chaos | 99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0

General

Target

99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0.bin.exe
Size

101KB
MD5

ca6646d85b756664c2c1eb97a91bb8a1
SHA1

24b22ffbd61b3533a25fef787bacf3ecdca973ea
SHA256

99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0
SHA512

d285f0c5a90d80615e74cfd228a221a629721051269078b49b696263c633623e3430aa1d1c1ad0c37454574eac1487641af895b1715bc64647bd08118b46310e

Score

10^/10

chaos ryuk evasion ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\read_it.txt

Ransom Note

Attention! All of your files have been encrypted Your computer was infected with WANNABE Ransomware. Your files have been encrypted and you won't be able to decrypt them without our help.What can I do to get my files back?You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $26.65. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - https://www.coinmama.com or Bitpanda - https://www.bitpanda.com Payment informationAmount: 0.00043 BTC Bitcoin Address: 18vhBpgPhZrjJkbuT2ZyUXAnJavaJcTwEd If you're done paying the demand just send a proof that you have done paying the exact amount at email address provided below in order for us to send to your email the decryption software. Email Address: [email protected]

Emails

[email protected]

Wallets

18vhBpgPhZrjJkbuT2ZyUXAnJavaJcTwEd

URLs

https://www.coinmama.com

https://www.bitpanda.com

Extracted

Path

C:\Users\Admin\Documents\AssertEdit.mht

Family

ryuk

Ransom Note

<EncryptedKey>tas8KaXpdM/ws7Qh6bqkw6EIA9fl8255S3pBtgPWUBNiqKdLqzRdtDRO6b8FgQbhU/bf4NgMtxATBcK6XHxoi5w+oU4c3dmNRI0OW3Q+Vrz5J1tcL4rBOegQ7sVeE0lDBEVSIXBFYIwMJcbWWbVKQzClxzsJWP+Sif09Jj7jZag=<EncryptedKey>PyGJ/JH6awSZPkUB0zpDsQcaYr7KLRabbZZA2SQ8FIPIDihatAulR/lGe7zNP/NZPunYvOrVAgMYAa1ctnG8ZMX+5VycXZhaYx5S6LdD1eLxrFpjQgBMpf7wiKKvMDE3YUmowY9UFY6UOZfxw2ryb7EJDFipgZMyblObxopWfQ/XWMZki5lWVfLjdrxxVOKMsElkhoFg4In2fvcZlGMwjV2eKAZA8FxC4g6wYpm5pg31bnyAS/Ip5xJN+UgDZ/DEL80SBzKXej3VcclpxBRUQmIhOfiNnClIaG3s+PmEUfAMTcgiRcSTInGf6iS9jW3FVbcKv/hPL3P12AtW+lVgipIIa5YGWcdJcrMDntYMksmYpQLGMvVRSm6mufp4iThLTa8jUq8izNDSeeGDlNRTwKNYchPXmmkMerUjFCtbomdY8EhUatmwUdV2KfHV0qSavmFseHKUZHUJu7ulDUJsI/MOzN+hCLF5Y9KIxdzDd8ag3YHiYpxWSf0TMWK4OnaFIIhi2Ph5bxaI9aajHBfMv26FU/I3oDMntmq9GAg88kTGIiS2hKAeXeDfkwKCJkx6quN5fB5uf7tIUuIwhVYibj/hnrA1LlAsFMcQNmJBAiZYayC3+ECTbR03zf0EEc/MJ5r3ZQT5MnQDSIkuEOYniPkXQ+oaYNzl+6SlX/Nso0+46wKhDI873m4jrJaRtr/QZN+lnwgU6cNiPmLmdG5ZrJJfJQjsLsYJ/IpNQHTt/2US+ojwD6naQPlbUUPrKNIIsC8PoT+UpK8S1cM+e26xfLIjppNHANIXGnxyiNUNh+bxz7pZWGsBjqUAeuZWNTvtNzcDdgO9uiU/WbX3wDIAhI8rmuOyzu3lZ+8dCtZLO3VLvbUNLuuA5hSSHRxBhS4hax4v/jz900/ojD9Efdt7ae1uQmSzWGkU0iVMig0OqVzk/7IrWeceDGIhUKhIO+Klxy9vQn2OYnJL6eXpDX+/uIuX956VWlsufMSj9brp/gWS1+Vq8wn9ZjXqPD5zp5ormcxutEKnRPocB9RJrsWjsf3QdDgP3Px3/MKyd6r9K1hCvlJWch4eIUP698QrnQhXGBkzd6JQTv47tvRTze4kJtb/jZ9MYswtl31bLKigTG7olWjkXqYm9eK/UALAGc6i21QlUl3OzNxY4wQgNDt1kh9NfHwyHglDA7f4DF59x4roqDOjqzVrsgUlX0S8q+KAvLOqcsXGeFyKbtnbPG+BRtvRxeNqcekoQyDwjfwBjhb5NBpmI5993JfDB/TeIJ9GFHgWoa+WZdCCGRczwK7OxNaDoPKR2SrLdVmW1Lypx0O0pz50LaqB0bzbYMgCcG1xYcRy76ZNR6cGs/ld0io9bQWVxFeXmT510umO/3bJ63WyzPgZaPiCHpFEgYTk31HbqUvPNb1UtTFmaDO4ncMLXnoMqTWQsEuyiS6QLfqQqyiC8cP8wnn1fhFcV7jkZsZltmMB3MTPPBbX08K3FKjmUFNjDR3j57XabGEEfSQ80cmwfIhH6+QOGQzh2y+zeh/fHOdmyzRGmWY2OCv4YJdkcUf9BnfJIXamZzg1gqwV/pnvmDXSFJLW7QRGkayZQdS6Whu1DgTmDcMxFjgjye5hr6WJp4er+WuKSnLJqxlwY0e/KXZ7OjHWoi/D9LSVbx2tNo8YBTaBj58ORnsWz8vonbMJBmv4TEk0SFRJE3zPeaHEOeY3TR7IpOlok1V07qomi6f4WR0DR4h5OiUVohMezzbMF0HOiQrcIP5ZTzPk3GxbunceznMKw+allwzSDaT/2zZgY59+5H4518Ra+l0oJrip4+OPfTaa/hNZhWJCIlKUeTbmk4uBK+6Nzh74cHXWejQ52xVp5Pwc+twaSwg0Uj8f08qtnx3EV3qVCWlMhYbfSo6K9NYBGsGrQh4exR0MWYvXhzHROfxq5YSE6sbUZ+PnnP6y5EVuyNlE1mbiJD6mLcb1tJcCkgAmN13P3rhmZOqQNEzkVYdaWvR2cML3MePpquEhdBddvWv01iSvKAWthZvj0sYmCB1M9ba/Nb7cU1F/DkitCbuxCOJvfOVp+Xy4rztU+97CSa2G/rz4eprP7LraRUxK1aXBJUtoLeds/ccLSUiZI8n2AwiaS2Lv1duZF63XpzHm834Yq09w2DTdTfqzA4jcYuZclGXfiC87e/+6aMCpGF5gXw02ozcXiDbRVxuT6a53dWktoVQgznLr0QEz2cwj5G9idPqeWe7QVG5E0oSh8xr6H0qJVs8ZQphT7X1z8FC2zJ0tLPU43kDXmNwMBKThrU50hbvIWVaXi0O2rHY8eQZ+RDahJMyLyc7WMQgZsMe6w7eF7hnATz0EFDlBIYyp6B0lm8UQh+VLlrvEnynwOB1uinIlkEfy/vsuikrcR6t9hQHwF6YlO3+PHatPd9T+htd4tpOUhrxuoaGRfXPwW4nNhNQrhtvNPIUm1cVfaISEgqUDDTwshzrWsaPfSMZzoG8jgiXg6wZhU4+4c/hTQWJhlosVXc9k+B3CjAKz1JBZ1RZK5mPWb9hc6AHKECHQWsGG7rKcIJFrePL+7l3s3c8jW/B7LGtRqpsTCznNjIVR+3/I/Bcj5Jjl1iLro3hgkEQPlX2OvLuwMN2f0vuFrMmdMSrPCIc8xyZFMXoCCVUrp3qIliEwLe8cMRRMdnzgZmILwYOl4Qu6yBFu9QQJk+FeALNfTota4hXKJNgieuujH0UF7PYLMNIyjJvZcjFl8y4JnH72RD0SZAvLG+hiv+HoxbHHRxuLb8eEiPYIaqVQr0U03HtMWk08oLH2DWRIATeVaxTaci238AQ6sDWFFUrXpxWq4WlVb1FOEOIaWcOC+pLZ3Q/1M9aVUfKLuSYYZ2eriiXDRk1Pk6QOKn2pYLxt7dFUnu7hxdKF8wNY6X7ay9xKjgfhrg5MHnnihRKIvZp69oTBgem2856eHytzYiRKdQgCsBe+gv3J+iTMB22oJty9PqboGH8Gt9gDKvK3AxTnefdlHMRYh2M+D4emTQLJV413KaHbu181HPcwgz8SBUhEWN5dCqfjmqYo0vNz7yptGWNzmSrtFBwUG+xc7s6IES0QuztN4cFE+D98j+1wgTDyL9F+bQ8ZxPvTX2PUhTwiJrBUv5JXkI7RgKF0N5rzJUWAADCezBJlm3J/AiCK9S85OfKAJ3rCZiRu9bV5ywzMklxXLYYHLHCFkaD1p6c4BtHcAxYNBAEfd4gxARh4kZPZjEplb/+DmI2d33cWfE83NfaSPbIggVAI5G46i4Y8v8r6p5t9kdPIjvEpBiAupMmNUeS07/oHL8Hidcvj2ZssxBUmqTPn+2qPm5hxkJZ/slzeJc58R9qO6bP8y/5DxkvFFsWcLRYTse4w5VIO8tvYIPRhyjWuE6S0Ws0MT15BDcqhIN1VnWGDOvQVyHd4V6eCVp4L3iF8hjfMwJb8xDx7NTOSrk1IxkzQor6pKdQAeaEHGBKsI3BBCB2BI7CKW3VsKq/OtFKD3cjMxMvwscxc8cNykmlEP5LTkgrc0F6uREYLkvle2o43lhLOcikThmWaxEs9aLLkamS0ucyJComeIVRkNeDcgfFjTxkE7h6+w5WTidqwZSgXb+lAOcqzKAAelaGLIlDR+JWcqZft1yaHp+7PSPvlFcaV8SDxlmQYVTMlvzSxgI+OKAHshORj4G9HhBsjLUG9iDQ+rtGHtmrNwkKnWCHTpA87HI0V9BZ+kRYY0lqFYbvZl0/bk1RajYRbOWydZUIzdxeh2SkDBuk06DdZ2VHyJodBUBqOaTT51pE0T/rZzcvrrdjh3W4OYck3un3MoVB6HWL8XeckjFsjK3ULTZt98uD6NURFjFjyb43OTIA0Wrt+rY5i3qNeRLIoK0/V1Cuq9IoTSCXrWfu7MBgGCXRzWNFkSlLW/5w2kP9t5JqG0OH/eYBZZLyx15LAtAjh61qMaZzRlHtiLteNmaNwXQTC3pe5dgKxO0SFdt/r0PKXWRQP7cH2BHWzCssluCFOz5xJG5hI37jryC35UwB3B1OhWV1FlfXiQMCN8kZtwUM5P1YTN26x7qkwskXGOOUj23fskn8d8hEwFiRzfRGQ/XHXxg+fBPyWCY3sfEqqx5xRKbCRzyB8x57OXm9iM100mDTxjKBdBMIatkPMZ5bcya1Q8856qlZY1s4lXqi3/d9K/+OtUC85C/qxFAU5s1BUBDGFCq5jZEEpYEcHnTGX8C7S7QLPBkWsKJdNbxOONPyjOjTw/ALZinR/Mh61RBRCoo2co0ABKiPe2fdB7yF8erJEVXIRJbeYNWiW4uVYiS9GPu1er/yhR2Xe5ixwlJSWh2OHE2J1p3pC4U4kPDuicnP8hvtficjnd7JXhG4E0q7k9EyC0toa7P1rq71AW1X68dduRJguvZB3Yg+hdWrxmITVr2b6Tp8nzweyJhe3uAMV8RoH3gI3S68rCJriEhcAc4jvcP8yEV1GSSKWhtaC8PA5K3ylu/vX6J3sOoxXf1DQe1ttw3oGnT8wO1n6HzpvKkVMvvU3kB9rsn0880t+zkUysj9cpZk501WWrVgSf0CFCN69upT+hjB8IYC2ZtHVaCzCMq/bIlkKwzMVS6i4XZmr8MF8kNBBaINcQuN2tG1pXBD4AuG4aG5r2g6RabWmQnWGWhvgtkq47wlRWzxDlMaDxSYdcsGVDCpbgDnYAxzRuBWoSEmr7Pk4fL0+6ZZ1HzCN7yZVuOT3IYtmsZo5oETBWN4wIRPI9V3O3AJht0QJSioYLCzVxarr91fxOekXS4YilhluohKVeLeR/sf5IjI2+sMOT7PgUpcbb6C8+RSL66nay2eqonk96c8enGLhoNQe4URP9/SFi8jFbJuAAwa7V9CgxX9jyrexJVt+4Q7vqENQEEDyR3nThIb2zI6cx/0o8/VQ3BFXOoQA2spFrUqC/ol0PoHuhd1LGPfrw5xMY79xcy+QUpzov+Jgh5OOU5wW5ZMQ9kELtMeeVSjKB/yiri1Ohwj+fzN0qVfQ7RjnR8mSj3i2NeO1b3CZ6YYFyN1JaANsg0Cm3S/uXHK3LtptSclVIe7xVBJtU7m+CKvZGEXw5tD8P91IuuNwXU3Pz1Yy9EiREffVtcz9tQWYEDw4cl1ZfvAqB/AdXC61rg2sv96Rm/T5GNcnlt46GSAegzWoDXycbyYrLaBSXJemotUqARp3wkSmp0t/1DoTLBC4NFrGDbiwTgF43YY+W5YWCmmL97TKKjQ1CH6QZ0lUybVRV2tcyCNrrXEF4sQxdFwxsnAZSFirVHjgR5OqOmVYot7ItVds29jStsR3OtO61MrDdVxeQpwwDYWygT8cfAXXZQr485Ae7Mn+MNqLVcM2jw3NqVm26MQF4bLyN4RF4uBU3+U9cj+KQNUGpuFtiGa1Kwi+s7y33y2E+ClvOWjou7siVmKn7MIBB6LRKXAD7MAF35X4hh8LHccsRLelIa77vVSdVR4tahVFkFRrz1/3ZgGaDhOhchHkDc4Lw/MuJnFVizmPgLOODRvtdYdqvHwdH22RlMdfYa7NHO0vW2Atzc7Vu4SsuHr97/+l9FNoGDk8v1UBo9JjS9rYGeWy4fWkTd0qTXM+oIGiuAIqWsL8RCckbpQktMVsgPFNFBAlTHfJtiLrgTScXFyky72xgmNH1M1S8dtL8PEg9PhA1BszLsUD693efTi3kF8L9OV506Y3g/vigOnmGiP00sIRViauyqWBMWTXryfIBOiItUDxjX1KhZwry+gZ+ZJ2GSqu5iFMhOwtVheC+oeotM8WgunKe9eUBmo0+5Z2wnDg8EilrHQu1Wv//52muT1S3hAZa4fylZRyX3XSloVOlASJt1JzZjMDvrS4GlWTBzQsAF0F1WKqf4xMOBJCeqDqS4/yFcOAMqhKmEKpyai935h/Ezm0Vp4yBbQlB7QxkD8lcWD4qleHTI1+5kHJdeRQVz9yGdwOTFPTJS2m1UrpskNHEYREEmwUQdgcjSy02AJFEvLoqT0+tIvZA/NmWwRFQwdLmQ0v2RmsPt/mn6mgu4kJV29G5dBkQwOLuWsa7L0EN2eXwg9/wxhi2wocOC73+8SZkWgnFmsQlvQLJPkF8dSnxbACTrodCCRKjK5dsh+rFRnXFUPo1zVyPg0o/7Df+Sg3HcW7QcJRCOPqVqeBUWGLyJURG8geiEOA/2ixofNcstogaYwE/pz94nzXg/sUfhBrLoVIYOP/kfuPgN8zCwDG3OzEb3/HIChdgnhgTcvLwahU4Xxuwgh1ZMEjBqzF+9lU/hX2ovccolwRZTBqtaD1S7Gbfu46ltnIDNKLsGFVQa8VIGmHeB3YoLtSRb4WE4iS+wKi2nR3pB4DHCUT9HnQvJNCbnWX3rerr1gQojxQMY/i9xajDK90wcpdTFvAiSNMN+YJLnmogk0R3+bO/xjUYGsYYi7Y0Xg1zH0tb0TR/e08mmcXkm02qXiFgvli+7KLh6vWeOJetbRtQXhfb8zX4KewiEZY3ycnCPQ2jTpLAIzFGcxbPzAv8SAaWykYKoUtEZfauoW+maLEoKte8vvy6YXkMEv0UKdzw6lKTDaumcmflrJyZ8wcGRWo+hPXNAxsn0Wc5a9zzbos2vXAaFXX7smb7PDUO0hUGyb39VbJ7VYxmxo6OEwpucjUJ88FUB3pzMmj9p/Mtc1T8RHbRcEXXThGCfpIbduiEr5Z8dKRZl0lwwAos6dV+16Z9Bd1PiO/SnU/86tDFK5oxZ7IxU0KQlXwT0BmGRWxmx7fIUe5bYJ42ZXAq5ZV0l7S1uQLYesRRWaSeLfCAP1gfWIRwsFVlUtNDRj8I/Rp+rK2mhZOmSLhTAFS62nw1WVVbaRlWBDRbY23R7xDvmUXGYGvqIbkLeA91HIS4SXTlcjj8SGORLQngc0brz3kIBaxC70NFxbW+BWrkLOBhJKv0Hi+VhKBvqXNmksu0LiqMWjIroGEPELL4QahBHAvS/fxfJV7NyQjZuN0kLYhIjEl3Yn7gIMWJHxRO4EfPVmJN7o75cm5xA78pw3amHx1pxPYKJInUZv5SJyzyb2RPhjW4aKtFvnGyL4OoogiBXSZ3ItXg2hL3adB3sbdKjg0YaxkL91rhUrc5LAYjl7rsGOBuyZZcoFMeiT+L86hYJsbcEmOiXDIxwkH2euzno2gHLlbpYW3+j2kyRs/vrtQvaTlepwnVbYJLew/E53aUJcEpX4kJaheEJZxBeyLoyfnnPKuNUNt4Wt4gs4jH/jgg2JXEaxsMdG3EEa0EaGoidC3vK8ajhSLHRNkvgrZC9Z7nt0nEeTYpI7KD6JbXDKxaFvOVyY6S9fhpRZa2yEyyXneCbM3HvwFnyjswUg0Le/Rzzb51im6T4WGo01drTPIOHdUqXBe112eW3bLl8vWADxgVV1ygf78aClmHT2r64cy75wamaGnwftiygOMJwUC8lPrxSPtTMNWz1v3xxhFr+vdo1zlrIn4K4kUNfmzRWQGjAL+J0jZJMyelPC5QTeiWp8DCa81U5zp4ZL9iQAwJUPP9l6gQs5c3KXI45k7etEDtFzaW45+24fAz7YyDvneY34CcKJaVHGhI0fyqfj3ZDnzYjeAv113z8QxhLBn3lAkK+rl6gJ/eq9+uB7znTXudyIdQk3iMZmxp7Wrb/ICb5d6YDgBF5KKJE/nJ+jvtveRZ+1vr6mZrvT15GCMUsT+QaWVjAtGYY9AtBKYgsV7VtG5VCJ2y3oZ5CNbHvRxcmHCYQ9V1qyUWP3zZO52Aon01HwIbYm0daHqLz8mGCrz27N+v17dzB7DLkr6T0UYG6t8lEoj2CJoR/jEaHc6M4RS8sdS9K/ZcnWNJjct63ZRFBw+UI2CS+PE3QE5WxD736JuXQYjjYX2B59FZF+PurP+jj4YTG8wBVlU2mkVutY62jfJ9zOywn/WGSHed1+pNpNcgDnoZ/wuvbXx9Qju7RSZjQsc6l3hx9XEvaKJxd7l9vd+2m0B0PEnykDRp+oPkn6IQozRdt1hSn0FYglz9k9wtHWECxse2e+JaxpVVV1Emnfiaui75PmAr+6siTNk1b/hQlCBMDMul148heFvPzaZQJX2I03UMlamkkj7HiXB2jrlxoveDa9020kb7IDOMAA8Af1V2PfI71zeSNdKucP/p7ZDmlgRjvar5qJUIebgJerpFghtlsFsZjRFKRMCAOL4OIO9iWIyaTYlSkGjQt2rSmKn9cr9AlXapuIZN7f9uHgUzXcsVfD8nJ1iMUo77mmvr4i2ce4jAriCGWzuVAV0HQa4JPA36G7JSeyzQg/YKObyYvMZVaY0kReyvtPSbB3ARlW/Wscj3T/34kOtJKiuR3JUqKMOH2WmvQswUfrhrw7T0SO17lPlTAMEjGtb2kItTR7iSLVFySEEdevm5yCHSQqfNPIF52XHH3lJpXQeA7s6M7JBQ9fhtVJ+LuBJZ3/ItIRED98YShAhDLRUPJDPUChOAOJw+LeraufiS2GeWue3QoTIcnGX/DU6ZlQX34ZfW13yOFhOoLn/vBh3kCndpD0TkzpG6IDq0m9JMDTxaxoj/Z9A+RkvPIi4g4Fok959aDwojKvgtnFzc1Fr6GPyG/lhCCx1Ai3e+BKOJZ5g6oDIxJ/+HXK6mw6g+KK0hO+QjQIc6AxL+9ETolSFIQXUAbrkKhTRMNAiK4fGrjKdsQp2bQep/PhftQ1evZrhsab9lmRvVhSck4EaW6+xq7CFSJDrj8PoQbmGO6a1O2hymsEUqPH02lLeB9EQWMw0s3/2ohfCX0+93BUfKGIbFHivztm0NuyxagBV8CHOI1fqEBQoR+8wJD0mRL0niLw4jAc5DLv5ELuHb129u2kPS8GK8aPME2kA1P+sBQHY5NmKny+/MZMPRj3Dvc62WFixLZY7xUdvdi+dEIdSVWrvxXmH0TkCPdzL3yDED4/9y+MzNxwJIdNtX8s8rfDWDx2LBT/RKqNTVnuL8J74UuYncXIGt+zoVIXDfZYqlY8yxxjOIZn46+A8/jt0UCRZMzy6Y9qrtJLCizgQRePGyil14JulwJzoQS/gE57I2Yqe+Q9pxf+lOpmruHPyaJRZIw+Ooujg2wFXf7ELAUzoeFVfS7AEx1nUDnmGGwUZyOVL5NattZSReI+23/EfqJT2YmNXgLSbfPcp8DGIpOQCi4T6XDNlPnXriPleED3TLOYu/V9PVjWWLZ/8ZEi4VK3uvSFGpyrehRz9dv+M8+TQOQ2FuFnNs/tII3hyYklwTgPx3ZjCbTV5u3H3oSsxpKPp4sH2utNr94omcked8fQcTlix4XaBlxAN+JymfC5sIFk8FlNcVDYY9G283a0LNdLo6q3v+HTEFeYGMMA55CvSZWkwJeMU39UtY+rJRpKvgEeUrJhjjIRHC2Lmh6Ozp00+4njV6Ui4C2ir6LEn/gQSrYzwdDlyy/TAm2yRl8swkxB0r4XI0wfIXvFwdt137XMMtErGJCj5coLMD8zKFmLZuESD02Pg+T2U1m0Q8YevSc0fs2/8FhRSuFdMewhrUQvbuKkGRt48vQj1EG+nxw7NYK/bZLkAuBSYPhj5szQLTcpggnTeWCnz8jxk0ps1ZBtT0tBz5J6w+rn2WXELnoBwMmwghcPCplghbCyu4BeekGD1zSlK52+wVErKdiTE66lg1AMHDbAr3qgGYSo7sOoboRSEseTKvbqD/G7FIAF9yJrPg4P48h9oU6rWJZhXsHOcafsB8kbgG8sWPwXUxF6MN47dVyIr/4xxfYCD3GNi5PSGu+qxllVEx5lsTBsXnGr/fsxEw0Mkkvw/DzbSUp/mfsivqGCSeuIoZxnNTKRsnlmPQ3kxa5MiMw3BJ3JrcEFf2VATVbYrzDycYBcOtVhtqZN1yS685NuCRPYjXuWUpVcCHQieSednnMiQhycOJ9mrsn8p88izxQNoY8alHvdiFrBBNmmjWgfzSU+F1O27xktJSwa2dwpIc6x/n9Xf175CVa4GIsjl4NVbAA5UMhiCXXx8gR/SKu7A2u2+X6KnRU9SYNPT50R3xOIPMjkPz21HNZZsvu7vhGyC66PkgxJ8WQOX+4Y6rNcRmOx9LVAzmnetxCV2J1eomd1M4pMyEZVgEz23fHk69R9Sgi8RyzvBuEgloZISIX8cB+B/JLyxjgKKuIz3oUpVh4Ax4rlbQP2KOQT3o/FEZueISAC6Id/LzAuHqS3uGplVEjgNl4/+8vp7oonh0lRvs7Q6yykQvR92v6SPsMkAkTpDMQqyrk8BorL1Beo1fJy+u1RxQVJbA4MXxffPuCyXAlgkG9P4ipklaMihvSDAyiDVvgPP72/S8QEqKWVmoe9qikRgX7KtYcMgMHCHpg48vR91gpfbspXvIsBKGRQ1AiXtKlKRrYgcPghF22+tfz2iSYGK8pYLI+nK9ObLiYnrRw/EiqwVgY0QXYLLzsMqnT+ws6gpaFSPWP9vJ6JljOO56hcvshKJT6np2T/p+909l4NZS5VYpznePeSdblyMMgohvKBWTl7gDL1S8UpXe0yHX1KWULfEkkg2feRwEUSu+2SUB9MVbUYq5aGtawAPk/W5ZJQGoRS7/FWTPMnnI4rM23HRtMfFqX9nz06gCYspv2P4ggCyifegiP8QQ+nS9K9jhvyi0901sar1kC6NoYclqSisHUAXjkBGpdc7dV+JZGidBEDzi58pDhkn7EzeO322YcnZ0F5FdBoidZn/edB1eSLn9zmoo+8orbnS/NqKqlxJ0MMgutSAviVcNterActZP2cS+qEayoGwqz5S01cVGsHRfSR9cYRNG/FAfg9V7cvjFrjAgehJVAhQTyHH5dVUIE4uW3Vj76uTg64wlyMGfAlH73OEqpXIoN5oWZi8b/A3O7NpHl2hDQYDryqtxssE3fiqzUstdRAixp2cKzZj7pQlLKiApYrI/LOTFAflCUZttrdSpQdUozZBwGJelK2cvQ89NEC4MBrWhtGJj5LP0DEnE+algR8/WRht50M9Y+1gyZbv3bpQ5WqD46H+FXT6BT/0lZ9CUsE16nG+pzEqg50h/12wGkWHX30Nm3Y+Z3CLWhQOFU3fCKIZ0rV6O0+kh+m3iLfi/1zgHo7jUVrvqcAvQGKSqQDm71XqkB2/T5A2zi8IArFp0B5A/dUeUMi+agE7EFQIBO51bHQ27MN9Y4rBJqQ6ypByP5jUDuQggQmab6ZRtsU4IP1ET5dI/WhQR3u12hvvTAJLbfZEf6XCxWNTHBA9bL/A0S07O9mZLcVJnYO6STQC+gc+JqXwixScfm8MCKeTjhk0ZKnakcbQQfK3Z58BgEBAIapcP4SkYgcii1qs7r6aQqvft4p8R3MW5w2y+UAfh3I9xbddgbl+RbfKRCkUhCs8z9TtoRfsKmI5C0fwtvlNUVwUsmEo9XdEoFaX6nNgLWw/5D7nAu1bkfhjfiXtt38+t/8fiIlubgF8je/Jpm+YTnsCgzKojlTtlm5h2TJ8T+24KnN5wFjgbtW44SdZSjdHcgHdQacyxw06YMVRRmxCMvaSx8Qiqe5lJ2c5sh8n2/x9HzV/bkA1RBnleyXp9+wf59eAeSjogeikNnqOu09gbrkcSd60yNrffiql+IaDJosS2w5sb7Xf8aS3T1Ha+/3caQPRisS3LdpbfYP3KXew9zVKpdzkhQQIF3kkoifngZFwOE8QdLqCq6xheDy29tuYJd57ITR0l7mhnahVlOr5xG7bfWyA5tI11sQ1J61OyDrWDDfe836evmDnm12t2g2wVy7D7ZB8wXJQhn+WU0GTXJT/gTnXbN9QnHBYoHZLFt87o3KUmxshU2xQ9ay/MeZOljVKvFdtl9ZQEyx4SqDzRdf7sHej3mMXNmgP2MgGP2oBk+b6YpNtv1dzfHf3c4NVIjp2Xu9fZ+I0/w30Ukk2e7m9jXGWUFnI6tsybRrOa47fzK8oR39YcEvHsvYbh1qKP5bzLMba1i3CnWrmKXa6aAU72JlxfDYF4b2f0GXAvuBkJRMucP7fRRwJ1e6ViAxKjZCD/8C2klekTfWXkGyBWf+GR2mrn93otPKN+5wIbXzaTi/JdZJMov4SS82DJmI6kXWHml4ynwH1GGX1gLrzbTGKQSbDkGtw23PfZMnNZCQwPU1JM+OR/8Yeh9zk/LVmAsJbi03DSEVetF1HESxO3ZKpwTRADbn0L96oHx1ropUPNr3RPDUUlT3h665IKyebL0VwF+zWeMp01O3pfsjKQl+Ef1bWCC+0M9yHDeCijgKXsmql+WCcg2Vjpzl5FMtywPIpyGaltHW1eBlIM5Ad0AoTIZuVnSvkuKqVn4n3ez0auU7J/0yBV8ws8LzTQZLqbnc8BJUEZquGGjrgFUW6/zEmXWQuntjqlCg7HeqJkxVA4hyQQaz+L1MNY/mA+LDjS0PJ3vpUqvHSyxjOWyOx2JxzowQwZ/GRjpiSFOhYBlJIrwZ0HTn9fuWTlLQRZXPhjBi+xjZD2xeGjUpsRYQhr9w53xXSQubuVPSkBt7WuJnU8RRpTVuYze7S3YXu3NPlc5B20hZ9KGX2OR9xAcHKsAUbiqDqoIG1Alzd4MZ8zZM9+QAWe94VzcguVuFTtjhWMktiW0vsNUDcz/+7gSdCU4d7AEub9DRspscd/UKbeQuuNhWqPksNGY2KaBclw1CkSPifhRvZVLrsA2TbcBr41DK8KYgIJkO+cayoRyWed5hPr/XjRYnpd1vL+y5R/jPVgBPkS0pCFsLcxHB6e9QGfp/ueeXPjgzHM8GjtEaVZg955nJltaEe272Z5ZLjeKSgmywnZG4XPNGGHnartc3tzp0tib1XuGkBa9ucR9mmFXx1/K6SUBJHUxu7mIJRzJIe/GHjTZrD5swz0D4fWITjqO5HCc6ZGROn8kN0OsXZoMQWjsfSSCcWlkhlY+MchJRT9jlHLkHhlvsv8/GmHMQQxws9tMRc04jE/TYeZdZz0aWdcKArEJ2VItXLjok/4PRXkip4GEE51H6wdlaxFCwcpXah93KzgT0RwTNBskBh+b//UGB0Nyxe3+wGSFSV3a0vt4GL7/ESMIc6veB6gj6D277vaQ+IT1sWhjOwBSENG1ST98BniIXisiBfIFwP77El+2/ejEeFOSIzvv24n7l9O+n+VIc5vz7BaAtjielHCE6d1wtZqGdr+3953Sguf+DHEEl4dqadLCkCQS7f2/2Qq8Q0SYIG+uUnXDEP98xkL7kWAy2Tj0p9V52Z6zw33Xu/6lEhdHiMf8p1QJ3x+wI+lfEs9aiZ3k7ndcq1RjC3ALaJKvSjBxEHBbunfVSqvTM1/Csa8qe4pekIJ2LmHTKK/FK1ivGj/sofV/NkC9fcZe8CVBFJQ4F6RWx0KNb91BYOPsWOZpKOOQYQ4p7svEMHma5V4w6DcwxuOxR1RtQQBfwcJ8Fg60lyvQMtSBWmZDdMVCRCdu80g1jwQe7NFdkpzuzrLTmfnAZu2O+7WaQS3uAwlvHkRrK9Vf2EYHokAazu54i96kpUvg8GMGfOUQCWvH4VGN+8sADHaOC7ECfdJ63ItQocBOaOVmMRV0avRK7x15mfp9lPbHp9BhpS44Q0O54MW46Cxz5Fl5ObBD90CLE79f87Tjz8Q+L7y1CHwpimUpsVPEOIKNrnxfOYTCuPAywXD8lSuVrwE+IVhf2CUsIGjP+1thWhTefZz6l190hJ/0Y4lvxA+IFgt/i50DleRGEl49V74iTNKT7cQG2xPK7XCKIGLYeI2TirBHBprtSRlllw1Zz7qC9juxMLOw8acAwaVtMVeDfCs7AN9ytRSNFE4jzAFmrv7qMC360o4vIXHx/WvN2lBLYqjXhok1gWBOMXju72EsxY07KJg0ZbJ8QnmSDYE1cuY83DG+ikqwNsKR0ctwb7K5JDBRxlIlQBiuMB2ezMDKVE8gaaIvfSx9R949EEz5Vl9Di/UeeNlIN1U/doX/PBCmzwfGWMxHN5PLQWVolbseaGWTLMCAv0baLKCLmJFyqAIUH3RME11qF4C6XUss8GLCbdGQjyZkPBa+bmENNb13ZJ4sTJ/Zu9rzzzyz0KyZKnYzPOt6Xjdes2OW2W7R/8RZpUXjJgN26s9oxyu6ifmJceYawXTzmaFQ0qWPoqplfgTpu0iO9r3KC8XGcQ4FK5hQl62gLaLt6mzn76MO4/BfGsHHX8BCOPpmwDtpuWheHD3Jodp9YDjTWhuhtQDmpH44QzPgF0nbJhEnY6egChFZo8D5VTpVDok+JcvuBEZyHaEXD6/kI9QJezeK2oT7Cv0inzbQu6lkldqzDXCs47Qss+p+F8SAL0QgFOP3g5Okh5hi67h3ag99aYIIoaY8984aIiG9gpOUVL3LSatsdzPxz/pcIx1X4a2d5cn8X/uKUNj9144LWVL/nVPQU/7VxqwdDViUZlR44k/oR2dHxWqWzTHazXvXasa2J852QYmhNsXnGftkTCVRRIaMviznlx43/NNY+vL4VCP7d3dzyaWCIDi2sF4gdyRv47O1w3VKH38wxbI9unhwHUnewTNKugpmjdGk79xVVV0tknQr7ZcMsTDZKAjP8MlvbToaZURna1hiWtc9DK5iEGAMEqHppl3up3Lt2L1aYtk0LxRO0WiUCR1aDxFBBu6bWD4mz0rz2tMF5dN+7ZOoXzaUjuy3BM53+GLdKDh2eDdyDFThfzSoC+bd7ij/5fr+1J3bGs5hjaJCd0kbA6uvmX1JMvfBJ18UI55OYxo9uI/LYiX42Xd9FGeV4sRQrCRGWifj7StzjBB7B5IZJahgLsQF+1aTPfzV4fndOLx5jRse4Z89NRoGGPJ3BtOfsYAV7vCaARpLIOF5SX4m7M7JuNz3bX+g59PwDY7XyB+72WEDFcqNrFzkaksvi+TW8IxgHHJkp0Q3SRvDx2u11/dsvhVp45L8yoCNhRqWV9RlVSaJTo0ptIK73+ZJkD4x38bogLDpnywLoDd3yxZ10+X3XGprc4KYbhZX+c/Ck0FdfR2+QpNMYARcxnpgS4Q8Hd2CAXVFZdnedtzrWHLWxIm+Q04HAc8vnCT3+uD0brklzmQmZ7wt2ZAfV2WxdJ9dyvEmWaN7Zucbz10/b0Flic3V6U9ywnbK+7swHbSzVKu6oY8X/Yc3IFHJM2JWlq/rv1mAswaWm3Vq/JCvmfobol6TkuIi3GjArwKoyiDQlrXykR9sMTgYmAbTgW0akgVN2YoInDkAJqlSGT4XDH2++CgZdAz4qas/Fw67WHyQtXgRjAgUZ4Pkrv+5sU6jFmTJbvpvm0Hnqt8xRvl143drNlW4syhBXXpuSFgOWJtisnHGwABfpl6JUtDFf9GcVV7nQdhBpvy7e33tPTr3o8LrIMPqanJpoKR94IquLLZootMUyPs/Z+hWKvpHtQ6vhwMQn3BxOCJ7wCMr4+ohKcQP+2snkCLZc1TOBTeRdYjOL52VjbbGCmnryUfkG5WRV8z5IOc3wBF5fK3ZNBrmQdmvt0wDZ76gnimEWT4uV2Dtpk78xASIzbGzc+ZEzlBnr+NkgJnCs96RtLaog6GGoDIgE+t9DzOal/sKYlUb9wwsmSl8tAI41AH7eERmNUkF8gJlVBlsbKW+cmWiw5IaElVKClacVeguRA6aVpPbUintVTmIq2EQYtYwzDbPGpiwS2F1psybVRxfEx++RMEAntrd0A+X+pMkJlztXAz3NncTYwUHAZ2TvB8ERuS5Zk3p3XtA3dSlxmYF+4ZeHRugwdjHgDrReYKYqzeT9Zxhoox5+vsJuM7saOX8P9AMK33T6GK1ws84O+rotl9PQYPsctTp6raQQwb7uMimoGP3BVhD83GRsG+PcJBn9YOk36nviFbjcRl2+h0tTzBc3WVHdLvt8/ibf6L9XRmiHCH9N+iw4K32fl9+mxoVfujD8HqZiudnlhpe0zfBL/mkWBGGmUpuZcG1CZeWgYPpXRkO9W9aoDoPg3LmMy2qWiLRGKjlIQv6D2YCB9RRgREmi6uhUpFcI16lZb3tUKSYan3hB9wwMJiV32cZpinx2GXF9ekk1e5+VXF6t0NEaYJG7lhPBMfvyiz9XDUeIUhTpnIw3VM5hm3yDD7VZBo52XQGmEP1WXZz4eP9O3X+dTwOD550BdJjMv2f/IDvf1Zb9NGajHbc+Fgbxg19LK75Mc3agKDCPliCcmPJ9deLdFROEuOz7rkJJRDYxgGw2yN3uKXR666J9n2oOd0Ow6IqxeMJ/0DNFf

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2848-115-0x00000000000D0000-0x00000000000F0000-memory.dmp	family_chaos
behavioral2/memory/2848-116-0x00000000000D0000-0x00000000000F0000-memory.dmp	family_chaos
C:\Users\Admin\AppData\Roaming\sdf51ewxzv24d54fg.exe	family_chaos
C:\Users\Admin\AppData\Roaming\sdf51ewxzv24d54fg.exe	family_chaos
behavioral2/memory/1164-120-0x0000000000200000-0x0000000000220000-memory.dmp	family_chaos
behavioral2/memory/1164-121-0x0000000000200000-0x0000000000220000-memory.dmp	family_chaos

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2404 bcdedit.exe
4036 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1480 wbadmin.exe
Executes dropped EXE 1 IoCs

Processes:

sdf51ewxzv24d54fg.exe

pid process

1164 sdf51ewxzv24d54fg.exe

pid	process
2404	bcdedit.exe
4036	bcdedit.exe

pid	process
1480	wbadmin.exe

pid	process
1164	sdf51ewxzv24d54fg.exe

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

sdf51ewxzv24d54fg.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\UnregisterUninstall.raw => C:\Users\Admin\Pictures\UnregisterUninstall.raw.WNBE	sdf51ewxzv24d54fg.exe
File renamed	C:\Users\Admin\Pictures\ClearUnblock.tif => C:\Users\Admin\Pictures\ClearUnblock.tif.WNBE	sdf51ewxzv24d54fg.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromWatch.tif => C:\Users\Admin\Pictures\ConvertFromWatch.tif.WNBE	sdf51ewxzv24d54fg.exe
File renamed	C:\Users\Admin\Pictures\ConvertUndo.raw => C:\Users\Admin\Pictures\ConvertUndo.raw.WNBE	sdf51ewxzv24d54fg.exe
File renamed	C:\Users\Admin\Pictures\GetConvert.raw => C:\Users\Admin\Pictures\GetConvert.raw.WNBE	sdf51ewxzv24d54fg.exe

Drops startup file 3 IoCs

Processes:

sdf51ewxzv24d54fg.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdf51ewxzv24d54fg.url	sdf51ewxzv24d54fg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	sdf51ewxzv24d54fg.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt	sdf51ewxzv24d54fg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 34 IoCs

Processes:

sdf51ewxzv24d54fg.exe

description	ioc	process
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	sdf51ewxzv24d54fg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	sdf51ewxzv24d54fg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	sdf51ewxzv24d54fg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	sdf51ewxzv24d54fg.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	sdf51ewxzv24d54fg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	sdf51ewxzv24d54fg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	sdf51ewxzv24d54fg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	sdf51ewxzv24d54fg.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	sdf51ewxzv24d54fg.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	sdf51ewxzv24d54fg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	sdf51ewxzv24d54fg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	sdf51ewxzv24d54fg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	sdf51ewxzv24d54fg.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	sdf51ewxzv24d54fg.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	sdf51ewxzv24d54fg.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	sdf51ewxzv24d54fg.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	sdf51ewxzv24d54fg.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	sdf51ewxzv24d54fg.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	sdf51ewxzv24d54fg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	sdf51ewxzv24d54fg.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	sdf51ewxzv24d54fg.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	sdf51ewxzv24d54fg.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	sdf51ewxzv24d54fg.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	sdf51ewxzv24d54fg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	sdf51ewxzv24d54fg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	sdf51ewxzv24d54fg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	sdf51ewxzv24d54fg.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	sdf51ewxzv24d54fg.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	sdf51ewxzv24d54fg.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	sdf51ewxzv24d54fg.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	sdf51ewxzv24d54fg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	sdf51ewxzv24d54fg.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	sdf51ewxzv24d54fg.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	sdf51ewxzv24d54fg.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

sdf51ewxzv24d54fg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\t3hpl13tn.jpg"	sdf51ewxzv24d54fg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

560 vssadmin.exe
Modifies registry class 1 IoCs

Processes:

sdf51ewxzv24d54fg.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings sdf51ewxzv24d54fg.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

512 NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

sdf51ewxzv24d54fg.exe

pid process

1164 sdf51ewxzv24d54fg.exe

pid	process
560	vssadmin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	sdf51ewxzv24d54fg.exe

pid	process
512	NOTEPAD.EXE

pid	process
1164	sdf51ewxzv24d54fg.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0.bin.exesdf51ewxzv24d54fg.exe

pid	process
2848	99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0.bin.exe
2848	99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0.bin.exe
2848	99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0.bin.exe
2848	99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0.bin.exe
2848	99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0.bin.exe
2848	99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0.bin.exe
2848	99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0.bin.exe
2848	99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0.bin.exe
2848	99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0.bin.exe
2848	99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0.bin.exe
2848	99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0.bin.exe
2848	99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0.bin.exe
2848	99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0.bin.exe
1164	sdf51ewxzv24d54fg.exe
1164	sdf51ewxzv24d54fg.exe
1164	sdf51ewxzv24d54fg.exe
1164	sdf51ewxzv24d54fg.exe
1164	sdf51ewxzv24d54fg.exe
1164	sdf51ewxzv24d54fg.exe
1164	sdf51ewxzv24d54fg.exe
1164	sdf51ewxzv24d54fg.exe
1164	sdf51ewxzv24d54fg.exe
1164	sdf51ewxzv24d54fg.exe
1164	sdf51ewxzv24d54fg.exe
1164	sdf51ewxzv24d54fg.exe
1164	sdf51ewxzv24d54fg.exe
1164	sdf51ewxzv24d54fg.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0.bin.exesdf51ewxzv24d54fg.exevssvc.exeWMIC.exewbengine.exe

description	pid	process
Token: SeDebugPrivilege	2848	99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0.bin.exe
Token: SeDebugPrivilege	1164	sdf51ewxzv24d54fg.exe
Token: SeBackupPrivilege	2912	vssvc.exe
Token: SeRestorePrivilege	2912	vssvc.exe
Token: SeAuditPrivilege	2912	vssvc.exe
Token: SeIncreaseQuotaPrivilege	692	WMIC.exe
Token: SeSecurityPrivilege	692	WMIC.exe
Token: SeTakeOwnershipPrivilege	692	WMIC.exe
Token: SeLoadDriverPrivilege	692	WMIC.exe
Token: SeSystemProfilePrivilege	692	WMIC.exe
Token: SeSystemtimePrivilege	692	WMIC.exe
Token: SeProfSingleProcessPrivilege	692	WMIC.exe
Token: SeIncBasePriorityPrivilege	692	WMIC.exe
Token: SeCreatePagefilePrivilege	692	WMIC.exe
Token: SeBackupPrivilege	692	WMIC.exe
Token: SeRestorePrivilege	692	WMIC.exe
Token: SeShutdownPrivilege	692	WMIC.exe
Token: SeDebugPrivilege	692	WMIC.exe
Token: SeSystemEnvironmentPrivilege	692	WMIC.exe
Token: SeRemoteShutdownPrivilege	692	WMIC.exe
Token: SeUndockPrivilege	692	WMIC.exe
Token: SeManageVolumePrivilege	692	WMIC.exe
Token: 33	692	WMIC.exe
Token: 34	692	WMIC.exe
Token: 35	692	WMIC.exe
Token: 36	692	WMIC.exe
Token: SeIncreaseQuotaPrivilege	692	WMIC.exe
Token: SeSecurityPrivilege	692	WMIC.exe
Token: SeTakeOwnershipPrivilege	692	WMIC.exe
Token: SeLoadDriverPrivilege	692	WMIC.exe
Token: SeSystemProfilePrivilege	692	WMIC.exe
Token: SeSystemtimePrivilege	692	WMIC.exe
Token: SeProfSingleProcessPrivilege	692	WMIC.exe
Token: SeIncBasePriorityPrivilege	692	WMIC.exe
Token: SeCreatePagefilePrivilege	692	WMIC.exe
Token: SeBackupPrivilege	692	WMIC.exe
Token: SeRestorePrivilege	692	WMIC.exe
Token: SeShutdownPrivilege	692	WMIC.exe
Token: SeDebugPrivilege	692	WMIC.exe
Token: SeSystemEnvironmentPrivilege	692	WMIC.exe
Token: SeRemoteShutdownPrivilege	692	WMIC.exe
Token: SeUndockPrivilege	692	WMIC.exe
Token: SeManageVolumePrivilege	692	WMIC.exe
Token: 33	692	WMIC.exe
Token: 34	692	WMIC.exe
Token: 35	692	WMIC.exe
Token: 36	692	WMIC.exe
Token: SeBackupPrivilege	2240	wbengine.exe
Token: SeRestorePrivilege	2240	wbengine.exe
Token: SeSecurityPrivilege	2240	wbengine.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0.bin.exesdf51ewxzv24d54fg.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2848 wrote to memory of 1164	2848	99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0.bin.exe	sdf51ewxzv24d54fg.exe
PID 2848 wrote to memory of 1164	2848	99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0.bin.exe	sdf51ewxzv24d54fg.exe
PID 1164 wrote to memory of 3424	1164	sdf51ewxzv24d54fg.exe	cmd.exe
PID 1164 wrote to memory of 3424	1164	sdf51ewxzv24d54fg.exe	cmd.exe
PID 3424 wrote to memory of 560	3424	cmd.exe	vssadmin.exe
PID 3424 wrote to memory of 560	3424	cmd.exe	vssadmin.exe
PID 3424 wrote to memory of 692	3424	cmd.exe	WMIC.exe
PID 3424 wrote to memory of 692	3424	cmd.exe	WMIC.exe
PID 1164 wrote to memory of 1468	1164	sdf51ewxzv24d54fg.exe	cmd.exe
PID 1164 wrote to memory of 1468	1164	sdf51ewxzv24d54fg.exe	cmd.exe
PID 1468 wrote to memory of 2404	1468	cmd.exe	bcdedit.exe
PID 1468 wrote to memory of 2404	1468	cmd.exe	bcdedit.exe
PID 1468 wrote to memory of 4036	1468	cmd.exe	bcdedit.exe
PID 1468 wrote to memory of 4036	1468	cmd.exe	bcdedit.exe
PID 1164 wrote to memory of 1364	1164	sdf51ewxzv24d54fg.exe	cmd.exe
PID 1164 wrote to memory of 1364	1164	sdf51ewxzv24d54fg.exe	cmd.exe
PID 1364 wrote to memory of 1480	1364	cmd.exe	wbadmin.exe
PID 1364 wrote to memory of 1480	1364	cmd.exe	wbadmin.exe
PID 1164 wrote to memory of 512	1164	sdf51ewxzv24d54fg.exe	NOTEPAD.EXE
PID 1164 wrote to memory of 512	1164	sdf51ewxzv24d54fg.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0.bin.exe
"C:\Users\Admin\AppData\Local\Temp\99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0.bin.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848

C:\Users\Admin\AppData\Roaming\sdf51ewxzv24d54fg.exe
"C:\Users\Admin\AppData\Roaming\sdf51ewxzv24d54fg.exe"
2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:3424

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:560

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:692

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
3⤵
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:2404

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:4036

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
4⤵
- Deletes backup catalog
PID:1480

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
3⤵
- Opens file in notepad (likely ransom note)
PID:512

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1916

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:2988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Inhibit System Recovery

4

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\read_it.txt

MD5
e362bbe6afacca30ae88aae2c2a47b6b

SHA1
41029ace8c47b727b59b260956a5b9ec1a2f7a14

SHA256
71e1c3f4ba03f7b3e3532c4772ca9772ae73df39ea56b1f353a8eb5cc4170419

SHA512
8a947a17820abede11fb5357e6530f5ccad86794303766be1608b5171cad72436b333303470ec6b9956cefe9f61340577e8c3bb731ddab402a2baba7e78f60b6

Download Submit
C:\Users\Admin\AppData\Roaming\sdf51ewxzv24d54fg.exe

MD5
ca6646d85b756664c2c1eb97a91bb8a1

SHA1
24b22ffbd61b3533a25fef787bacf3ecdca973ea

SHA256
99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0

SHA512
d285f0c5a90d80615e74cfd228a221a629721051269078b49b696263c633623e3430aa1d1c1ad0c37454574eac1487641af895b1715bc64647bd08118b46310e

Download Submit
C:\Users\Admin\AppData\Roaming\sdf51ewxzv24d54fg.exe

MD5
ca6646d85b756664c2c1eb97a91bb8a1

SHA1
24b22ffbd61b3533a25fef787bacf3ecdca973ea

SHA256
99f9ffc5e0e9769e9be3c184b828ff8bf4d63cade2492aca281cf3f30891bac0

SHA512
d285f0c5a90d80615e74cfd228a221a629721051269078b49b696263c633623e3430aa1d1c1ad0c37454574eac1487641af895b1715bc64647bd08118b46310e

Download Submit
memory/512-131-0x0000000000000000-mapping.dmp

Download
memory/560-124-0x0000000000000000-mapping.dmp

Download
memory/692-125-0x0000000000000000-mapping.dmp

Download
memory/1164-120-0x0000000000200000-0x0000000000220000-memory.dmp

Filesize
128KB

Download
memory/1164-121-0x0000000000200000-0x0000000000220000-memory.dmp

Filesize
128KB

Download
memory/1164-122-0x000000001AD80000-0x000000001AD82000-memory.dmp

Filesize
8KB

Download
memory/1164-117-0x0000000000000000-mapping.dmp

Download
memory/1364-129-0x0000000000000000-mapping.dmp

Download
memory/1468-126-0x0000000000000000-mapping.dmp

Download
memory/1480-130-0x0000000000000000-mapping.dmp

Download
memory/2404-127-0x0000000000000000-mapping.dmp

Download
memory/2848-115-0x00000000000D0000-0x00000000000F0000-memory.dmp

Filesize
128KB

Download
memory/2848-116-0x00000000000D0000-0x00000000000F0000-memory.dmp

Filesize
128KB

Download
memory/3424-123-0x0000000000000000-mapping.dmp

Download
memory/4036-128-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads