Analysis
-
max time kernel
20s -
max time network
149s -
platform
windows10_x64 -
resource
win10-en -
submitted
02-09-2021 20:17
Static task
static1
Behavioral task
behavioral1
Sample
svchost.exe
Resource
win7v20210408
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
svchost.exe
Resource
win10-en
windows10_x64
0 signatures
0 seconds
General
-
Target
svchost.exe
-
Size
61KB
-
MD5
9eb958c38bd3d39c55b009f9a200f42f
-
SHA1
b5ab794dd5821d08f7ecd860ba7975a6644dd46d
-
SHA256
b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956
-
SHA512
f7146fa64c8fe89eb4afb29af0b85e1693a03aeb38ae2948b8c047b4f1dd84817954563b6bd5ead4c4461242e1275c47ef4b41cf33fe9e3899dfe3952bc46954
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\Desktop\read_it.txt
Ransom Note
All of your files have been encrypted
Your computer was infected with a ransomware virus. Your files have been encrypted and you won't
be able to decrypt them without our help. What can I do to get my files back? You can buy our special
decryption software, this software will allow you to recover all of your data and remove the
ransomware from your computer. The price for the software is £50 GBP. Payment can be made in Bitcoin, PayPal.
How do I pay, where do I get Bitcoin?
PayPal: https://paypal.me/GoldenWolf42
Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search
yourself to find out how to buy Bitcoin.
Many of our customers have reported these sites to be fast and reliable:
Coinmama - hxxps://www.coinmama.com
Bitpanda - hxxps://www.bitpanda.com
Payment informationAmount: 0.0014 BTC
Bitcoin Address: bc1qu6tharwawwny28z9fj6nrxg5cqftaep9ap6z2v
PayPal: https://paypal.me/GoldenWolf42 (£50, Family And Friends)
URLs
https://paypal.me/GoldenWolf42
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 2 IoCs
resource yara_rule behavioral2/files/0x000400000001ab10-118.dat family_chaos behavioral2/files/0x000400000001ab10-119.dat family_chaos -
Executes dropped EXE 1 IoCs
pid Process 1580 svchost.exe -
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\DismountInitialize.tif => C:\Users\Admin\Pictures\DismountInitialize.tif.GoldenWolf42 svchost.exe File renamed C:\Users\Admin\Pictures\SyncExpand.tif => C:\Users\Admin\Pictures\SyncExpand.tif.GoldenWolf42 svchost.exe -
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt svchost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 34 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Searches\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini svchost.exe File opened for modification C:\Users\Public\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini svchost.exe File opened for modification C:\Users\Public\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini svchost.exe File opened for modification C:\Users\Public\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini svchost.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini svchost.exe File opened for modification C:\Users\Public\Music\desktop.ini svchost.exe File opened for modification C:\Users\Public\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini svchost.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\i1zwom5gp.jpg" svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings svchost.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 3964 NOTEPAD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1580 svchost.exe -
Suspicious behavior: EnumeratesProcesses 31 IoCs
pid Process 3972 svchost.exe 3972 svchost.exe 3972 svchost.exe 3972 svchost.exe 3972 svchost.exe 3972 svchost.exe 3972 svchost.exe 3972 svchost.exe 3972 svchost.exe 3972 svchost.exe 3972 svchost.exe 3972 svchost.exe 3972 svchost.exe 3972 svchost.exe 3972 svchost.exe 1580 svchost.exe 1580 svchost.exe 1580 svchost.exe 1580 svchost.exe 1580 svchost.exe 1580 svchost.exe 1580 svchost.exe 1580 svchost.exe 1580 svchost.exe 1580 svchost.exe 1580 svchost.exe 1580 svchost.exe 1580 svchost.exe 1580 svchost.exe 1580 svchost.exe 1580 svchost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3972 svchost.exe Token: SeDebugPrivilege 1580 svchost.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 3972 wrote to memory of 1580 3972 svchost.exe 76 PID 3972 wrote to memory of 1580 3972 svchost.exe 76 PID 1580 wrote to memory of 3964 1580 svchost.exe 83 PID 1580 wrote to memory of 3964 1580 svchost.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3972 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt3⤵
- Opens file in notepad (likely ransom note)
PID:3964
-
-