Resubmissions

02/06/2025, 11:39

250602-nsaknazly3 10

13/04/2025, 03:57

250413-ejectayvdz 10

13/04/2025, 01:42

250413-b47y3swm18 10

General

  • Target

    Echo-Scanner.exe

  • Size

    716KB

  • Sample

    250602-nsaknazly3

  • MD5

    818b2d4040e1cd5147936107ae00e2de

  • SHA1

    0c0cecf79650b70548d521351821e3479c6cab77

  • SHA256

    e888bd6a36d2b00ea8f2223e1fe8370cf3f0277f13b83ff57923834fc5608a66

  • SHA512

    c164aa77f7f346d4272309776967406738494cfdc8bde77336d14a22f37e5f0590a41589f6a5b338206db0f328d1d012525f31cb25a63e10b1a7b2f85f3dc921

  • SSDEEP

    12288:UTa97bqHS+cFjdCr7fY7ryQOyXbeB9DN1XPGAovqkdaRSTyZZdoYSJU/vHUemrHl:Jj7+nyCTeavH2

Malware Config

Targets

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Chaos family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v16

Tasks