Overview

overview

10

Static

static

10

svchost.exe

windows7_x64

10

svchost.exe

windows10_x64

10

Analysis

  • max time kernel
    20s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10-en
  • submitted
    02-09-2021 20:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    svchost.exe

  • Size

    61KB

  • MD5

    9eb958c38bd3d39c55b009f9a200f42f

  • SHA1

    b5ab794dd5821d08f7ecd860ba7975a6644dd46d

  • SHA256

    b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956

  • SHA512

    f7146fa64c8fe89eb4afb29af0b85e1693a03aeb38ae2948b8c047b4f1dd84817954563b6bd5ead4c4461242e1275c47ef4b41cf33fe9e3899dfe3952bc46954

Score
10/10
chaosransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\read_it.txt

Ransom Note
All of your files have been encrypted Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help. What can I do to get my files back? You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer. The price for the software is £50 GBP. Payment can be made in Bitcoin, PayPal. How do I pay, where do I get Bitcoin? PayPal: https://paypal.me/GoldenWolf42 Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0.0014 BTC Bitcoin Address: bc1qu6tharwawwny28z9fj6nrxg5cqftaep9ap6z2v PayPal: https://paypal.me/GoldenWolf42 (£50, Family And Friends)
URLs

https://paypal.me/GoldenWolf42

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos
  • Chaos Ransomware 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 34 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3972
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Drops startup file
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1580
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:3964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log
    MD5

    d78293ab15ad25b5d6e8740fe5fd3872

    SHA1

    51b70837f90f2bff910daee706e6be8d62a3550e

    SHA256

    4d64746f8d24ec321b1a6c3a743946b66d8317cbc6bac6fed675a4bf6fa181f3

    SHA512

    1127435ef462f52677e1ef4d3b8cfdf9f5d95c832b4c9f41526b7448d315f25d96d3d5454108569b76d66d78d07ea5ba4a1ba8baee108e8c1b452ba19cc04925

    Download Submit
  • C:\Users\Admin\AppData\Roaming\read_it.txt
    MD5

    5585e6fc24994e065c4adbac963fc340

    SHA1

    3f9cbd088444f7d79c794259ea569a72c94976d8

    SHA256

    eb2bffbb68a9e7b325e1e9313902b4b7d7af2df7732e843ab3786afc819c4095

    SHA512

    82ebe4aecf5f6fb902befc31edb814f0f5cb3ce76b8458a5f13f0412619b093d21b6911d0a08c28273e18afbb3b6dea9b8823d22a1aa5250b627b7ba463a27bb

    Download Submit
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    MD5

    9eb958c38bd3d39c55b009f9a200f42f

    SHA1

    b5ab794dd5821d08f7ecd860ba7975a6644dd46d

    SHA256

    b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956

    SHA512

    f7146fa64c8fe89eb4afb29af0b85e1693a03aeb38ae2948b8c047b4f1dd84817954563b6bd5ead4c4461242e1275c47ef4b41cf33fe9e3899dfe3952bc46954

    Download Submit
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    MD5

    9eb958c38bd3d39c55b009f9a200f42f

    SHA1

    b5ab794dd5821d08f7ecd860ba7975a6644dd46d

    SHA256

    b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956

    SHA512

    f7146fa64c8fe89eb4afb29af0b85e1693a03aeb38ae2948b8c047b4f1dd84817954563b6bd5ead4c4461242e1275c47ef4b41cf33fe9e3899dfe3952bc46954

    Download Submit
  • memory/1580-117-0x0000000000000000-mapping.dmp
    Download
  • memory/1580-123-0x000000001C202000-0x000000001C203000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3964-124-0x0000000000000000-mapping.dmp
    Download
  • memory/3972-115-0x0000000000680000-0x0000000000681000-memory.dmp
    Filesize

    4KB

    Download