General
-
Target
crynox.exe
-
Size
599KB
-
Sample
241214-p5tpqssncs
-
MD5
f9f3379858516f1ec7c3474dba4cfe13
-
SHA1
2365e729155dad22856e09275cb94369889d4f14
-
SHA256
d36c18499800859f77d6c2462a99b6e5e5e066fff95418dce4d5fdb8d45d0106
-
SHA512
4fcab92050504619a581043023dcbc106a816d1fe134c5f351478295281d08bfc50ab4a77e7c59210aa2bf4b704ffee6b0c27f4d3153703087b86d5a633b2b5b
-
SSDEEP
12288:1Iw6EkPJU2XGyVdEcIf/vbIGSA4Jxv+T:8SJyIP8
Behavioral task
behavioral1
Sample
crynox.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
crynox.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\read_it.txt
https://crynoxaowlkauirfhaaiuefjkebfiaeufaebiefuakbjaiurkjahbfiajkfa.vercel.app/index.html
Targets
-
-
Target
crynox.exe
-
Size
599KB
-
MD5
f9f3379858516f1ec7c3474dba4cfe13
-
SHA1
2365e729155dad22856e09275cb94369889d4f14
-
SHA256
d36c18499800859f77d6c2462a99b6e5e5e066fff95418dce4d5fdb8d45d0106
-
SHA512
4fcab92050504619a581043023dcbc106a816d1fe134c5f351478295281d08bfc50ab4a77e7c59210aa2bf4b704ffee6b0c27f4d3153703087b86d5a633b2b5b
-
SSDEEP
12288:1Iw6EkPJU2XGyVdEcIf/vbIGSA4Jxv+T:8SJyIP8
-
Chaos Ransomware
-
Chaos family
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (203) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Disables Task Manager via registry modification
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v15
Defense Evasion
Direct Volume Access
1Indicator Removal
3File Deletion
3Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1