Analysis

- max time kernel: 122s
- max time network: 124s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 01-01-2022 16:53

Static task: static1
Behavioral task: behavioral1
Sample: 99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0.bin.exe
Resource: win7-en-20211208
General

- Target: 99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0.bin.exe
- Size: 101KB
- MD5: ca6646d85b756664c2c1eb97a91bb8a1
- SHA1: 24b22ffbd61b3533a25fef787bacf3ecdca973ea
- SHA256: 99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0
- SHA512: d285f0c5a90d80615e74cfd228a221a629721051269078b49b696263c633623e3430aa1d1c1ad0c37454574eac1487641af895b1715bc64647bd08118b46310e
Malware Config

Extracted from: C:\Users\Admin\Desktop\read_it.txt
- Wallet address (Bitcoin): 18vhBpgPhZrjJkbuT2ZyUXAnJavaJcTwEd
- URLs: https://www.coinmama.com, https://www.bitpanda.com
Signatures

Chaos
Ransomware family first seen in June 2021.

Chaos Ransomware (6 IoCs)
YARA rule family_chaos matched on:
- behavioral1/memory/1668-55-0x0000000000FA0000-0x0000000000FC0000-memory.dmp
- behavioral1/memory/1668-56-0x0000000000FA0000-0x0000000000FC0000-memory.dmp
- C:\Users\Admin\AppData\Roaming\sdf51ewxzv24d54fg.exe
- C:\Users\Admin\AppData\Roaming\sdf51ewxzv24d54fg.exe
- behavioral1/memory/1848-60-0x00000000013C0000-0x00000000013E0000-memory.dmp
- behavioral1/memory/1848-61-0x00000000013C0000-0x00000000013E0000-memory.dmp
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
Processes:
- PID 896 bcdedit.exe
- PID 892 bcdedit.exe

Deletes backup catalog (1 IoCs)
Processes:
- PID 1596 wbadmin.exe
Executes dropped EXE (1 IoCs)
Processes:
- PID 1848 sdf51ewxzv24d54fg.exe
Modifies extensions of user files (5 IoCs)
Ransomware generally changes the extension on encrypted files.
Process: sdf51ewxzv24d54fg.exe
- File renamed: C:\Users\Admin\Pictures\RestoreCompare.raw => C:\Users\Admin\Pictures\RestoreCompare.raw.WNBE
- File renamed: C:\Users\Admin\Pictures\SearchConnect.png => C:\Users\Admin\Pictures\SearchConnect.png.WNBE
- File renamed: C:\Users\Admin\Pictures\ClearSave.tif => C:\Users\Admin\Pictures\ClearSave.tif.WNBE
- File renamed: C:\Users\Admin\Pictures\InstallConvertTo.png => C:\Users\Admin\Pictures\InstallConvertTo.png.WNBE
- File renamed: C:\Users\Admin\Pictures\RedoLimit.tif => C:\Users\Admin\Pictures\RedoLimit.tif.WNBE
Drops startup file (3 IoCs)
Process: sdf51ewxzv24d54fg.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdf51ewxzv24d54fg.url
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops desktop.ini file(s) (33 IoCs)
Process: sdf51ewxzv24d54fg.exe
File opened for modification:
- C:\Users\Admin\Favorites\Links\desktop.ini
- C:\Users\Admin\Searches\desktop.ini
- C:\Users\Admin\Videos\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
- C:\Users\Public\Music\desktop.ini
- C:\Users\Public\Desktop\desktop.ini
- C:\Users\Admin\Pictures\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- C:\Users\Public\Videos\Sample Videos\desktop.ini
- C:\Users\Admin\Contacts\desktop.ini
- C:\Users\Admin\Documents\desktop.ini
- C:\Users\Admin\Links\desktop.ini
- C:\Users\Admin\Favorites\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
- C:\Users\Public\Pictures\Sample Pictures\desktop.ini
- C:\Users\Public\Music\Sample Music\desktop.ini
- C:\Users\Admin\Desktop\desktop.ini
- C:\Users\Admin\Favorites\Links for United States\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
- C:\Users\Public\Documents\desktop.ini
- C:\Users\Admin\Saved Games\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
- C:\Users\Public\Videos\desktop.ini
- C:\Users\Admin\Music\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
- C:\Users\Public\Pictures\desktop.ini
- C:\Users\Admin\Downloads\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Process: sdf51ewxzv24d54fg.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0u36xsbdn.jpg"
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- PID 336 vssadmin.exe

Opens file in notepad (likely ransom note) (1 IoCs)
Processes:
- PID 1388 NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes:
- PID 1848 sdf51ewxzv24d54fg.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
- PID 1668 99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0.bin.exe (2 events)
- PID 1848 sdf51ewxzv24d54fg.exe (3 events)
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes:
- PID 1668 99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0.bin.exe: SeDebugPrivilege
- PID 1848 sdf51ewxzv24d54fg.exe: SeDebugPrivilege
- PID 816 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- PID 1864 WMIC.exe (the following 20 privileges were enabled twice, 40 events): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (privilege LUIDs the sandbox did not resolve to names)
- PID 1628 wbengine.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege

The WMIC block is what wmic.exe does on every launch (it enables every privilege present in its token) and is not specific to this sample; the token events worth noting are the SeDebugPrivilege enables in the two sample processes (1668 and 1848).
Suspicious use of WriteProcessMemory (30 IoCs)
Each parent/child pair below was recorded three times (30 events in total):
- PID 1668 99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0.bin.exe wrote to memory of PID 1848 sdf51ewxzv24d54fg.exe
- PID 1848 sdf51ewxzv24d54fg.exe wrote to memory of PID 744 cmd.exe
- PID 744 cmd.exe wrote to memory of PID 336 vssadmin.exe
- PID 744 cmd.exe wrote to memory of PID 1864 WMIC.exe
- PID 1848 sdf51ewxzv24d54fg.exe wrote to memory of PID 860 cmd.exe
- PID 860 cmd.exe wrote to memory of PID 896 bcdedit.exe
- PID 860 cmd.exe wrote to memory of PID 892 bcdedit.exe
- PID 1848 sdf51ewxzv24d54fg.exe wrote to memory of PID 2044 cmd.exe
- PID 2044 cmd.exe wrote to memory of PID 1596 wbadmin.exe
- PID 1848 sdf51ewxzv24d54fg.exe wrote to memory of PID 1388 NOTEPAD.EXE

Every write goes from a parent into a child it has just spawned, which is consistent with ordinary process creation rather than injection into an unrelated process; the list is useful mainly as a record of the parent/child chain.
Processes
(indentation shows the parent/child relationship; PIDs are taken from the signature sections above, the two bcdedit PIDs in the order the WriteProcessMemory events record them)

C:\Users\Admin\AppData\Local\Temp\99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0.bin.exe (PID 1668)
  Command line: "C:\Users\Admin\AppData\Local\Temp\99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0.bin.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\sdf51ewxzv24d54fg.exe (PID 1848)
      Command line: "C:\Users\Admin\AppData\Roaming\sdf51ewxzv24d54fg.exe"
      - Executes dropped EXE
      - Modifies extensions of user files
      - Drops startup file
      - Drops desktop.ini file(s)
      - Sets desktop wallpaper using registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\System32\cmd.exe (PID 744)
          Command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\vssadmin.exe (PID 336)
              Command line: vssadmin delete shadows /all /quiet
              - Interacts with shadow copies

            C:\Windows\System32\Wbem\WMIC.exe (PID 1864)
              Command line: wmic shadowcopy delete
              - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\cmd.exe (PID 860)
          Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\bcdedit.exe (PID 896)
              Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
              - Modifies boot configuration data using bcdedit

            C:\Windows\system32\bcdedit.exe (PID 892)
              Command line: bcdedit /set {default} recoveryenabled no
              - Modifies boot configuration data using bcdedit

        C:\Windows\System32\cmd.exe (PID 2044)
          Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\wbadmin.exe (PID 1596)
              Command line: wbadmin delete catalog -quiet
              - Deletes backup catalog

        C:\Windows\system32\NOTEPAD.EXE (PID 1388)
          Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
          - Opens file in notepad (likely ransom note)

C:\Windows\system32\vssvc.exe (PID 816)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbengine.exe (PID 1628)
  Command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe

The four top-level system processes (vssvc.exe, the Volume Shadow Copy service; wbengine.exe, the Windows Backup engine; vdsldr.exe and vds.exe, the Virtual Disk Service) are started by the service control manager as a side effect of the vssadmin, wmic shadowcopy and wbadmin commands; they are not children of the sample.
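The tree above is the standard ransomware recovery-inhibition sequence (shadow copies deleted via vssadmin and wmic, boot recovery disabled via bcdedit, the backup catalog deleted via wbadmin), each step launched through a throw-away cmd.exe. The detector below, an added example that is not part of the report or the sample, runs over process-creation records and attributes every matching command back through the relay shells to the process that issued it, so the four separate commands collapse into one finding against sdf51ewxzv24d54fg.exe. The records are constructed to mirror the report's tree (PIDs, images and command lines are the report's; explorer.exe as PID 1000 and the benign "vssadmin list shadows" entry are invented), and the record shape (pid, ppid, image, cmdline) is an assumed Sysmon-like form rather than any real log schema.

```python
"""Detect the recovery-inhibition chain seen in the process tree above from
process-creation telemetry. Added example; events are constructed."""
import re
from collections import defaultdict

# (technique label, image basename, command-line pattern)
RULES = [
    ("shadow-copy-delete",    "vssadmin.exe", re.compile(r"\bdelete\s+shadows\b", re.I)),
    ("shadow-copy-delete",    "wmic.exe",     re.compile(r"\bshadowcopy\s+delete\b", re.I)),
    ("bcd-recovery-off",      "bcdedit.exe",  re.compile(r"\brecoveryenabled\s+no\b", re.I)),
    ("bcd-recovery-off",      "bcdedit.exe",  re.compile(r"\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("backup-catalog-delete", "wbadmin.exe",  re.compile(r"\bdelete\s+catalog\b", re.I)),
]

# Shells that only relay the command; attribution walks through them to the real originator.
RELAY_IMAGES = {"cmd.exe", "powershell.exe"}

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0.bin.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Roaming\sdf51ewxzv24d54fg.exe"
CMD = r"C:\Windows\System32\cmd.exe"

SAMPLE_EVENTS = [  # constructed to mirror the report's process tree
    {"pid": 1000, "ppid": 1,    "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},  # invented parent
    {"pid": 1668, "ppid": 1000, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"pid": 1848, "ppid": 1668, "image": PAYLOAD, "cmdline": f'"{PAYLOAD}"'},
    {"pid": 744,  "ppid": 1848, "image": CMD,
     "cmdline": f'"{CMD}" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete'},
    {"pid": 336,  "ppid": 744,  "image": r"C:\Windows\system32\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 1864, "ppid": 744,  "image": r"C:\Windows\System32\Wbem\WMIC.exe", "cmdline": "wmic shadowcopy delete"},
    {"pid": 860,  "ppid": 1848, "image": CMD,
     "cmdline": f'"{CMD}" /C bcdedit /set {{default}} bootstatuspolicy ignoreallfailures & bcdedit /set {{default}} recoveryenabled no'},
    {"pid": 896,  "ppid": 860,  "image": r"C:\Windows\system32\bcdedit.exe", "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 892,  "ppid": 860,  "image": r"C:\Windows\system32\bcdedit.exe", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 2044, "ppid": 1848, "image": CMD, "cmdline": f'"{CMD}" /C wbadmin delete catalog -quiet'},
    {"pid": 1596, "ppid": 2044, "image": r"C:\Windows\system32\wbadmin.exe", "cmdline": "wbadmin delete catalog -quiet"},
    # invented benign admin activity: listing shadow copies must not trigger
    {"pid": 3000, "ppid": 1000, "image": CMD, "cmdline": f'"{CMD}"'},
    {"pid": 3001, "ppid": 3000, "image": r"C:\Windows\system32\vssadmin.exe", "cmdline": "vssadmin list shadows"},
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def originator(pid, by_pid):
    """Nearest ancestor that is not a relay shell (the process itself if its parent is unknown).
    vssadmin (336) -> cmd (744) -> payload (1848): the payload is the originator."""
    cur = by_pid.get(pid)
    seen = set()
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            return cur
        if basename(parent["image"]) not in RELAY_IMAGES:
            return parent
        cur = parent
    return cur


def find_recovery_inhibition(events, min_distinct=2):
    """Group rule hits by originating process and report origins that used at
    least min_distinct distinct techniques (a lone bcdedit tweak is usually admin noise)."""
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(list)
    for e in events:
        img = basename(e["image"])
        for technique, rule_img, pattern in RULES:
            if img == rule_img and pattern.search(e["cmdline"]):
                origin = originator(e["pid"], by_pid)
                hits[origin["pid"]].append((technique, e["pid"], e["cmdline"]))
                break
    findings = []
    for origin_pid, matched in sorted(hits.items()):
        techniques = sorted({t for t, _, _ in matched})
        if len(techniques) >= min_distinct:
            findings.append({
                "origin_pid": origin_pid,
                "origin_image": by_pid[origin_pid]["image"],
                "techniques": techniques,
                "commands": [(pid, cmd) for _, pid, cmd in matched],
            })
    return findings


if __name__ == "__main__":
    for f in find_recovery_inhibition(SAMPLE_EVENTS):
        print(f"origin PID {f['origin_pid']} {f['origin_image']}")
        print("  techniques:", ", ".join(f["techniques"]))
        for pid, cmd in f["commands"]:
            print(f"  PID {pid}: {cmd}")
```

Matching on the child image plus its own command line, rather than on the cmd.exe line that carries the whole `a & b` string, keeps each technique counted once and survives the case where the sample calls the tools directly without a shell; the min_distinct threshold is the tuning knob between catching a single `recoveryenabled no` and ignoring routine administration.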
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Roaming\read_it.txt
  MD5: e362bbe6afacca30ae88aae2c2a47b6b
  SHA1: 41029ace8c47b727b59b260956a5b9ec1a2f7a14
  SHA256: 71e1c3f4ba03f7b3e3532c4772ca9772ae73df39ea56b1f353a8eb5cc4170419
  SHA512: 8a947a17820abede11fb5357e6530f5ccad86794303766be1608b5171cad72436b333303470ec6b9956cefe9f61340577e8c3bb731ddab402a2baba7e78f60b6

- C:\Users\Admin\AppData\Roaming\sdf51ewxzv24d54fg.exe
  MD5: ca6646d85b756664c2c1eb97a91bb8a1
  SHA1: 24b22ffbd61b3533a25fef787bacf3ecdca973ea
  SHA256: 99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0
  SHA512: d285f0c5a90d80615e74cfd228a221a629721051269078b49b696263c633623e3430aa1d1c1ad0c37454574eac1487641af895b1715bc64647bd08118b46310e

- C:\Users\Admin\AppData\Roaming\sdf51ewxzv24d54fg.exe
  MD5: ca6646d85b756664c2c1eb97a91bb8a1
  SHA1: 24b22ffbd61b3533a25fef787bacf3ecdca973ea
  SHA256: 99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0
  SHA512: d285f0c5a90d80615e74cfd228a221a629721051269078b49b696263c633623e3430aa1d1c1ad0c37454574eac1487641af895b1715bc64647bd08118b46310e

The hashes of the dropped sdf51ewxzv24d54fg.exe are identical to those of the submitted sample (see General), so the first stage copies itself byte-for-byte into AppData\Roaming under a new name rather than unpacking a separate payload; one hash set covers both files.

Memory dumps:
- memory/336-64-0x0000000000000000-mapping.dmp
- memory/744-63-0x0000000000000000-mapping.dmp
- memory/860-66-0x0000000000000000-mapping.dmp
- memory/892-68-0x0000000000000000-mapping.dmp
- memory/896-67-0x0000000000000000-mapping.dmp
- memory/1388-72-0x0000000000000000-mapping.dmp
- memory/1596-71-0x000007FEFC3A1000-0x000007FEFC3A3000-memory.dmp (8KB)
- memory/1596-70-0x0000000000000000-mapping.dmp
- memory/1668-55-0x0000000000FA0000-0x0000000000FC0000-memory.dmp (128KB)
- memory/1668-56-0x0000000000FA0000-0x0000000000FC0000-memory.dmp (128KB)
- memory/1848-57-0x0000000000000000-mapping.dmp
- memory/1848-60-0x00000000013C0000-0x00000000013E0000-memory.dmp (128KB)
- memory/1848-62-0x000000001ADF0000-0x000000001ADF2000-memory.dmp (8KB)
- memory/1848-61-0x00000000013C0000-0x00000000013E0000-memory.dmp (128KB)
- memory/1864-65-0x0000000000000000-mapping.dmp
- memory/2044-69-0x0000000000000000-mapping.dmp