Analysis
-
max time kernel
15s -
max time network
39s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
02-09-2021 20:17
Static task
static1
Behavioral task
behavioral1
Sample
svchost.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
svchost.exe
Resource
win10-en
General
-
Target
svchost.exe
-
Size
61KB
-
MD5
9eb958c38bd3d39c55b009f9a200f42f
-
SHA1
b5ab794dd5821d08f7ecd860ba7975a6644dd46d
-
SHA256
b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956
-
SHA512
f7146fa64c8fe89eb4afb29af0b85e1693a03aeb38ae2948b8c047b4f1dd84817954563b6bd5ead4c4461242e1275c47ef4b41cf33fe9e3899dfe3952bc46954
Malware Config
Extracted
C:\Users\Admin\Desktop\read_it.txt
https://paypal.me/GoldenWolf42
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\svchost.exe family_chaos C:\Users\Admin\AppData\Roaming\svchost.exe family_chaos -
Executes dropped EXE 1 IoCs
Processes:
svchost.exepid process 1972 svchost.exe -
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
svchost.exedescription ioc process File renamed C:\Users\Admin\Pictures\ConvertFromFind.tif => C:\Users\Admin\Pictures\ConvertFromFind.tif.GoldenWolf42 svchost.exe File renamed C:\Users\Admin\Pictures\DenyCheckpoint.raw => C:\Users\Admin\Pictures\DenyCheckpoint.raw.GoldenWolf42 svchost.exe File renamed C:\Users\Admin\Pictures\EnableRemove.raw => C:\Users\Admin\Pictures\EnableRemove.raw.GoldenWolf42 svchost.exe File renamed C:\Users\Admin\Pictures\ReadMount.png => C:\Users\Admin\Pictures\ReadMount.png.GoldenWolf42 svchost.exe File renamed C:\Users\Admin\Pictures\ReadSuspend.png => C:\Users\Admin\Pictures\ReadSuspend.png.GoldenWolf42 svchost.exe -
Drops startup file 3 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url svchost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 33 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Users\Admin\Contacts\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini svchost.exe File opened for modification C:\Users\Public\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini svchost.exe File opened for modification C:\Users\Public\Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Searches\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini svchost.exe File opened for modification C:\Users\Public\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Public\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini svchost.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini svchost.exe File opened for modification C:\Users\Public\Desktop\desktop.ini svchost.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8lmytu09o.jpg" svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 1540 NOTEPAD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
svchost.exepid process 1972 svchost.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
svchost.exesvchost.exepid process 1824 svchost.exe 1824 svchost.exe 1972 svchost.exe 1972 svchost.exe 1972 svchost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
svchost.exesvchost.exedescription pid process Token: SeDebugPrivilege 1824 svchost.exe Token: SeDebugPrivilege 1972 svchost.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
svchost.exesvchost.exedescription pid process target process PID 1824 wrote to memory of 1972 1824 svchost.exe svchost.exe PID 1824 wrote to memory of 1972 1824 svchost.exe svchost.exe PID 1824 wrote to memory of 1972 1824 svchost.exe svchost.exe PID 1972 wrote to memory of 1540 1972 svchost.exe NOTEPAD.EXE PID 1972 wrote to memory of 1540 1972 svchost.exe NOTEPAD.EXE PID 1972 wrote to memory of 1540 1972 svchost.exe NOTEPAD.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt3⤵
- Opens file in notepad (likely ransom note)
PID:1540
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
5585e6fc24994e065c4adbac963fc340
SHA13f9cbd088444f7d79c794259ea569a72c94976d8
SHA256eb2bffbb68a9e7b325e1e9313902b4b7d7af2df7732e843ab3786afc819c4095
SHA51282ebe4aecf5f6fb902befc31edb814f0f5cb3ce76b8458a5f13f0412619b093d21b6911d0a08c28273e18afbb3b6dea9b8823d22a1aa5250b627b7ba463a27bb
-
MD5
9eb958c38bd3d39c55b009f9a200f42f
SHA1b5ab794dd5821d08f7ecd860ba7975a6644dd46d
SHA256b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956
SHA512f7146fa64c8fe89eb4afb29af0b85e1693a03aeb38ae2948b8c047b4f1dd84817954563b6bd5ead4c4461242e1275c47ef4b41cf33fe9e3899dfe3952bc46954
-
MD5
9eb958c38bd3d39c55b009f9a200f42f
SHA1b5ab794dd5821d08f7ecd860ba7975a6644dd46d
SHA256b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956
SHA512f7146fa64c8fe89eb4afb29af0b85e1693a03aeb38ae2948b8c047b4f1dd84817954563b6bd5ead4c4461242e1275c47ef4b41cf33fe9e3899dfe3952bc46954