Analysis
-
max time kernel
27s -
max time network
30s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
06-02-2023 20:07
Behavioral task
behavioral1
Sample
adawarewebinstaller.bin.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
adawarewebinstaller.bin.exe
Resource
win10v2004-20221111-en
General
-
Target
adawarewebinstaller.bin.exe
-
Size
137KB
-
MD5
9b02b542834573f9502ca83719a73a01
-
SHA1
f3bc7cf16eec977772455f3fce87fed505fb18e3
-
SHA256
e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14
-
SHA512
290c7a5bfc921817d1803ddbe8dd07210301082498945bcabdb597368f92c6fc1050cefec514e6d250571cb4afd6427d8e4ab7cd15d7a46a44cb088cd4d1b031
-
SSDEEP
3072:Eoy7AHYqr9ACDYVbu4sijUtSWnFA22WnVaxs2gzx+IjBz2:0mr9AHVycjUgWnFAGms2gzoch
Malware Config
Extracted
C:\Users\Admin\Desktop\andrianov.txt
leonid.andrianoviaa@mail.ru
3QpLGGaeFwxtV61p1bBUpTBzPcKdtPQpNA
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 4 IoCs
Processes:
resource yara_rule behavioral1/memory/2012-54-0x0000000000ED0000-0x0000000000EF8000-memory.dmp family_chaos C:\Users\Admin\AppData\Roaming\svchost.exe family_chaos C:\Users\Admin\AppData\Roaming\svchost.exe family_chaos behavioral1/memory/1964-58-0x0000000001380000-0x00000000013A8000-memory.dmp family_chaos -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
bcdedit.exebcdedit.exepid process 1744 bcdedit.exe 836 bcdedit.exe -
Processes:
wbadmin.exepid process 1724 wbadmin.exe -
Modifies extensions of user files 6 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
svchost.exedescription ioc process File renamed C:\Users\Admin\Pictures\LimitRename.tif => C:\Users\Admin\Pictures\LimitRename.tif.1iyT6bav7VyWM5 svchost.exe File renamed C:\Users\Admin\Pictures\RequestFind.png => C:\Users\Admin\Pictures\RequestFind.png.1iyT6bav7VyWM5 svchost.exe File renamed C:\Users\Admin\Pictures\WaitInitialize.png => C:\Users\Admin\Pictures\WaitInitialize.png.1iyT6bav7VyWM5 svchost.exe File renamed C:\Users\Admin\Pictures\ConvertToClose.png => C:\Users\Admin\Pictures\ConvertToClose.png.1iyT6bav7VyWM5 svchost.exe File renamed C:\Users\Admin\Pictures\DebugLock.tif => C:\Users\Admin\Pictures\DebugLock.tif.1iyT6bav7VyWM5 svchost.exe File renamed C:\Users\Admin\Pictures\InstallRegister.tif => C:\Users\Admin\Pictures\InstallRegister.tif.1iyT6bav7VyWM5 svchost.exe -
Drops startup file 3 IoCs
Processes:
svchost.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\andrianov.txt svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini svchost.exe -
Executes dropped EXE 1 IoCs
Processes:
svchost.exepid process 1964 svchost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 33 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini svchost.exe File opened for modification C:\Users\Public\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini svchost.exe File opened for modification C:\Users\Public\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Searches\desktop.ini svchost.exe File opened for modification C:\Users\Public\Music\desktop.ini svchost.exe File opened for modification C:\Users\Public\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini svchost.exe File opened for modification C:\Users\Public\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Music\desktop.ini svchost.exe File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini svchost.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini svchost.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini svchost.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\l8lcweka5.jpg" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 644 vssadmin.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 1312 NOTEPAD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
svchost.exepid process 1964 svchost.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
adawarewebinstaller.bin.exesvchost.exepid process 2012 adawarewebinstaller.bin.exe 1964 svchost.exe 1964 svchost.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
adawarewebinstaller.bin.exesvchost.exevssvc.exeWMIC.exewbengine.exedescription pid process Token: SeDebugPrivilege 2012 adawarewebinstaller.bin.exe Token: SeDebugPrivilege 1964 svchost.exe Token: SeBackupPrivilege 1388 vssvc.exe Token: SeRestorePrivilege 1388 vssvc.exe Token: SeAuditPrivilege 1388 vssvc.exe Token: SeIncreaseQuotaPrivilege 1804 WMIC.exe Token: SeSecurityPrivilege 1804 WMIC.exe Token: SeTakeOwnershipPrivilege 1804 WMIC.exe Token: SeLoadDriverPrivilege 1804 WMIC.exe Token: SeSystemProfilePrivilege 1804 WMIC.exe Token: SeSystemtimePrivilege 1804 WMIC.exe Token: SeProfSingleProcessPrivilege 1804 WMIC.exe Token: SeIncBasePriorityPrivilege 1804 WMIC.exe Token: SeCreatePagefilePrivilege 1804 WMIC.exe Token: SeBackupPrivilege 1804 WMIC.exe Token: SeRestorePrivilege 1804 WMIC.exe Token: SeShutdownPrivilege 1804 WMIC.exe Token: SeDebugPrivilege 1804 WMIC.exe Token: SeSystemEnvironmentPrivilege 1804 WMIC.exe Token: SeRemoteShutdownPrivilege 1804 WMIC.exe Token: SeUndockPrivilege 1804 WMIC.exe Token: SeManageVolumePrivilege 1804 WMIC.exe Token: 33 1804 WMIC.exe Token: 34 1804 WMIC.exe Token: 35 1804 WMIC.exe Token: SeIncreaseQuotaPrivilege 1804 WMIC.exe Token: SeSecurityPrivilege 1804 WMIC.exe Token: SeTakeOwnershipPrivilege 1804 WMIC.exe Token: SeLoadDriverPrivilege 1804 WMIC.exe Token: SeSystemProfilePrivilege 1804 WMIC.exe Token: SeSystemtimePrivilege 1804 WMIC.exe Token: SeProfSingleProcessPrivilege 1804 WMIC.exe Token: SeIncBasePriorityPrivilege 1804 WMIC.exe Token: SeCreatePagefilePrivilege 1804 WMIC.exe Token: SeBackupPrivilege 1804 WMIC.exe Token: SeRestorePrivilege 1804 WMIC.exe Token: SeShutdownPrivilege 1804 WMIC.exe Token: SeDebugPrivilege 1804 WMIC.exe Token: SeSystemEnvironmentPrivilege 1804 WMIC.exe Token: SeRemoteShutdownPrivilege 1804 WMIC.exe Token: SeUndockPrivilege 1804 WMIC.exe Token: SeManageVolumePrivilege 1804 WMIC.exe Token: 33 1804 WMIC.exe Token: 34 1804 WMIC.exe Token: 35 1804 WMIC.exe Token: SeBackupPrivilege 1504 wbengine.exe Token: SeRestorePrivilege 1504 wbengine.exe Token: SeSecurityPrivilege 1504 wbengine.exe -
Suspicious use of WriteProcessMemory 30 IoCs
Processes:
adawarewebinstaller.bin.exesvchost.execmd.execmd.execmd.exedescription pid process target process PID 2012 wrote to memory of 1964 2012 adawarewebinstaller.bin.exe svchost.exe PID 2012 wrote to memory of 1964 2012 adawarewebinstaller.bin.exe svchost.exe PID 2012 wrote to memory of 1964 2012 adawarewebinstaller.bin.exe svchost.exe PID 1964 wrote to memory of 1780 1964 svchost.exe cmd.exe PID 1964 wrote to memory of 1780 1964 svchost.exe cmd.exe PID 1964 wrote to memory of 1780 1964 svchost.exe cmd.exe PID 1780 wrote to memory of 644 1780 cmd.exe vssadmin.exe PID 1780 wrote to memory of 644 1780 cmd.exe vssadmin.exe PID 1780 wrote to memory of 644 1780 cmd.exe vssadmin.exe PID 1780 wrote to memory of 1804 1780 cmd.exe WMIC.exe PID 1780 wrote to memory of 1804 1780 cmd.exe WMIC.exe PID 1780 wrote to memory of 1804 1780 cmd.exe WMIC.exe PID 1964 wrote to memory of 1160 1964 svchost.exe cmd.exe PID 1964 wrote to memory of 1160 1964 svchost.exe cmd.exe PID 1964 wrote to memory of 1160 1964 svchost.exe cmd.exe PID 1160 wrote to memory of 1744 1160 cmd.exe bcdedit.exe PID 1160 wrote to memory of 1744 1160 cmd.exe bcdedit.exe PID 1160 wrote to memory of 1744 1160 cmd.exe bcdedit.exe PID 1160 wrote to memory of 836 1160 cmd.exe bcdedit.exe PID 1160 wrote to memory of 836 1160 cmd.exe bcdedit.exe PID 1160 wrote to memory of 836 1160 cmd.exe bcdedit.exe PID 1964 wrote to memory of 1332 1964 svchost.exe cmd.exe PID 1964 wrote to memory of 1332 1964 svchost.exe cmd.exe PID 1964 wrote to memory of 1332 1964 svchost.exe cmd.exe PID 1332 wrote to memory of 1724 1332 cmd.exe wbadmin.exe PID 1332 wrote to memory of 1724 1332 cmd.exe wbadmin.exe PID 1332 wrote to memory of 1724 1332 cmd.exe wbadmin.exe PID 1964 wrote to memory of 1312 1964 svchost.exe NOTEPAD.EXE PID 1964 wrote to memory of 1312 1964 svchost.exe NOTEPAD.EXE PID 1964 wrote to memory of 1312 1964 svchost.exe NOTEPAD.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\adawarewebinstaller.bin.exe"C:\Users\Admin\AppData\Local\Temp\adawarewebinstaller.bin.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Modifies extensions of user files
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\andrianov.txt3⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\andrianov.txtFilesize
987B
MD58d31c8f9e4bb13c044a9825aee0cdfa3
SHA16ff267b0179f7ddebe46e8ba855b5e4d176a9bbb
SHA2565aca5bd47a3fd4a211121870f0124245a87528da86b07cb1a0934566ba0349bf
SHA512878a8b06a392000fba503bcd16766c75c53ea033746fd74da02a5bb3a91bf3b9701fb9c89a5eafc179909727c5e16ac21b293fb5de134770bf30db8ed3ae216a
-
C:\Users\Admin\AppData\Roaming\svchost.exeFilesize
137KB
MD59b02b542834573f9502ca83719a73a01
SHA1f3bc7cf16eec977772455f3fce87fed505fb18e3
SHA256e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14
SHA512290c7a5bfc921817d1803ddbe8dd07210301082498945bcabdb597368f92c6fc1050cefec514e6d250571cb4afd6427d8e4ab7cd15d7a46a44cb088cd4d1b031
-
C:\Users\Admin\AppData\Roaming\svchost.exeFilesize
137KB
MD59b02b542834573f9502ca83719a73a01
SHA1f3bc7cf16eec977772455f3fce87fed505fb18e3
SHA256e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14
SHA512290c7a5bfc921817d1803ddbe8dd07210301082498945bcabdb597368f92c6fc1050cefec514e6d250571cb4afd6427d8e4ab7cd15d7a46a44cb088cd4d1b031
-
memory/644-60-0x0000000000000000-mapping.dmp
-
memory/836-64-0x0000000000000000-mapping.dmp
-
memory/1160-62-0x0000000000000000-mapping.dmp
-
memory/1312-68-0x0000000000000000-mapping.dmp
-
memory/1332-65-0x0000000000000000-mapping.dmp
-
memory/1724-66-0x0000000000000000-mapping.dmp
-
memory/1724-67-0x000007FEFB5F1000-0x000007FEFB5F3000-memory.dmpFilesize
8KB
-
memory/1744-63-0x0000000000000000-mapping.dmp
-
memory/1780-59-0x0000000000000000-mapping.dmp
-
memory/1804-61-0x0000000000000000-mapping.dmp
-
memory/1964-58-0x0000000001380000-0x00000000013A8000-memory.dmpFilesize
160KB
-
memory/1964-55-0x0000000000000000-mapping.dmp
-
memory/2012-54-0x0000000000ED0000-0x0000000000EF8000-memory.dmpFilesize
160KB