General
-
Target
tmk.scr
-
Size
538KB
-
Sample
240829-xdyhlsxfjp
-
MD5
f257d37c05d29e725071a900ef49f1c9
-
SHA1
11fa3fc864d53a90cd4ed3c4e3e3aba3c7890fae
-
SHA256
aaf3cf701b06ca873f9fdbf5b4ba33722c6ecea49316a344df35926a45bce1fb
-
SHA512
945ce0d2305183bf5ab19a563259d9f8cf39b115608f254c15e8d29cc542807290975d49b8de344400493f106e23a196a92f0197154719a49d5c3ff684cd8fab
-
SSDEEP
3072:6XpAi2YcRVm16Pn6n0H7GMgXuD//bFLAkC8htEyR/x5Zt19r0d/rFLjZkJ:6XpAiWm16yaGMVFLQmEFFL2
Malware Config
Targets
-
-
Target
tmk.scr
-
Size
538KB
-
MD5
f257d37c05d29e725071a900ef49f1c9
-
SHA1
11fa3fc864d53a90cd4ed3c4e3e3aba3c7890fae
-
SHA256
aaf3cf701b06ca873f9fdbf5b4ba33722c6ecea49316a344df35926a45bce1fb
-
SHA512
945ce0d2305183bf5ab19a563259d9f8cf39b115608f254c15e8d29cc542807290975d49b8de344400493f106e23a196a92f0197154719a49d5c3ff684cd8fab
-
SSDEEP
3072:6XpAi2YcRVm16Pn6n0H7GMgXuD//bFLAkC8htEyR/x5Zt19r0d/rFLjZkJ:6XpAiWm16yaGMVFLQmEFFL2
Score10/10-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Impair Defenses: Safe Mode Boot
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
-
Adds Run key to start application
-
Checks for any installed AV software in registry
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Event Triggered Execution
1Component Object Model Hijacking
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Access Token Manipulation
1Create Process with Token
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Event Triggered Execution
1Component Object Model Hijacking
1Defense Evasion
Access Token Manipulation
1Create Process with Token
1Impair Defenses
2Disable or Modify Tools
1Safe Mode Boot
1Modify Registry
4Pre-OS Boot
1Bootkit
1