General
Target: ca69a391adb4ff9a5a8ea9eb892cc610d88ecea1b495dfa4caf727c60dc8262c.exe
Size: 18.5MB
Sample: 240905-b7kyqasara
MD5: 59e4c8cd9cd8b169a7f7a1dfc6c5bffc
SHA1: a6465ab1188bbcfe23c3c81ed4c023235855f05a
SHA256: ca69a391adb4ff9a5a8ea9eb892cc610d88ecea1b495dfa4caf727c60dc8262c
SHA512: 67851f5d64a23291a2b158b589dfc4901da5b7b657a6c381293b3b16d0f65b30f3795e1493d898c924b136b9906a2952887908f1d9c1daf17cded640dffde8ba
SSDEEP: 393216:xLzGo9tdxASne3v0i6E9+3rE0PmtF0CwJcYHJPDl+XFJ1a3MObmrrCq21t1:MFSe/eE9+40PjN6Ypx+Xs3MOQ
Static task: static1
Behavioral task: behavioral1
  Sample: ca69a391adb4ff9a5a8ea9eb892cc610d88ecea1b495dfa4caf727c60dc8262c.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: ca69a391adb4ff9a5a8ea9eb892cc610d88ecea1b495dfa4caf727c60dc8262c.exe
  Resource: win10v2004-20240802-en
Malware Config
Targets
Target: ca69a391adb4ff9a5a8ea9eb892cc610d88ecea1b495dfa4caf727c60dc8262c.exe (size 18.5MB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the values listed under General above)
- Chaos Ransomware
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious access or copy of web browser credential store.
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit
- Renames multiple (176) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Disables Task Manager via registry modification
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files
  Steals credentials from unsecured files.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
- Sets desktop wallpaper using registry
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Direct Volume Access (1)
  Indicator Removal (3)
    File Deletion (3)
  Modify Registry (2)
  Obfuscated Files or Information (1)
    Command Obfuscation (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (3)
    Credentials In Files (3)