Analysis
-
max time kernel
71s -
max time network
7s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
17-01-2022 15:54
Static task
static1
Behavioral task
behavioral1
Sample
AZ(DANGEROUS).exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
AZ(DANGEROUS).exe
Resource
win10v2004-en-20220113
General
-
Target
AZ(DANGEROUS).exe
-
Size
549KB
-
MD5
b3858953d8c79049f6a46b254e6eab6b
-
SHA1
e4407979997b5e1000abaac3a75545e82e8a15b9
-
SHA256
6a3e60f725d30ab2660c6c9e6928bafe273583e3e501097934e873593a13aee6
-
SHA512
6c37402f8b3d76320b5b1db246a3376919ac77e48f1f66d666c5c904519e644daf992e7917632e072cd4b7df91cc42fc0a9cdae84892d9125dbbcbaea6f1169f
Malware Config
Extracted
C:\Users\Admin\Desktop\README.txt
https://computernewb.com/wiki/CollabVM
http://gg.gg/NOU2022
Extracted
C:\Users\Admin\Downloads\TraceOpen.txt
ryuk
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 6 IoCs
Processes:
resource yara_rule behavioral1/memory/1260-54-0x0000000000C70000-0x0000000000CFE000-memory.dmp family_chaos behavioral1/memory/1260-55-0x0000000000C70000-0x0000000000CFE000-memory.dmp family_chaos C:\Users\Admin\AppData\Roaming\explorer.exe family_chaos C:\Users\Admin\AppData\Roaming\explorer.exe family_chaos behavioral1/memory/320-59-0x0000000000CF0000-0x0000000000D7E000-memory.dmp family_chaos behavioral1/memory/320-60-0x0000000000CF0000-0x0000000000D7E000-memory.dmp family_chaos -
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
bcdedit.exebcdedit.exepid process 524 bcdedit.exe 1260 bcdedit.exe -
Processes:
wbadmin.exepid process 620 wbadmin.exe -
Executes dropped EXE 1 IoCs
Processes:
explorer.exepid process 320 explorer.exe -
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
explorer.exedescription ioc process File renamed C:\Users\Admin\Pictures\ConvertFromRename.png => C:\Users\Admin\Pictures\ConvertFromRename.png.AZ explorer.exe File renamed C:\Users\Admin\Pictures\ConvertStop.raw => C:\Users\Admin\Pictures\ConvertStop.raw.AZ explorer.exe File renamed C:\Users\Admin\Pictures\DisconnectUpdate.raw => C:\Users\Admin\Pictures\DisconnectUpdate.raw.AZ explorer.exe File renamed C:\Users\Admin\Pictures\ProtectDeny.raw => C:\Users\Admin\Pictures\ProtectDeny.raw.AZ explorer.exe File renamed C:\Users\Admin\Pictures\UninstallExpand.tif => C:\Users\Admin\Pictures\UninstallExpand.tif.AZ explorer.exe -
Drops startup file 3 IoCs
Processes:
explorer.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.url explorer.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini explorer.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.txt explorer.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 33 IoCs
Processes:
explorer.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini explorer.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini explorer.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini explorer.exe File opened for modification C:\Users\Public\Videos\desktop.ini explorer.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini explorer.exe File opened for modification C:\Users\Admin\Music\desktop.ini explorer.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini explorer.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini explorer.exe File opened for modification C:\Users\Admin\Documents\desktop.ini explorer.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini explorer.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini explorer.exe File opened for modification C:\Users\Public\Documents\desktop.ini explorer.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini explorer.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini explorer.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini explorer.exe File opened for modification C:\Users\Admin\Videos\desktop.ini explorer.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini explorer.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini explorer.exe File opened for modification C:\Users\Admin\Searches\desktop.ini explorer.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini explorer.exe File opened for modification C:\Users\Public\Pictures\desktop.ini explorer.exe File opened for modification C:\Users\Public\Music\desktop.ini explorer.exe File opened for modification C:\Users\Public\Desktop\desktop.ini explorer.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini explorer.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini explorer.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini explorer.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini explorer.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini explorer.exe File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini explorer.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini explorer.exe File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini explorer.exe File opened for modification C:\Users\Admin\Links\desktop.ini explorer.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini explorer.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ddbjr6nhb.jpg" explorer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 1488 vssadmin.exe -
Modifies registry class 2 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache rundll32.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 928 NOTEPAD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
explorer.exepid process 320 explorer.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
AZ(DANGEROUS).exeexplorer.exepid process 1260 AZ(DANGEROUS).exe 1260 AZ(DANGEROUS).exe 320 explorer.exe 320 explorer.exe 320 explorer.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
AZ(DANGEROUS).exeexplorer.exevssvc.exeWMIC.exewbengine.exedescription pid process Token: SeDebugPrivilege 1260 AZ(DANGEROUS).exe Token: SeDebugPrivilege 320 explorer.exe Token: SeBackupPrivilege 1492 vssvc.exe Token: SeRestorePrivilege 1492 vssvc.exe Token: SeAuditPrivilege 1492 vssvc.exe Token: SeIncreaseQuotaPrivilege 1928 WMIC.exe Token: SeSecurityPrivilege 1928 WMIC.exe Token: SeTakeOwnershipPrivilege 1928 WMIC.exe Token: SeLoadDriverPrivilege 1928 WMIC.exe Token: SeSystemProfilePrivilege 1928 WMIC.exe Token: SeSystemtimePrivilege 1928 WMIC.exe Token: SeProfSingleProcessPrivilege 1928 WMIC.exe Token: SeIncBasePriorityPrivilege 1928 WMIC.exe Token: SeCreatePagefilePrivilege 1928 WMIC.exe Token: SeBackupPrivilege 1928 WMIC.exe Token: SeRestorePrivilege 1928 WMIC.exe Token: SeShutdownPrivilege 1928 WMIC.exe Token: SeDebugPrivilege 1928 WMIC.exe Token: SeSystemEnvironmentPrivilege 1928 WMIC.exe Token: SeRemoteShutdownPrivilege 1928 WMIC.exe Token: SeUndockPrivilege 1928 WMIC.exe Token: SeManageVolumePrivilege 1928 WMIC.exe Token: 33 1928 WMIC.exe Token: 34 1928 WMIC.exe Token: 35 1928 WMIC.exe Token: SeIncreaseQuotaPrivilege 1928 WMIC.exe Token: SeSecurityPrivilege 1928 WMIC.exe Token: SeTakeOwnershipPrivilege 1928 WMIC.exe Token: SeLoadDriverPrivilege 1928 WMIC.exe Token: SeSystemProfilePrivilege 1928 WMIC.exe Token: SeSystemtimePrivilege 1928 WMIC.exe Token: SeProfSingleProcessPrivilege 1928 WMIC.exe Token: SeIncBasePriorityPrivilege 1928 WMIC.exe Token: SeCreatePagefilePrivilege 1928 WMIC.exe Token: SeBackupPrivilege 1928 WMIC.exe Token: SeRestorePrivilege 1928 WMIC.exe Token: SeShutdownPrivilege 1928 WMIC.exe Token: SeDebugPrivilege 1928 WMIC.exe Token: SeSystemEnvironmentPrivilege 1928 WMIC.exe Token: SeRemoteShutdownPrivilege 1928 WMIC.exe Token: SeUndockPrivilege 1928 WMIC.exe Token: SeManageVolumePrivilege 1928 WMIC.exe Token: 33 1928 WMIC.exe Token: 34 1928 WMIC.exe Token: 35 1928 WMIC.exe Token: SeBackupPrivilege 1836 wbengine.exe Token: SeRestorePrivilege 1836 wbengine.exe Token: SeSecurityPrivilege 1836 wbengine.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
NOTEPAD.EXEpid process 928 NOTEPAD.EXE -
Suspicious use of WriteProcessMemory 30 IoCs
Processes:
AZ(DANGEROUS).exeexplorer.execmd.execmd.execmd.exedescription pid process target process PID 1260 wrote to memory of 320 1260 AZ(DANGEROUS).exe explorer.exe PID 1260 wrote to memory of 320 1260 AZ(DANGEROUS).exe explorer.exe PID 1260 wrote to memory of 320 1260 AZ(DANGEROUS).exe explorer.exe PID 320 wrote to memory of 1164 320 explorer.exe cmd.exe PID 320 wrote to memory of 1164 320 explorer.exe cmd.exe PID 320 wrote to memory of 1164 320 explorer.exe cmd.exe PID 1164 wrote to memory of 1488 1164 cmd.exe vssadmin.exe PID 1164 wrote to memory of 1488 1164 cmd.exe vssadmin.exe PID 1164 wrote to memory of 1488 1164 cmd.exe vssadmin.exe PID 1164 wrote to memory of 1928 1164 cmd.exe WMIC.exe PID 1164 wrote to memory of 1928 1164 cmd.exe WMIC.exe PID 1164 wrote to memory of 1928 1164 cmd.exe WMIC.exe PID 320 wrote to memory of 368 320 explorer.exe cmd.exe PID 320 wrote to memory of 368 320 explorer.exe cmd.exe PID 320 wrote to memory of 368 320 explorer.exe cmd.exe PID 368 wrote to memory of 524 368 cmd.exe bcdedit.exe PID 368 wrote to memory of 524 368 cmd.exe bcdedit.exe PID 368 wrote to memory of 524 368 cmd.exe bcdedit.exe PID 368 wrote to memory of 1260 368 cmd.exe bcdedit.exe PID 368 wrote to memory of 1260 368 cmd.exe bcdedit.exe PID 368 wrote to memory of 1260 368 cmd.exe bcdedit.exe PID 320 wrote to memory of 672 320 explorer.exe cmd.exe PID 320 wrote to memory of 672 320 explorer.exe cmd.exe PID 320 wrote to memory of 672 320 explorer.exe cmd.exe PID 672 wrote to memory of 620 672 cmd.exe wbadmin.exe PID 672 wrote to memory of 620 672 cmd.exe wbadmin.exe PID 672 wrote to memory of 620 672 cmd.exe wbadmin.exe PID 320 wrote to memory of 928 320 explorer.exe NOTEPAD.EXE PID 320 wrote to memory of 928 320 explorer.exe NOTEPAD.EXE PID 320 wrote to memory of 928 320 explorer.exe NOTEPAD.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\AZ(DANGEROUS).exe"C:\Users\Admin\AppData\Local\Temp\AZ(DANGEROUS).exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\explorer.exe"C:\Users\Admin\AppData\Roaming\explorer.exe"2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\README.txt3⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk.AZ1⤵
- Modifies registry class
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\README.txtMD5
1adb4439f341f75c54015bdd200e53de
SHA16b92c52e2aec7bbf03fc2cce81ea175847adbac3
SHA2564f90e6e474879eb0f650173320c15889a3b7b133656d476f20c792a453316340
SHA51211d91223ddd363425d872032ce40b16e00b2223b81b6e5e7d6a70161ee60fa415808a315d2927adc4b546ee6069e72cc315381b97d7b41ec5fcf70e8c39b94df
-
C:\Users\Admin\AppData\Roaming\explorer.exeMD5
b3858953d8c79049f6a46b254e6eab6b
SHA1e4407979997b5e1000abaac3a75545e82e8a15b9
SHA2566a3e60f725d30ab2660c6c9e6928bafe273583e3e501097934e873593a13aee6
SHA5126c37402f8b3d76320b5b1db246a3376919ac77e48f1f66d666c5c904519e644daf992e7917632e072cd4b7df91cc42fc0a9cdae84892d9125dbbcbaea6f1169f
-
C:\Users\Admin\AppData\Roaming\explorer.exeMD5
b3858953d8c79049f6a46b254e6eab6b
SHA1e4407979997b5e1000abaac3a75545e82e8a15b9
SHA2566a3e60f725d30ab2660c6c9e6928bafe273583e3e501097934e873593a13aee6
SHA5126c37402f8b3d76320b5b1db246a3376919ac77e48f1f66d666c5c904519e644daf992e7917632e072cd4b7df91cc42fc0a9cdae84892d9125dbbcbaea6f1169f
-
memory/320-61-0x000000001AE00000-0x000000001AE02000-memory.dmpFilesize
8KB
-
memory/320-56-0x0000000000000000-mapping.dmp
-
memory/320-59-0x0000000000CF0000-0x0000000000D7E000-memory.dmpFilesize
568KB
-
memory/320-60-0x0000000000CF0000-0x0000000000D7E000-memory.dmpFilesize
568KB
-
memory/368-66-0x0000000000000000-mapping.dmp
-
memory/524-67-0x0000000000000000-mapping.dmp
-
memory/620-70-0x0000000000000000-mapping.dmp
-
memory/672-69-0x0000000000000000-mapping.dmp
-
memory/928-72-0x0000000000000000-mapping.dmp
-
memory/1164-62-0x0000000000000000-mapping.dmp
-
memory/1260-54-0x0000000000C70000-0x0000000000CFE000-memory.dmpFilesize
568KB
-
memory/1260-68-0x0000000000000000-mapping.dmp
-
memory/1260-55-0x0000000000C70000-0x0000000000CFE000-memory.dmpFilesize
568KB
-
memory/1488-63-0x0000000000000000-mapping.dmp
-
memory/1548-64-0x000007FEFC081000-0x000007FEFC083000-memory.dmpFilesize
8KB
-
memory/1928-65-0x0000000000000000-mapping.dmp