General

  • Target: 1 (4).7z
  • Size: 40KB
  • Sample: 250313-j3bhgs1qz9
  • MD5: 589888b0ac25400608f4bc087bcc6d95
  • SHA1: 6dcb9186f100ecab1903f024df931f53e9bb41a2
  • SHA256: 680c40e94febf184947b9d4241a81c2f3134c4759600366661163f7f7b7a22f5
  • SHA512: 16f57842d826e2bfe2e9e2ed638b123a1482a0e667ecd81448800e08b2b453dc2b9fc869eb999df5cb80e9892f754f60d2c399936ae0b6863733e7162c8cd564
  • SSDEEP: 768:YCJ2MRRIRRix+OxwO1S9WjWjcDzoVwYhHnijIyj3RjWXeHD8m/t5BnZV9qY1s2Nk:D8ZR1OxocWSIHnifFIuDZ3ZVEYS5

Malware Config

Targets

    • Target: 1.exe
    • Size: 103KB
    • MD5: 79bc52fbe4be7638d393ae7e3e185ea5
    • SHA1: 4e402d19196a444fb78f3597a3cb06bd39aee262
    • SHA256: d9b2d86086d39cc3edab32a2320b3579c84ee5f67227ca7b16fd1a8cd72d09aa
    • SHA512: 768047ebc60b722a98587c050849a4cf238076220c49ef39d52a3fac3cf60ea4cdec627714df84b744b03a36a48fa29422f7fbff7bf564b4d8bb0cf4c505361c
    • SSDEEP: 1536:WNc9pooe6gq9Whz7mEglaXi2OPTOlkBysc1XDoCaJZUHDrGjy4JHjvET06d:xM6gq9WlybAi2CO6vc1IHUHPhgEd

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Chaos family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

    • Target: 2.exe
    • Size: 103KB
    • MD5: 8fa709ffd1ed8ca2682a7b013fde0e53
    • SHA1: 5a231c2ed922182b25c3b88c88ccece5c95879d5
    • SHA256: 526a87ce682ec831ea656b211dc7d681b0db25cdbcc3972d33fd9f369ff5743f
    • SHA512: af19e18c965395e8347f67a0d58f14fd144f9057e0b7583256a0a26d5ff8f5baadaa56142c918f4a28796c30efbf20a162952ed2590dc930d0613dc1642e4f40
    • SSDEEP: 1536:WNc9pooe6gq9Whz7mEglaXi2OPTOlkBysc1XDoCaJZUHDrGjy4JHjvET06dS:xM6gq9WlybAi2CO6vc1IHUHPhgEdS

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Chaos family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks