Analysis

  • max time kernel
    109s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-11-2022 15:20

General

  • Target

    b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe

  • Size

    423KB

  • MD5

    5aa991c89a6564a3c6351052e157f9d8

  • SHA1

    f481e3cd126a429c33568070c2ff56d27c41a8ce

  • SHA256

    b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979

  • SHA512

    a2c84b4d4a2c27a1baee0fbed0d7b24ca1b1e2ddde6caad078236ecd931e0a2095fe0561ecc57e83830c4f52462d054d10105cc0aafe657c822515da5ec0f21b

  • SSDEEP

    6144:H8JsLcpjzTDDmHayakLkrb4NSarQWtT+tG1XRHOGU9gXIodHShK:8zxzTDWikLSb4NS7ET+tG1X/Fh

Malware Config

Signatures

  • Chaos

    Builder-based ransomware family first seen in June 2021.

  • Chaos Ransomware 10 IoCs
  • Detected Xorist Ransomware 6 IoCs
  • Xorist Ransomware

    Xorist is a builder-based ransomware family that has circulated since around 2010; the builder lets the operator choose the cipher, the appended file extension and the ransom-note text.

  • Deletes shadow copies 2 TTPs

    Ransomware routinely deletes Volume Shadow Copies and other backups to inhibit system recovery (ATT&CK T1490).

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to delete the Windows Backup catalog, so existing backups can no longer be enumerated or restored through Windows Backup.

  • Drops file in Drivers directory 8 IoCs
  • Executes dropped EXE 3 IoCs
  • Drops startup file 5 IoCs
  • Loads dropped DLL 8 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 33 IoCs
  • Drops file in System32 directory 64 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to enumerate connected storage and optical drives, typically so that every mounted volume can be encrypted. Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 10 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe
    "C:\Users\Admin\AppData\Local\Temp\b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1280
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2036
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Drops startup file
        • Drops desktop.ini file(s)
        • Sets desktop wallpaper using registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1064
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:980
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:1800
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic shadowcopy delete
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1948
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1752
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} bootstatuspolicy ignoreallfailures
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1904
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} recoveryenabled no
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:940
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1940
          • C:\Windows\system32\wbadmin.exe
            wbadmin delete catalog -quiet
            5⤵
            • Deletes backup catalog
            PID:1916
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\РАСШИФРОВАТЬ ФАЙЛЫ.txtРАСШИФРОВАТЬ ФАЙЛЫ.txt
          4⤵
            PID:1132
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops startup file
        • Adds Run key to start application
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        PID:560
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1236
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:768
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:1568
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
          PID:1408
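The process tree above records the dropper's recovery-inhibition commands verbatim, each wrapped in `cmd.exe /C` and chained with `&`, and shows the Chaos payload running as `svchost.exe` from `%APPDATA%`. The following Python is an added example, not part of this report and not any vendor's detection content: it scans process-creation events for those command lines (ATT&CK T1490) and for a system-binary name executing from a user-writable path (T1036.005). The event field names (`pid`, `image`, `parent_image`, `command_line`) are an assumption modelled on Sysmon Event ID 1 / Windows 4688 records; the sample events are constructed from the tree above, with two benign controls added that must not alert.

```python
"""Flag recovery-inhibition command lines (T1490) and a system binary name
running from a user-writable path (T1036.005) in process-creation events.

Added example, not part of the sandbox report. Field names are assumed
(Sysmon Event ID 1 / 4688 style); sample events are constructed below.
"""
import re
from typing import Dict, List, Optional, Tuple

# (technique id, description, pattern applied to each chained sub-command)
RULES = [
    ("T1490", "vssadmin deletes all shadow copies",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b.*\s/all\b", re.I)),
    ("T1490", "WMIC deletes shadow copies",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("T1490", "bcdedit disables the recovery environment",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b", re.I)),
    ("T1490", "bcdedit ignores boot failures",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("T1490", "wbadmin deletes the backup catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
]

# Windows system binaries that have no business running from a user's AppData tree.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
CMD_WRAPPER = re.compile(r'^"?[^"]*\bcmd(?:\.exe)?"?\s+/[cCkK]\s+(.*)$', re.I)


def split_cmd_chain(command_line: str) -> List[str]:
    """Unwrap 'cmd.exe /C a & b' and return the chained sub-commands, so each
    tool invocation is matched on its own (the dropper wraps every command this way)."""
    cl = command_line.strip()
    m = CMD_WRAPPER.match(cl)
    if m:
        cl = m.group(1)
    # '&&', '&' and '||' are the chaining operators cmd.exe honours.
    return [p.strip() for p in re.split(r"\s*(?:&&|&|\|\|)\s*", cl) if p.strip()]


def match_rules(command_line: str) -> List[Tuple[str, str]]:
    """Return (technique, description) for every rule hit in the command line."""
    hits = []
    for part in split_cmd_chain(command_line):
        for tid, desc, rx in RULES:
            if rx.search(part):
                hits.append((tid, desc))
    return hits


def check_masquerade(image: str) -> Optional[str]:
    """T1036.005 heuristic: a system binary name under a user's AppData tree."""
    name = image.rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_NAMES and USER_WRITABLE.search(image):
        return f"{name} executing from user-writable path {image}"
    return None


def scan(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Run both checks over process-creation events; one finding per hit."""
    findings = []
    for ev in events:
        cl = str(ev["command_line"])
        for tid, desc in match_rules(cl):
            findings.append({"pid": ev["pid"], "technique": tid, "detail": desc,
                             "parent": ev["parent_image"], "command_line": cl})
        note = check_masquerade(str(ev["image"]))
        if note:
            findings.append({"pid": ev["pid"], "technique": "T1036.005", "detail": note,
                             "parent": ev["parent_image"], "command_line": cl})
    return findings


# Constructed events: the first four mirror the report's process tree (PIDs and
# command lines taken from it); the last two are benign controls.
SAMPLE_EVENTS = [
    {"pid": 1064, "image": r"C:\Users\Admin\AppData\Roaming\svchost.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe",
     "command_line": r'"C:\Users\Admin\AppData\Roaming\svchost.exe"'},
    {"pid": 980, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\Admin\AppData\Roaming\svchost.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete'},
    {"pid": 1752, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\Admin\AppData\Roaming\svchost.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no'},
    {"pid": 1940, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\Admin\AppData\Roaming\svchost.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet'},
    {"pid": 4100, "image": r"C:\Windows\System32\svchost.exe",  # benign control
     "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"pid": 4200, "image": r"C:\Windows\System32\cmd.exe",  # benign control
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /C vssadmin list shadows'},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['technique']}] pid={f['pid']} parent={f['parent']} {f['detail']}")
```

Run against the constructed events this yields six findings: two for PID 980 (vssadmin and WMIC), two for PID 1752 (both bcdedit settings), one for PID 1940 (wbadmin) and one T1036.005 for PID 1064; the two controls stay silent. Matching per sub-command is the point of `split_cmd_chain`: on a host with command-line auditing for child processes only, the same rules fire on the vssadmin/bcdedit/wbadmin children (PIDs 1800, 1948, 1904, 940, 1916 in the tree), and on a host that logs only the `cmd.exe` wrapper they still fire on the parent.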

        Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe

          Filesize

          57KB

          MD5

          bc9b44d8e5eb1543a26c16c2d45f8ab7

          SHA1

          6486e7f0a5a6fdd35913f790af2e3effc42ee994

          SHA256

          767312fe8e5224f5ab86f92dbe6bb7a9bfbab2850ff7238b88d1af753a5563ce

          SHA512

          50b357619d89158aeda54c759af41f7a6a37a279a53c9a2995857f4603532ac553e593a4ce4b287330cb66eb59646cac8449731965e7d4074c6217e818cc5e9e

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe

          Filesize

          141KB

          MD5

          acea7e35f8878aea046a7eb35d0b8330

          SHA1

          16df89d9ab87b2e0473b284bcd808109a1d5c830

          SHA256

          8beeea993369162d71fc7b02b119e546430f6884e5e21dd650f7c754a98dfefe

          SHA512

          99982d107debd5715e40b4afac3c3f95b871aae20b4e9102a59712c5c63b1fc67a45b6c4c2413b02bae49fa8bf860d3b5dc5b597fca855632aa771c6410d8d71

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe.huis_bn

          Filesize

          141KB

          MD5

          98dff88098831ace45f0b21d27cfcdcf

          SHA1

          c4f6736a7966280592c77345d0f2b2d4ff0cf3fe

          SHA256

          2f96e2ed6569d0b94ca86181cd51e4f5505a5e54e02a6662adea60d2a6b87d7b

          SHA512

          823183b8b4b76b46b76e08871b3823006eca74f7b54377f22fc5fa954eab53007869b2804282e913ac30872ffc8d7e78207623e4831030dd6608ab9399b0b0e7

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\HOW TO DECRYPT FILES.txt

          Filesize

          336B

          MD5

          6157e19d642c3e0d5fd57b3705c40dbc

          SHA1

          f00d9d256216460aeef54ce40aad64082a231097

          SHA256

          7c811eb04128fd2a13d5746dcc15494e2593e635b64e474ad40a63ee3524bbf8

          SHA512

          e3ab76dd999232c0c02ab8de2b2eb9334b347d0734a34ddb075c9a7d28459a6dd0b6f1099892bbed0bd57d6e758540dafcf67f96e833dfa17006d3b001e15772

        • C:\Users\Admin\AppData\Roaming\svchost.exe

          Filesize

          141KB

          MD5

          acea7e35f8878aea046a7eb35d0b8330

          SHA1

          16df89d9ab87b2e0473b284bcd808109a1d5c830

          SHA256

          8beeea993369162d71fc7b02b119e546430f6884e5e21dd650f7c754a98dfefe

          SHA512

          99982d107debd5715e40b4afac3c3f95b871aae20b4e9102a59712c5c63b1fc67a45b6c4c2413b02bae49fa8bf860d3b5dc5b597fca855632aa771c6410d8d71

        • C:\Users\Admin\AppData\Roaming\РАСШИФРОВАТЬ ФАЙЛЫ.txtРАСШИФРОВАТЬ ФАЙЛЫ.txt

          Filesize

          331B

          MD5

          2257eeabd7acd4f3fce17525c2ba93e3

          SHA1

          8807bb45e47534f928a08f20520b97eaea254fff

          SHA256

          b0d70f954eff523a253f4811051b149529b8e8a93e721e4c26cb399953b24117

          SHA512

          4f9d73cdbbf9e743df442d8f87153d869be1911953a92ee4d572135ac01cd8f1fc6a962e494c4429b22da7efaf8192d5bea5614c09039a0aadd3e24b253a50fa

        • \Users\Admin\AppData\Local\Temp\RarSFX0\1.exe

          Filesize

          57KB

          MD5

          bc9b44d8e5eb1543a26c16c2d45f8ab7

          SHA1

          6486e7f0a5a6fdd35913f790af2e3effc42ee994

          SHA256

          767312fe8e5224f5ab86f92dbe6bb7a9bfbab2850ff7238b88d1af753a5563ce

          SHA512

          50b357619d89158aeda54c759af41f7a6a37a279a53c9a2995857f4603532ac553e593a4ce4b287330cb66eb59646cac8449731965e7d4074c6217e818cc5e9e

        • \Users\Admin\AppData\Local\Temp\RarSFX0\2.exe

          Filesize

          141KB

          MD5

          acea7e35f8878aea046a7eb35d0b8330

          SHA1

          16df89d9ab87b2e0473b284bcd808109a1d5c830

          SHA256

          8beeea993369162d71fc7b02b119e546430f6884e5e21dd650f7c754a98dfefe

          SHA512

          99982d107debd5715e40b4afac3c3f95b871aae20b4e9102a59712c5c63b1fc67a45b6c4c2413b02bae49fa8bf860d3b5dc5b597fca855632aa771c6410d8d71

        • memory/560-71-0x0000000000000000-mapping.dmp

        • memory/940-80-0x0000000000000000-mapping.dmp

        • memory/980-75-0x0000000000000000-mapping.dmp

        • memory/1064-63-0x0000000000000000-mapping.dmp

        • memory/1064-66-0x0000000000AA0000-0x0000000000ACA000-memory.dmp

          Filesize

          168KB

        • memory/1132-84-0x0000000000000000-mapping.dmp

        • memory/1280-54-0x0000000075601000-0x0000000075603000-memory.dmp

          Filesize

          8KB

        • memory/1752-78-0x0000000000000000-mapping.dmp

        • memory/1800-76-0x0000000000000000-mapping.dmp

        • memory/1904-79-0x0000000000000000-mapping.dmp

        • memory/1916-82-0x0000000000000000-mapping.dmp

        • memory/1916-83-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp

          Filesize

          8KB

        • memory/1940-81-0x0000000000000000-mapping.dmp

        • memory/1948-77-0x0000000000000000-mapping.dmp

        • memory/2036-62-0x0000000001170000-0x000000000119A000-memory.dmp

          Filesize

          168KB

        • memory/2036-59-0x0000000000000000-mapping.dmp
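The Downloads section lists the same files several times and under two path forms, and its hashes carry two facts worth pulling out: `C:\Users\Admin\AppData\Roaming\svchost.exe` has exactly the SHA256 of `RarSFX0\2.exe` (the Chaos payload copies itself into Roaming under a system-binary name), and `2.exe.huis_bn` has the same size as `2.exe` but a different hash (consistent with the Xorist payload encrypting the other dropper in place and appending its `.huis_bn` extension). The Python below is an added example, not part of the report: it consolidates the entries into one IOC table and applies those two inferences as heuristics. The entries are transcribed from the section above; anchoring drive-less paths to `C:` and treating equal size labels as "same size" are this example's assumptions (the labels are rounded by the report, so on a real case compare byte counts).

```python
"""Consolidate a sandbox report's dropped-file entries into one IOC table and
derive from it (a) byte-identical copies under different paths and (b) drops
that look like in-place encrypted versions of another drop.

Added example, not part of the report. Entries are transcribed from the
Downloads section; the two inference rules are heuristics for this example.
"""
from typing import Dict, List, Tuple

Entry = Tuple[str, str, str]  # (path, size label as printed in the report, sha256)

DROPPED_FILES: List[Entry] = [
    (r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe", "57KB",
     "767312fe8e5224f5ab86f92dbe6bb7a9bfbab2850ff7238b88d1af753a5563ce"),
    (r"\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe", "57KB",
     "767312fe8e5224f5ab86f92dbe6bb7a9bfbab2850ff7238b88d1af753a5563ce"),
    (r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe", "141KB",
     "8beeea993369162d71fc7b02b119e546430f6884e5e21dd650f7c754a98dfefe"),
    (r"\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe", "141KB",
     "8beeea993369162d71fc7b02b119e546430f6884e5e21dd650f7c754a98dfefe"),
    (r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe.huis_bn", "141KB",
     "2f96e2ed6569d0b94ca86181cd51e4f5505a5e54e02a6662adea60d2a6b87d7b"),
    (r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\HOW TO DECRYPT FILES.txt", "336B",
     "7c811eb04128fd2a13d5746dcc15494e2593e635b64e474ad40a63ee3524bbf8"),
    (r"C:\Users\Admin\AppData\Roaming\svchost.exe", "141KB",
     "8beeea993369162d71fc7b02b119e546430f6884e5e21dd650f7c754a98dfefe"),
    (r"C:\Users\Admin\AppData\Roaming\РАСШИФРОВАТЬ ФАЙЛЫ.txtРАСШИФРОВАТЬ ФАЙЛЫ.txt", "331B",
     "b0d70f954eff523a253f4811051b149529b8e8a93e721e4c26cb399953b24117"),
]


def normalize_path(path: str) -> str:
    """Sandbox entries sometimes omit the drive letter; the report shows the
    same file under both forms, so (assumption) anchor drive-less paths to C:."""
    return "C:" + path if path.startswith("\\") else path


def build_table(entries: List[Entry]) -> Dict[str, Dict[str, object]]:
    """Key every drop by SHA256; collect its distinct paths case-insensitively."""
    table: Dict[str, Dict[str, object]] = {}
    for path, size, sha in entries:
        rec = table.setdefault(sha, {"size": size, "paths": {}})
        p = normalize_path(path)
        rec["paths"].setdefault(p.lower(), p)  # keep first-seen display form
    return table


def find_self_copies(table: Dict[str, Dict[str, object]]) -> List[Tuple[str, List[str]]]:
    """Hashes that appear under more than one path: a payload copying itself."""
    return sorted((sha, sorted(rec["paths"].values()))
                  for sha, rec in table.items() if len(rec["paths"]) > 1)


def find_encrypted_pairs(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Drop X.ext whose base name X was also dropped, with the same size label
    but a different hash: consistent with in-place encryption appending .ext."""
    by_path = {normalize_path(p).lower(): (size, sha) for p, size, sha in entries}
    pairs = []
    for path, (size, sha) in by_path.items():
        base, dot, ext = path.rpartition(".")
        if dot and base in by_path:
            base_size, base_sha = by_path[base]
            if base_size == size and base_sha != sha:
                pairs.append((base, path, "." + ext))
    return sorted(pairs)


if __name__ == "__main__":
    table = build_table(DROPPED_FILES)
    print(f"{len(table)} unique files from {len(DROPPED_FILES)} entries")
    for sha, paths in find_self_copies(table):
        print("self-copy", sha[:12], *paths, sep="\n  ")
    for base, enc, ext in find_encrypted_pairs(DROPPED_FILES):
        print(f"encrypted in place: {base} -> {enc} (extension {ext})")
```

On the transcribed entries the table collapses eight entries to five unique files, reports one self-copy group (`2.exe` and `Roaming\svchost.exe`) and one encrypted pair (`2.exe` to `2.exe.huis_bn`). The extension string that falls out is the indicator to hunt for across the host, and the self-copy path is the persistence artefact to remove together with the Run key and startup file the signatures attribute to PID 560 and PID 1064.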