Analysis
-
max time kernel
15s -
max time network
39s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
02-09-2021 20:17
General
-
Target
svchost.exe
-
Size
61KB
-
MD5
9eb958c38bd3d39c55b009f9a200f42f
-
SHA1
b5ab794dd5821d08f7ecd860ba7975a6644dd46d
-
SHA256
b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956
-
SHA512
f7146fa64c8fe89eb4afb29af0b85e1693a03aeb38ae2948b8c047b4f1dd84817954563b6bd5ead4c4461242e1275c47ef4b41cf33fe9e3899dfe3952bc46954
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\Desktop\read_it.txt
Ransom Note
All of your files have been encrypted
Your computer was infected with a ransomware virus. Your files have been encrypted and you won't
be able to decrypt them without our help. What can I do to get my files back? You can buy our special
decryption software, this software will allow you to recover all of your data and remove the
ransomware from your computer. The price for the software is £50 GBP. Payment can be made in Bitcoin, PayPal.
How do I pay, where do I get Bitcoin?
PayPal: https://paypal.me/GoldenWolf42
Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search
yourself to find out how to buy Bitcoin.
Many of our customers have reported these sites to be fast and reliable:
Coinmama - hxxps://www.coinmama.com
Bitpanda - hxxps://www.bitpanda.com
Payment informationAmount: 0.0014 BTC
Bitcoin Address: bc1qu6tharwawwny28z9fj6nrxg5cqftaep9ap6z2v
PayPal: https://paypal.me/GoldenWolf42 (£50, Family And Friends)
URLs
https://paypal.me/GoldenWolf42
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops startup file 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 33 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt3⤵
- Opens file in notepad (likely ransom note)
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB