General

  • Target

    Velocity Bootstrapper.exe

  • Size

    358KB

  • Sample

    250316-18f4lavlx3

  • MD5

    1a887dd7df677a1c64c46ef238e7058b

  • SHA1

    677b7dac16dd44a89cb72d17435861f75e5c07ca

  • SHA256

    1b9c33152da1189582a6dd2b3c6a6e8f265999eef7f5dcef124a140957e6fb84

  • SHA512

    2dffbfb2b29c3d3d3827f9a1f41db86a98dbbf9a95902123a430a5be498f36c985ad0d7a164f02acc9201422c76621817b8dc3d8579af8872ccdcf2e1be7255d

  • SSDEEP

    3072:ZXBEq9jcQ15B8XJBwEa8//64HXoxSAdhtd+SHDtIaxyp2/pUY6HAnOb0O:7Eq9QQ15qJBwEa8/yEAxd+ah/xEoUoD

Malware Config

Extracted

Path

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\READ_ME.txt

Ransom Note

----- YOUR FILES HAVE BEEN ENCRYPTED -----
Hello,
Your important files have been encrypted using a highly secure algorithm. Without the decryption key, you will not be able to access any of your documents, apps, photos, databases, or other personal files. We are the only ones who can restore your files.
----- How do I get my files back? -----
1. Pay the ransom of $100. You have 48 hours to make the payment. Only bitcoin is accepted.
2. Send the payment to the following address: bc1q0a2az59et9lymfa77drzr5vvm6grl27kfdhsuj
3. After payment, we will send you the decryption key to restore your files.
----- WARNING -----
Failure to pay within 48 hours will result in the permanent deletion of your files. No one can help you, not the police, not your IT team, and not anyone else. This is your only chance. We advise you to follow these instructions carefully. We will be monitoring for payment. If you attempt to contact us through any other method or try to bypass our system, you will lose your files forever. We suggest you act quickly to avoid further damage.

Targets

    • Target

      Velocity Bootstrapper.exe

    • Size

      358KB

    • MD5

      1a887dd7df677a1c64c46ef238e7058b

    • SHA1

      677b7dac16dd44a89cb72d17435861f75e5c07ca

    • SHA256

      1b9c33152da1189582a6dd2b3c6a6e8f265999eef7f5dcef124a140957e6fb84

    • SHA512

      2dffbfb2b29c3d3d3827f9a1f41db86a98dbbf9a95902123a430a5be498f36c985ad0d7a164f02acc9201422c76621817b8dc3d8579af8872ccdcf2e1be7255d

    • SSDEEP

      3072:ZXBEq9jcQ15B8XJBwEa8//64HXoxSAdhtd+SHDtIaxyp2/pUY6HAnOb0O:7Eq9QQ15qJBwEa8/yEAxd+ah/xEoUoD

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Chaos family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry
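The signatures above describe host behaviour that shows up in ordinary process-creation, registry and file telemetry, so they can be turned into detection rules without any sample-specific indicator. The Python below is an added example and is not part of the sandbox report or of the sample: it runs one rule per signature (the vssadmin/wmic, bcdedit and wbadmin recovery-inhibition commands, the DisableTaskMgr, Run-key and Wallpaper registry writes, and a READ_ME.txt drop at the path extracted above) over a constructed batch of Sysmon-style log lines, then groups hits per originating image so that a lone administrative `vssadmin delete shadows` does not fire on its own. The log lines, field layout, SID, user name, the `Updater` Run value and `wall.jpg` are constructed for the example; the command-line patterns are the standard Windows commands for these actions, not command lines recovered from this sample; the ATT&CK technique IDs come from general knowledge of the framework, not from the report's matrix.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon-style telemetry for the example (not taken from the report):
# one record per line, "event | originating image | payload", where payload is the
# command line (ProcessCreate), "key\value = data" (RegistrySet) or a path (FileCreate).
TELEMETRY = """\
ProcessCreate | C:\\Users\\victim\\Downloads\\Velocity Bootstrapper.exe | cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete
ProcessCreate | C:\\Users\\victim\\Downloads\\Velocity Bootstrapper.exe | cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
ProcessCreate | C:\\Users\\victim\\Downloads\\Velocity Bootstrapper.exe | cmd.exe /c wbadmin delete catalog -quiet
RegistrySet | C:\\Users\\victim\\Downloads\\Velocity Bootstrapper.exe | HKU\\S-1-5-21-0-0-0-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr = 1
RegistrySet | C:\\Users\\victim\\Downloads\\Velocity Bootstrapper.exe | HKU\\S-1-5-21-0-0-0-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater = C:\\Users\\victim\\AppData\\Roaming\\Updater.exe
RegistrySet | C:\\Users\\victim\\Downloads\\Velocity Bootstrapper.exe | HKU\\S-1-5-21-0-0-0-1001\\Control Panel\\Desktop\\Wallpaper = C:\\Users\\victim\\AppData\\Roaming\\wall.jpg
FileCreate | C:\\Users\\victim\\Downloads\\Velocity Bootstrapper.exe | C:\\ProgramData\\Adobe\\Setup\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\READ_ME.txt
ProcessCreate | C:\\Windows\\System32\\cmd.exe | vssadmin delete shadows /for=C: /oldest /quiet
ProcessCreate | C:\\Windows\\explorer.exe | notepad.exe C:\\Users\\victim\\notes.txt
RegistrySet | C:\\Windows\\System32\\svchost.exe | HKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type = NTP
"""


@dataclass(frozen=True)
class Rule:
    name: str        # named after the sandbox signature it mirrors
    technique: str   # ATT&CK ID from general knowledge, not from the report
    event: str       # telemetry event type the rule applies to
    pattern: re.Pattern


RULES = [
    Rule("Deletes shadow copies", "T1490", "ProcessCreate",
         re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    Rule("Modifies boot configuration data using bcdedit", "T1490", "ProcessCreate",
         re.compile(r"bcdedit(\.exe)?\s+/set\s+.*?(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    Rule("Deletes backup catalog", "T1490", "ProcessCreate",
         re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    Rule("Disables Task Manager via registry modification", "T1562.001", "RegistrySet",
         re.compile(r"\\Policies\\System\\DisableTaskMgr\s*=\s*1$", re.I)),
    Rule("Adds Run key to start application", "T1547.001", "RegistrySet",
         re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)),
    Rule("Sets desktop wallpaper using registry", "T1491.001", "RegistrySet",
         re.compile(r"\\Control Panel\\Desktop\\Wallpaper\s*=", re.I)),
    # The note lands under a directory styled as an Adobe setup folder; match on the
    # file name rather than trusting the vendor-looking path.
    Rule("Drops ransom note", "T1486", "FileCreate",
         re.compile(r"\\READ_ME\.txt$", re.I)),
]


def parse(line: str):
    """Split one constructed record into (event, image, payload); None if malformed."""
    parts = [p.strip() for p in line.split(" | ", 2)]
    return tuple(parts) if len(parts) == 3 else None


def match_events(telemetry: str):
    """Return one (rule name, technique, image) tuple per record that trips a rule."""
    hits = []
    for line in telemetry.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        event, image, payload = rec
        for rule in RULES:
            if rule.event == event and rule.pattern.search(payload):
                hits.append((rule.name, rule.technique, image))
    return hits


def triage(telemetry: str, min_rules: int = 3):
    """Group hits per originating image and keep only images that trip at least
    min_rules distinct rules: a single shadow-copy deletion is routine backup
    housekeeping, several impact behaviours from one binary are not."""
    per_image: dict = {}
    for name, _technique, image in match_events(telemetry):
        per_image.setdefault(image, set()).add(name)
    return {img: sorted(names) for img, names in per_image.items() if len(names) >= min_rules}


if __name__ == "__main__":
    for image, names in triage(TELEMETRY).items():
        print(image)
        for name in names:
            print("   ", name)
```

In the constructed batch the administrator's `vssadmin delete shadows /oldest` from cmd.exe trips one rule and is suppressed by the threshold, while the bootstrapper trips all seven; lowering `min_rules` to 1 surfaces the single hit for hunting.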

MITRE ATT&CK Enterprise v15

Tasks