file
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s)
-
-
-
Target
d1d74ec1039ff5aab99faf99bf70fb07f6b4c763a0c2fbc08b702ec9dcb03834.exe
-
Size
10.9MB
-
MD5
a82df55a03a3dc038985a30f797cef24
-
SHA1
fd30147c88f65ee9c83da7fc98c75c02a2fa7b8f
-
SHA256
d1d74ec1039ff5aab99faf99bf70fb07f6b4c763a0c2fbc08b702ec9dcb03834
-
SHA512
d587cb272e28d8142a1e62fb926637c9b3be348984f17afa390b29fe04c726286de95a2f881b22b187881d2e1a440306306cb91ce16f1cdfb1f6fc5c368194b9
-
SSDEEP
98304:xnwgVIXh9xYacrRyyVyGHAeBSut+aFNnLlPLeqNZ8hY/LKbxabdDkEduupRlQgWm:u/YaolX+aFFLlPKQ8hY/RkQWslX4ge+
Score1/10 -
-
-
Target
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe
-
Size
338KB
-
MD5
04fb36199787f2e3e2135611a38321eb
-
SHA1
65559245709fe98052eb284577f1fd61c01ad20d
-
SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
-
SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444
-
SSDEEP
6144:sWmw0EuCN0pLWgTO3x5N22vWvLRKKAX5l++SybIvC:sWkEuCaNT85I2vCMX5l+ZRv
Score10/10-
CryptoLocker
Ransomware family with multiple variants.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
-
-
Target
daa41f52309815eff99483c87788bfb56b8576f15eaad42cd5b06bb3cf0cccde.exe
-
Size
1.9MB
-
MD5
93d4eb996675019ed856d0b8c5c46515
-
SHA1
a9f67e260a098a55252f0eba7b9333c1cf5b8374
-
SHA256
daa41f52309815eff99483c87788bfb56b8576f15eaad42cd5b06bb3cf0cccde
-
SHA512
518d24574201e262fc31c1ec6ea07af1285ba4f93805e34f9e8cee472376a7cc5f597020dc702ea165c159c5abc6ae91209dce8250f90766ffc3410615cc1e91
-
SSDEEP
24576:tnxLSUXY7WSIGgjlvYaxKMiZA+yH6uw1ECvGX6H7O3YpPNaG:txOUpSIZZv1xim+y6HLOO3
Score9/10-
Renames multiple (8440) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Possible privilege escalation attempt
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Drops file in System32 directory
-
-
-
Target
ed12ea76d03b8255f361975cebd5c579491dacc60c52e03373e7bf509523820a.exe
-
Size
458KB
-
MD5
72ea584eebe5705ea1fd5a02dbfe86a1
-
SHA1
f6d6cdef7eb41e9c201ee52832036bd8a68d0e44
-
SHA256
ed12ea76d03b8255f361975cebd5c579491dacc60c52e03373e7bf509523820a
-
SHA512
e928592dd7061388957c3f1acc82dfd8e105de486e8cbd4835029f7d302f71dcdcb8d9dfd0b2a5b53fbd2679dcc6f8559487e1e5767d26431fc67348d1f4ab08
-
SSDEEP
12288:GJaHnpS22Yh6Nesa6rZvvihw61SLQkY5Pa1uLkB3gE88uY2:DpSosXaYhVZVMVm2
Score10/10-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Deletes backup catalog
Uses wbadmin.exe to inhibit system recovery.
-
Drops startup file
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s)
-
Sets desktop wallpaper using registry
-
-
-
Target
f062577b6879fb42fbf7fef1c2a21f96d4d372f1424c1c77f255d13fb60bfae0.exe
-
Size
205KB
-
MD5
2430019335d88321467e82ab8f51546b
-
SHA1
7d233a893492e0efd4d7e919941325b5d44abeb7
-
SHA256
f062577b6879fb42fbf7fef1c2a21f96d4d372f1424c1c77f255d13fb60bfae0
-
SHA512
6ee56eabe77caf05bde12e9e8fbe97703cccee33cfbe09c38e0a0a397a3f93221751bbcd2ad2261f6a11839ef2741689478578ed3cd9ae2d781c3fffee3c2e7b
-
SSDEEP
6144:+B4Ir9NzqHW7V5V9w/UIRZizI1aqebq/lsyp:+B4uqHW7nU/pZmiXqy
Score10/10-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (218) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes backup catalog
Uses wbadmin.exe to inhibit system recovery.
-
Drops startup file
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s)
-
-
-
Target
f244a04265405ae8295551a1324c6dc3162d611b4a152658096d675a31a57d35.exe
-
Size
3.8MB
-
MD5
15995b0b1fc5dd82f1c3ba1b7b40c5d4
-
SHA1
3b6a4a5b8b1107854e35b01cd28b4cce7a003413
-
SHA256
f244a04265405ae8295551a1324c6dc3162d611b4a152658096d675a31a57d35
-
SHA512
4ebe82a5d5d499eab10c9049647283976d95f102b24b2113bd59309ea107fb6cf8671640651e7d7cf13435e516c6d2dcbfe3a2fc8a8ed917398b3d86f6a77781
-
SSDEEP
49152:aApBOr1sU6uEgjhlOCDw8mEFAuYg2OWpTMqBx+fdTmG2Y4MT9ffD+CzKcbmoivTN:
Score7/10-
Executes dropped EXE
-
Loads dropped DLL
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1