General

  • Target

    fix1.bat

  • Size

    15KB

  • Sample

    250316-2g4w1s1xhy

  • MD5

    f540b2db2d36695bc8b6655e15064e81

  • SHA1

    28bfa4b51ec5801926d72674f88ca84274ad7bbe

  • SHA256

    75737ef525de64554b57b925ce200912900a171d7cd20bf3480a3f636a99e547

  • SHA512

    d02ad7dea623a9652e2158eb651d12681ba484e2209aedcb9545bf0cc4c47bbad04654cb97aa2a968cca2b90549d017549a24cae1c70297f13f9780314f1c2a8

  • SSDEEP

    384:A0I4GfU0vhYpSCZ/u8OdkVvaOEPjBvaOM2zLewYBvas2vEewbIQBblvAOUPod9tM:A0I4GfU0vOpSCZ/u8OdkVvaOEPjBvaOf

Malware Config

Targets

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Chaos family

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • StormKitty family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Blocklisted process makes network request

    • Deletes backup catalog

      Uses wbadmin.exe to delete the backup catalog and inhibit system recovery.

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other profile data.

    • Command and Scripting Interpreter: PowerShell

      Executes commands via powershell.exe.

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry
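
The behaviour signatures above describe what the sandbox saw, not how to look for it in your own telemetry. The following is an added example, not code from the report or from the sandbox vendor: a small matcher that maps process-creation, registry, file and network events to the signature names listed above, using the commands and registry paths that commonly trigger them (vssadmin/wmic shadow copy deletion, bcdedit recovery changes, wbadmin catalog deletion, DisableTaskMgr, the Geo\Nation key, the Wallpaper value, the Startup folder and a public IP lookup host). The event schema (dicts with `kind` and `value`), the sample events and the ATT&CK technique mapping are my own assumptions; the sample events are constructed for illustration and are not taken from this sample's execution trace.

```python
"""Match Windows telemetry events against the behaviour signatures from the
report above. Constructed example; event schema and sample data are assumed."""
import re
from collections import OrderedDict

# (signature name as in the report, ATT&CK technique, event kind, pattern)
# Technique mapping is the author's own, not the sandbox's.
RULES = [
    ("Deletes shadow copies", "T1490", "process",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows|\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("Modifies boot configuration data using bcdedit", "T1490", "process",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("Deletes backup catalog", "T1490", "process",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("Command and Scripting Interpreter: PowerShell", "T1059.001", "process",
     re.compile(r"\bpowershell(\.exe)?\b", re.I)),
    ("Disables Task Manager via registry modification", "T1112", "registry",
     re.compile(r"\\Policies\\System\\DisableTaskMgr$", re.I)),
    ("Checks computer location settings", "T1614", "registry",
     re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
    ("Sets desktop wallpaper using registry", "T1491.001", "registry",
     re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.I)),
    ("Drops startup file", "T1547.001", "file",
     re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)),
    ("Looks up external IP address via web service", "T1016", "network",
     re.compile(r"^(api\.ipify\.org|ipinfo\.io|icanhazip\.com|checkip\.amazonaws\.com)$", re.I)),
]

# Constructed sample events (Sysmon-like process/registry/file/network records).
# These are illustrative and are NOT taken from the analysed sample's trace.
SAMPLE_EVENTS = [
    {"kind": "process", "value": "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"},
    {"kind": "process", "value": "cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures & "
                                 "bcdedit /set {default} recoveryenabled no"},
    {"kind": "process", "value": "cmd.exe /c wbadmin delete catalog -quiet"},
    {"kind": "process", "value": "powershell.exe -NoProfile -Command Get-Process"},
    {"kind": "registry", "value": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"},
    {"kind": "registry", "value": r"HKCU\Control Panel\International\Geo\Nation"},
    {"kind": "registry", "value": r"HKCU\Control Panel\Desktop\Wallpaper"},
    {"kind": "file", "value": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"},
    {"kind": "network", "value": "api.ipify.org"},
    {"kind": "process", "value": r"C:\Windows\System32\notepad.exe"},  # benign, must not match
]


def match_event(event):
    """Return [(signature, technique)] for every rule the event satisfies."""
    hits = []
    for name, technique, kind, pattern in RULES:
        if event["kind"] == kind and pattern.search(event["value"]):
            hits.append((name, technique))
    return hits


def triage(events):
    """Group matching event values by signature name, preserving rule order."""
    report = OrderedDict()
    for event in events:
        for name, technique in match_event(event):
            report.setdefault(name, {"technique": technique, "events": []})
            report[name]["events"].append(event["value"])
    return report


def recovery_inhibition(report):
    """Distinct T1490 signatures seen. Two or more together (shadow copies,
    boot recovery, backup catalog) is the classic pre-encryption pattern."""
    return sorted(name for name, info in report.items() if info["technique"] == "T1490")


if __name__ == "__main__":
    rep = triage(SAMPLE_EVENTS)
    for name, info in rep.items():
        print(f"[{info['technique']}] {name}: {len(info['events'])} event(s)")
    print("Inhibit System Recovery signatures:", recovery_inhibition(rep))
```

The patterns are deliberately narrow (the exact bcdedit switches and registry value names rather than any bcdedit or reg call) so they hold up on a busy endpoint; widen them only after measuring the false-positive rate in your own environment. Note that the geofence lookup is a registry read, not a write, so a detection built on registry-set events alone will miss it.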

MITRE ATT&CK Enterprise v15

Tasks