Overview

overview

10

Static

static

10

020db58e3c...4c.exe

windows10-2004-x64

10

06cbef0e90...f8.exe

windows10-2004-x64

9

083c5b43df...fb.exe

windows10-2004-x64

10

15cb04fa5c...4f.exe

windows10-2004-x64

9

22a1f50db9...85.exe

windows10-2004-x64

9

24cb5e44b6...8d.exe

windows10-2004-x64

10

27c9f44e0c...d6.exe

windows10-2004-x64

10

2c2aa8458f...3d.exe

windows10-2004-x64

7

2e9e18954a...d1.exe

windows10-2004-x64

10

2ebb2a34dd...c6.exe

windows10-2004-x64

10

2fff52aa0c...21.exe

windows10-2004-x64

10

37ca1cfa1f...60.exe

windows10-2004-x64

10

38cd67a044...4c.exe

windows10-2004-x64

9

3d4f84e20d...96.exe

windows10-2004-x64

49cff73125...4b.exe

windows10-2004-x64

10

4c0153b979...a5.exe

windows10-2004-x64

10

4ded976d2e...5a.exe

windows10-2004-x64

10

4ee95ee627...68.exe

windows10-2004-x64

10

5b439daac4...d7.exe

windows10-2004-x64

10

67df6d4554...78.exe

windows10-2004-x64

3

6b3bf710cf...2e.exe

windows10-2004-x64

7

6df64a0a92...fe.exe

windows10-2004-x64

10

75b45fea60...34.exe

windows10-2004-x64

10

82e6b71b99...5a.exe

windows10-2004-x64

10

8a6aa9e5d5...47.exe

windows10-2004-x64

8bcfb60733...fd.exe

windows10-2004-x64

10

8bf1319fd0...6c.exe

windows10-2004-x64

10

8d76a9a577...20.exe

windows10-2004-x64

10

8dd283ca01...4c.exe

windows10-2004-x64

10

8edaee2550...e7.exe

windows10-2004-x64

10

9bff71afad...75.exe

windows10-2004-x64

10

9d7fb7050c...20.exe

windows10-2004-x64

10

Resubmissions

13-07-2024 09:54

240713-lxbx6swdmm 10

13-07-2024 09:50

240713-lvbvdsyapd 10

13-07-2024 09:46

240713-lr1dksyajd 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    New folder (2).7z

  • Size

    13.3MB

  • Sample

    240713-lxbx6swdmm

  • MD5

    300907600633b7aacc130b724aec7fe2

  • SHA1

    4191d63dc42b2c3f866dca771b595c249b7eb6e9

  • SHA256

    d418ca84ca4bb7db72d2b00f8d6225a57909e02f712c7b0e2d9cefb2e18d0737

  • SHA512

    be6bdb6824b03d4749189d8eb5f9cb5b45b0a74c2ae347570acb0c5e8dd5442ee9a5359cf888cbf24da5f597c718a3db605355929d55dbbc3d93bee83523ce3e

  • SSDEEP

    393216:NKJ8US7afzdQRNspruRNL0EMuGMjFVWz9:NKm3KQAr1P9

Score
10/10
blackcatchaosgandcrablegionlockermafiaware666mimikatzmodiloaderneshtazeppelinbackdoorbootkitdefense_evasiondiscoveryevasionexecutionexploitimpactpersistenceransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\Users\Admin\Documents\How Do I Recover My Files (Readme).txt

Ransom Note
* What happened to my files? Your important files are encrypted. Many of your documents, photos, videos, databases, and other files are no longer accessible because they are encrypted. Maybe you're busy finding a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. However, if you want to use the programs of data recovery companies, please do not work on your original files, but make copies of them. Corruption of the actual files can cause irreversible damage to your data. * Can I Recover My Files? Sure. We guarantee that you can recover all your files safely and easily. But for this you need to send $300 worth bitcoins to our address. Even if you give money, Do not believe the people around you who say they will not give your files, I Have Enough Reference To Give You Confidence. I don't know about you, so there is no point in having bad feelings towards you, doing evil to you, my goal is just to earn an income from this business. * What about the guarantees? This is just a job. We never care about you and your deals. If we do not fulfill our work and obligations - no one will cooperate with us. If you do not believe us, tell us any 1 or 2 files with SIMPLE extensions (jpg, xls, doc, etc ... not databases!) And low size (max 1 mb) 1 or 2 file and following special public and private mzrevenge keys produced for you send us we will decrypt these files and send it back to you. This is our guarantee. * How to contact with you? You can write us to our mailbox: [email protected] Don't forget, check your "Spam" or "Junk" folder it you can't get more than 6 hours of answer. * How will the decryption process proceed after payment? After payment, we will send you our special decoder program by mail, just open it, then it will automatically decrypt all your files. but you need to pay for it and contact us. * So what is Bitcoin and how to get it? The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ If you are ready to pay the money we want, Bitcoin address to which you will send the payment: 3HYoqfBS1ZceA2AvmdEucbnEHp74nu9cjd These are public and private MZREVENGE decryption keys produced for you. If these keys are damaged, nobody can recovery your files. ============================{ PUBLIC MZREVENGE KEY }============================= MZRKEYPUBLICwoo5YMOkZsKmw6rDvCLDnBXCmARSMcOSbFvCmsOvehPCsjrDj08Hw4fDpMK2ZVBrPxXCk8OGw4ozw4JmfsKJwrYnMznCnk3CkcKFEsOtK8OZw6nCulDCssKow4k2dcOLw7ULXGdrT3DDssKRQcKmEsKMTDjCnsO3fsKaw6Jnwqg0fnjDu8K9wrXCqF7DkTwVw4pDwogWA8OpwppoMRXDuT1nehHDksK2MMKucVAmBsOmdcKowqgTwrbCv8K9w7cVZ8Kgw4TCnsKOcsKxw4FNOFnCv8OBw5Uqd8OGwqY/w6lRw4PCkT02w6TDpcKUw6k4LsOqQj3Ct8KPwpcmwrZ4w57Do8KxBcKHWEtYwp7CgcKuw586w4TCgMKFSDp4NsKaUMKOGjPCvcOGEXnDhMKIw7URQmjDpDYjwqcBwphiwqRrKCxvVsORw5gFwrRzasK+wp1va8KzA0Y6wpMmEhPClMKoWSVew7wQw4fCucORbcK5w6s9w5Bjw4LDqsONw4/Dn8KYw48ywph6wrI2YsOGwooUUDZnw67DvMODwoPCicOeKzLCtxw1RMK0w7DDgQ4TXsOvw6l6fMOnwrg6Z8K3w51LDMKpFDbDqcOnw6TDkGdjRcOSw4BxwooYCzxWw4o= ================================================================================= ============================{ PRIVATE MZREVENGE KEY }============================ MZRKEYPRIVATEw7dowp9iHDPDo8KwLXDDhcOJwp8rw7DCgsKZTcOzPjHDkcK7dRNDY3FQb8KGw5/DrcKOw5VFPFtywq7ChsK0RVtZwoDDkcOuNMK+wqTCr8KJwpzCsGHDtw7DoEVHccKRwqLDvDzDjyLDucOhA8O3wp0zwo8eP8KAwrzCvikzwpU/w6FFODbCpMONYMK3w4PCmCPCssOdw4N5wr3Cml7DhcKFwrIdwrXDh23Dpnpqw5DDhMOCdsK5wrUzCCQxQwwMw77CvjptwopaDMOHw67DkMKNEnrCl8OkQAscKV1DdgxEw4lDwrlZwohARUQOw68HUMKfwpTCsVHCp2k1woZkXcOeAR7CocK1NMKpPXY8DHjCpUTCncOuw6TDksKpcnMLwrjDlcOkImPDrinCiQbCtWNKC3jDt1zCiV0mw5cGw4PCvEp2wrdAPxwmSAHDl0rCjxZDw43Cg8OgwrjCjnNdURDCrCvChmHCsMOGOsOXZh3Dgn7Cp8OLw5DDi8Opw5TCv1BDwp3DpDkEwqXCnsKvf1TDtG7Cuw7DmcONTMOPHsOpM8K1NMKOw5DCsMOpw6sTNMOnDjbDqRjDrMKRw5TCnXNDwoUMw7wGwovCicOdOgIDZTlkesKxw7zDr0VUw4sUwok4wojCj8Kvw6HCscKQA2w5woZmQMOpw4jDpzHCoSnDlcKheMK8OTTDhQHCnsOowo7ChcK7w4TCksKFBsKAw67DuDZYw57CisKkw7XDl8Kab8Kbw4o2w4fCicKBXcORw4/DmsOmw7TDixbCpcKsDsOnw5LChcKmw54uBsOoKAnCo1fClyw0wqREMTXCh8KJccKOKllKMcOmOsKBwr1vwrjCjAgUwqNZIno9woLCh0AGFTbDkgYvSjkyRMOmaMO5w57CpwvDuXrDg8KrwpczwpNjIFAVwpJcEsOlwq0zf8O8woE/w5LDpgwVw4rCnXJRaMOkwpLDpMKDWMKLHDh4wpPDomjCtwxsBTMCw6Zcw6nCiU0Vw4ssesKSw57DocODwonCsUDCvkPDtMKlwrrDoE42ZsOEKiJ6wqHCjVlxwrBMJsOuBsK7OsKcwqfDp8OSVsKGesOmwpLDlCJywr7Col0yw484w4vCtUXDskDDpsO4w5QDwobCm8K3a8ODc0MTwonDhWLCuXoew4HCjVRrw7fCmcO5wqnDgQLDt8K9ccOgeB5NOcOkeMOwwqbCmMOuwq02w59EDxXCq8KdworCocKYwqrDpsOZQQPDm3oGwoPDiMK6w7BLwpwiTXUFM8ONXjrCtXHCsBrCpHfDn8KqesKlQxR2b8K9wogVwrREDwYpccOzUMOEw7lmw7drZMOfwo5rdUsrDnpEw43DjsOew7jCn8KFw4fCscOpesOdRcKIUMKCw78UwqFxw6rCtcKbNMOww6UgD8OcXcKbw5gHw67Ds3ELfsOGwoU5wrbCpjLCgMKtwok2w48LSC/Cj8OUK8KPwrV+wrU0ZMKkwqJDw6bCozHDg8OSQCgGwprDjcO+ZjbCrMKPwqzDnlDDl8Kww6AmMyZ2Z1DDvMK4ZSZOVsKKHMKdSMKow6gUw4phKVDDncOvcsKewrbCm0BDeBxewo9kw5XDkcOLSBJswrLCpMK5wqnDh8KJwonDj3XCvgg6w7TCpRrDjxXDg8KHw4Utw6M3wqB5wppdeMKRw7zDqMOdIsOXImLCikQoM8OZwprDv2dOw7PCp009NGvDozvCvMKbw7zCg8KgwqY9ARNuwprCu8K9MQvChw/CjMK5w7nDiS1ADMOjP8OCJsOwOBpYwr5vwrDDl8OGw59YwrVfwrAzwozCj8OJw6lYMXwXNsKZAcOHb8Kgwo/CgFzCk8K5w4HCuGtFw7rDgnlvIw/DmcOXw5zCpnnCtUDDjUTClGZlWMO0w6TDgWLCjjbCl2PCrcKnwpfCqcKofMOxPcKow6o2w7BHwoXDnWFRwq7ChsKMwot5woVNwpJQFTgowpotMcOpL8OKZsK4XcO8MsO3KHnCjjLDhzPCv1kcwrLDosKjMsOwUDjCuDPDvjfDh8KafsO8RMO8woYjw6xxWcKPcMOeFcKCw7XCkgbDvmvCuxkyQC04w7N+w7fCoUXDsTgUMnXCscOSEMKdOcOGUMKlw418esKow50dwqrCsR3DkVF6asKZwrIiw6A9w4V8AcOQw5DDjg5Rw57DninCosOmwoLCpsOEWxRkwp1lwo7CqGzCt2fDlyYBw6gmwoB4wpvCpAvCpzpuZ8KSMwEBDCzDjcOgwoDCmnJQw5/Ds0gwBcOzw4vCoRzDi2LCicOLwpfCrybDhw/Ch8O/wqzCpcKnaQVlwpzCrxUZa8O0w5nCt3hFCF7Di8ObHcOVwpc2VMODw65QwrLCoTjDg8OKD00EwqfCuRPDs8K3QsO5K8KBJMKUw5wx =================================================================================
Wallets

3HYoqfBS1ZceA2AvmdEucbnEHp74nu9cjd

Extracted

Path

C:\Users\Admin\Documents\PLEASEREAD.txt

Ransom Note
WELCOME, DODO has returned AGAIN. Your files have been encrypted and you won't be able to decrypt them. You can buy decryption software from us, this software will allow you to recover all of your data and remove the ransomware from your computer. The price of the software is $15. Payment can be made in Bitcoin How do I pay, where do I get Bitcoin? Purchasing cryptocurrency varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Payment information: send $15, to one of our addresses, then send us email with payment confirmation and you'll get the decryption software in email. Email Address : [email protected] BTC address: bc1qwel3y5ef4sgumcnm9njln3eupvxutymlv732gu We Promise ALl your files will be back as soon as u pay

Extracted

Path

C:\Users\Admin\AppData\Local\How to Recovery.bat

Ransom Note
echo off color 0A cls :MENU ECHO. ECHO -----------------Attention----------------- ECHO. ECHO. Your All Files Have been Encrypted! ECHO. ECHO Your Personal files (Documents, Databases, All Drive, PDF, ETC.) We re encrypted. ECHO. But don't worry about your files,You can take back all of them, To decrypt your all files need ECHO. to buy Our Software With your unique private key. Only our software well allow decrypt your files. ECHO. Remember if you try to recovery your files through any third-party software, ECHO. it's can cause premature damage to your files, and we can't help you either. ECHO. ECHO. -----------------Note!----------------- ECHO. ECHO. You have only 72 hours from the moment when an encryption was done to buy our software at $1,000 for the payment ECHO. ECHO. BTC Address:- 33j4JbAEzZwWGgA2MxBARD7zprJuNDP2hP ECHO. ECHO. And if you Payment complete then Send me proof. ECHO. ECHO. Use the following ID as the title of your email:- QA2Z67DXLBFF1000FHN ECHO. ECHO. Use these emails to contact us and receive instructions:- ECHO. ECHO. Main email:- [email protected] ECHO. ECHO. Secondary email ( in case of no response in 48h):- [email protected] ECHO. ECHO. Also, you can send up to 3 test files to see if we can decrypt your files. ECHO. ECHO. After paying, the decryptor software and your private key will be given to you. ECHO. SET /P M=
Wallets

33j4JbAEzZwWGgA2MxBARD7zprJuNDP2hP

Extracted

Path

C:\Users\Admin\AppData\Local\How to Recovery.bat

Ransom Note
echo off color 0a cls :MENU ECHO. ECHO -----------------Attention----------------- ECHO. ECHO. Your All Files Have been Encrypted! ECHO. ECHO Your Personal files (Documents, Databases, All Drive, PDF, ETC.) We re encrypted. ECHO. But don't worry about your files,You can take back all of them, To decrypt your all files need ECHO. to buy Our Software With your unique private key. Only our software well allow decrypt your files. ECHO. Remember if you try to recovery your files through any third-party software, ECHO. it's can cause premature damage to your files, and we can't help you either. ECHO. ECHO. -----------------Note!----------------- ECHO. ECHO. You have only 72 hours from the moment when an encryption was done to buy our software at $200 for the payment ECHO. ECHO. BTC Address:- 33j4JbAEzZwWGgA2MxBARD7zprJuNDP2hP ECHO. ECHO. And if you Payment complete then Send me proof. ECHO. ECHO. Use the following ID as the title of your email:- QA2Z67DXLBFF05FHN ECHO. ECHO. Use these emails to contact us and receive instructions:- ECHO. ECHO. Main email:- [email protected] ECHO. ECHO. Secondary email ( in case of no response in 48h):- [email protected] ECHO. ECHO. Also, you can send up to 3 test files to see if we can decrypt your files. ECHO. ECHO. After paying, the decryptor software and your private key will be given to you. ECHO. SET /P M=
Wallets

33j4JbAEzZwWGgA2MxBARD7zprJuNDP2hP

Extracted

Path

C:\Users\Admin\Desktop\read_it.txt

Family

chaos

Ransom Note
----> Chaos is multi language ransomware. Translate your note to any language <---- All of your files have been encrypted Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.What can I do to get my files back?You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0.1473766 BTC Bitcoin Address: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0

Extracted

Path

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\How to Recovery.bat

Ransom Note
echo off color 0A cls :MENU ECHO. ECHO -----------------Attention----------------- ECHO. ECHO. Your All Files Have been Encrypted! ECHO. ECHO Your Personal files (Documents, Databases, All Drive, PDF, ETC.) We re encrypted. ECHO. But don't worry about your files,You can take back all of them, To decrypt your all files need ECHO. to buy Our Software With your unique private key. Only our software well allow decrypt your files. ECHO. Remember if you try to recovery your files through any third-party software, ECHO. it's can cause premature damage to your files, and we can't help you either. ECHO. ECHO. -----------------Note!----------------- ECHO. ECHO. You have only 72 hours from the moment when an encryption was done to buy our software at $600 for the payment ECHO. ECHO. BTC Address:- 33j4JbAEzZwWGgA2MxBARD7zprJuNDP2hP ECHO. ECHO. And if you Payment complete then Send me proof. ECHO. ECHO. Use the following ID as the title of your email:- QA2Z67DXLBFF724FHN ECHO. ECHO. Use these emails to contact us and receive instructions:- ECHO. ECHO. Main email:- [email protected] ECHO. ECHO. Secondary email ( in case of no response in 48h):- [email protected] ECHO. ECHO. Also, you can send up to 3 test files to see if we can decrypt your files. ECHO. ECHO. After paying, the decryptor software and your private key will be given to you. ECHO. SET /P M=
Wallets

33j4JbAEzZwWGgA2MxBARD7zprJuNDP2hP

Extracted

Path

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\NOTE!.txt

Ransom Note
Don't worry, you can return all your files! All your files like documents, photos, databases and other important are encrypted What guarantees do we give to you? You can send 3 of your encrypted files and we decrypt it for free. You must follow these steps To decrypt your files : 1) Write on our e-mail :[email protected] ( In case of no answer in 24 hours check your spam folder or write us to this e-mail: [email protected]) 2) Obtain Bitcoin (You have to pay for decryption in Bitcoins. After payment we will send you the tool that will decrypt all your files.)

Extracted

Path

C:\Users\Admin\3D Objects\# How to Decrypt Files-NJFD7.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Decryption Instructions</title> <style> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 12pt; line-height: 16pt; } body, h1 { margin: 0; padding: 0; } h1 { color: #555; text-align: center; padding-bottom: 1.5em; line-height: 1.2; } h2 { color: #555; text-align: center; line-height: 1.2; } ol li { padding-bottom: 13pt; } .container { background-color: white; border: 2pt solid #C7C7C7; margin: 3%; min-width: 600px; padding: 5% 10%; color: #444; } .header { border-bottom: 2pt solid #c7c7c7; padding-bottom: 5%; } .hr { display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .info { border: 1px solid #888; background-color: #E4E4E4; padding: 0.5em 3em; margin: 1em 0; } .text { text-align: justify; } .lsb{ display: none; margin: 3%; text-align: center; } .ls { cursor: pointer; border: 1px solid #888; border-radius: 3px; padding: 0 0.5em; margin: 0.2em 0.1em; line-height: 2em; display: inline-block; } .ls:hover { background-color: #D0D0D0; } .l { display: none; } .lu { display: none; } #change_language { float: right; display: none; } </style> </head> <body onload='javascript:onPageLoaded()'> <div class='lsb'> </div> <div class='container'> <div class="text l l-en" style='display:block'> <br> <div> <img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAL8AAAEICAMAAAA5jNVNAAAAeFBMVEX///8AAAD8/PxQUFCJiYk0NDSenp5TU1M9PT329vb6+vrv7+/z8/Pl5eXKyspfX18oKCjCwsKPj4/o6Oivr699fX1xcXGioqLa2tq7u7uTk5PS0tI6OjogICCCgoJoaGh1dXUXFxeqqqpHR0cODg4cHBxaWlotLS1/4KDGAAAHlUlEQVR4nO2daVciPRCFaRpkRzYXXNCGUf7/P3zldUZn6O6bSmrDc3I/a/IASaVSqVQ6HQWt55v97rpcLIo/el4cXnr77eNYoztBjZZ3L78KpPJqO/WmbNZks8PoX6p226437ZnuV0ca+9fvsB95M39ptqri4D91vfUGP6m7GabAf+rBey5MVunw/+t17Ug/e2XSu36CyY0A/Uk7j6ncvRKiP2lvjj9fhKkiVN6b0k9vRelPujLEX1bi+EUxMJvHPQX6k+Ym9OtSCd9mDD2+qeEXxa26X7dVpP9QqexQ3OniF8Vhpon/oI1fFH3FD2CAr/kBTPD1PoCkwwM1nGjgb6zwP6yQghmd2+EXxYs4/qyy5C9Wwvjjgyl+UQjv7eX95ZBENwSGc/ePDoKxxvv47qvypne1Xc5n6/lye9W7KavYFnZi+N1Ij7nsbdfTMxPYna43u7hI0VKKP2rhetlMWq33eH03oLe0EFrGIkZPuQn6v7OHitraqwz/O7k/ms3obqixC5ENJXXH8hrhdm1om7gnARs0pX1Zgzh73aXFTR/4/LSO4pfLGckYsV3pGaWX9yRLsSO0fMvlp8RoU3/lJaHtRx4+xXamrzOE1q95/AS/jeNoEUYny4YS2ufNsEmw/QGn+fDo5xqI8DfE+AEmwQNd/gr5GOqCMQOCtl8i4BrcWyRPsGnoTPpdAL/TCR0CJq8BQc9HKMwR8lBS/eiQ48lcW74UmsOJwYhQszdC+MHA5DHtfDU0ewU32IERlLTCj59wo5IRmkBwL8mEBgzzQRC/07nGnaUcTQbWXqnJ+6nAXEtYZ0bY+DP9wpqwo3iIt9SB4SP79Qdd6Xg3Cw+fUhg/NAOit0gjbH3EYmNfwiYoegDh3/NZHD+0BsQOILwkahz04yhlbI/Y99E4YMNbsUh7J9oYUXgGx31leDZtVPjxRibOXcEpPjr5dlPYZ5y3C8P0OsMnMICiYrl4+GtlC+LklhgfDg9/rUQ17MTFTDq4dekr4Xe6cAmLmQAvqKGeFj/2uYb0CYDPLPTS3rEFpa8Aa6F2YoX7pcf6YOBnoZcjOH5GHdPDKHD6so9EgOAujJ5UA5vRTDKFPuiCuuyP+qgZzSxffKJEnXh49dW8bIBdIOo3B/deleYdOjyBqSMXmmGZmHmb4MJJXYGh86y3+ga7HhAtNzxQ0M1xhy5oRZt6OF1J99IcjprRktNHcBKp5ocHDBAt6OdnPj++O9g3beMEtxFvuleQuzArheYBwUUwIRIcJWhAaSmJ0AZoem8nQQNKCxxA71PX/Afiln3S4IV5RQIZXVB4C0YyHnAIat+0xJEPygKAly/5wP+/wgsAZfHBB1/S50Zx/JTecQvaV41HMDOUEsPy5R/DX/+O0IKn+9AJHJxQrB90HxbqFUyg805ZfaAF66tfEIWrD4Ufuj9aof9vsWNPe19+GAKqb76758L8vfo/yAp3/177835NcPf19lT/B1nB7ou3s7/uwL++fGV+X2V+X2V+X2V+X2V+X2V+X2V+X2V+XzXyHwflBWrQlNXQxP80Ut7jpqlxZ9/Erx9jSBOVn3XjU1GZ31eZ31eZ31eZ31eZ31eZ31eZ31eZ31eZ31fW/N35ditZBdOW//F3Gt2NWMKxJf/krys0K6GcFUP++T+Fm4YyFybt+GtJnCLTwIy/oSOJS0tW/I0ZMAK/gBF/y+VDvhmy4W+7AXJkv0xgwr9uLRl3zTWjFvyoTje3JrgFP7xBzcz9NuDHFeN+8W4+6/Pj+9PckxF9/kAVLmbhEXX+cD1Y1ghS5w8UjDuJc/1Hm5/0wgRjFdPmJz2GR7mB4MM/puBzyvYp81OqORec6hfK/MRXAtJNqDI/8S3IdC9ImZ/4wkr6BVBlflj04lvp9QuU+Qmr10npN4Au4/tPN6DK/EHn7VPpPqgyP/El3XQPSJmf+LRfev0LZX7SSxOcQJC2/1aR+NMvUGrzU97jKF6T8dX5Se8MMe5vq++/CB4E5/7qBex/WRt4/fhD8Adg1Y7T5w++ZcE6BjCIvwWei7n0+FVnhB8sufT4YSCGcvnxW7gL5pausTl/aa3+wi4cZ3T+1VK6mP8WnBF/c+X6J/7D3Fbnp9OGGlwC+Ibn77UaJkOJZ9EN8x/O1rGDSNUXQ/6zBAiZt2QN+c9jiSI5QHb8NRPEiPp/y46/dg4p8h63Y/4P8+TXmr9+Cv+T8n+aKrBJPAZtxt8QyYooHu/P39SRgAU142+KRAuU/TXz3xralLjUasXfnETzc/zn5hwmfuFKI/5x8+MT/NcWjfhbwrg/Zv/YVsGWbUFt+FvLt7ItqA1/a/lNtgW14W8vIMy1oDb87WkcXAtqwj+uWvm5PqgJPzgE41pQ7/gt14Ka8KMsCOYu3oIfvj/A3MVb8OMTMF4YzoIfJ/HxdvEW/DiJj3eDwYAfv/9TlKwrJAb8uPY404Uw4A9lELAevzHg3x+HSH3W6xP5/rKvMr+vMr+vMr+vMr+vMr+vMr+vMr+vMr+vMr+vMr+vMr+vMr+vfjp/0wXRJv7jqneJWjVdLGji/0nK/L7K/L7K/L7K/L7K/L7K/L7K/L7K/L7K/L76DxuakMqfwNR4AAAAAElFTkSuQmCC" alt="LockLogo" /> </div> <br> <p><samp># All your files has been encrypted by "KRAKEN CRYPTOR".</samp></p> <p><samp># Read the following instructions carefully to decrypt your files.</samp></p> <br> <div class="info"> -----BEGIN KRAKEN ENCRYPTED UNIQUE KEY----- <br> w4p7DOBESk+RHFLduZvNf6veYncATS+opvs+TSL+14+IypnTRjcRhLvuj9AbPdwH<br>jnagteVuUJ1asmsFJpEfg3JlSBGhFemFl8EP5qQDt+1/bGS03AxkEjhXeZYOS0eF<br>tVoGfNtlXYAHyrF+K1FRpEXz1DZUI7DLj10hEK+FyafSN/Pq4Hh2doM86z/1+nGQ<br>a3uZTYH8wSNyYVqodnBIr7gX4/sGpFu7wvBX3zzh72A7fPyeQUMbKKXnoU26ti2M<br>42t96V7BxBWaDb2MRjP1u60FH98nlEd+u3sJQVLGy4mzjokbJtAb4jJluMTg3Fwo<br>I3rxA28XV70U8sQcvKDyGEoSZWSHcu2OIFtl3/A2nDiQcLTd30242+AT2v8P93pU<br>iHQPA49umlX+XH8MQDVv67q1aNvO6DuxVlkcm8hkCoRvD912PcQyhWf7XDLMQmys<br>UYwwpcTQRXe7LliuDf11A+JuAWrRFru3/avyOBEvwQRlskldRwIVOY/8lRJOVQ0y<br>gNNGfkncG/4iG5Ziy+/v+saH6hJ1r47Me1pdD2sWx+wN/0dmMpjC+jMfUZAkB5wQ<br>u2TnznsqLuZ9ATRsptGr0xvDyqv8ngWuEUyMhsuwJCzZx0MmXlouc4d8IFsciwA5<br>fN3fzupc2nD9jqde4g8UDDgaNVRECvJBwX1CZZJgXYsmsJ2TfPjm+qWwBIxZUrXF<br>AnTohytoaVV9KezNRFpUssSdcCzAWIpoW/RgBA4= <br> -----END KRAKEN ENCRYPTED UNIQUE KEY----- </div> <br> Extension <div class="info"> .NJFD7 </div> <br> <p style="color: #D91E18;">What happened to my computer?</p> <hr> <p>All of your files such as documents, images, videos and other files with the different names and extensions are encrypted by "KRAKEN CRYPTOR"!</p> <p>Don't delete .NJFD7 files! there are not virus and are your files, but encrypted!</p> <p>The speed, power and complexity of this encryption have been high and if you are now viewing this guide.</p> <p>It means that "KRAKEN CRYPTOR" immediately removed form your system!</p> <p>No way to recovery your files without "KRAKEN DECRYPTOR" software and your computer "UNIQUE KEY"!</p> <p>You need to buy it from us because only we can help you!</p> <br> <p style="color: #D91E18;">How can recovery my files?</p> <hr> <p>We guarantee that you can recover all your files soon safely.</p> <p>You can decrypt one of your encrypted smaller file for free in the first contact with us.</p> <p>For the decryption service, we also need your "KRAKEN ENCRYPTED UNIQUE KEY" you can see this in the top!</p> <p>Are you want to decrypt all of your encrypted files? If yes! You need to pay for decryption service to us!</p> <p>After your payment made, all of your encrypted files has been decrypted.</p> <br> <p style="color: #D91E18;">How much is need to pay?</p> <hr> <p>You need to pay (0.256 BTC), payment only can made as Bitcoins.</p> <p>This links help you to understand whats is a Bitcoins and how it work.</p> <p><a href="https://wikipedia.org/wiki/Bitcoin">https://en.wikipedia.org/wiki/Bitcoin</a></p> <p><font size="3" color="red"> This price is for the contact with us in first week otherwise it will increase.</font></p> <br> <p style="color: #D91E18;">Where can buy Bitcoins?</p> <hr> <p>The easiest way to buy Bitcoins is LocalBitcoins website.</p> <p>You must register on this site and click "BUY Bitcoins" then choose your country to find sellers and their prices.</p> <p><a href="https://localBitcoins.com">https://localBitcoins.com</a></p> <br> <p>Other places to buy Bitcoins in exchange for other currencies worldwide:</p> <p><a href="https://www.bestbitcoinexchange.io/">https://www.bestbitcoinexchange.io</a></p> <br> <p style="color: #D91E18;">How to contact you?</p> <hr> <p>We use best and easy way to communications. It's email support, you can see our emails below.</p> <p>Please send your message with same subject to both address.</p> <br> E-Mail <div class="info"> [email protected] </div> <br> Alternative <div class="info"> [email protected] </div> <br> <p style="color: #D91E18;">Attention</p> <hr> <ul type="disc"> <li>DON'T MODIFY OR RENAME ENCRYPTED FILES.</li> <li>DON'T MODIFY "KRAKEN ENCRYPT UNIQUE KEY".</li> <li>DON'T USE THIRD PARTY, PUBLIC TOOLS/SOFTWARE TO DECRYPT YOUR FILES, THIS CAUSE DAMAGE YOUR FILES PERMANENTLY.</li> <li>DON'T ASK PEOPLE OR DATA RECOVERY CENTERS, THEY ARE MAY ADD EXTRA CHARGE.</li> </ul> <br> <p><b>Additional</b></p> <hr> <ul type="square"> <li>Project "KRAKEN CRYPTOR" doesn't damage any of your files, this action is reversible if you follow the instructions above.</li> <li>Also, our policy is obvious: "NO PAYMENT, NO DECRYPT".</li> </ul> </div> </div> </body> </html>

Targets

    • Target

      020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe

    • Size

      1.3MB

    • MD5

      ffce3f25a125b5dfcd96e92148b7d209

    • SHA1

      a4c2bfa23b98471ac1ea7103e194cf6488a058ac

    • SHA256

      020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c

    • SHA512

      7d0af9214e4cdabceab9abb2586288e0a42ef9b7a7abc1bc7f03c04cf48b6722eeeee4a476aaf2567feaacbc70fb3e6bf36aa1050b010ef68019b7e80886f823

    • SSDEEP

      24576:1pa1z++i/OfNbXirk1nF1qfWk3w80geAcVW9CFnBOmp7BCr/otH5LSp+7I80w:zF+BZk6FnBOmp7BCr/G7I80

    Score
    10/10
    defense_evasionevasionexecutionimpactransomwaretrojan

    • UAC bypass

      evasiontrojan

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Renames multiple (174) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Checks whether UAC is enabled

      evasiontrojan
    behavioral1

    • Target

      06cbef0e9051e2f54cf17e0d191f890d82cfec91bbc3e5bc429a2f364fd925f8.exe

    • Size

      147KB

    • MD5

      ce4c09c4b836c31993e902adf115a54a

    • SHA1

      5fe984d96c4361a996c898e93dd72538614ca0c6

    • SHA256

      06cbef0e9051e2f54cf17e0d191f890d82cfec91bbc3e5bc429a2f364fd925f8

    • SHA512

      02226e2abb6616525a2431ce6f4d6c81d54d2c06f7cf4f5cb8af740b14e03df657e8fa22e71d8b83ab7e1cdb9b943868f7d3d687482b499d85b2ca7974f0140d

    • SSDEEP

      3072:ribQR54LZPhG1tqIFMH4zGrEV9SzjS3vqY:riI6PhGqI+YqrEV9S2q

    Score
    9/10
    defense_evasionexecutionimpactpersistenceransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence
    behavioral2

    • Target

      083c5b43df8bee2a6235c3f5038cc9860b4a4bfd1675d367a67fcfff93ccfcfb.exe

    • Size

      353KB

    • MD5

      c525eb716420dc915fe574b8a3973143

    • SHA1

      b272f9a63aed4c5ab06e887d3ceb9854f52fa1d7

    • SHA256

      083c5b43df8bee2a6235c3f5038cc9860b4a4bfd1675d367a67fcfff93ccfcfb

    • SHA512

      24ba34d78e5c295c740e2ec9d0c27c90a25dcad5f330c72929c9e98a64f36f8ab6763c7f9929bc72a31d9b52d11ab17882a3841a75b77b904f4aeb90c768177d

    • SSDEEP

      6144:G1/ZVevGFi0Xx6HQpNnCnoed+wBlO18eDKO3wexcXQVkcoHnqyk:WeUjNHCFkw3OCMpxcXiPoKN

    Score
    10/10
    defense_evasionevasionexecutionimpactpersistenceransomwaretrojan

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Stops running service(s)

      evasionexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Sets desktop wallpaper using registry

      ransomware
    behavioral3

    • Target

      15cb04fa5c58299e320c833b62a6e44ec67423aed9fcc969d5b90f4380ccf24f.exe

    • Size

      213KB

    • MD5

      3271867f57a7ddd53d2f36210f79b241

    • SHA1

      04ccf49f32406c6a0d61745bae090a9426a1500d

    • SHA256

      15cb04fa5c58299e320c833b62a6e44ec67423aed9fcc969d5b90f4380ccf24f

    • SHA512

      a0a0725b6023cab53363303db4aa0c6c1c1916a6b178b1f3a6301e779c67a2b1d68202a696ee328ffa9080f2f7236f581cbf8aadef4eadebb748ed6fcf35baa9

    • SSDEEP

      3072:XBkGJ8YXmHDZLWlTSMu/9laSnsBOSrXo0hL5VNWrIV9Y5cYE3vqY:uGuYXeDZW4MuVgUsBOchL5LWrIV9ugq

    Score
    9/10
    defense_evasionexecutionimpactpersistenceransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Renames multiple (143) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    behavioral4

    • Target

      22a1f50db97e2f91417a668d7c31379012b9f756d37a6697220b10aaf1f8b585.exe

    • Size

      240KB

    • MD5

      598b2a2bdfb474047a6d5b5f0469c27a

    • SHA1

      a2d42ceb046e3bfcab1bb3dc9ef9e89f12e2bd66

    • SHA256

      22a1f50db97e2f91417a668d7c31379012b9f756d37a6697220b10aaf1f8b585

    • SHA512

      ff6930e0dd15d7fc23f3cd62b5213863ec0c59b8ada189960e52be1832c8a1b928ddb3debf9eca65bbd5203e7b191e55d79dd2c7592bed3e197bdfb5b200ddbf

    • SSDEEP

      3072:PC4zn72NrvV9YhZv0FKbgx2HMdYlTYpu/EVarwBwCc45TEywugt45ZoIWpEzGVz1:Pn72NrvV9OCTE45Z1WpEKvmSx7ri

    Score
    9/10
    persistenceransomware

    • Renames multiple (133) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    behavioral5

    • Target

      24cb5e44b68c9dd2a115de3415ee96e78d2180dfd287133c54dfa29c90c1088d.exe

    • Size

      88KB

    • MD5

      e60df2922d5ceb45856f405e41a9d6cc

    • SHA1

      2e438348f4ec2fbd82ce944ad3697d58771ac170

    • SHA256

      24cb5e44b68c9dd2a115de3415ee96e78d2180dfd287133c54dfa29c90c1088d

    • SHA512

      21eac0c509698b0b257e0f8b304204b0f29bbca8f0fafbb33aee5d93af727859ec6e2977c45c658248858cbe362ee5438c37bf566c269e4b708a89f22c87cca3

    • SSDEEP

      768:/qo23p8xAcr9G5eH2SU2Ip4jBqltCF0AxEjenoB69+Fx:yo2iAcr9GYH2SFHBWAxEjc+

    Score
    10/10
    chaosdefense_evasionevasionexecutionimpactransomwarespywarestealer

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Renames multiple (231) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    behavioral6

    • Target

      27c9f44e0c5de68792b684355a68ad83eba89cbe46cc9cf3a6efeb448c9f39d6.exe

    • Size

      352KB

    • MD5

      b431bf2649aee55b729f1668a7bc4b12

    • SHA1

      f618c191798cd8a809120bbf6b09ff79d8877138

    • SHA256

      27c9f44e0c5de68792b684355a68ad83eba89cbe46cc9cf3a6efeb448c9f39d6

    • SHA512

      b31ac84b8d41c4d77536763acf3daa75c437b62e792329f232892e7939b35ed8731f3aaaa3e406cf1bf6121a64c920dd03df4da07847debdd2caae3dc70ed544

    • SSDEEP

      3072:L3kLEir9ihicEQ23lcjxXedA3MYRjuOGK2OIcVtkzuwOYHYHYN4YHYHYcSuCexyM:Ur9ikcL2mj4d6riOZ+qSHej/Kd+bN

    Score
    10/10
    chaosdefense_evasionevasionexecutionimpactransomwarespywarestealer

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

      ransomware
    behavioral7

    • Target

      2c2aa8458f3d138a2cfaa38b2da75b541ccdad655b5db374733e4cecfb24833d.exe

    • Size

      4.2MB

    • MD5

      4755656e64a4cb4ee7ae5846acc1bbc1

    • SHA1

      fd8f5007141ac941fcac77c6565ccb1ec86b1391

    • SHA256

      2c2aa8458f3d138a2cfaa38b2da75b541ccdad655b5db374733e4cecfb24833d

    • SHA512

      6aecc49f717d19425256ef0dcfe5ee8fdd47e131d91322ef8f250d92935d55130226227e0a5f8d8a1d94f1a8f31c4325f026755610a15717a05df26a4c498af5

    • SSDEEP

      98304:oXB4uluJRmMg6QWlIpgi0rHqsih/mCqJ4B4ulur:ovsJR0TW6yiIKRhzqOsr

    Score
    7/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral8

    • Target

      2e9e18954a73762ae06eaa6fa85c4dbdabf607fee4ec2ed016a689c7173dbfd1.exe

    • Size

      283KB

    • MD5

      f5a0c315b535c5a65bbbad8352592221

    • SHA1

      97e4cff4bece35cbcea863045025645f931fce14

    • SHA256

      2e9e18954a73762ae06eaa6fa85c4dbdabf607fee4ec2ed016a689c7173dbfd1

    • SHA512

      58560e1f409fb5cbd70517594d47d2e6145b17d3e64170ef6c1ae583cdf59fe670c2f1c468733ecca0a99c8ec893426a6ca9a8263be12a8845e87af3be50d335

    • SSDEEP

      3072:4W2W9AU+AUae0RgBhr2TLJY74vSePjxi4vLE3YKFcLhNLUt/sVZuQ5kROFz8C9uk:4jW9/+AGBOLS4cvIpNYqa6kIFzn9/x

    Score
    10/10
    chaospersistenceransomwarespywarestealer

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

      ransomware
    behavioral9

    • Target

      2ebb2a34dd6633e785f67d118a8c778969e4e34d667cf554268997e13920a1c6.exe

    • Size

      241KB

    • MD5

      692ea33f6b08ccd47ef8a4f8b913fc4f

    • SHA1

      8a2f0c6b5f422cb2125273be1eece261aa3007e0

    • SHA256

      2ebb2a34dd6633e785f67d118a8c778969e4e34d667cf554268997e13920a1c6

    • SHA512

      df87964befe8dad825e869e4d915c46d71bb72b4f318f9c52d9a1381d391bad73aef5e555057e8189dca479359fa635b19727bb64d1876c1403057ed1e1faca7

    • SSDEEP

      3072:aoT9szr954q4qf8NWPr0Dp/XpoO1zDsJOFQVrFsUBTa488+6WniGxfLwxhqSEaqw:0r95wCPADpaOOwajTa65HyigEX1OeLn

    Score
    10/10
    chaosdefense_evasionevasionexecutionimpactransomwarespywarestealer

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

      ransomware
    behavioral10

    • Target

      2fff52aa0c2fac4e53008cdf0bbea4ade2243bf42418330a03d5ce6f0d598421.exe

    • Size

      2.4MB

    • MD5

      42935359d9ae5ab7507f082c117c0027

    • SHA1

      05dd7616805833497c0ec1826ffc53b7673d8191

    • SHA256

      2fff52aa0c2fac4e53008cdf0bbea4ade2243bf42418330a03d5ce6f0d598421

    • SHA512

      f7fb318258fd7faaed95facea3b8c1ee2c11c13cb5ea239773b22ae5e270cef94a1892dfd2f60df15cf79f9f4935e4145bf5127734ff8893c3020c245d18189a

    • SSDEEP

      12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCH:eEtl9mRda12sX7hKB8NIyXbacAfk

    Score
    10/10
    persistence

    • Modifies WinLogon for persistence

      persistence

    • Drops startup file

    • Executes dropped EXE

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    behavioral11

    • Target

      37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe

    • Size

      953KB

    • MD5

      5fc3bd9632a02f189d81f75fc3b12ebf

    • SHA1

      6abbc78a6fb421adf80051365dbfaff0b3fb696b

    • SHA256

      37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60

    • SHA512

      cf0b9df6db5c85ebc85967dbfbdd99ada401f718445f69f258d9d0a9466f7b58a7bb2f1287cb5679988bd79b42807fa0e0e7fc419557f0af3fbb620b40b2c2af

    • SSDEEP

      12288:OzEPMLC814R2hig4tHkg2W+AU+R2TjsPvEpv8LpgUO4EP3SL98l0zmWHQuTwYzz5:0ztQE1ov2AZ9HjkftWyq

    Score
    10/10
    chaosransomwarespywarestealer

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Renames multiple (206) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    behavioral12

    • Target

      38cd67a044a7da3eea806129a3ae9616cfbe1f49a68997ac932e5214b1719f4c.exe

    • Size

      1.9MB

    • MD5

      d28e88e6e9ad654f81909e605f3398c1

    • SHA1

      84726882c606eec6b7ed7d0ba1d9acdd13390e45

    • SHA256

      38cd67a044a7da3eea806129a3ae9616cfbe1f49a68997ac932e5214b1719f4c

    • SHA512

      3e971529338ef0576ce40679b33fb763b2e1f3e7c16255b922434baf486d6569ee1e0770959ba7763b9759d89bf55b149d54546bdfa7299c41fd2c5d302ecaf7

    • SSDEEP

      24576:tnxLSUXY7WSIGgjvvYaxKMiZA+yH6uw1ECvGX6H7O3YpPNaG:txOUpSIZDv1xim+y6HLOO3

    Score
    9/10
    discoveryexploitpersistenceransomwarespywarestealer

    • Renames multiple (8637) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Possible privilege escalation attempt

      exploit

    • Deletes itself

    • Executes dropped EXE

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    behavioral13

    • Target

      3d4f84e20d5cf317edcefcc98bdd7e126078b25cdc56b816edbec532a8763096.exe

    • Size

      6.3MB

    • MD5

      6a7b2c486baa38a1d89e10889fc0802b

    • SHA1

      6b8ddf08972160a12e144e00aa8a486b3c35e5e1

    • SHA256

      3d4f84e20d5cf317edcefcc98bdd7e126078b25cdc56b816edbec532a8763096

    • SHA512

      a1d60b7113fea5c71309cb2bf49758802f73c5c8152030b7376d8ae2eb7c87d117fdb72b29f73e11c9cbc3ed17ef68a856ce56ed3d93fe4143f9085fd191f739

    • SSDEEP

      98304:RfrQZerQZ2cK5YOXwnS4rV340Jy9+lG498HL:Rfr2er22KIJZr

    Score
    1/10
    behavioral14

    • Target

      49cff73125bdbed98cdda85572228372cecaedc8fa98fd48706fd23e6ad1ad4b.exe

    • Size

      2.8MB

    • MD5

      4431e8c03162a470cc1c74edfded4afb

    • SHA1

      1fdd90a0a702447aebbd683e175c85a50acb9715

    • SHA256

      49cff73125bdbed98cdda85572228372cecaedc8fa98fd48706fd23e6ad1ad4b

    • SHA512

      f006cab8488dc669b5d23e64eea14efce8f6c90cd1ab57b71967e9ecb1748f57da2d5d6bf7eb824338b6025346abd823391abb2932e9d2eb719d55404f565922

    • SSDEEP

      24576:BS4lQMNWi3VesNY8106qPN4K3P0QcejoMZLyiTtiFfkOfEC+:BSy6PX3PpM+P5IdF+

    Score
    10/10
    chaosneshtadefense_evasionevasionexecutionimpactpersistenceransomwarespywarestealer

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Detect Neshta payload

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Disables Task Manager via registry modification

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Modifies system executable filetype association

      persistence

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

      ransomware
    behavioral15

    • Target

      4c0153b979e65346c1d6f863086082ec5ef103cbf6b0f5e8652d61da678a8ca5.exe

    • Size

      390KB

    • MD5

      8c64181ff0dc12c87e443aae94bf6650

    • SHA1

      e91d7ebd17912785caa3e71ef1571dc01b1cd854

    • SHA256

      4c0153b979e65346c1d6f863086082ec5ef103cbf6b0f5e8652d61da678a8ca5

    • SHA512

      4854565b054297dffc13b659a53059ee8731dca02f3027501254551cb4af20b68fb121d03e528151cf910238b49bf00a3827e74e4bb68faf85ebc50d02ad5c17

    • SSDEEP

      12288:ef/X4NTn/xVkNG+w+9OqFoK323qdQYKU3:EXATn/xVkNg+95vdQa

    Score
    10/10
    mimikatzbootkitpersistencespywarestealer

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

      mimikatz

    • mimikatz is an open source tool to dump credentials on Windows

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence
    behavioral16

    • Target

      4ded976d2e5474b5ce1562ceb032981e23f170e7d6ec07fadd131aea82715a5a.exe

    • Size

      2.6MB

    • MD5

      ca1e56a26f9b7b8e18a5f627bd946d53

    • SHA1

      80f9a9afa9a115acabd32ddbd0339a17d261e90c

    • SHA256

      4ded976d2e5474b5ce1562ceb032981e23f170e7d6ec07fadd131aea82715a5a

    • SHA512

      d48549c184754f7d7e3c5b35c14aab50766aaa00eb8ce62d326a44ce9ccfc0b40bc94e33fa00c8b7594dfc0585f0c6530597d1222d8cb03edcb701de203af679

    • SSDEEP

      12288:jOU/d7WQvyPWa4DQFu/U3buRKlemZ9DnGAevjdMOU/d7WQvyPWa4DQFu/U3buRKO:7/JRyuN5e/JRyuN

    Score
    10/10
    zeppelinransomware

    • Detects Zeppelin payload

    • Zeppelin Ransomware

      Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.

      ransomwarezeppelin
    behavioral17

    • Target

      4ee95ee6271482c7939ce3b9db210ffb7a73ceebb6500b978fa3e6fe1d6ea168.exe

    • Size

      2.8MB

    • MD5

      aa5c75d313a98f3284d7ef52236d2d46

    • SHA1

      085b7906df9bb7c07b254e9f1dd3c1015b581d8b

    • SHA256

      4ee95ee6271482c7939ce3b9db210ffb7a73ceebb6500b978fa3e6fe1d6ea168

    • SHA512

      0302c54bc87cc38f28e7d3b428fc51256f828831501e341e720e9b477d24241071e402675fc6e73d12daf4917f25a874a4a4b614f15b12d8d7be210e15ea19ac

    • SSDEEP

      24576:WS4lQMNWi3VesNY8106qPN4K3P0QcejoMZLyiTtiFfkOfEgl:WSy6PX3PpM+P5Idtl

    Score
    10/10
    chaosneshtadefense_evasionevasionexecutionimpactpersistenceransomwarespywarestealer

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Detect Neshta payload

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Disables Task Manager via registry modification

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Modifies system executable filetype association

      persistence

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

      ransomware
    behavioral18

    • Target

      5b439daac4faa9078a6973301eaeed339f77bbbbcdaa46f3452c1fc90499a4d7.exe

    • Size

      25KB

    • MD5

      d2623fa5d0ce3b4746b1803caed0fdf6

    • SHA1

      339883e34e0cbc23f4c7a6ddb2376b420066fa1f

    • SHA256

      5b439daac4faa9078a6973301eaeed339f77bbbbcdaa46f3452c1fc90499a4d7

    • SHA512

      3140427772552c53ceafa9f745f6349f170401d6b3ae72d641d3004b5b4cfca82b04c30e6734f1b1fec97dcdbc452a36d2ffca4a014eb5851ea2c0f6bf4969f7

    • SSDEEP

      384:a3MLWHn3kI3fcSxlR2WpOYsBNakQJgr91Czxb5fe6uaVyZK:+n3kIE69pCYgr9ixbZe6PVyk

    Score
    10/10
    chaosransomwarespywarestealer

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    behavioral19

    • Target

      67df6d4554cb4c82c8f41d8257174c8c39059cd386744fc0f36ef84faede1478.exe

    • Size

      2.0MB

    • MD5

      eba1ad16bc2fa284adae07cbebef8f7f

    • SHA1

      225163dfd08838ae6bfec6e27994b92955013576

    • SHA256

      67df6d4554cb4c82c8f41d8257174c8c39059cd386744fc0f36ef84faede1478

    • SHA512

      909a8663ee28f43e7737f36707ee1a0195cd73e441dc4d2e6497d6bd7dad67465e21cdb0dd0e07511313673c1f8847c7a85966876165d197566dbbae8f34459b

    • SSDEEP

      49152:iFOLMMFExN0CZb979qfWqcWMT2I9tH2gpNcjsUnlww3GJIV4p:gOIMqvTF9qf5cWMT99tH2s4sUnKoo

    Score
    3/10
    behavioral20

    • Target

      6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e.exe

    • Size

      145KB

    • MD5

      9f16d35de8c312ba0b6f9efd558487fe

    • SHA1

      93040ad968110a6c96c9e2f74f6902aa52b71057

    • SHA256

      6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e

    • SHA512

      1534d12e38937d0c9597f67540b1c849728a637eb7dcd1286e28c9bd72a463bdbc492247beffd16e47986157323134edc84eb1d1f2e857d5c4a136427fe99699

    • SSDEEP

      1536:6Cpb2XbbPD1c2lB4a9wL7vkYq0Hk5rR5JkVJ4y/uU/rLV9YYccquTrX7YeOzk+7J:ZyXbt4aEcTrR5OVZ/rLV9Yrcqu3

    Score
    7/10
    persistenceransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence

    • Sets desktop wallpaper using registry

      ransomware
    behavioral21

    • Target

      6df64a0a921bd65006968d7eb146f7ceb60ffc1345575d39edec0eded41eb4fe.exe

    • Size

      6.0MB

    • MD5

      7f97b34a113170d02ff8008c2bbc7745

    • SHA1

      fe00b8cfc0896d6d23ff3628af8c406a7683d707

    • SHA256

      6df64a0a921bd65006968d7eb146f7ceb60ffc1345575d39edec0eded41eb4fe

    • SHA512

      a899eb8481c02d0c983c7761ca9962ffdea22354cdef6cefeadbdf0ac96d43a54c02ea72e89b8b5c2bdefed38ecdd960a8d267e3fc15545286844baf40ac9e93

    • SSDEEP

      49152:LwLwHt4Ihqew+96PoBjYs5ngToDEZwTFgN+1TtI1VjFF3PBTqJQkYUjeAb3WUpPb:L9fhqezRobVjFyEUqA6Sp+ZIogCxfwis

    Score
    10/10
    gandcrabbackdoorransomware
    behavioral22

    • Target

      75b45fea6000b6cb5e88b786e164c777c410e11fdcf1ff99b66b43096223d734.exe

    • Size

      2.7MB

    • MD5

      024f23eff975f6989dd2dc4340886961

    • SHA1

      d553862c0cb3ab3ad5cba7654c038c966ebc9a00

    • SHA256

      75b45fea6000b6cb5e88b786e164c777c410e11fdcf1ff99b66b43096223d734

    • SHA512

      4c62ebc36cca4ef4ff9d59e8497047436a7f9f51d78d9dc6d29a657052b997479378d46fc5616150bc62cb7211e623c2012fdd7cca2b4e96f54e64d61975e98a

    • SSDEEP

      24576:s1S4lQMNWi3VesNY8106qPN4K3P0QcejoMZLyiTtiFfkOfE:s1Sy6PX3PpM+P5Id

    Score
    10/10
    chaosdefense_evasionevasionexecutionimpactpersistenceransomwarespywarestealer

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Disables Task Manager via registry modification

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

      ransomware
    behavioral23

    • Target

      82e6b71b99a6ec602cfbdc00e0bbaf34c719d7b6879b6e384004886d491ad45a.exe

    • Size

      270KB

    • MD5

      14ea366be5cb691078be2c302590f435

    • SHA1

      84e562bb99249a58849f6f82b29a7746dd144900

    • SHA256

      82e6b71b99a6ec602cfbdc00e0bbaf34c719d7b6879b6e384004886d491ad45a

    • SHA512

      9be5097295010fa04e04fcae578b19ab43935b09a70d8b31a038fd1ef7ed89dcd9143b82400e8d31913bf32a7a18628557dfaa1f4d37c1e7c8062d7a7368afb9

    • SSDEEP

      6144:r02q9t3hysg2+00aHYHjdCoD5oa+S/dIm:Aj3hBg/00aHYDd3DCO/dI

    Score
    10/10
    chaosdefense_evasionevasionexecutionimpactpersistenceransomwarespywarestealer

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Disables Task Manager via registry modification

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

      ransomware
    behavioral24

    • Target

      8a6aa9e5d58784428d0b1641e99f024438b20747993039e16b8d262f3f5fd347.exe

    • Size

      604KB

    • MD5

      697deef7b2ca6b79c3608ebdf9c70977

    • SHA1

      64fb76029f4d7b3aa06646f286182daf4de2a27a

    • SHA256

      8a6aa9e5d58784428d0b1641e99f024438b20747993039e16b8d262f3f5fd347

    • SHA512

      18870c02d0193349748447d92eb1fd2540ad02d54b736e9ce42dbe275acee5cbaa09d4f95e188a94d29e69f9349ff0bbe60e937880a867d4573847d93f7b2f8e

    • SSDEEP

      12288:/g1YsKMSiS9SW35dmhqoeBsGJGKlOD4BZXu3lKG3pHLb4:/gd5QSW3rQqoeBsGJGTyG3JLk

    Score
    10/10
    defense_evasionexecutionimpactransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral25

    • Target

      8bcfb607330063b60948c0520fe2ccbce3562a9cc43a55ea45f16878fc6a9bfd.exe

    • Size

      2.8MB

    • MD5

      7db89ef8195831eb737b0a13cfbd8c60

    • SHA1

      3c8d54c374bda8cc955cfc7477f9e385f24e9592

    • SHA256

      8bcfb607330063b60948c0520fe2ccbce3562a9cc43a55ea45f16878fc6a9bfd

    • SHA512

      537ce51e4351fdd8fed8a1cc3e497097847bd84c1d7e058d6e5672c1cc419cbdfb98c5af822af167fff2761127a33070fc65f2f724116cca206b56b3e8df267f

    • SSDEEP

      24576:BS4lQMNWi3VesNY8106qPN4K3P0QcejoMZLyiTtiFfkOfEzQ:BSy6PX3PpM+P5IdYQ

    Score
    10/10
    chaosneshtadefense_evasionevasionexecutionimpactpersistenceransomwarespywarestealer

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Detect Neshta payload

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Disables Task Manager via registry modification

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Modifies system executable filetype association

      persistence

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

      ransomware
    behavioral26

    • Target

      8bf1319fd0f77cd38f85d436e044f2d9e93e3f33844f20737117230b73b60f6c.exe

    • Size

      3.3MB

    • MD5

      acd46f88a6f90143090c342c10544ccf

    • SHA1

      bb90bed3b0d747feeac32536d75c6d153b34be0b

    • SHA256

      8bf1319fd0f77cd38f85d436e044f2d9e93e3f33844f20737117230b73b60f6c

    • SHA512

      82e91a14b2a7bfb659a566df7caf7f8dc28b61a14c504dd6ca23166ff2bb142114a43c5a3c70309022d813f34fb3aa63d321d964f3b6178e42b650ac0e56e84f

    • SSDEEP

      24576:v54IAnWrfdt2Zj1vpo4ajyKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKI:CIAWjdAp1PagjLuSh3i+FtvkMzT+

    Score
    10/10
    mafiaware666ransomware

    • Detect MafiaWare666 ransomware

    • MafiaWare666 Ransomware

      MafiaWare666 is ransomware written in C# with multiple variants.

      ransomwaremafiaware666

    • Renames multiple (3359) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Drops startup file

    • Drops desktop.ini file(s)

    behavioral27

    • Target

      8d76a9a577ea5ad52555a2824db6f5872548fe4bcc47d476cae57603386c4720.exe

    • Size

      128KB

    • MD5

      85db480564216a2842299723f2537f57

    • SHA1

      97f5a29bb43312689de4c043dbea6a424319f407

    • SHA256

      8d76a9a577ea5ad52555a2824db6f5872548fe4bcc47d476cae57603386c4720

    • SHA512

      c413c3c7dd57abacf2ea431127ddbb89884604dcbcf0a34f74de6b78dc30036602b0c36300eda1169470583a02bd34abf0371a12a6791c300fef0154fe6708c0

    • SSDEEP

      768:8Jqo2zIpszlgqr91OC/ehhegFH4MkaL5PEs:8co21lgqr91OzhvH4QL5cs

    Score
    10/10
    chaosdefense_evasionevasionexecutionimpactransomwarespywarestealer

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Renames multiple (194) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    behavioral28

    • Target

      8dd283ca012e7a70a2673d2cc211c6a616ff23bc5bd3599a1da077ba946a044c.exe

    • Size

      131KB

    • MD5

      807b3c16e4b836511f326750bd175189

    • SHA1

      b24792703c3f05e07a668b4c1b701799b7e6fb6b

    • SHA256

      8dd283ca012e7a70a2673d2cc211c6a616ff23bc5bd3599a1da077ba946a044c

    • SHA512

      844c26ecc56929ca444344d22265e6e02debe1713c99a732c80cbee3474852b48aa359567a1e3e78cc165441177dd9f8880b8213806d69aac0e8df4352cf969b

    • SSDEEP

      3072:KFk4WBCsljJ8lSATxHt2bFZQhdFC7UtrK:KFkNCstGwATxN2bkFC

    Score
    10/10
    evasionexecutionpersistence

    • Disables service(s)

      evasionexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Modifies WinLogon

      persistence
    behavioral29

    • Target

      8edaee2550dde9df1fe2e8c26965be3817f0d66ba13510ac281bfdc8dde1dde7.exe

    • Size

      353KB

    • MD5

      74236c89b9fcb1194bcf19cf5920f3e3

    • SHA1

      7954ff64d20eae792a36ca2cf10a17da35cfbf27

    • SHA256

      8edaee2550dde9df1fe2e8c26965be3817f0d66ba13510ac281bfdc8dde1dde7

    • SHA512

      fbf08ee1017ec6a497a468a5fcfb618bddab57b9bf087f1d478187410458e3922e9d48e9bb872098a0a912bcd3c096c11075ba8142df64cf3cdaaa833504ad83

    • SSDEEP

      6144:G1/ZVevGFi0Xx6HQpNnCnoed+wBlO18eDKO3wexcXQVkcoHnq9Bx:WeUjNHCFkw3OCMpxcXiPoK9

    Score
    10/10
    defense_evasionevasionexecutionimpactpersistenceransomwaretrojan

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Stops running service(s)

      evasionexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Sets desktop wallpaper using registry

      ransomware
    behavioral30

    • Target

      9bff71afadddb02956bd74c517b4de581885b0d6ff007796d00d3c2190c30275.exe

    • Size

      976KB

    • MD5

      52e77b6c313dccdf3e013b86a8cdd915

    • SHA1

      72051bf592b4da79b44d704b675a810ad387a549

    • SHA256

      9bff71afadddb02956bd74c517b4de581885b0d6ff007796d00d3c2190c30275

    • SHA512

      7a9e397af4f1963e742c1125e55c9808b1e90b077c98be374638d06bccce2106e6c436e4629b6a5233f22adc451a9f351b99a8f45a2a86802a0d21c73860b4da

    • SSDEEP

      12288:hUFOlD+3ryYy5zOuMEXyfrznawAmcCh7axyK9E3+ez2pSqxnBPrAM+zwbRU3i+yF:/a0rbpZ7mi+y

    Score
    10/10
    chaosransomwarespywarestealer

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

      ransomware
    behavioral31

    • Target

      9d7fb7050cf315639502f812d25d49c19b14c93948827484c2514bbc87261920.exe

    • Size

      164KB

    • MD5

      44f3a9311b23d84f336cc5b856f16682

    • SHA1

      45e9f3c9836926822d4164848dad0dc6d5fd22d5

    • SHA256

      9d7fb7050cf315639502f812d25d49c19b14c93948827484c2514bbc87261920

    • SHA512

      858d16972a6fece4dd3a30b77f7415433c994a4edaa0064282b5f2b2027d8d0d31e21ac66583e270d7c0cfc42d1bd56cdd506fdf86d67994c78275be58282f6b

    • SSDEEP

      3072:k3kw4Rlr9i0uIYGSKrG8yaJYCZWKuzfo5dXuZRodZXJvPbtH:64Pr9i00GrtUwJj1hH

    Score
    10/10
    chaosdefense_evasionevasionexecutionimpactransomwarespywarestealer

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

      ransomware
    behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Command and Scripting Interpreter

1
T1059

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

2
T1569

Service Execution

2
T1569.002

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

2
T1547.004

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

2
T1547.004

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Direct Volume Access

1
T1006

File and Directory Permissions Modification

1
T1222

Impair Defenses

4
T1562

Disable or Modify Tools

3
T1562.001

Indicator Removal

3
T1070

File Deletion

3
T1070.004

Modify Registry

10
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

2
T1120

Process Discovery

1
T1057

Query Registry

5
T1012

Remote System Discovery

1
T1018

System Information Discovery

6
T1082

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Defacement

1
T1491

Inhibit System Recovery

4
T1490

Service Stop

2
T1489

Tasks

static1

ransomwarechaosneshtazeppelinlegionlockerblackcatmafiaware666modiloader
Score
10/10

behavioral1

defense_evasionevasionexecutionimpactransomwaretrojan
Score
10/10

behavioral2

defense_evasionexecutionimpactpersistenceransomware
Score
9/10

behavioral3

defense_evasionevasionexecutionimpactpersistenceransomwaretrojan
Score
10/10

behavioral4

defense_evasionexecutionimpactpersistenceransomware
Score
9/10

behavioral5

persistenceransomware
Score
9/10

behavioral6

chaosdefense_evasionevasionexecutionimpactransomwarespywarestealer
Score
10/10

behavioral7

chaosdefense_evasionevasionexecutionimpactransomwarespywarestealer
Score
10/10

behavioral8

Score
7/10

behavioral9

chaospersistenceransomwarespywarestealer
Score
10/10

behavioral10

chaosdefense_evasionevasionexecutionimpactransomwarespywarestealer
Score
10/10

behavioral11

persistence
Score
10/10

behavioral12

chaosransomwarespywarestealer
Score
10/10

behavioral13

discoveryexploitpersistenceransomwarespywarestealer
Score
9/10

behavioral14

Score
1/10

behavioral15

chaosneshtadefense_evasionevasionexecutionimpactpersistenceransomwarespywarestealer
Score
10/10

behavioral16

mimikatzbootkitpersistencespywarestealer
Score
10/10

behavioral17

zeppelinransomware
Score
10/10

behavioral18

chaosneshtadefense_evasionevasionexecutionimpactpersistenceransomwarespywarestealer
Score
10/10

behavioral19

chaosransomwarespywarestealer
Score
10/10

behavioral20

Score
3/10

behavioral21

persistenceransomware
Score
7/10

behavioral22

gandcrabbackdoorransomware
Score
10/10

behavioral23

chaosdefense_evasionevasionexecutionimpactpersistenceransomwarespywarestealer
Score
10/10

behavioral24

chaosdefense_evasionevasionexecutionimpactpersistenceransomwarespywarestealer
Score
10/10

behavioral25

defense_evasionexecutionimpactransomware
Score
10/10

behavioral26

chaosneshtadefense_evasionevasionexecutionimpactpersistenceransomwarespywarestealer
Score
10/10

behavioral27

mafiaware666ransomware
Score
10/10

behavioral28

chaosdefense_evasionevasionexecutionimpactransomwarespywarestealer
Score
10/10

behavioral29

evasionexecutionpersistence
Score
10/10

behavioral30

defense_evasionevasionexecutionimpactpersistenceransomwaretrojan
Score
10/10

behavioral31

chaosransomwarespywarestealer
Score
10/10

behavioral32

chaosdefense_evasionevasionexecutionimpactransomwarespywarestealer
Score
10/10