General

  • Target

    TestServer.exe

  • Size

    107KB

  • Sample

    241119-c8ry4aygjb

  • MD5

    c133ce6541688d84cfb35186fa8ad88f

  • SHA1

    67d7c34ce8548ffcd1ec4f8608beba7a06b1fb0b

  • SHA256

    9b74a10d6efbf33d56285505ae702947ea333447bfc583537f14018569b62ea6

  • SHA512

    81efaf9f3b580ec37d5237663cca2f0ef8d9683304ee9a679da6be2c30961adad8c7bb38b64b0f1fbd4163667927871e912e0b669de2796cb14c370ea5707d50

  • SSDEEP

    384:N3Mg/bqo2W4fSpJpMDKw/+988Jrr91CvpQHACQIdQepRsva46eLrTH+33M3zJ1oL:3qo2apMDN/NUrr9Ip5epij

Malware Config

Targets

    • Target

      TestServer.exe

    • Size

      107KB

    • MD5

      c133ce6541688d84cfb35186fa8ad88f

    • SHA1

      67d7c34ce8548ffcd1ec4f8608beba7a06b1fb0b

    • SHA256

      9b74a10d6efbf33d56285505ae702947ea333447bfc583537f14018569b62ea6

    • SHA512

      81efaf9f3b580ec37d5237663cca2f0ef8d9683304ee9a679da6be2c30961adad8c7bb38b64b0f1fbd4163667927871e912e0b669de2796cb14c370ea5707d50

    • SSDEEP

      384:N3Mg/bqo2W4fSpJpMDKw/+988Jrr91CvpQHACQIdQepRsva46eLrTH+33M3zJ1oL:3qo2apMDN/NUrr9Ip5epij

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Chaos family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks