Resubmissions

Date              Sample              Score
14-02-2025 20:11  250214-yypxmsyjf1   10
05-02-2025 09:01  250205-kyy9eszjft   10
15-10-2024 03:47  241015-ecgjlashrh   10
05-08-2024 04:49  240805-ffygys1eke   10
05-08-2024 03:50  240805-eee4jszepd   10

General

  • Target

    002.7z

  • Size

    11.2MB

  • Sample

    250214-yypxmsyjf1

  • MD5

    82180da2d9ecde4947a618ff1a37fdad

  • SHA1

    ae327ea9229498e86afb337b87cf6d6f4caaa309

  • SHA256

    cc65535243dfd3cd54a9c5ecfcb93c7f918a87c725e9c52925017ab92effe278

  • SHA512

    606ddfb833eb38952403ae10e9eec694d45e3fb2df326d5825f93257d605552868343e80fd6e3a497d690dabe8ed1493b60843118f1aa5412be8cc55a66335a3

  • SSDEEP

    196608:nYcNyJpHBLBc6gKWYZzbK26sqaddXpgPxydfcNQChzHayMxpJ51LipiFe5TZD0B:n5yJ1pB+KWYtbK26sq25GyxcR6yMt51L

Malware Config

Extracted

Path

C:\Users\Admin\Documents\Fucking_it.txt

Ransom Note

----> Us Nexus Hackers . Translate your note to any language <----
All of your files have been encrypted
Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.
What can I do to get my files back?
You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.
The price for the software is $1,500. Payment can be made in Bitcoin only.
How do I pay, where do I get Bitcoin?
Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin.
Many of our customers have reported these sites to be fast and reliable:
Coinmama - hxxps://www.coinmama.com
Bitpanda - hxxps://www.bitpanda.com
(Your Systeam Hacked By Us Nexus Hackers White Force)
------- Contact Telegram Group
The Virus Upload On Your Mother Board Bios Systeam Or Gpu Bios - (-Warning Dont Reset-Factory You Will Reset Your PC Will Be Crash Burn You Cpu Shell-)
Contact ---- Gmail- [email protected] ----- Telegram- https://t.me/usnexushacker ----- Telegram-id Hide
Contact Gmail Credit White Hackers
-------------------- Cyber Security --------------------
Defance All War ----------------------
Website https://www.propub3r6espa33w.onion Dont Visit The Site
Payment information
Amount: 0.3 BTC
Bitcoin Wallet: 3LrDFbp6fRqkXE45bLipnrQNg9wMKyTR5S

Wallets

3LrDFbp6fRqkXE45bLipnrQNg9wMKyTR5S

URLs

https://t.me/usnexushacker

https://www.propub3r6espa33w.onion

Targets

    • Target

      002.7z

    • Size

      11.2MB

    • MD5

      82180da2d9ecde4947a618ff1a37fdad

    • SHA1

      ae327ea9229498e86afb337b87cf6d6f4caaa309

    • SHA256

      cc65535243dfd3cd54a9c5ecfcb93c7f918a87c725e9c52925017ab92effe278

    • SHA512

      606ddfb833eb38952403ae10e9eec694d45e3fb2df326d5825f93257d605552868343e80fd6e3a497d690dabe8ed1493b60843118f1aa5412be8cc55a66335a3

    • SSDEEP

      196608:nYcNyJpHBLBc6gKWYZzbK26sqaddXpgPxydfcNQChzHayMxpJ51LipiFe5TZD0B:n5yJ1pB+KWYtbK26sq25GyxcR6yMt51L

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Chaos family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Downloads MZ/PE file

    • Drops startup file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15