Analysis

  • max time kernel
    1598s
  • max time network
    1625s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    08-05-2022 07:46

General

  • Target

    dead.exe

  • Size

    2.2MB

  • MD5

    b3b5313f4d4d239f5d22a84ef29eb892

  • SHA1

    ac0dd7326305bfee3d19b31ee56c9cbc9b3253f5

  • SHA256

    7df566bbfebbfb07e45989d68668365c56d17d55b013bb30c58de0485d337067

  • SHA512

    c68ead18d282247be06d05c235dc7c07ab9871358b42e9f5756aa2e43bc694dd34a5288b65d1d4d9a0092ca162f3c9aa8d7ca5f6b47ed46973a31b6334a8ba57

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Ransom Note

All of your files have been encrypted
Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.
What can I do to get my files back? You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer. The price for the software is depend. Payment can be made by buying hack and send to me only.
How do I pay, where i can buy hack? This one only need the hack from any game (personal fav: Geometry Dash, Minecraft, Roblox, Cookie Run)
For Minecraft, there're many hack include: Vape V4, Astolfo
+ Astolfo: https://www.astolfo.lgbt/
+ Vape V4: vape.gg
For Geometry Dash, only Mega Hack V7 (Mega Hack Pro): https://absolllute.com/store/view_mega_hack_pro
For Roblox, there're many like: Synapse X, Script-Ware,...
+ Synapse X: https://x.synapse.to/
+ Script-Ware: https://script-ware.com/ (Windows or iOS)
+ Protosmasher: https://protosmasher.net/ (dead)
For Cookie Run, please no, i don't need right now. (its not worth it, and not avilable, easy to get banned)
Note: JUST ONE HACK, NOT MORE.
After you bought one of them, send it via:
Discord: Danet#7950
Email: [email protected]
I AM THE LAWYER, MY FILE IS ENCRYPTED, NOW GIVE ME BACK- Woah woah woah slow down, i'm sorry lawyer... but you have to proof us you're lawyer and we'll give you an decrypter, good luck.
Your public key: uDfsiP4lI2xvhOW/dgdxwvPOOrzBDylv3PcJAXYJh4PZOJaDroaKkDmOQFj2+HXDxd07H6Waqw3v2/y08F/aCiXNwza+600sUYkwxQ7HmyHt+z1q5Me6uVQnbuzbtKqCte2sjAtIxwgcob72cmkTR9ToXrlDYy/6jt8aumzzuRM=

URLs

https://www.astolfo.lgbt/

https://absolllute.com/store/view_mega_hack_pro

https://x.synapse.to/

https://script-ware.com/

https://protosmasher.net/

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware (4 IoCs)
  • Deletes shadow copies (2 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  • Deletes backup catalog (3 TTPs, 1 IoC)

    Uses wbadmin.exe to inhibit system recovery.

  • Executes dropped EXE (1 IoC)
  • Modifies extensions of user files (1 IoC)

    Ransomware generally changes the extension on encrypted files.

  • VMProtect packed file (4 IoCs)

    Detects executables packed with the VMProtect commercial packer.

  • Drops startup file (3 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) (33 IoCs)
  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies (2 TTPs, 1 IoC)

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Opens file in notepad (likely ransom note) (1 IoC)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (48 IoCs)
  • Suspicious use of WriteProcessMemory (30 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\dead.exe
    "C:\Users\Admin\AppData\Local\Temp\dead.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Users\Admin\AppData\Roaming\chrome.exe
      "C:\Users\Admin\AppData\Roaming\chrome.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Drops startup file
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1996
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1556
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:624
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:616
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1488
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1980
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:940
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:888
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:2040
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\readme.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:552
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1952
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1780
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:1420
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
      PID:1824

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\chrome.exe

    Filesize

    2.2MB

    MD5

    b3b5313f4d4d239f5d22a84ef29eb892

    SHA1

    ac0dd7326305bfee3d19b31ee56c9cbc9b3253f5

    SHA256

    7df566bbfebbfb07e45989d68668365c56d17d55b013bb30c58de0485d337067

    SHA512

    c68ead18d282247be06d05c235dc7c07ab9871358b42e9f5756aa2e43bc694dd34a5288b65d1d4d9a0092ca162f3c9aa8d7ca5f6b47ed46973a31b6334a8ba57

  • C:\Users\Admin\AppData\Roaming\readme.txt

    Filesize

    1KB

    MD5

    12a0f95a46741c7e7ac4c13c50f5bf53

    SHA1

    538852ccd570c26fd60e27d22f85a0052fe8abb4

    SHA256

    32ce1bdf2a7acac6e7cbefd6c343e798f5238a520a3e7e4ee1e2e72a7ac1f590

    SHA512

    13db34ebdfb9892e71dfe7ac1ebd42da29b4bcc26327ab50d04eb833cf29a43a302db5e450ccc31cdff0bf69e3b035900372c15843056685c855e591d1c95351

  • memory/552-72-0x0000000000000000-mapping.dmp

  • memory/616-65-0x0000000000000000-mapping.dmp

  • memory/624-64-0x0000000000000000-mapping.dmp

  • memory/888-69-0x0000000000000000-mapping.dmp

  • memory/940-68-0x0000000000000000-mapping.dmp

  • memory/1488-66-0x0000000000000000-mapping.dmp

  • memory/1556-63-0x0000000000000000-mapping.dmp

  • memory/1980-67-0x0000000000000000-mapping.dmp

  • memory/1996-60-0x0000000000B70000-0x0000000000EC8000-memory.dmp

    Filesize

    3.3MB

  • memory/1996-57-0x0000000000000000-mapping.dmp

  • memory/2032-54-0x0000000000220000-0x0000000000578000-memory.dmp

    Filesize

    3.3MB

  • memory/2040-70-0x0000000000000000-mapping.dmp

  • memory/2040-71-0x000007FEFBB71000-0x000007FEFBB73000-memory.dmp

    Filesize

    8KB