Overview

overview

10

Static

static

10

2dd3144ab2...b4.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2dd3144ab294d675eae0290d5b2d385d4d7ddb36e0450b982358a1519ba19fb4.zip

  • Size

    2.3MB

  • Sample

    250125-13a1dssjbw

  • MD5

    e3a7e976ffab74d95fadf15c790f18a9

  • SHA1

    1b126605ab7f85764599c19ec2919efcc617a313

  • SHA256

    369d6eb42c0ce2b287402481762de93116e9beb2331a524941e025083c763b1c

  • SHA512

    445fb39782b11f09f9d1e5e85f186d070e95768b82a9742a682fa0cf4117f7f51e08d8e094015f95ea229384d69b73312983c951aebd3c6ca07a476f3322858c

  • SSDEEP

    49152:1BdFCLuUObygZb0VKvIMcmjMgESqujVzfxfE7kiqSSF9jal:1XFQuUNKi324gESq4zZ87kiqSK9jal

Score
10/10
chaosdefense_evasionevasionexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\read_it.txt

Ransom Note
Don't worry, you can return all your files! All your files like documents, photos, databases and other important files have been encrypted with military-grade encryption. What guarantees do we give you? You can send 3 of your encrypted files and we will decrypt them for free. You must follow these steps to decrypt your files: 1) Write on our telegram: @RansowHacking 2) Get Bitcoin (you must pay for decryption in any cryptocurrency below: After paying the amount of 500usdt, we will send you the tool that will decrypt all your files.) BTC: bc1qngsfpztnqlvs2jktxdkh53j5mgrty3s003tas5 ETH: 0x75427fC1b7830528748F914951bBF1D6403d072e XMR: 0x082b5a11e1c727F6be2A4a3c1028cD6797370786 TRC20: TB5nxv8hUKRvpfeHjgnNaCEbwXfja73gMb ============================ {PT-BT}============================== Não se preocupe, você pode devolver todos os seus arquivos! Todos os seus arquivos como documentos, fotos, bancos de dados e outros arquivos importantes foram criptografados com uma criptografia de nivel militar. Que garantias lhe damos? Você pode enviar 3 de seus arquivos criptografados e nós os descriptografamos gratuitamente. Você deve seguir estas etapas para descriptografar seus arquivos: 1) Escreva em nosso telegram: @RansowHacking 2) Obtenha Bitcoin (você deve pagar pela descriptografia em qualquer criptomoeda abaixo: Após o pagamento do valor de 500usdt, enviaremos a você a ferramenta que irá descriptografar todos os seus arquivos.) BTC: bc1qngsfpztnqlvs2jktxdkh53j5mgrty3s003tas5 ETH: 0x75427fC1b7830528748F914951bBF1D6403d072e XMR: 0x082b5a11e1c727F6be2A4a3c1028cD6797370786 TRC20: TB5nxv8hUKRvpfeHjgnNaCEbwXfja73gMb

Targets

    • Target

      2dd3144ab294d675eae0290d5b2d385d4d7ddb36e0450b982358a1519ba19fb4.exe

    • Size

      6.3MB

    • MD5

      95be77dac172c472cba318f9876ec444

    • SHA1

      e24fc0a73ff5675a33de6bf033b65fa4b139d85a

    • SHA256

      2dd3144ab294d675eae0290d5b2d385d4d7ddb36e0450b982358a1519ba19fb4

    • SHA512

      4eeefdd69073f33d7369e52a306e812178365322ce26573331c9bfe9b60935e87b1a10b754df7159d87f1767ac945183b178923a53e21b7a5808e31e2af5a0a0

    • SSDEEP

      49152:31WDsGsL5TCvRc46CCGZuoKzzkvhctESbe7t0G8IfPIu3GTJ:

    Score
    10/10
    chaosdefense_evasionevasionexecutionimpactpersistenceransomwarespywarestealer

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Chaos family

      chaos

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Renames multiple (184) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Disables Task Manager via registry modification

      defense_evasion

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Direct Volume Access

1
T1006

Indicator Removal

3
T1070

File Deletion

3
T1070.004

Modify Registry

2
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

4
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Defacement

1
T1491

Inhibit System Recovery

4
T1490

Tasks