General

  • Target

    e75c2dd0e0e65646911805705bbef7300f2af8f6086608572f6a665667558a3a

  • Size

    337KB

  • Sample

    241021-e35dcaybmd

  • MD5

    38bc06d7e66386671deb9829275b262f

  • SHA1

    32fbedbb51026b46ce5d1397289f31f18385a1c0

  • SHA256

    e75c2dd0e0e65646911805705bbef7300f2af8f6086608572f6a665667558a3a

  • SHA512

    c7019f0888c91cbd7ad287bfd41203af0cd4d2e68a093700f3dbf442a437bb8236ffb146e3d1d11e804f5f4471042876e1f3f8eaf6e852c4213b80d45c65176b

  • SSDEEP

    6144:SE+yclwQKjdn+WPtYVJIoBfv2X+t4xWoub:SBdlwHRn+WlYV+W2X+t4xWP

Malware Config

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Ransom Note

All of your files have been stolen and encrypted. in a nutshell you're Hacked You can try whatever you wanna try but don't modify the files, they'll be damaged and impossible to decrypt. it's nothing personal, it's all about money. have a great day.

Payment information

Non payment will result in your data being published. YOU HAVE 7 DAYS, AFTER 3 DAYS THE MONEY DOUBLES.

Bitcoin Address: bc1qpn32q8a3jykzpfnrv6crqulk7wguaryhxzadqa

You must contact us using Tox messenger, download it here> https://tox.chat/download.html. Invite us on Tox, Our Tox ID : EEC1A34EA55C1DBC63D8BCC4779D93BB64FC9036C82210467DEB1948A3ABC2248CE1CAB7A181

You need contact us and decrypt one file for free on TOX messenger with your personal DECRYPTION ID 10212

URLs

https://tox.chat/download.html

Targets

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v15

Tasks