Overview

overview

10

Static

static

10

0a144c8c7a...56.exe

windows7_x64

10

0a144c8c7a...56.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    178s
  • max time network
    186s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    11/02/2022, 07:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0a144c8c7a27b14415064cf3e8a031fa19b59970427c1d00b9bf4a129fc94c56.exe

  • Size

    314KB

  • MD5

    9ccf43bbfaccb1a377e0b87f3f7f538c

  • SHA1

    91d70b30f9232435776d0f6839f6ff7ac4fb586d

  • SHA256

    0a144c8c7a27b14415064cf3e8a031fa19b59970427c1d00b9bf4a129fc94c56

  • SHA512

    64373dc9798701747581c01bb21c4ba672c948e4232b4d1db8ec6a492581147451e31509a3e3f2be647fd4cea95783b4c83f7764f181508ae20c4887001a672c

Score
10/10
chaosransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\read_me.txt

Ransom Note
----> SHQ is multi language ransomware. Translate your note to any language <---- All of your files have been encrypted Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.What can I do to get my files back?You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $42,899.40. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 1337.00 BTC Bitcoin Address: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos
  • Chaos Ransomware 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Drops desktop.ini file(s) 27 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a144c8c7a27b14415064cf3e8a031fa19b59970427c1d00b9bf4a129fc94c56.exe
    "C:\Users\Admin\AppData\Local\Temp\0a144c8c7a27b14415064cf3e8a031fa19b59970427c1d00b9bf4a129fc94c56.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4220
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Drops startup file
      • Drops desktop.ini file(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1532
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4228
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3544

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1532-134-0x00007FFE88FA3000-0x00007FFE88FA5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4220-130-0x00007FFE88FA3000-0x00007FFE88FA5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4220-131-0x00000000005B0000-0x0000000000604000-memory.dmp

    Filesize

    336KB

    Download

  • memory/4228-135-0x0000018C201A0000-0x0000018C201B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4228-136-0x0000018C20720000-0x0000018C20730000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4228-137-0x0000018C22E20000-0x0000018C22E24000-memory.dmp

    Filesize

    16KB

    Download