General
-
Target
06f70e1b456e0eb7054e2b341ff9c6feb562e3d584ca127680b9fc6b9cf065f8N.exe
-
Size
308KB
-
Sample
241216-l79besxjdk
-
MD5
726620b8147063804324e16bf7e847b0
-
SHA1
0c4831ee49e3114bfd590dbd77b66890af172869
-
SHA256
06f70e1b456e0eb7054e2b341ff9c6feb562e3d584ca127680b9fc6b9cf065f8
-
SHA512
f907c5afae6b20e4d9d837d9a970b256ae405a88d0fbc5dd391133865fc80e37cdba95c907c9b6009bc2e61bc0182d904622c6b4535776ada90c4f9d0519572e
-
SSDEEP
3072:k12QKc97OFo+p2afIyTBjMnuNjg710OpYVm/+FbN/damWsJ9gUev+Tvx:c2rc9Af2qIuNLiapdz1Jqdv+T
Behavioral task
behavioral1
Sample
06f70e1b456e0eb7054e2b341ff9c6feb562e3d584ca127680b9fc6b9cf065f8N.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
06f70e1b456e0eb7054e2b341ff9c6feb562e3d584ca127680b9fc6b9cf065f8N.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\Decrypt_My_File.txt
https://crynoxaowlkauirfhaaiuefjkebfiaeufaebiefuakbjaiurkjahbfiajkfa.vercel.app/decryptor.html
Targets
-
-
Target
06f70e1b456e0eb7054e2b341ff9c6feb562e3d584ca127680b9fc6b9cf065f8N.exe
-
Size
308KB
-
MD5
726620b8147063804324e16bf7e847b0
-
SHA1
0c4831ee49e3114bfd590dbd77b66890af172869
-
SHA256
06f70e1b456e0eb7054e2b341ff9c6feb562e3d584ca127680b9fc6b9cf065f8
-
SHA512
f907c5afae6b20e4d9d837d9a970b256ae405a88d0fbc5dd391133865fc80e37cdba95c907c9b6009bc2e61bc0182d904622c6b4535776ada90c4f9d0519572e
-
SSDEEP
3072:k12QKc97OFo+p2afIyTBjMnuNjg710OpYVm/+FbN/damWsJ9gUev+Tvx:c2rc9Af2qIuNLiapdz1Jqdv+T
-
Chaos Ransomware
-
Chaos family
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (210) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Disables Task Manager via registry modification
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v15
Defense Evasion
Direct Volume Access
1Indicator Removal
3File Deletion
3Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1