chaos

General

Target

operative.exe
Size

1.2MB
Sample

240923-3ethyavdnf
MD5

6a8bc83d53a47a0ec1cc68630f20aae2
SHA1

08fe5f2cf413274173ce6bd4b2c6b6057a81ed77
SHA256

1aeea420fd7ad08f55a074277be26a36a98959a78da830c5ad6cee38c002cdf6
SHA512

e3728db0ee56ee1b899ff49a10ed2aedca9e4df15e6ef8786ad8d5d5bfaf251a18e1d04bf0ca239395d69110375ac479a45e699db8f58d1391b9d7caf9ae49dd
SSDEEP

24576:qGIqWDuqh8ObW465lbXZAeJWBi++fprWhX5jWvKb6YdgCKttD7+4:gRKqKObWpH8i++4hzmYuttfl

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\DECRYPTION INSTRUCTIONS.txt

Ransom Note

All of your files have been encrypted Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.What can I do to get my files back? You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $300. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - https://www.coinmama.com Bitpanda - https://www.bitpanda.com Payment informationAmount: 0.0051 BTC Bitcoin Address: bc1q909n8v9tmhfnh5ptrfjqjum2tp9tuucag6ldvm

URLs

https://www.coinmama.com

https://www.bitpanda.com

Targets

- Target
  
  operative.exe
- Size
  
  1.2MB
- MD5
  
  6a8bc83d53a47a0ec1cc68630f20aae2
- SHA1
  
  08fe5f2cf413274173ce6bd4b2c6b6057a81ed77
- SHA256
  
  1aeea420fd7ad08f55a074277be26a36a98959a78da830c5ad6cee38c002cdf6
- SHA512
  
  e3728db0ee56ee1b899ff49a10ed2aedca9e4df15e6ef8786ad8d5d5bfaf251a18e1d04bf0ca239395d69110375ac479a45e699db8f58d1391b9d7caf9ae49dd
- SSDEEP
  
  24576:qGIqWDuqh8ObW465lbXZAeJWBi++fprWhX5jWvKb6YdgCKttD7+4:gRKqKObWpH8i++4hzmYuttfl
Score

10^/10

chaos defense_evasion discovery evasion execution impact persistence ransomware spyware stealer
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (195) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Disables Task Manager via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2