Analysis
max time kernel: 20s
max time network: 149s
platform: windows10_x64
resource: win10-en
submitted: 02-09-2021 20:17
Static task: static1
Behavioral task: behavioral1 (Sample: svchost.exe, Resource: win7v20210408)
Behavioral task: behavioral2 (Sample: svchost.exe, Resource: win10-en)
General
Target: svchost.exe
Size: 61KB
MD5: 9eb958c38bd3d39c55b009f9a200f42f
SHA1: b5ab794dd5821d08f7ecd860ba7975a6644dd46d
SHA256: b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956
SHA512: f7146fa64c8fe89eb4afb29af0b85e1693a03aeb38ae2948b8c047b4f1dd84817954563b6bd5ead4c4461242e1275c47ef4b41cf33fe9e3899dfe3952bc46954
Malware Config
Extracted: C:\Users\Admin\Desktop\read_it.txt
  https://paypal.me/GoldenWolf42
Signatures

Chaos
Ransomware family first seen in June 2021.

Chaos Ransomware 2 IoCs
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\svchost.exe | family_chaos
  C:\Users\Admin\AppData\Roaming\svchost.exe | family_chaos

Executes dropped EXE 1 IoCs
Processes:
  pid | process
  1580 | svchost.exe

Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\DismountInitialize.tif => C:\Users\Admin\Pictures\DismountInitialize.tif.GoldenWolf42 | svchost.exe
  File renamed | C:\Users\Admin\Pictures\SyncExpand.tif => C:\Users\Admin\Pictures\SyncExpand.tif.GoldenWolf42 | svchost.exe

Drops startup file 3 IoCs
Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | svchost.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt | svchost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Drops desktop.ini file(s) 34 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Links\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Searches\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini | svchost.exe
  File opened for modification | C:\Users\Public\Documents\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Documents\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Favorites\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Public\Pictures\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Contacts\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Public\Videos\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Videos\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | svchost.exe
  File opened for modification | C:\Users\Public\Music\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Public\Desktop\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Desktop\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Music\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Downloads\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Pictures\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | svchost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\i1zwom5gp.jpg" | svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class 1 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings | svchost.exe

Opens file in notepad (likely ransom note) 1 IoCs
Processes:
  pid | process
  3964 | NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid | process
  1580 | svchost.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs
Processes:
  pid | process
  3972 | svchost.exe (15 entries)
  1580 | svchost.exe (16 entries)

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3972 | svchost.exe
  Token: SeDebugPrivilege | 1580 | svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs
Processes:
  description | pid | process | target process
  PID 3972 wrote to memory of 1580 | 3972 | svchost.exe | svchost.exe
  PID 3972 wrote to memory of 1580 | 3972 | svchost.exe | svchost.exe
  PID 1580 wrote to memory of 3964 | 1580 | svchost.exe | NOTEPAD.EXE
  PID 1580 wrote to memory of 3964 | 1580 | svchost.exe | NOTEPAD.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\svchost.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  PID: 3972
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\svchost.exe (depth 2, child of PID 3972)
    Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
    PID: 1580
    - Executes dropped EXE
    - Modifies extensions of user files
    - Drops startup file
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\NOTEPAD.EXE (depth 3, child of PID 1580)
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
      PID: 3964
      - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: d78293ab15ad25b5d6e8740fe5fd3872
SHA1: 51b70837f90f2bff910daee706e6be8d62a3550e
SHA256: 4d64746f8d24ec321b1a6c3a743946b66d8317cbc6bac6fed675a4bf6fa181f3
SHA512: 1127435ef462f52677e1ef4d3b8cfdf9f5d95c832b4c9f41526b7448d315f25d96d3d5454108569b76d66d78d07ea5ba4a1ba8baee108e8c1b452ba19cc04925

MD5: 5585e6fc24994e065c4adbac963fc340
SHA1: 3f9cbd088444f7d79c794259ea569a72c94976d8
SHA256: eb2bffbb68a9e7b325e1e9313902b4b7d7af2df7732e843ab3786afc819c4095
SHA512: 82ebe4aecf5f6fb902befc31edb814f0f5cb3ce76b8458a5f13f0412619b093d21b6911d0a08c28273e18afbb3b6dea9b8823d22a1aa5250b627b7ba463a27bb

MD5: 9eb958c38bd3d39c55b009f9a200f42f
SHA1: b5ab794dd5821d08f7ecd860ba7975a6644dd46d
SHA256: b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956
SHA512: f7146fa64c8fe89eb4afb29af0b85e1693a03aeb38ae2948b8c047b4f1dd84817954563b6bd5ead4c4461242e1275c47ef4b41cf33fe9e3899dfe3952bc46954

MD5: 9eb958c38bd3d39c55b009f9a200f42f
SHA1: b5ab794dd5821d08f7ecd860ba7975a6644dd46d
SHA256: b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956
SHA512: f7146fa64c8fe89eb4afb29af0b85e1693a03aeb38ae2948b8c047b4f1dd84817954563b6bd5ead4c4461242e1275c47ef4b41cf33fe9e3899dfe3952bc46954