Overview

overview

10

Static

static

10

aaaa/enc.exe

windows7-x64

10

aaaa/info.docx

windows7-x64

4

aaaa/wiper.exe

windows7-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Зарядипабратски(!!!!!Вирусяка)_infected.zip

  • Size

    1.7MB

  • Sample

    241023-h8859szcrp

  • MD5

    9bd5551dc72550a01b27bf9d30947acb

  • SHA1

    397e58e72e5987293533c19c644cb28ba1588a15

  • SHA256

    674e91e0c3a04ceb11086fd104774bf5dc9056b2b9804cdf82fa4b8042c22ef6

  • SHA512

    6b059b73a24d5a5b05bf171e2c8b30903542b8fea1b48fa7101f616c5241c4f9e24aa2538161d0b332507cc51fcac44b3d01a025e644195a9a59a9b07cf9deed

  • SSDEEP

    49152:iUsorL9sjKQ8pDp+6R93yjCMbVpdHVJ48F+PbIbXTv/Q8rg+BROwI/F:iCrWxuDQ6R930vXMQ+2Dv/BpTG9

Score
10/10
chaosbootkitdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Targets

    • Target

      aaaa/enc.exe

    • Size

      779KB

    • MD5

      646a228c774409c285c256a8faa49bde

    • SHA1

      e8fd96815fa181b40e3b1597b817c9905df9da59

    • SHA256

      35f7fa926804c2a9a49b25d6709de2d018bc32333df2e51471a69c55cbf072a0

    • SHA512

      7f73a607602e06d8f3126a5fad88c0c7cc8ff58fed28e7840ca47ecf50f575c8d8b751441b4c7ac7aa48e65226c1219c7afa543db9f553bef1173330a3f64c13

    • SSDEEP

      12288:bCyAGey4UN8Pn55NRi9Q2i8xLmLCNWyReZsk0Clrbk68zn2fVCBLhjuxWhn8+klX:juy0cXzVRnjfioO5mX/

    Score
    10/10
    chaosdefense_evasionevasionexecutionimpactpersistenceransomwarespywarestealer

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Disables Task Manager via registry modification

      evasion

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1

    • Target

      aaaa/info.docx

    • Size

      9KB

    • MD5

      ef6a809323b25b2659285678ec36fe11

    • SHA1

      bdfc3482363328091fc8622a0ec7dc9b9c41d887

    • SHA256

      10010fb1bf9dad2ea268165bcb2260254ad9683f0c1868e96fd1473e2902dcd0

    • SHA512

      2958bc972d92ee51f79bdbe5dd890ccb79b822a2502e1b7012e9ee9e14bf17992f2efac0603069cc1127444462cefc9ccf069f3bc71f6ff881c71fba51de93c2

    • SSDEEP

      192:6ILMNhGcBBeNp9Y64ccp7MyqFQvXzmpOIT8wN4lYglv69DqkygyXMY:6+MNhtc9L+JFvapr84AYC6dqkjyXMY

    Score
    4/10
    discovery
    behavioral2

    • Target

      aaaa/wiper.exe

    • Size

      2.4MB

    • MD5

      ed5815ddad8188c198e0e52114173cb6

    • SHA1

      4a0b8c5fac5820a410670c01f41912094d7a5134

    • SHA256

      63a0a75c6b2e4bf8582578a1da1daeeb9d713dafbc2dbb690fefd84fd05994fa

    • SHA512

      fab3129ee8e1aaa19006c09757ef4eb2af4af58eec978ee2ab8a18ae848affc871e522b47d4f59314b15978c88255da9198639f74343f24da2550eff3ff9db3d

    • SSDEEP

      49152:TyKnmL7yc3OaL+rb/TnvO90d7HjmAFd4A64nsfJLSKYgy2YgDgvrAD1GYUI8NEVN:2N3OaFZEEV/eL2

    Score
    6/10
    bootkitpersistence

    • Drops desktop.ini file(s)

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence
    behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Direct Volume Access

1
T1006

Indicator Removal

3
T1070

File Deletion

3
T1070.004

Modify Registry

2
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Defacement

1
T1491

Inhibit System Recovery

4
T1490

Tasks