Resubmissions
06-08-2024 18:34
240806-w74q2szfrg 106-08-2024 18:34
240806-w7wqfazfre 406-08-2024 18:33
240806-w7lv8szfrb 306-08-2024 18:32
240806-w6ltvazfqa 806-08-2024 18:31
240806-w5952szfpd 306-08-2024 18:29
240806-w5c6bazfmf 806-08-2024 18:17
240806-wxa1zswdlm 1006-08-2024 18:16
240806-wwsjmszdkf 306-08-2024 18:15
240806-wvxrzazcre 406-08-2024 18:12
240806-ws6xvszcmd 8General
-
Target
https://download2339.mediafire.com/s7wz84q67jagLz1e-SoTTsvxb-whPzStMkiFdvMm-vbPetC59GD6ICf1x9TDdReEM-cvpMMdVdK8NJPm8Jrv0A1SIeKtdr2SQp_hRQTw2axEFvAncHVLw8-8bbor6oi0Uhuu1PuxluVPcNgK-ITWjDHyOVzOFWGvI-1etXiu9gO7cFc/jmxcdbcpk7ml8ts/RB_scri%27%2B%27pt_install_x64_x32bit.7z
-
Sample
240806-wxa1zswdlm
Malware Config
Targets
-
-
Target
https://download2339.mediafire.com/s7wz84q67jagLz1e-SoTTsvxb-whPzStMkiFdvMm-vbPetC59GD6ICf1x9TDdReEM-cvpMMdVdK8NJPm8Jrv0A1SIeKtdr2SQp_hRQTw2axEFvAncHVLw8-8bbor6oi0Uhuu1PuxluVPcNgK-ITWjDHyOVzOFWGvI-1etXiu9gO7cFc/jmxcdbcpk7ml8ts/RB_scri%27%2B%27pt_install_x64_x32bit.7z
Score10/10-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware
-
UAC bypass
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Deletes backup catalog
Uses wbadmin.exe to inhibit system recovery.
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2JavaScript
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1Impair Defenses
1Disable or Modify Tools
1Indicator Removal
3File Deletion
3Modify Registry
5Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Discovery
Browser Information Discovery
1Peripheral Device Discovery
1Query Registry
4Remote System Discovery
1System Information Discovery
3System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1