Analysis

  • max time kernel
    91s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-10-2022 14:20

General

  • Target

    c40400ba6365d44e4bb86faf68fdd0ef0a94813b3bab9da213661de3e92cfd14.exe

  • Size

    22KB

  • MD5

    1a2bafc6b806f8ebfc87844f6f29829b

  • SHA1

    e337773bb1e80a51121f78a52d2b86f293453caa

  • SHA256

    c40400ba6365d44e4bb86faf68fdd0ef0a94813b3bab9da213661de3e92cfd14

  • SHA512

    d53bc605620b8d61d0fb9a970fca263d4450a26a1ae842a783891eec1c5a14e2246cb4455be3a497901c059258f19a9d2a0d1cba75f8599cb708829a0f371fdc

  • SSDEEP

    384:C3MLWHn3kI3+PByviFOQConpXlC3AJ+r91Crab5uee:mn3kIqy6qWpU4+r9Sabsee

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\read_it.txt

Ransom Note
All of your files have been encrypted
Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.
What can I do to get my files back?
You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.
The price for the software is $1,500. Payment can be made in Bitcoin only.
How do I pay, where do I get Bitcoin?
Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin.
Many of our customers have reported these sites to be fast and reliable:
Coinmama - hxxps://www.coinmama.com
Bitpanda - hxxps://www.bitpanda.com
Payment information
Amount: 0.1473766 BTC
Bitcoin Address: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 33 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c40400ba6365d44e4bb86faf68fdd0ef0a94813b3bab9da213661de3e92cfd14.exe
    "C:\Users\Admin\AppData\Local\Temp\c40400ba6365d44e4bb86faf68fdd0ef0a94813b3bab9da213661de3e92cfd14.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4788
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Drops startup file
      • Drops desktop.ini file(s)
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1548
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:2664

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\read_it.txt

    Filesize

    881B

    MD5

    c4f2d40600d49cf547b3e627607ad6f2

    SHA1

    fd3b8a69a7d661fc3cc2c182cb095de59b67a2fe

    SHA256

    8331cc0f70383289b254912c6180c8df36902513824ad37a23645bd4191f8e6a

    SHA512

    691c2776dd344af33f5e46badb2615d331fe77eb997d786496a484088e83b1b0d8176a48e826000091637b56c6853ea1519dffdbb36da8b23cf8fab283c991c9

  • C:\Users\Admin\AppData\Roaming\svchost.exe

    Filesize

    22KB

    MD5

    1a2bafc6b806f8ebfc87844f6f29829b

    SHA1

    e337773bb1e80a51121f78a52d2b86f293453caa

    SHA256

    c40400ba6365d44e4bb86faf68fdd0ef0a94813b3bab9da213661de3e92cfd14

    SHA512

    d53bc605620b8d61d0fb9a970fca263d4450a26a1ae842a783891eec1c5a14e2246cb4455be3a497901c059258f19a9d2a0d1cba75f8599cb708829a0f371fdc

  • C:\Users\Admin\AppData\Roaming\svchost.exe

    Filesize

    22KB

    MD5

    1a2bafc6b806f8ebfc87844f6f29829b

    SHA1

    e337773bb1e80a51121f78a52d2b86f293453caa

    SHA256

    c40400ba6365d44e4bb86faf68fdd0ef0a94813b3bab9da213661de3e92cfd14

    SHA512

    d53bc605620b8d61d0fb9a970fca263d4450a26a1ae842a783891eec1c5a14e2246cb4455be3a497901c059258f19a9d2a0d1cba75f8599cb708829a0f371fdc

  • memory/1548-134-0x0000000000000000-mapping.dmp

  • memory/1548-138-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

    Filesize

    10.8MB

  • memory/1548-141-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

    Filesize

    10.8MB

  • memory/2664-139-0x0000000000000000-mapping.dmp

  • memory/4788-132-0x0000000000BD0000-0x0000000000BDC000-memory.dmp

    Filesize

    48KB

  • memory/4788-133-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

    Filesize

    10.8MB

  • memory/4788-137-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

    Filesize

    10.8MB