Overview

overview

10

Static

static

10

AZ(DANGEROUS).exe

windows7_x64

10

AZ(DANGEROUS).exe

windows10-2004_x64

10

Resubmissions

17-01-2022 15:57

220117-tealdsbac4 10

17-01-2022 15:54

220117-tcfdvsbab7 10

Analysis

  • max time kernel
    4265012s
  • max time network
    63s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    17-01-2022 15:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AZ(DANGEROUS).exe

  • Size

    549KB

  • MD5

    b3858953d8c79049f6a46b254e6eab6b

  • SHA1

    e4407979997b5e1000abaac3a75545e82e8a15b9

  • SHA256

    6a3e60f725d30ab2660c6c9e6928bafe273583e3e501097934e873593a13aee6

  • SHA512

    6c37402f8b3d76320b5b1db246a3376919ac77e48f1f66d666c5c904519e644daf992e7917632e072cd4b7df91cc42fc0a9cdae84892d9125dbbcbaea6f1169f

Score
10/10
chaosevasionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\README.txt

Ransom Note
All of your files have been encrypted Your computer was infected with The Arizona Ransomware. Your files have been encrypted and you won't be able to decrypt them without my help. Lisen to our FAQ for more information ----FAQ---- Q: How do I pay? Where do i get bitcoin? A: You cant pay with bitcoin, but you can email us here to unlock your computer, ----> [email protected] Q: The cactus squad is here A: Fake, you know that isint real silly! Q: What is the cost of the decryptor? A: It's Free, as no Bitcoin is required. Q: What is CollabVM? A: Read here ---> https://computernewb.com/wiki/CollabVM Q: What is UserVM A: Same as above, only that users like YOU host the VM's Q: Furries are here A: I dont care, i have alot of defenses set up such as using rick astley to defeat you! (Go To http://gg.gg/NOU2022 For Free Decryption Program) Q: SOMEBODY ONCE TOLD ME I GOT DECRYPTOR A: No, just no ----FAQ END----- DECRYPT NOW! You Have 6 days to do so!
URLs

https://computernewb.com/wiki/CollabVM

http://gg.gg/NOU2022

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos
  • Chaos Ransomware 6 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 33 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious use of AdjustPrivilegeToken 52 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AZ(DANGEROUS).exe
    "C:\Users\Admin\AppData\Local\Temp\AZ(DANGEROUS).exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Users\Admin\AppData\Roaming\explorer.exe
      "C:\Users\Admin\AppData\Roaming\explorer.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Checks computer location settings
      • Drops startup file
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3496
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2928
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:8
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3900
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2400
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:3104
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1780
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1316
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:1312
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\README.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:2688
  • C:\Windows\system32\MusNotification.exe
    C:\Windows\system32\MusNotification.exe
    1⤵
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:2176
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2368
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1240
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:952
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:3972

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2100-131-0x0000000000970000-0x00000000009FE000-memory.dmp

      Filesize

      568KB

      Download

    • memory/2100-130-0x0000000000970000-0x00000000009FE000-memory.dmp

      Filesize

      568KB

      Download

    • memory/3496-137-0x00000000025B0000-0x00000000025B2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3496-136-0x0000000000480000-0x000000000050E000-memory.dmp

      Filesize

      568KB

      Download

    • memory/3496-135-0x0000000000480000-0x000000000050E000-memory.dmp

      Filesize

      568KB

      Download