General
-
Target
fix.bat
-
Size
2KB
-
Sample
250317-dsdbfa1rt6
-
MD5
160b408ccc1bd513057cba516f4436e7
-
SHA1
0deecfee13ebc656eecc6aaab2a8978bc93268d0
-
SHA256
50c4082ed4c65e96649e53ba20fec89ead550d4774901dcccaf562db79a9e3e4
-
SHA512
74777e896abd4ca6f4282a1dff09c133f95ecd17f1bb48140fce2f2cca615e5be034950cdf8d3ad3846338f442c8e326fac69ef1b18104bd344e7cd33bdec933
Static task
static1
Behavioral task
behavioral1
Sample
fix.bat
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
fix.bat
Resource
win10v2004-20250314-en
Malware Config
Targets
-
-
Target
fix.bat
-
Chaos Ransomware
-
Chaos family
-
StormKitty payload
-
Stormkitty family
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Blocklisted process makes network request
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter: 2
  PowerShell: 1
Windows Management Instrumentation: 1
Defense Evasion
Direct Volume Access: 1
Hide Artifacts: 1
  Ignore Process Interrupts: 1
Indicator Removal: 3
  File Deletion: 3
Modify Registry: 1
Credential Access
Credentials from Password Stores: 1
  Credentials from Web Browsers: 1
Unsecured Credentials: 1
  Credentials In Files: 1