Analysis
max time kernel: 43s
max time network: 46s
platform: windows7_x64
resource: win7-20220414-en
submitted: 25/04/2022, 22:15
Static task: static1
Behavioral task: behavioral1
  Sample: a7f09cfde433f3d47fc96502bf2b623ae5e7626da85d0a0130dcd19d1679af9b.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: a7f09cfde433f3d47fc96502bf2b623ae5e7626da85d0a0130dcd19d1679af9b.exe
  Resource: win10v2004-20220414-en
General
Target: a7f09cfde433f3d47fc96502bf2b623ae5e7626da85d0a0130dcd19d1679af9b.exe
Size: 26KB
MD5: cf6ff9e0403b8d89e42ae54701026c1f
SHA1: a4f5cb11b9340f80a89022131fb525b888aa8bc6
SHA256: a7f09cfde433f3d47fc96502bf2b623ae5e7626da85d0a0130dcd19d1679af9b
SHA512: dca369de908ff4d8a6b095243d8837ad9eb885c78544565586196451f99303e9beb8635e01254514b485f22298b3eaf69afb3666b6032959ae3e9567e78dc575
Malware Config
Signatures
Chaos
Ransomware family first seen in June 2021.

Chaos Ransomware (4 IoCs)
resource                                                                     yara_rule
behavioral1/memory/1012-54-0x0000000000B60000-0x0000000000B6C000-memory.dmp  family_chaos
behavioral1/files/0x000a000000003c9f-56.dat                                  family_chaos
behavioral1/files/0x000a000000003c9f-57.dat                                  family_chaos
behavioral1/memory/1928-58-0x0000000001220000-0x000000000122C000-memory.dmp  family_chaos

Executes dropped EXE (1 IoC)
pid   Process
1928  svchost.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
pid   pid_target  Process       procid_target
1720  1928        WerFault.exe  28

Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid   Process
1012  a7f09cfde433f3d47fc96502bf2b623ae5e7626da85d0a0130dcd19d1679af9b.exe
1928  svchost.exe
1928  svchost.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   Process
Token: SeDebugPrivilege  1012  a7f09cfde433f3d47fc96502bf2b623ae5e7626da85d0a0130dcd19d1679af9b.exe
Token: SeDebugPrivilege  1928  svchost.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                        pid   Process                                                               procid_target
PID 1012 wrote to memory of 1928   1012  a7f09cfde433f3d47fc96502bf2b623ae5e7626da85d0a0130dcd19d1679af9b.exe  28
PID 1012 wrote to memory of 1928   1012  a7f09cfde433f3d47fc96502bf2b623ae5e7626da85d0a0130dcd19d1679af9b.exe  28
PID 1012 wrote to memory of 1928   1012  a7f09cfde433f3d47fc96502bf2b623ae5e7626da85d0a0130dcd19d1679af9b.exe  28
PID 1928 wrote to memory of 1720   1928  svchost.exe                                                           29
PID 1928 wrote to memory of 1720   1928  svchost.exe                                                           29
PID 1928 wrote to memory of 1720   1928  svchost.exe                                                           29
Processes
1. C:\Users\Admin\AppData\Local\Temp\a7f09cfde433f3d47fc96502bf2b623ae5e7626da85d0a0130dcd19d1679af9b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a7f09cfde433f3d47fc96502bf2b623ae5e7626da85d0a0130dcd19d1679af9b.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1012
   2. C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1928
      3. C:\Windows\system32\WerFault.exe
         Command line: C:\Windows\system32\WerFault.exe -u -p 1928 -s 568
         - Program crash
         PID: 1720
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 26KB
MD5: cf6ff9e0403b8d89e42ae54701026c1f
SHA1: a4f5cb11b9340f80a89022131fb525b888aa8bc6
SHA256: a7f09cfde433f3d47fc96502bf2b623ae5e7626da85d0a0130dcd19d1679af9b
SHA512: dca369de908ff4d8a6b095243d8837ad9eb885c78544565586196451f99303e9beb8635e01254514b485f22298b3eaf69afb3666b6032959ae3e9567e78dc575