General

  • Target

    2dd3144ab294d675eae0290d5b2d385d4d7ddb36e0450b982358a1519ba19fb4.exe

  • Size

    6.3MB

  • Sample

    250107-sxcb9sxjaw

  • MD5

    95be77dac172c472cba318f9876ec444

  • SHA1

    e24fc0a73ff5675a33de6bf033b65fa4b139d85a

  • SHA256

    2dd3144ab294d675eae0290d5b2d385d4d7ddb36e0450b982358a1519ba19fb4

  • SHA512

    4eeefdd69073f33d7369e52a306e812178365322ce26573331c9bfe9b60935e87b1a10b754df7159d87f1767ac945183b178923a53e21b7a5808e31e2af5a0a0

  • SSDEEP

    49152:31WDsGsL5TCvRc46CCGZuoKzzkvhctESbe7t0G8IfPIu3GTJ:

Malware Config

Extracted

Path

C:\ProgramData\Adobe\Updater6\read_it.txt

Ransom Note
Don't worry, you can return all your files! All your files like documents, photos, databases and other important files have been encrypted with military-grade encryption.
What guarantees do we give you? You can send 3 of your encrypted files and we will decrypt them for free.
You must follow these steps to decrypt your files:
1) Write on our telegram: @RansowHacking
2) Get Bitcoin (you must pay for decryption in any cryptocurrency below: After paying the amount of 500usdt, we will send you the tool that will decrypt all your files.)
BTC: bc1qngsfpztnqlvs2jktxdkh53j5mgrty3s003tas5
ETH: 0x75427fC1b7830528748F914951bBF1D6403d072e
XMR: 0x082b5a11e1c727F6be2A4a3c1028cD6797370786
TRC20: TB5nxv8hUKRvpfeHjgnNaCEbwXfja73gMb
============================ {PT-BT}==============================
Don't worry, you can get all your files back! All your files such as documents, photos, databases and other important files have been encrypted with military-grade encryption.
What guarantees do we give you? You can send 3 of your encrypted files and we will decrypt them for free.
You must follow these steps to decrypt your files:
1) Write to our telegram: @RansowHacking
2) Get Bitcoin (you must pay for decryption in any cryptocurrency below: After payment of the amount of 500usdt, we will send you the tool that will decrypt all your files.)
BTC: bc1qngsfpztnqlvs2jktxdkh53j5mgrty3s003tas5
ETH: 0x75427fC1b7830528748F914951bBF1D6403d072e
XMR: 0x082b5a11e1c727F6be2A4a3c1028cD6797370786
TRC20: TB5nxv8hUKRvpfeHjgnNaCEbwXfja73gMb

Targets

    • Target

      2dd3144ab294d675eae0290d5b2d385d4d7ddb36e0450b982358a1519ba19fb4.exe

    • Size

      6.3MB

    • MD5

      95be77dac172c472cba318f9876ec444

    • SHA1

      e24fc0a73ff5675a33de6bf033b65fa4b139d85a

    • SHA256

      2dd3144ab294d675eae0290d5b2d385d4d7ddb36e0450b982358a1519ba19fb4

    • SHA512

      4eeefdd69073f33d7369e52a306e812178365322ce26573331c9bfe9b60935e87b1a10b754df7159d87f1767ac945183b178923a53e21b7a5808e31e2af5a0a0

    • SSDEEP

      49152:31WDsGsL5TCvRc46CCGZuoKzzkvhctESbe7t0G8IfPIu3GTJ:

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Chaos family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (184) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks