Overview
overview
10Static
static
100778d2ae60...93.exe
windows10-2004-x64
102005110ee8...24.exe
windows10-2004-x64
10290072a9e1...51.exe
windows10-2004-x64
103998d0e987...7f.exe
windows10-2004-x64
10435844f4e1...2b.exe
windows10-2004-x64
3495fbfecbc...72.exe
windows10-2004-x64
1542c157186...88.exe
windows10-2004-x64
10561d7f0505...35.exe
windows10-2004-x64
10617364875d...bb.exe
windows10-2004-x64
36312ac9176...d8.exe
windows10-2004-x64
1063545fa195...8a.exe
windows10-2004-x64
106555038a04...42.exe
windows10-2004-x64
10677393ff5e...59.exe
windows10-2004-x64
1680caf0e30...75.exe
windows10-2004-x64
1070192d461c...8b.exe
windows10-2004-x64
376199c2662...6d.exe
windows10-2004-x64
38727091cbb...44.exe
windows10-2004-x64
1091450f9e8a...dc.exe
windows10-2004-x64
993386ea79c...b9.exe
windows10-2004-x64
6942bc9e43e...7c.exe
windows10-2004-x64
10ac7a29cb82...b8.exe
windows10-2004-x64
10baa851154b...1f.exe
windows10-2004-x64
10bb5ca9d8de...69.exe
windows10-2004-x64
10c15e2ffa84...07.exe
windows10-2004-x64
10c743ba0861...26.exe
windows10-2004-x64
cfda742c2d...e5.exe
windows10-2004-x64
10d1d74ec103...34.exe
windows10-2004-x64
1d765e722e2...b9.exe
windows10-2004-x64
10daa41f5230...de.exe
windows10-2004-x64
9ed12ea76d0...0a.exe
windows10-2004-x64
10f062577b68...e0.exe
windows10-2004-x64
10f244a04265...35.exe
windows10-2004-x64
10General
-
Target
New fol76der (2).7z
-
Size
13.9MB
-
Sample
240713-lxcvgawdmn
-
MD5
98ceaf94ea13b449faa32b08b1b7ae12
-
SHA1
746943a01e944ec3d80e469d3f17307194e972ee
-
SHA256
0d9fcb8894240750cb5e4222ea78572aba6618eb5297c2069588ceb979d52d8b
-
SHA512
d463c4ed99b7b687ad7fabeb8d4da68042cc1d495cc558fb5c8548efd19b1cae5b733192899de9dcb67417ca5bef3349945cef6e6fa9748d3f739a5f973bf05f
-
SSDEEP
393216:nUwf43Cv30IES/FQeIrZ8ozAxcY04KZ7ZwMFniW:NbcQTILscY/KZ7biW
Behavioral task
behavioral1
Sample
0778d2ae6074545731b471360877b58c89ba0aaca6a0ffdb25694340c910cc93.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral2
Sample
2005110ee806a4fb40e00fe6c76af3527e3d66cd828723ee39529942812b8924.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral3
Sample
290072a9e1cf3872487cf586a592be534abc894d20ffd1121fe8338f1b52b451.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral4
Sample
3998d0e987accc2837c6bf87fdb2796d0170ae2a79383b78fd778531410e337f.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral5
Sample
435844f4e1a57fbfa40edf039ac0b29fab6c4115adbaba2ff2907c921a6aac2b.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral6
Sample
495fbfecbcadb103389cc33828db139fa6d66bece479c7f70279834051412d72.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral7
Sample
542c157186bae766dd3e2df424e9c25251d71086b99cc9df121bc9bf50462688.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral8
Sample
561d7f05055800d3eb9d9e150969e2c84a71dc82a362fb3e1a224af420e53b35.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral9
Sample
617364875d331ab132bac1e63fb9b5a00ac5a33a22b93749dd6ee384ed435dbb.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral10
Sample
6312ac91761037de7a7afc7323671a004db71b31a69499178437bdf939fa9dd8.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral11
Sample
63545fa195488ff51955f09833332b9660d18f8afb16bdf579134661962e548a.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral12
Sample
6555038a04997404d48cf866ebb81f134082ef1613408779cf2a589068312a42.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral13
Sample
677393ff5efc9f6f050b4b5ed62579f2f050eeec53e7a17cb51c31c148546f59.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral14
Sample
680caf0e30b204544971d053b635ed0e3f1dee3332d9eab8a08b3f04cd7ecd75.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral15
Sample
70192d461c98da3d6d9734663dfee8d121b2739e9868f28b1fa67794ba3c9a8b.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral16
Sample
76199c26622c58fa0a22355d710ef06d86e3cce56def3d9a3c38ea395e48066d.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral17
Sample
8727091cbb89e5e31eeb2503ffaa242601c8840eee0973fd62fedf1b4b58ab44.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral18
Sample
91450f9e8aeb0361867cdefc0bb7e5bad8941b5081db549d34a91072df4db5dc.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral19
Sample
93386ea79c58a95c033e66da99d155264f0028a43973a9a4496f3fc8c89db0b9.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral20
Sample
942bc9e43e40e01694365aced2331634257727783353c7d49d940abcc215a17c.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral21
Sample
ac7a29cb82b7b3e50d8aaa0da5e431f0b466de07dad241e5b6090cf71963e3b8.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral22
Sample
baa851154b7492b20ea71c068f77e7e2b91d347fb97e5e05999af153e3fd0f1f.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral23
Sample
bb5ca9d8de51734dbd14dc081c7c892d819cd14fafd7ccd62849d70f9e679369.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral24
Sample
c15e2ffa84d30fa17e9c61c19cde98b22ac6e259ec16b68a9927bed13a0aec07.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral25
Sample
c743ba08610d442531bb897a35748ba6fe897e730cea6e29377ba21141901326.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral26
Sample
cfda742c2de7706171af64a89806656a107069e1677aa4ce0583e696f954fde5.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral27
Sample
d1d74ec1039ff5aab99faf99bf70fb07f6b4c763a0c2fbc08b702ec9dcb03834.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral28
Sample
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral29
Sample
daa41f52309815eff99483c87788bfb56b8576f15eaad42cd5b06bb3cf0cccde.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral30
Sample
ed12ea76d03b8255f361975cebd5c579491dacc60c52e03373e7bf509523820a.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral31
Sample
f062577b6879fb42fbf7fef1c2a21f96d4d372f1424c1c77f255d13fb60bfae0.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral32
Sample
f244a04265405ae8295551a1324c6dc3162d611b4a152658096d675a31a57d35.exe
Resource
win10v2004-20240709-en
Malware Config
Extracted
quasar
-
reconnect_delay
3000
Extracted
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\C68DE18F-1307-4A05-B9C1-59F89A4D8AE4\SkynetData.txt
Extracted
C:\RESTORE_FILES_INFO.txt
Extracted
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
Extracted
quasar
1.4.0.0
Office04
67.213.221.18:7812
KFoYp486ql6lO6U0qI
-
encryption_key
OtItMK9boIZNOQTejUzg
-
install_name
Windows Security.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Update
-
subdirectory
Windows Services
Extracted
C:\Users\Admin\Documents\PLEASEREAD.txt
Extracted
C:\Users\Admin\Documents\read_it.txt
Extracted
C:\Users\Admin\Desktop\read_it.txt
chaos
Extracted
C:\Users\Admin\Desktop\read_me.txt
chaos
Targets
-
-
Target
0778d2ae6074545731b471360877b58c89ba0aaca6a0ffdb25694340c910cc93.exe
-
Size
328KB
-
MD5
b00f66d6e5f0c0daa86a03f1106920f8
-
SHA1
f7444b3934ce61c65c658a06c3a98aa9f08729e6
-
SHA256
0778d2ae6074545731b471360877b58c89ba0aaca6a0ffdb25694340c910cc93
-
SHA512
da18b638ec68a706a92d06551eed74afaa9da3a3d1f7e11361b50413c06b26fd5df862fb36a8e4290c3a8dead12fcfb8692d2a0e667bcf3355a614efdc9a0899
-
SSDEEP
6144:eGEjbL0hiIO18+LDCvzCnQHw67feMv8KiPuTL94:eZJIOG+vCvnJ8tPuF4
-
Chaos Ransomware
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Disables Task Manager via registry modification
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
2005110ee806a4fb40e00fe6c76af3527e3d66cd828723ee39529942812b8924.exe
-
Size
1.9MB
-
MD5
f0fd67c94f25de71c2fcdff4af0d2889
-
SHA1
2f4884f4e241d0bda353dc074ea1752e0b79af8c
-
SHA256
2005110ee806a4fb40e00fe6c76af3527e3d66cd828723ee39529942812b8924
-
SHA512
13986923eaef12dcbe1a0ce71ca47829ab1209df761c077c83981685fa61d01320372fb9a68d5b6622b597f443dccb125a2033aaf82857c873b1ec2b3e5ebdb0
-
SSDEEP
24576:6SndG2iSNjN2w9Os9cRfO/d8mT6c6aVqwPhUMelv1:/fJqsgXmgyJP
-
Chaos Ransomware
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
Sets desktop wallpaper using registry
-
-
-
Target
290072a9e1cf3872487cf586a592be534abc894d20ffd1121fe8338f1b52b451.exe
-
Size
3.8MB
-
MD5
3566f930e73eacee6933e672c1085d98
-
SHA1
d6c5408fabbf943721946073c80049c3c65f8c8d
-
SHA256
290072a9e1cf3872487cf586a592be534abc894d20ffd1121fe8338f1b52b451
-
SHA512
09e5edcc5fe7a8e6dac63690eb1c8674541993c5a10130db7ed3cee90d802705dc07a0b13612c6326b9462145dcac35e136b12555096e0ee8577e00c3aab69af
-
SSDEEP
24576:TbnWYoXXBzGmL53TaX+vnyuNMOCig82RfVL0K1RWLghaPZUwB74amJl4aOLW6u3r:/W3XXBzhaWBq8Yy8kZmzJ/m
-
Chaos Ransomware
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
Sets desktop wallpaper using registry
-
-
-
Target
3998d0e987accc2837c6bf87fdb2796d0170ae2a79383b78fd778531410e337f.exe
-
Size
153KB
-
MD5
4c19104c6df0817095be0846b1607de6
-
SHA1
ae3bf7a043cb10e8b206261af6af1558fc3d518b
-
SHA256
3998d0e987accc2837c6bf87fdb2796d0170ae2a79383b78fd778531410e337f
-
SHA512
d1ac86c12068192fe1dafd16a6c73e1dbabf0be5ca8c59ba3eeb6290c6061a207c0f91b77f42b190d4f8ebdee4a33a7dc596c7883c451cb039c3c2a0f37e8e4c
-
SSDEEP
3072:o3kkKmAr9iVE3E04sMsXVpBWwLJwvkywY2ZDja9eIBdvhGkJJ9QuxIMb68J5K:y8r9it04XYVBIkNYcaeUvkkD9QRMb6
-
Chaos Ransomware
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
Sets desktop wallpaper using registry
-
-
-
Target
435844f4e1a57fbfa40edf039ac0b29fab6c4115adbaba2ff2907c921a6aac2b.exe
-
Size
1.1MB
-
MD5
75ad544ceac0f47859e0f5417b950889
-
SHA1
5e4976f34abe798ec40087d4a4831e60040cd7dc
-
SHA256
435844f4e1a57fbfa40edf039ac0b29fab6c4115adbaba2ff2907c921a6aac2b
-
SHA512
cd9b17097d4f3d878966ef3f6f8269db3cf96ae517d593b3521761de4ee0fc3b8c8a2e1f603b90ffe73f6426bd5648f9d2f0dbecf6904f96568909745cb9db95
-
SSDEEP
24576:BiIxSqmMEiPPHxXaUHtauiIxLmKPPH3paUS:NSqmKPvxqUHIOLmKPvgUS
Score3/10 -
-
-
Target
495fbfecbcadb103389cc33828db139fa6d66bece479c7f70279834051412d72.exe
-
Size
2.6MB
-
MD5
9756b1c7d0001100fdde3efefb7e086f
-
SHA1
55de88118fe8abefb29dec765df7f78785908621
-
SHA256
495fbfecbcadb103389cc33828db139fa6d66bece479c7f70279834051412d72
-
SHA512
d9497cd0af40cc3149db52aee1ba333e8261232ff00e6e7208eaac639fba533d6931828823c3c3211bddf083260904d77d595d877070eb218075b1f631e13f07
-
SSDEEP
49152:kNJLuf3HJrb/TfvO90d7HjmAFd4A64nsfJjogr1n3wSmZD1UCu5ErgXpS/IXF+9c:Tf3SvEoDY95e
Score1/10 -
-
-
Target
542c157186bae766dd3e2df424e9c25251d71086b99cc9df121bc9bf50462688.exe
-
Size
341KB
-
MD5
ffdefa247d3bb4429558e8b334f4f2ae
-
SHA1
af9f3af31889b55552a5721244184d0a115be74c
-
SHA256
542c157186bae766dd3e2df424e9c25251d71086b99cc9df121bc9bf50462688
-
SHA512
0f4b5534179a690bbaa5333fbf4b11e881d2b60c37f3ade95ebf6b481bbf58b76a17bf4945883babadd8b5b9681c4710ddb2ab4380cd27cf73430e8609d0b9d7
-
SSDEEP
6144:Drbwc9N+fwvDIK9LpXXXXXXXXXXXXXXXXQGuFFM5:dWwbLpXXXXXXXXXXXXXXXX5uw5
-
Chaos Ransomware
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (195) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Disables Task Manager via registry modification
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
Sets desktop wallpaper using registry
-
-
-
Target
561d7f05055800d3eb9d9e150969e2c84a71dc82a362fb3e1a224af420e53b35.exe
-
Size
240KB
-
MD5
66e01e1ac0e274c1b4d909e70668a6ad
-
SHA1
fe5a8fa628bbf960010c28625aa58e87d2800978
-
SHA256
561d7f05055800d3eb9d9e150969e2c84a71dc82a362fb3e1a224af420e53b35
-
SHA512
39ebdc7542e255ca9f47d9730fa2fc36e29719a84894522c71a5dcfc9da757563b1b47e3d72ab58db94cfe11d3efc37046f833ce5c03b3f0f3ac309eadc39474
-
SSDEEP
3072:Rmrhm1eibcR+uiUg6p4FLlG4tlL/+mmCSHFZxoHEo3m:REgoZiZhLlG4immCm
Score10/10-
Sets desktop wallpaper using registry
-
-
-
Target
617364875d331ab132bac1e63fb9b5a00ac5a33a22b93749dd6ee384ed435dbb.exe
-
Size
304KB
-
MD5
b634be3c5eb62c87ebbf90f655581e96
-
SHA1
089c2c51a4768925cf5dd0e88726d8a88e861795
-
SHA256
617364875d331ab132bac1e63fb9b5a00ac5a33a22b93749dd6ee384ed435dbb
-
SHA512
090e9dbd685b31818a0a157b042d042e519a43008e4b94ddacf479b34c3c24de7b938a8baf51a8bc0bb3a11a6852ca6ad95988b75c77fa82aef30f7fd8e062fe
-
SSDEEP
3072:6SuVNqRgZRUA0S9tRtd6V+h8Rtt05NkkbjyGez1c:6SaNFZRdnxS++rt07kkbmt+
Score3/10 -
-
-
Target
6312ac91761037de7a7afc7323671a004db71b31a69499178437bdf939fa9dd8.exe
-
Size
400KB
-
MD5
47e14a46326791625b67704d4329bed6
-
SHA1
01e0e607678a36d8e7e23d1fb11f8d7aa2c20581
-
SHA256
6312ac91761037de7a7afc7323671a004db71b31a69499178437bdf939fa9dd8
-
SHA512
e979fb4537a7fadbc6583a5cd537ce533111ea4a596bd8486b9fbf551ed7b390271a6218ccf71cd052d4270c1fe1957ec0aae4527c9613a0cdbc0e24641a19a2
-
SSDEEP
6144:cMr9/U806q0jnjCyc1rIGruapfd7ggZqLuID/pFZwVZ3j:a806qwjCycpIGRpfd8cqCITpFZwD3
-
Chaos Ransomware
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
Sets desktop wallpaper using registry
-
-
-
Target
63545fa195488ff51955f09833332b9660d18f8afb16bdf579134661962e548a.exe
-
Size
390KB
-
MD5
5b7e6e352bacc93f7b80bc968b6ea493
-
SHA1
e686139d5ed8528117ba6ca68fe415e4fb02f2be
-
SHA256
63545fa195488ff51955f09833332b9660d18f8afb16bdf579134661962e548a
-
SHA512
9d24af0cb00fb8a5e61e9d19cd603b5541a22ae6229c2acf498447e0e7d4145fee25c8ab9d5d5f18f554e6cbf8ca56b7ca3144e726d7dfd64076a42a25b3dfb6
-
SSDEEP
12288:ef/X4NTS/x9jNG+w+9OqFoK323qdQYKU3:EXATS/x9jNg+95vdQa
Score10/10-
mimikatz is an open source tool to dump credentials on Windows
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
-
-
Target
6555038a04997404d48cf866ebb81f134082ef1613408779cf2a589068312a42.exe
-
Size
97KB
-
MD5
b5de1cca5ec8047847717b01c268509a
-
SHA1
c463d7aa1e69a591ef75db3f0e4b08dcc2901c1e
-
SHA256
6555038a04997404d48cf866ebb81f134082ef1613408779cf2a589068312a42
-
SHA512
a28cc345e4cbff344ec0aef7cdfe231ae9b1ac3f99a5dae6d9aa3f807fe3da9cf64b826bf1b72f3a697a13089d8370d42dbd60ea79e1a0469508647185dd80c9
-
SSDEEP
3072:YrnY2lU8KdD5/Ut6VToG9o+8DtRzpytcpRf9EI4Ixe:/fNdO7f9T4Ix
-
Renames multiple (193) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Modifies file permissions
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
677393ff5efc9f6f050b4b5ed62579f2f050eeec53e7a17cb51c31c148546f59.exe
-
Size
426KB
-
MD5
b532d352685523141305fa9135192256
-
SHA1
fa0e364afa99bca61d747e23a04eddc5b10ffdb2
-
SHA256
677393ff5efc9f6f050b4b5ed62579f2f050eeec53e7a17cb51c31c148546f59
-
SHA512
16fd0ff50df7aefed9ebb4e221b86bd72e6e73c9b761216f37f7c26d328ca577e58d70e68b249cfe873e6073a5d258bcb4a88d4214bade8817de9b7376e09eda
-
SSDEEP
6144:LL0IMdpqDpE9TWvZqtMNXzhTqm8jjyhNYIa/19zTD8WGLA+m4dZvR5SE+v8BW5:LfrDp6TgZqtklvNiHPD8WS8yBb8
Score1/10 -
-
-
Target
680caf0e30b204544971d053b635ed0e3f1dee3332d9eab8a08b3f04cd7ecd75.exe
-
Size
439KB
-
MD5
8f808bb54b422500304dfc68b87198fc
-
SHA1
24ebeb615f0bdcaa3980722100d6fc42111b62ec
-
SHA256
680caf0e30b204544971d053b635ed0e3f1dee3332d9eab8a08b3f04cd7ecd75
-
SHA512
46ce4cde81607819e360b0efc424c4b5602c7515661a88e6a0d66cd9e88dcc68219f0a85200e6c40cc34bcac0e5ab652e6db4b4b1c1b913ad351061dae880e99
-
SSDEEP
6144:vwLRSjIXAnZQel5w7T4P5Kq+SMv0VGb7bDcllbkuVB8:v/4AZrg7g9zVGkllbko
-
Quasar payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
70192d461c98da3d6d9734663dfee8d121b2739e9868f28b1fa67794ba3c9a8b.exe
-
Size
155KB
-
MD5
179b38c276e09d3b8a79854ba7232094
-
SHA1
bc218f468367b4cf127b10a02d2a62f28f35216a
-
SHA256
70192d461c98da3d6d9734663dfee8d121b2739e9868f28b1fa67794ba3c9a8b
-
SHA512
367c52c5f8ed2166f3d1e6edf564feefa50f46b8bbdbe1b3ab7007eec02db9d4a806e2f32757ea349a86fded9d4586ff0ae5c8e2403f2ace84083dc05253fad7
-
SSDEEP
3072:S5K/B0toLQSNJwlxwsx89TSdBgjMqqDL2/TOKyRG:ScytwtLTTSdBgQqqDL6SKN
Score3/10 -
-
-
Target
76199c26622c58fa0a22355d710ef06d86e3cce56def3d9a3c38ea395e48066d.exe
-
Size
362KB
-
MD5
e52021298206c71590c27392abb94691
-
SHA1
9f9dbed14bee77d30afe99fc7a395259a9cded27
-
SHA256
76199c26622c58fa0a22355d710ef06d86e3cce56def3d9a3c38ea395e48066d
-
SHA512
50408bf9c4276a4683a1e8bcbea142347dd82b20c21398c16391203dbb68094cb9198e9a9dc68bac7f81c54c27b71b1f0aa2478db1af339e4e1cc3dc7c7a7667
-
SSDEEP
6144:xii9gD+iITRy1fGN/ekNymaSszzRm663xjxc6BN/47Ar68SdQtqcK7:Hgi/GfGpJCR+3547Ar6tdb/
Score3/10 -
-
-
Target
8727091cbb89e5e31eeb2503ffaa242601c8840eee0973fd62fedf1b4b58ab44.exe
-
Size
953KB
-
MD5
adb3dde4a25e596c16ced4cdfc6ff8dd
-
SHA1
7934e6bc9489933c0af8dfe7bdff482fc6759bdc
-
SHA256
8727091cbb89e5e31eeb2503ffaa242601c8840eee0973fd62fedf1b4b58ab44
-
SHA512
f14c27892ed4d11bdd46a130abc7fa40ae8c4577bcd45c3af7c5928b82f27c3646b906fda880e5c9df623071edaab8de82fd46af8f3194f33d7d46c2c3d1d587
-
SSDEEP
12288:vEPMLC814R2hig4tHkg2W+AU+R2TjsPvEpv8LpgUO4EP3SL98l0zmWHQuTwYzzjc:/ztQE1ov2AZ9HjkftWy3P
-
Chaos Ransomware
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (178) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
Sets desktop wallpaper using registry
-
-
-
Target
91450f9e8aeb0361867cdefc0bb7e5bad8941b5081db549d34a91072df4db5dc.exe
-
Size
53KB
-
MD5
c5b0f786fe68a4312307535890ba01e4
-
SHA1
ca15010a195cdfdf0af95f2c2543930311142994
-
SHA256
91450f9e8aeb0361867cdefc0bb7e5bad8941b5081db549d34a91072df4db5dc
-
SHA512
b510164ff1c47c198945ab51d8fa2b9d77ebf44b817286c031514554273f7b7d82a85f8932c2b33bd564e7a86277f056689cd33603b5b1d52a37c39dad6b8b55
-
SSDEEP
1536:zNPTkHhFRy2/NSTEj1FVl1Ft9N1FVl1FVFS0TztlY27VqmSVzyqYvd0bRPp24dfv:hIHhFR//NSTXYztlY27VqmSVzyqYvd0j
Score9/10-
Renames multiple (87) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
-
-
Target
93386ea79c58a95c033e66da99d155264f0028a43973a9a4496f3fc8c89db0b9.exe
-
Size
361KB
-
MD5
7be37dff77a6257da2b430ab7c483612
-
SHA1
028356262caa0076adb3c0a0ad87e4418d386ec8
-
SHA256
93386ea79c58a95c033e66da99d155264f0028a43973a9a4496f3fc8c89db0b9
-
SHA512
09dae1c1cb5b07dd4099d21db53f3d08a5ac354777086e666bd872532a37539a67455c35768e78cfc4e181f03bd67ba546aace35d2b50c7aa68a2433c317634a
-
SSDEEP
3072:6pbgo3vg+rJrkQVOUPrxLExK08A+MQ20AFHxH32Hdxkq51:Ubf3vg+rOgOyrNEI3AxQUHK
Score6/10-
Legitimate hosting services abused for malware hosting/C2
-
-
-
Target
942bc9e43e40e01694365aced2331634257727783353c7d49d940abcc215a17c.exe
-
Size
286KB
-
MD5
ca1c3c08b1291ee31fb47f039ad08129
-
SHA1
629446ad19eb04f6edb8c576bf007facf4ff249c
-
SHA256
942bc9e43e40e01694365aced2331634257727783353c7d49d940abcc215a17c
-
SHA512
e1b49a9738d44666dd93f248844e6bfb331db16c171f05af8333852a99e9c335c527effab61e8de796bed9d9199dfccc9c8f0199fc0eb5998eec9e758bb272fa
-
SSDEEP
384:123MLWHn3kIt/F6Y0p9dpTWJpr91CznHZN0eNQ6Jki2xC5:En3kIX6rp9j+pr9inHD0eNh5
Score10/10-
Chaos Ransomware
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
-
-
Target
ac7a29cb82b7b3e50d8aaa0da5e431f0b466de07dad241e5b6090cf71963e3b8.exe
-
Size
325KB
-
MD5
9a4827a78e363d84ea0e334e842ab039
-
SHA1
a0d222d2fd9cf90a47a134ef571232ee482a45f7
-
SHA256
ac7a29cb82b7b3e50d8aaa0da5e431f0b466de07dad241e5b6090cf71963e3b8
-
SHA512
0f20fbf72e254155f0b2403488f5d8262c98138335380f3267afed6b79b91f2c9198924853dccb5b60bc9075876a700e12fc7b8509075bdb3b13776d3514ad0c
-
SSDEEP
6144:9dCr9fPhxhdsVFGEeRJk8nrKfQhCd/hAxno0yu:TEhxbsVFGEeRJk8mQE7Axqu
-
Chaos Ransomware
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (217) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
Sets desktop wallpaper using registry
-
-
-
Target
baa851154b7492b20ea71c068f77e7e2b91d347fb97e5e05999af153e3fd0f1f.exe
-
Size
35KB
-
MD5
d7a77d7d1657b93fc7270895e86dff74
-
SHA1
700448723acc915ad6ec8d7f9009f9305f642818
-
SHA256
baa851154b7492b20ea71c068f77e7e2b91d347fb97e5e05999af153e3fd0f1f
-
SHA512
7d90dff4e81e8ad2dcb75c5ac58f875a332e62db9654d89261013007c5211f5a4dcf208fda5e13f1d5220e179cd557cf8212314578ec03691a3b0dfb6843137b
-
SSDEEP
768:sn3kIE69pYIlfr9ixbceEz0pmc+33t7gG:a3kIr3fr9ivEzog39
Score10/10-
Chaos Ransomware
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
-
-
Target
bb5ca9d8de51734dbd14dc081c7c892d819cd14fafd7ccd62849d70f9e679369.exe
-
Size
205KB
-
MD5
62e53bc5aa5f2a70a54e328bff51505f
-
SHA1
e7deceee97a09d539d81eb91f988ece5e2a2ff51
-
SHA256
bb5ca9d8de51734dbd14dc081c7c892d819cd14fafd7ccd62849d70f9e679369
-
SHA512
a676dd284188271be1760ed1edd3320341713662aba1c615481f256007e614e58756a7b6a565beed777230c2ae829c561e3bf3510921ad6495d3776cfdfaa793
-
SSDEEP
6144:+B4mr9NzqHW7V5V9w/UIRZizI1aqebq/lsyp:+B40qHW7nU/pZmiXqy
-
Chaos Ransomware
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (217) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
-
-
Target
c15e2ffa84d30fa17e9c61c19cde98b22ac6e259ec16b68a9927bed13a0aec07.exe
-
Size
89KB
-
MD5
77bd76f4e4b9481432022ab3b10c89c0
-
SHA1
8213a974f617ee9b191e605856e776ab96ff4382
-
SHA256
c15e2ffa84d30fa17e9c61c19cde98b22ac6e259ec16b68a9927bed13a0aec07
-
SHA512
ad30bb25260f959f2d3db823b2ca65b06cdfa6dc5d27527b053e4b5526ed6363519e6fd137c33f53371d8d4df2bcd6ac49aeab2631b106c891db41d0478e70ce
-
SSDEEP
768:yuqo2ptMp1g4+kR7Er9jJxbXeqxSIHTe9dLTdp:yto2ug417Er9jJsqjHs1
-
Chaos Ransomware
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
-
-
Target
c743ba08610d442531bb897a35748ba6fe897e730cea6e29377ba21141901326.exe
-
Size
164KB
-
MD5
a881838937a145cab27e5c9b439a1ff5
-
SHA1
4cac0241e3d0e1636a174134a623a879adb2a86b
-
SHA256
c743ba08610d442531bb897a35748ba6fe897e730cea6e29377ba21141901326
-
SHA512
888a3f2f45cdc81bc766c66079e250100a3d0641883ecbcf2bcf6deec1ad7c7b2d0e96e466a2b64ae5867afb3c75071763b408250f190a60f69f79a502b5c604
-
SSDEEP
1536:muW0xpn7JWWkH7Jx1Q3j1OefTixyvYZKmWuz82HnJq0Wm03O8gOo:s0TIVAJOHxyCKmW12q0WmG4
Score1/10 -
-
-
Target
cfda742c2de7706171af64a89806656a107069e1677aa4ce0583e696f954fde5.exe
-
Size
125KB
-
MD5
a0f62032cb73a15dd8f3d3165e29cbe5
-
SHA1
099e4d118e111e8fdf0d2ad1fba8e62b7edf80f1
-
SHA256
cfda742c2de7706171af64a89806656a107069e1677aa4ce0583e696f954fde5
-
SHA512
96e6ecd312cc6f44091a177865c87ba03ad7009f373195c8a0c73c9fd39030a785c34e80d203d5382082d496e6ccfc9356bea6c30da46ca296ac82a6c071c70e
-
SSDEEP
768:qn3kIQok/p54NwJfKXRu+r9iPe+FdbJVqB+QPE2IikqKs:Q3kInkH42IU+r9i2+F1Jok
Score10/10-
Chaos Ransomware
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
-
-
Target
d1d74ec1039ff5aab99faf99bf70fb07f6b4c763a0c2fbc08b702ec9dcb03834.exe
-
Size
10.9MB
-
MD5
a82df55a03a3dc038985a30f797cef24
-
SHA1
fd30147c88f65ee9c83da7fc98c75c02a2fa7b8f
-
SHA256
d1d74ec1039ff5aab99faf99bf70fb07f6b4c763a0c2fbc08b702ec9dcb03834
-
SHA512
d587cb272e28d8142a1e62fb926637c9b3be348984f17afa390b29fe04c726286de95a2f881b22b187881d2e1a440306306cb91ce16f1cdfb1f6fc5c368194b9
-
SSDEEP
98304:xnwgVIXh9xYacrRyyVyGHAeBSut+aFNnLlPLeqNZ8hY/LKbxabdDkEduupRlQgWm:u/YaolX+aFFLlPKQ8hY/RkQWslX4ge+
Score1/10 -
-
-
Target
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe
-
Size
338KB
-
MD5
04fb36199787f2e3e2135611a38321eb
-
SHA1
65559245709fe98052eb284577f1fd61c01ad20d
-
SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
-
SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444
-
SSDEEP
6144:sWmw0EuCN0pLWgTO3x5N22vWvLRKKAX5l++SybIvC:sWkEuCaNT85I2vCMX5l+ZRv
Score10/10-
Deletes itself
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
daa41f52309815eff99483c87788bfb56b8576f15eaad42cd5b06bb3cf0cccde.exe
-
Size
1.9MB
-
MD5
93d4eb996675019ed856d0b8c5c46515
-
SHA1
a9f67e260a098a55252f0eba7b9333c1cf5b8374
-
SHA256
daa41f52309815eff99483c87788bfb56b8576f15eaad42cd5b06bb3cf0cccde
-
SHA512
518d24574201e262fc31c1ec6ea07af1285ba4f93805e34f9e8cee472376a7cc5f597020dc702ea165c159c5abc6ae91209dce8250f90766ffc3410615cc1e91
-
SSDEEP
24576:tnxLSUXY7WSIGgjlvYaxKMiZA+yH6uw1ECvGX6H7O3YpPNaG:txOUpSIZZv1xim+y6HLOO3
-
Renames multiple (8720) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Possible privilege escalation attempt
-
Deletes itself
-
Executes dropped EXE
-
Modifies file permissions
-
Adds Run key to start application
-
Drops file in System32 directory
-
-
-
Target
ed12ea76d03b8255f361975cebd5c579491dacc60c52e03373e7bf509523820a.exe
-
Size
458KB
-
MD5
72ea584eebe5705ea1fd5a02dbfe86a1
-
SHA1
f6d6cdef7eb41e9c201ee52832036bd8a68d0e44
-
SHA256
ed12ea76d03b8255f361975cebd5c579491dacc60c52e03373e7bf509523820a
-
SHA512
e928592dd7061388957c3f1acc82dfd8e105de486e8cbd4835029f7d302f71dcdcb8d9dfd0b2a5b53fbd2679dcc6f8559487e1e5767d26431fc67348d1f4ab08
-
SSDEEP
12288:GJaHnpS22Yh6Nesa6rZvvihw61SLQkY5Pa1uLkB3gE88uY2:DpSosXaYhVZVMVm2
-
Chaos Ransomware
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
Sets desktop wallpaper using registry
-
-
-
Target
f062577b6879fb42fbf7fef1c2a21f96d4d372f1424c1c77f255d13fb60bfae0.exe
-
Size
205KB
-
MD5
2430019335d88321467e82ab8f51546b
-
SHA1
7d233a893492e0efd4d7e919941325b5d44abeb7
-
SHA256
f062577b6879fb42fbf7fef1c2a21f96d4d372f1424c1c77f255d13fb60bfae0
-
SHA512
6ee56eabe77caf05bde12e9e8fbe97703cccee33cfbe09c38e0a0a397a3f93221751bbcd2ad2261f6a11839ef2741689478578ed3cd9ae2d781c3fffee3c2e7b
-
SSDEEP
6144:+B4Ir9NzqHW7V5V9w/UIRZizI1aqebq/lsyp:+B4uqHW7nU/pZmiXqy
-
Chaos Ransomware
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (237) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
-
-
Target
f244a04265405ae8295551a1324c6dc3162d611b4a152658096d675a31a57d35.exe
-
Size
3.8MB
-
MD5
15995b0b1fc5dd82f1c3ba1b7b40c5d4
-
SHA1
3b6a4a5b8b1107854e35b01cd28b4cce7a003413
-
SHA256
f244a04265405ae8295551a1324c6dc3162d611b4a152658096d675a31a57d35
-
SHA512
4ebe82a5d5d499eab10c9049647283976d95f102b24b2113bd59309ea107fb6cf8671640651e7d7cf13435e516c6d2dcbfe3a2fc8a8ed917398b3d86f6a77781
-
SSDEEP
49152:aApBOr1sU6uEgjhlOCDw8mEFAuYg2OWpTMqBx+fdTmG2Y4MT9ffD+CzKcbmoivTN:
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1File and Directory Permissions Modification
1Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Indicator Removal
3File Deletion
3Modify Registry
4Pre-OS Boot
1Bootkit
1