Resubmissions

15-09-2024 12:50

240915-p3e4kavfmn 10

15-09-2024 10:12

240915-l8y7vaygnm 10

General

  • Target

    Encrypt.exe

  • Size

    1.2MB

  • Sample

    240915-l8y7vaygnm

  • MD5

    8728ba233fcb020a6a2eaabb90df630c

  • SHA1

    c6dc576f2e0423e8a0f36bba51fa7c65e1e281e7

  • SHA256

    b15052d17afc1a01e83cdc0624dd268838237f8cd66fa12c56706bdee8a61286

  • SHA512

    24e494c64647794fc9aa91da6975117d27984b4bb21859dbf0c60faba5b7f0ec26c26ebbe1ad57f185e1d7ecd4b797d530639d287456ac9bc2930a111fd4613a

  • SSDEEP

    24576:GnsJ39LyjbJkQFMhmC+6GD9gbU4+Il2L1ywD:GnsHyjtk2MYC5GD+P6

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\read_it.txt

Ransom Note
Don't worry, you can return all your files! All your files like documents, photos, databases and other important are encrypted What guarantees do we give to you? You can send 3 of your encrypted files and we decrypt it for free. You must follow these steps To decrypt your files : 1) Write on our Number :+66 970417453 ( In case of no answer in 24 hours check your spam folder or write us to this e-mail: [email protected]) 2) Obtain Bitcoin (You have to pay for decryption in Bitcoins. After payment we will send you the tool that will decrypt all your files.)

Targets

    • Target

      Encrypt.exe

    • Size

      1.2MB

    • MD5

      8728ba233fcb020a6a2eaabb90df630c

    • SHA1

      c6dc576f2e0423e8a0f36bba51fa7c65e1e281e7

    • SHA256

      b15052d17afc1a01e83cdc0624dd268838237f8cd66fa12c56706bdee8a61286

    • SHA512

      24e494c64647794fc9aa91da6975117d27984b4bb21859dbf0c60faba5b7f0ec26c26ebbe1ad57f185e1d7ecd4b797d530639d287456ac9bc2930a111fd4613a

    • SSDEEP

      24576:GnsJ39LyjbJkQFMhmC+6GD9gbU4+Il2L1ywD:GnsHyjtk2MYC5GD+P6

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Suspicious Office macro

      Office document equipped with macros.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks