Analysis

  • max time kernel
    43s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-11-2022 23:49

General

  • Target

    e654d76dadfd3cefd9052a116afd0e00.exe

  • Size

    1.1MB

  • MD5

    e654d76dadfd3cefd9052a116afd0e00

  • SHA1

    0774c3f2cdf2ef9760d1cacaeb9464e6f59cf745

  • SHA256

    ca452d795d8a7055e429e57205ff2b3a2083d28fe97dbb1ba591a3178df3a1a4

  • SHA512

    5c85e2aea0db6a2fb9e1ad9960f5c42cb7db62d0089c635ae71e1d029dab83b96116770e054e8633ebeb1e0144120f937e4381b1fa1c04fe8a045aff38cfbf47

  • SSDEEP

    12288:+kN2/snXKG+LtGEUSVH+9drewoSVKxXtP2qdhGAqU1HkYXUHtv7E3vyepAyvuUY0:+kN2/sjDzAPvhuv4Tgqea0nRhO

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 4 IoCs
  • Satana

    Ransomware family which also encrypts the system's Master Boot Record (MBR).

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 33 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e654d76dadfd3cefd9052a116afd0e00.exe
    "C:\Users\Admin\AppData\Local\Temp\e654d76dadfd3cefd9052a116afd0e00.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1816
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Drops startup file
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:892
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:588
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:632
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:964
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1120
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1572
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\!satana!.txt
        3⤵
        PID:324
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:424
  • C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    1⤵
    • Deletes backup catalog
    PID:1700
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:796
  • C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    1⤵
    • Modifies boot configuration data using bcdedit
    PID:544
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:1896
  • C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    1⤵
    • Modifies boot configuration data using bcdedit
    PID:1456
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    PID:1984

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\!satana!.txt

    Filesize

    485B

    MD5

    4a69a5b8e518e19e288f56e02e85ff06

    SHA1

    7e468e1a3239a9f943e2f4286afb7df61d6a8567

    SHA256

    e9a25108a7253da4b02a86cdff843fc991566e53c05889bcfd0ddd006669de08

    SHA512

    87afc6879173b6012fb4c456c255ccb0cbede4e4942d5c48b4e998cb58df8c69b00d6e626bb5d6df51a479135f7aee6b0cd1a2b13d67741cdcc413b0c3a155db

  • C:\Users\Admin\AppData\Roaming\svchost.exe

    Filesize

    1.1MB

    MD5

    e654d76dadfd3cefd9052a116afd0e00

    SHA1

    0774c3f2cdf2ef9760d1cacaeb9464e6f59cf745

    SHA256

    ca452d795d8a7055e429e57205ff2b3a2083d28fe97dbb1ba591a3178df3a1a4

    SHA512

    5c85e2aea0db6a2fb9e1ad9960f5c42cb7db62d0089c635ae71e1d029dab83b96116770e054e8633ebeb1e0144120f937e4381b1fa1c04fe8a045aff38cfbf47

  • memory/324-68-0x0000000000000000-mapping.dmp

  • memory/544-64-0x0000000000000000-mapping.dmp

  • memory/588-59-0x0000000000000000-mapping.dmp

  • memory/632-60-0x0000000000000000-mapping.dmp

  • memory/892-55-0x0000000000000000-mapping.dmp

  • memory/892-58-0x0000000001090000-0x00000000011BC000-memory.dmp

    Filesize

    1.2MB

  • memory/964-61-0x0000000000000000-mapping.dmp

  • memory/1120-65-0x0000000000000000-mapping.dmp

  • memory/1456-63-0x0000000000000000-mapping.dmp

  • memory/1572-62-0x0000000000000000-mapping.dmp

  • memory/1700-66-0x0000000000000000-mapping.dmp

  • memory/1700-67-0x000007FEFC001000-0x000007FEFC003000-memory.dmp

    Filesize

    8KB

  • memory/1816-54-0x0000000000EB0000-0x0000000000FDC000-memory.dmp

    Filesize

    1.2MB