Analysis
-
max time kernel
43s -
max time network
50s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
28-11-2022 23:49
Behavioral task
behavioral1
Sample
e654d76dadfd3cefd9052a116afd0e00.exe
Resource
win7-20220901-en
General
-
Target
e654d76dadfd3cefd9052a116afd0e00.exe
-
Size
1.1MB
-
MD5
e654d76dadfd3cefd9052a116afd0e00
-
SHA1
0774c3f2cdf2ef9760d1cacaeb9464e6f59cf745
-
SHA256
ca452d795d8a7055e429e57205ff2b3a2083d28fe97dbb1ba591a3178df3a1a4
-
SHA512
5c85e2aea0db6a2fb9e1ad9960f5c42cb7db62d0089c635ae71e1d029dab83b96116770e054e8633ebeb1e0144120f937e4381b1fa1c04fe8a045aff38cfbf47
-
SSDEEP
12288:+kN2/snXKG+LtGEUSVH+9drewoSVKxXtP2qdhGAqU1HkYXUHtv7E3vyepAyvuUY0:+kN2/sjDzAPvhuv4Tgqea0nRhO
Malware Config
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 4 IoCs
Processes:
resource yara_rule behavioral1/memory/1816-54-0x0000000000EB0000-0x0000000000FDC000-memory.dmp family_chaos C:\Users\Admin\AppData\Roaming\svchost.exe family_chaos C:\Users\Admin\AppData\Roaming\svchost.exe family_chaos behavioral1/memory/892-58-0x0000000001090000-0x00000000011BC000-memory.dmp family_chaos -
Satana
Ransomware family which also encrypts the system's Master Boot Record (MBR).
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
bcdedit.exebcdedit.exepid process 544 bcdedit.exe 1456 bcdedit.exe -
Processes:
wbadmin.exepid process 1700 wbadmin.exe -
Executes dropped EXE 1 IoCs
Processes:
svchost.exepid process 892 svchost.exe -
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
svchost.exedescription ioc process File renamed C:\Users\Admin\Pictures\ConvertUninstall.tif => C:\Users\Admin\Pictures\ConvertUninstall.tif.SEX3 svchost.exe File renamed C:\Users\Admin\Pictures\LimitDismount.raw => C:\Users\Admin\Pictures\LimitDismount.raw.SEX3 svchost.exe File renamed C:\Users\Admin\Pictures\MountDisable.raw => C:\Users\Admin\Pictures\MountDisable.raw.SEX3 svchost.exe File renamed C:\Users\Admin\Pictures\ResetSearch.tif => C:\Users\Admin\Pictures\ResetSearch.tif.SEX3 svchost.exe File renamed C:\Users\Admin\Pictures\UpdateLimit.tif => C:\Users\Admin\Pictures\UpdateLimit.tif.SEX3 svchost.exe -
Drops startup file 3 IoCs
Processes:
svchost.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!satana!.txt svchost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 33 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Searches\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Public\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Public\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini svchost.exe File opened for modification C:\Users\Public\Music\desktop.ini svchost.exe File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini svchost.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini svchost.exe File opened for modification C:\Users\Public\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini svchost.exe File opened for modification C:\Users\Public\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini svchost.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1u53gb033.jpg" svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 632 vssadmin.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
svchost.exepid process 892 svchost.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
e654d76dadfd3cefd9052a116afd0e00.exesvchost.exepid process 1816 e654d76dadfd3cefd9052a116afd0e00.exe 892 svchost.exe 892 svchost.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
e654d76dadfd3cefd9052a116afd0e00.exesvchost.exevssvc.exeWMIC.exewbengine.exedescription pid process Token: SeDebugPrivilege 1816 e654d76dadfd3cefd9052a116afd0e00.exe Token: SeDebugPrivilege 892 svchost.exe Token: SeBackupPrivilege 424 vssvc.exe Token: SeRestorePrivilege 424 vssvc.exe Token: SeAuditPrivilege 424 vssvc.exe Token: SeIncreaseQuotaPrivilege 964 WMIC.exe Token: SeSecurityPrivilege 964 WMIC.exe Token: SeTakeOwnershipPrivilege 964 WMIC.exe Token: SeLoadDriverPrivilege 964 WMIC.exe Token: SeSystemProfilePrivilege 964 WMIC.exe Token: SeSystemtimePrivilege 964 WMIC.exe Token: SeProfSingleProcessPrivilege 964 WMIC.exe Token: SeIncBasePriorityPrivilege 964 WMIC.exe Token: SeCreatePagefilePrivilege 964 WMIC.exe Token: SeBackupPrivilege 964 WMIC.exe Token: SeRestorePrivilege 964 WMIC.exe Token: SeShutdownPrivilege 964 WMIC.exe Token: SeDebugPrivilege 964 WMIC.exe Token: SeSystemEnvironmentPrivilege 964 WMIC.exe Token: SeRemoteShutdownPrivilege 964 WMIC.exe Token: SeUndockPrivilege 964 WMIC.exe Token: SeManageVolumePrivilege 964 WMIC.exe Token: 33 964 WMIC.exe Token: 34 964 WMIC.exe Token: 35 964 WMIC.exe Token: SeIncreaseQuotaPrivilege 964 WMIC.exe Token: SeSecurityPrivilege 964 WMIC.exe Token: SeTakeOwnershipPrivilege 964 WMIC.exe Token: SeLoadDriverPrivilege 964 WMIC.exe Token: SeSystemProfilePrivilege 964 WMIC.exe Token: SeSystemtimePrivilege 964 WMIC.exe Token: SeProfSingleProcessPrivilege 964 WMIC.exe Token: SeIncBasePriorityPrivilege 964 WMIC.exe Token: SeCreatePagefilePrivilege 964 WMIC.exe Token: SeBackupPrivilege 964 WMIC.exe Token: SeRestorePrivilege 964 WMIC.exe Token: SeShutdownPrivilege 964 WMIC.exe Token: SeDebugPrivilege 964 WMIC.exe Token: SeSystemEnvironmentPrivilege 964 WMIC.exe Token: SeRemoteShutdownPrivilege 964 WMIC.exe Token: SeUndockPrivilege 964 WMIC.exe Token: SeManageVolumePrivilege 964 WMIC.exe Token: 33 964 WMIC.exe Token: 34 964 WMIC.exe Token: 35 964 WMIC.exe Token: SeBackupPrivilege 796 wbengine.exe Token: SeRestorePrivilege 796 wbengine.exe Token: SeSecurityPrivilege 796 wbengine.exe -
Suspicious use of WriteProcessMemory 30 IoCs
Processes:
e654d76dadfd3cefd9052a116afd0e00.exesvchost.execmd.execmd.execmd.exedescription pid process target process PID 1816 wrote to memory of 892 1816 e654d76dadfd3cefd9052a116afd0e00.exe svchost.exe PID 1816 wrote to memory of 892 1816 e654d76dadfd3cefd9052a116afd0e00.exe svchost.exe PID 1816 wrote to memory of 892 1816 e654d76dadfd3cefd9052a116afd0e00.exe svchost.exe PID 892 wrote to memory of 588 892 svchost.exe cmd.exe PID 892 wrote to memory of 588 892 svchost.exe cmd.exe PID 892 wrote to memory of 588 892 svchost.exe cmd.exe PID 588 wrote to memory of 632 588 cmd.exe vssadmin.exe PID 588 wrote to memory of 632 588 cmd.exe vssadmin.exe PID 588 wrote to memory of 632 588 cmd.exe vssadmin.exe PID 588 wrote to memory of 964 588 cmd.exe WMIC.exe PID 588 wrote to memory of 964 588 cmd.exe WMIC.exe PID 588 wrote to memory of 964 588 cmd.exe WMIC.exe PID 892 wrote to memory of 1572 892 svchost.exe cmd.exe PID 892 wrote to memory of 1572 892 svchost.exe cmd.exe PID 892 wrote to memory of 1572 892 svchost.exe cmd.exe PID 1572 wrote to memory of 1456 1572 cmd.exe bcdedit.exe PID 1572 wrote to memory of 1456 1572 cmd.exe bcdedit.exe PID 1572 wrote to memory of 1456 1572 cmd.exe bcdedit.exe PID 1572 wrote to memory of 544 1572 cmd.exe bcdedit.exe PID 1572 wrote to memory of 544 1572 cmd.exe bcdedit.exe PID 1572 wrote to memory of 544 1572 cmd.exe bcdedit.exe PID 892 wrote to memory of 1120 892 svchost.exe cmd.exe PID 892 wrote to memory of 1120 892 svchost.exe cmd.exe PID 892 wrote to memory of 1120 892 svchost.exe cmd.exe PID 1120 wrote to memory of 1700 1120 cmd.exe wbadmin.exe PID 1120 wrote to memory of 1700 1120 cmd.exe wbadmin.exe PID 1120 wrote to memory of 1700 1120 cmd.exe wbadmin.exe PID 892 wrote to memory of 324 892 svchost.exe NOTEPAD.EXE PID 892 wrote to memory of 324 892 svchost.exe NOTEPAD.EXE PID 892 wrote to memory of 324 892 svchost.exe NOTEPAD.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\e654d76dadfd3cefd9052a116afd0e00.exe"C:\Users\Admin\AppData\Local\Temp\e654d76dadfd3cefd9052a116afd0e00.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
PID:588 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:632
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:964
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
- Suspicious use of WriteProcessMemory
PID:1120
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no3⤵
- Suspicious use of WriteProcessMemory
PID:1572
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\!satana!.txt3⤵PID:324
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:424
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet1⤵
- Deletes backup catalog
PID:1700
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:796
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no1⤵
- Modifies boot configuration data using bcdedit
PID:544
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:1896
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures1⤵
- Modifies boot configuration data using bcdedit
PID:1456
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:1984
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
485B
MD54a69a5b8e518e19e288f56e02e85ff06
SHA17e468e1a3239a9f943e2f4286afb7df61d6a8567
SHA256e9a25108a7253da4b02a86cdff843fc991566e53c05889bcfd0ddd006669de08
SHA51287afc6879173b6012fb4c456c255ccb0cbede4e4942d5c48b4e998cb58df8c69b00d6e626bb5d6df51a479135f7aee6b0cd1a2b13d67741cdcc413b0c3a155db
-
Filesize
1.1MB
MD5e654d76dadfd3cefd9052a116afd0e00
SHA10774c3f2cdf2ef9760d1cacaeb9464e6f59cf745
SHA256ca452d795d8a7055e429e57205ff2b3a2083d28fe97dbb1ba591a3178df3a1a4
SHA5125c85e2aea0db6a2fb9e1ad9960f5c42cb7db62d0089c635ae71e1d029dab83b96116770e054e8633ebeb1e0144120f937e4381b1fa1c04fe8a045aff38cfbf47
-
Filesize
1.1MB
MD5e654d76dadfd3cefd9052a116afd0e00
SHA10774c3f2cdf2ef9760d1cacaeb9464e6f59cf745
SHA256ca452d795d8a7055e429e57205ff2b3a2083d28fe97dbb1ba591a3178df3a1a4
SHA5125c85e2aea0db6a2fb9e1ad9960f5c42cb7db62d0089c635ae71e1d029dab83b96116770e054e8633ebeb1e0144120f937e4381b1fa1c04fe8a045aff38cfbf47