General

  • Target

    fixer.bat

  • Size

    15KB

  • Sample

    250317-a4pxtsxrw3

  • MD5

    c401f4c27b32b9b3077b73dfb33b14f0

  • SHA1

    1e4fd86651bff73182ca31337d3db2a1095c4116

  • SHA256

    5024054fa2aba0e4e75d6a08c11a58d9c58e500b2295f1325884d1f5404e6dec

  • SHA512

    dd7bc542947d2e2a94e6ca4c6ab4cbc60e9f19f56d08c692743680e26ec62395e6c0c32e091c6e2f882f82c9f1a4e86c5b26f82fad2f05d0f5571b1dca5ab79d

  • SSDEEP

    384:0B8bpEeo0BVJRcDr4ligg9FllFlMSgxBUXXBcN+P:06bpEeo0PJRSrQiDLl1MtxCXXGN+P

Malware Config

Targets

    • Target

      fixer.bat

    • Size

      15KB

    • MD5

      c401f4c27b32b9b3077b73dfb33b14f0

    • SHA1

      1e4fd86651bff73182ca31337d3db2a1095c4116

    • SHA256

      5024054fa2aba0e4e75d6a08c11a58d9c58e500b2295f1325884d1f5404e6dec

    • SHA512

      dd7bc542947d2e2a94e6ca4c6ab4cbc60e9f19f56d08c692743680e26ec62395e6c0c32e091c6e2f882f82c9f1a4e86c5b26f82fad2f05d0f5571b1dca5ab79d

    • SSDEEP

      384:0B8bpEeo0BVJRcDr4ligg9FllFlMSgxBUXXBcN+P:06bpEeo0PJRSrQiDLl1MtxCXXGN+P

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Chaos family

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Stormkitty family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Blocklisted process makes network request

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks