Analysis

  • max time kernel
    112s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-11-2022 15:20

General

  • Target

    b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe

  • Size

    423KB

  • MD5

    5aa991c89a6564a3c6351052e157f9d8

  • SHA1

    f481e3cd126a429c33568070c2ff56d27c41a8ce

  • SHA256

    b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979

  • SHA512

    a2c84b4d4a2c27a1baee0fbed0d7b24ca1b1e2ddde6caad078236ecd931e0a2095fe0561ecc57e83830c4f52462d054d10105cc0aafe657c822515da5ec0f21b

  • SSDEEP

    6144:H8JsLcpjzTDDmHayakLkrb4NSarQWtT+tG1XRHOGU9gXIodHShK:8zxzTDWikLSb4NS7ET+tG1X/Fh

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 5 IoCs
  • Detected Xorist Ransomware 2 IoCs
  • Xorist Ransomware

    Xorist is a ransomware first seen in 2020.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Drops file in Drivers directory 8 IoCs
  • Executes dropped EXE 3 IoCs
  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 33 IoCs
  • Drops file in System32 directory 64 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 11 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe
    "C:\Users\Admin\AppData\Local\Temp\b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4460
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3208
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Modifies extensions of user files
        • Checks computer location settings
        • Drops startup file
        • Drops desktop.ini file(s)
        • Sets desktop wallpaper using registry
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2768
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4444
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:960
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic shadowcopy delete
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:224
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3128
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} bootstatuspolicy ignoreallfailures
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1376
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} recoveryenabled no
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:3848
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3676
          • C:\Windows\system32\wbadmin.exe
            wbadmin delete catalog -quiet
            5⤵
            • Deletes backup catalog
            PID:3664
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\РАСШИФРОВАТЬ ФАЙЛЫ.txtРАСШИФРОВАТЬ ФАЙЛЫ.txt
          4⤵
            PID:2672
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops startup file
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        PID:4952
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1392
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3756
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:4188
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Checks SCSI registry key(s)
        PID:2620

      Network

      MITRE ATT&CK Enterprise v6

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe

        Filesize

        57KB

        MD5

        bc9b44d8e5eb1543a26c16c2d45f8ab7

        SHA1

        6486e7f0a5a6fdd35913f790af2e3effc42ee994

        SHA256

        767312fe8e5224f5ab86f92dbe6bb7a9bfbab2850ff7238b88d1af753a5563ce

        SHA512

        50b357619d89158aeda54c759af41f7a6a37a279a53c9a2995857f4603532ac553e593a4ce4b287330cb66eb59646cac8449731965e7d4074c6217e818cc5e9e

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe

        Filesize

        141KB

        MD5

        acea7e35f8878aea046a7eb35d0b8330

        SHA1

        16df89d9ab87b2e0473b284bcd808109a1d5c830

        SHA256

        8beeea993369162d71fc7b02b119e546430f6884e5e21dd650f7c754a98dfefe

        SHA512

        99982d107debd5715e40b4afac3c3f95b871aae20b4e9102a59712c5c63b1fc67a45b6c4c2413b02bae49fa8bf860d3b5dc5b597fca855632aa771c6410d8d71

      • C:\Users\Admin\AppData\Local\Temp\a9odwg20k.jpg

        Filesize

        44KB

        MD5

        3773fa0f5897ea585a8c07c4030b0b83

        SHA1

        5f9c1ce9b5a00a8c219f89faa018581a37be12d2

        SHA256

        75151aece601ec9160c3a006d187837cadedc95382502e19431b776042d7f12c

        SHA512

        b25b382f99e757d64dd663fa817d9cd5f773aa04986d817fdb0ca6d658cae65f9531e8d83c52d7b5c77b37e4421451fd2f745defcb05146bbdab37b06a4f9f15

      • C:\Users\Admin\AppData\Roaming\svchost.exe

        Filesize

        141KB

        MD5

        acea7e35f8878aea046a7eb35d0b8330

        SHA1

        16df89d9ab87b2e0473b284bcd808109a1d5c830

        SHA256

        8beeea993369162d71fc7b02b119e546430f6884e5e21dd650f7c754a98dfefe

        SHA512

        99982d107debd5715e40b4afac3c3f95b871aae20b4e9102a59712c5c63b1fc67a45b6c4c2413b02bae49fa8bf860d3b5dc5b597fca855632aa771c6410d8d71

      • C:\Users\Admin\AppData\Roaming\РАСШИФРОВАТЬ ФАЙЛЫ.txtРАСШИФРОВАТЬ ФАЙЛЫ.txt

        Filesize

        331B

        MD5

        2257eeabd7acd4f3fce17525c2ba93e3

        SHA1

        8807bb45e47534f928a08f20520b97eaea254fff

        SHA256

        b0d70f954eff523a253f4811051b149529b8e8a93e721e4c26cb399953b24117

        SHA512

        4f9d73cdbbf9e743df442d8f87153d869be1911953a92ee4d572135ac01cd8f1fc6a962e494c4429b22da7efaf8192d5bea5614c09039a0aadd3e24b253a50fa

      • memory/224-147-0x0000000000000000-mapping.dmp

      • memory/960-146-0x0000000000000000-mapping.dmp

      • memory/1376-149-0x0000000000000000-mapping.dmp

      • memory/2672-154-0x0000000000000000-mapping.dmp

      • memory/2768-144-0x00007FF883FC0000-0x00007FF884A81000-memory.dmp

        Filesize

        10.8MB

      • memory/2768-153-0x00007FF883FC0000-0x00007FF884A81000-memory.dmp

        Filesize

        10.8MB

      • memory/2768-137-0x0000000000000000-mapping.dmp

      • memory/3128-148-0x0000000000000000-mapping.dmp

      • memory/3208-132-0x0000000000000000-mapping.dmp

      • memory/3208-140-0x00007FF883FC0000-0x00007FF884A81000-memory.dmp

        Filesize

        10.8MB

      • memory/3208-136-0x00007FF883FC0000-0x00007FF884A81000-memory.dmp

        Filesize

        10.8MB

      • memory/3208-135-0x00000000005A0000-0x00000000005CA000-memory.dmp

        Filesize

        168KB

      • memory/3664-152-0x0000000000000000-mapping.dmp

      • memory/3676-151-0x0000000000000000-mapping.dmp

      • memory/3848-150-0x0000000000000000-mapping.dmp

      • memory/4444-145-0x0000000000000000-mapping.dmp

      • memory/4952-141-0x0000000000000000-mapping.dmp