Analysis

  • max time kernel
    27s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-02-2023 20:07

General

  • Target

    adawarewebinstaller.bin.exe

  • Size

    137KB

  • MD5

    9b02b542834573f9502ca83719a73a01

  • SHA1

    f3bc7cf16eec977772455f3fce87fed505fb18e3

  • SHA256

    e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14

  • SHA512

    290c7a5bfc921817d1803ddbe8dd07210301082498945bcabdb597368f92c6fc1050cefec514e6d250571cb4afd6427d8e4ab7cd15d7a46a44cb088cd4d1b031

  • SSDEEP

    3072:Eoy7AHYqr9ACDYVbu4sijUtSWnFA22WnVaxs2gzx+IjBz2:0mr9AHVycjUgWnFAGms2gzoch

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\andrianov.txt

Ransom Note

Your Personal Files has been Encrypted and Locked
Your documents, photos, databases and other important files have been encrypted with strongest encryption and locked with unique key, generated for this computer.
Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key.
Caution: Removing of Blackhat will not restore access to your encrypted files.

Frequently Asked Questions
What happened to my files ? understanding the issue
How can i get my files back ? the only way to restore your files
What should i do next ? Buy decryption key

Now you have the last chance to decrypt your files.
1. Buy Bitcoin (https://blockchain.info)
2. Send amount of 200 dollar to address: to 3QpLGGaeFwxtV61p1bBUpTBzPcKdtPQpNA
3. Transaction will take about 15-30 minutes to confirm.
4. When transaction is confirmed, send email to us at leonid.andrianoviaa@mail.ru
Click here to restore and recovery your files

Emails

leonid.andrianoviaa@mail.ru

Wallets

3QpLGGaeFwxtV61p1bBUpTBzPcKdtPQpNA
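The sandbox's "Malware Config" block above is the product of an extractor that pulls contact and payment indicators out of the dropped note. The following is an added example of such an extractor, written for this page; it is not the sandbox's own code nor anything from the Chaos builder. NOTE is a constructed copy of the note text quoted above, and the regexes and the Base58Check routine are my own. The wallet check only verifies the address is a well-formed legacy (Base58Check) address; it says nothing about whether the address has ever been used.

```python
"""Pull emails, URLs and Bitcoin addresses out of a ransom note and sanity-check
the addresses. Added example for this report, not sandbox or Chaos code."""
import hashlib
import json
import re

# Constructed copy of the ransom note quoted in this report (layout normalised).
NOTE = """Your Personal Files has been Encrypted and Locked
Your documents, photos, databases and other important files have been encrypted
with strongest encryption and locked with unique key, generated for this computer.
Private decryption key is stored on a secret Internet server and nobody can
decrypt your files until you pay and obtain the private key.
Caution: Removing of Blackhat will not restore access to your encrypted files.
Now you have the last chance to decrypt your files.
1. Buy Bitcoin (https://blockchain.info)
2. Send amount of 200 dollar to address: to 3QpLGGaeFwxtV61p1bBUpTBzPcKdtPQpNA
3. Transaction will take about 15-30 minutes to confirm.
4. When transaction is confirmed, send email to us at leonid.andrianoviaa@mail.ru
Click here to restore and recovery your files
"""

EMAIL_RX = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")
URL_RX = re.compile(r"https?://[^\s()<>'\"]+")
# Legacy Base58Check addresses (P2PKH '1...', P2SH '3...') and bech32 ('bc1...').
BTC_RX = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,62})\b")
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58_decode(s):
    """Base58 -> bytes; each leading '1' encodes a leading zero byte."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)          # raises ValueError on a non-Base58 char
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def base58check_ok(addr):
    """True iff addr decodes to 21 payload bytes + a matching 4-byte
    double-SHA256 checksum. Legacy addresses only; bech32 is not handled."""
    try:
        raw = base58_decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def _uniq(seq):
    """Deduplicate while keeping first-seen order."""
    seen = []
    for x in seq:
        if x not in seen:
            seen.append(x)
    return seen


def extract_indicators(note):
    """Return {'emails', 'urls', 'wallets'}; each wallet carries its Base58Check
    verdict (None for bech32, which uses a different checksum)."""
    return {
        "emails": _uniq(EMAIL_RX.findall(note)),
        "urls": _uniq(URL_RX.findall(note)),
        "wallets": [{"address": w, "base58check": base58check_ok(w) if w[0] in "13" else None}
                    for w in _uniq(BTC_RX.findall(note))],
    }


if __name__ == "__main__":
    print(json.dumps(extract_indicators(NOTE), indent=2))
```

The regex keeps the "to 3Qp..." address and the mail.ru contact exactly as the sandbox reported them; the Base58Check step is what separates a real address from a mangled or decoy string, which matters when these values are fed into blocklists or payment-tracing.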

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware (4 IoCs)
  • Deletes shadow copies (2 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  • Deletes backup catalog (3 TTPs, 1 IoC)

    Uses wbadmin.exe to inhibit system recovery.

  • Modifies extensions of user files (6 IoCs)

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file (3 IoCs)
  • Executes dropped EXE (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials.

  • Drops desktop.ini file(s) (33 IoCs)
  • Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies (2 TTPs, 1 IoC)

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Opens file in notepad (likely ransom note) (1 IoC)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (48 IoCs)
  • Suspicious use of WriteProcessMemory (30 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\adawarewebinstaller.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\adawarewebinstaller.bin.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Modifies extensions of user files
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1780
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:644
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1804
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1160
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1744
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:836
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1332
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:1724
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\andrianov.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:1312
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1388
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1504
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:604
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    PID:336
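The process tree above is the part of this report a detection engineer will reuse: a dropped svchost.exe in the user's AppData\Roaming spawning cmd.exe wrappers for vssadmin, wmic, bcdedit and wbadmin. The following is an added example of detection logic over that tree; it is not the sandbox's code and not the sample's. The ProcessEvent records are constructed from the tree above (PIDs, parent PIDs and command lines as printed on the page; ppid 0 marks the submitted sample, whose parent is not in the capture), and the field names are my own stand-ins for Sysmon Event ID 1 or EDR process-start telemetry. The masquerading check (a system-binary name outside System32/SysWOW64) is an addition of mine, not a signature the report lists.

```python
"""Flag the recovery-inhibition chain (ATT&CK T1490) seen in this report.
Added example: not sandbox or sample code. Events below are constructed
from the report's process tree."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int          # 0 = parent not present in the capture
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    pid: int
    technique: str
    label: str
    evidence: str


# (technique, label, regex over the full command line); all five are T1490.
T1490_PATTERNS = [
    ("T1490", "vssadmin deletes shadow copies",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("T1490", "wmic deletes shadow copies",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("T1490", "wbadmin deletes backup catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
    ("T1490", "bcdedit disables Windows Recovery Environment",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("T1490", "bcdedit ignores boot failures",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]
# My own list of names that only legitimately run from the Windows system directories.
SYSTEM_ONLY_IMAGES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def recovery_inhibition_findings(events):
    """One Finding per (process, pattern) hit. The cmd.exe wrapper and the tool it
    spawns both match on purpose: if the tool's start is never logged, the wrapper
    record alone still fires. triage() collapses the duplicates per process tree."""
    return [Finding(ev.pid, tech, label, ev.command_line)
            for ev in events for tech, label, rx in T1490_PATTERNS
            if rx.search(ev.command_line)]


def masquerading_findings(events):
    """A system-binary name running outside System32/SysWOW64, as with the dropped
    svchost.exe under the user profile in this report."""
    out = []
    for ev in events:
        name = ntpath.basename(ev.image).lower()
        folder = ntpath.dirname(ev.image).lower()
        if name in SYSTEM_ONLY_IMAGES and not folder.startswith(SYSTEM_DIRS):
            out.append(Finding(ev.pid, "masquerading", f"{name} outside a system directory", ev.image))
    return out


def _root_pid(pid, by_pid):
    """Follow parent links up to the top-most process present in the capture."""
    while pid in by_pid and by_pid[pid].ppid in by_pid:
        pid = by_pid[pid].ppid
    return pid


def triage(events):
    """Roll findings up to the root ancestor so one alert describes the whole chain:
    distinct T1490 actions taken plus any masquerading image in that tree."""
    by_pid = {ev.pid: ev for ev in events}
    summary = {}
    for f in recovery_inhibition_findings(events) + masquerading_findings(events):
        root = _root_pid(f.pid, by_pid)
        entry = summary.setdefault(root, {"image": by_pid[root].image, "t1490": set(), "masquerading": []})
        if f.technique == "T1490":
            entry["t1490"].add(f.label)
        else:
            entry["masquerading"].append(f.evidence)
    for entry in summary.values():
        entry["t1490"] = sorted(entry["t1490"])
    return summary


# Constructed from the report's process tree; parent PIDs follow the tree's nesting.
SAMPLE_EVENTS = [
    ProcessEvent(2012, 0, r"C:\Users\Admin\AppData\Local\Temp\adawarewebinstaller.bin.exe",
                 r'"C:\Users\Admin\AppData\Local\Temp\adawarewebinstaller.bin.exe"'),
    ProcessEvent(1964, 2012, r"C:\Users\Admin\AppData\Roaming\svchost.exe",
                 r'"C:\Users\Admin\AppData\Roaming\svchost.exe"'),
    ProcessEvent(1780, 1964, r"C:\Windows\System32\cmd.exe",
                 r'"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete'),
    ProcessEvent(644, 1780, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcessEvent(1804, 1780, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    ProcessEvent(1160, 1964, r"C:\Windows\System32\cmd.exe",
                 r'"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no'),
    ProcessEvent(1744, 1160, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ProcessEvent(836, 1160, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    ProcessEvent(1332, 1964, r"C:\Windows\System32\cmd.exe",
                 r'"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet'),
    ProcessEvent(1724, 1332, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
]

if __name__ == "__main__":
    for root, entry in triage(SAMPLE_EVENTS).items():
        print(root, entry["image"], entry["t1490"], entry["masquerading"])
```

Two design points worth noting. Matching on the child record as well as the cmd.exe wrapper is deliberate: on hosts where vssadmin or wbadmin is missing the wrapper still fires, and the roll-up to the root ancestor (here PID 2012) is what keeps that from producing a flood of near-identical alerts. The roll-up is also what makes the count meaningful: five distinct recovery-inhibition actions under one parent is ransomware behaviour, whereas a lone "vssadmin delete shadows" can be an administrator reclaiming disk space.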

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                      ID     Count
  Execution          Command-Line Interface         T1059  1
  Defense Evasion    File Deletion                  T1107  3
  Defense Evasion    Modify Registry                T1112  1
  Credential Access  Credentials in Files           T1081  1
  Discovery          System Information Discovery   T1082  1
  Collection         Data from Local System         T1005  1
  Impact             Inhibit System Recovery        T1490  4
  Impact             Defacement                     T1491  1


Downloads

  • C:\Users\Admin\AppData\Roaming\andrianov.txt
    Filesize: 987B
    MD5: 8d31c8f9e4bb13c044a9825aee0cdfa3
    SHA1: 6ff267b0179f7ddebe46e8ba855b5e4d176a9bbb
    SHA256: 5aca5bd47a3fd4a211121870f0124245a87528da86b07cb1a0934566ba0349bf
    SHA512: 878a8b06a392000fba503bcd16766c75c53ea033746fd74da02a5bb3a91bf3b9701fb9c89a5eafc179909727c5e16ac21b293fb5de134770bf30db8ed3ae216a

  • C:\Users\Admin\AppData\Roaming\svchost.exe (same size and hashes as the submitted adawarewebinstaller.bin.exe: the dropped file is a byte-for-byte copy of the sample)
    Filesize: 137KB
    MD5: 9b02b542834573f9502ca83719a73a01
    SHA1: f3bc7cf16eec977772455f3fce87fed505fb18e3
    SHA256: e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14
    SHA512: 290c7a5bfc921817d1803ddbe8dd07210301082498945bcabdb597368f92c6fc1050cefec514e6d250571cb4afd6427d8e4ab7cd15d7a46a44cb088cd4d1b031

  • memory/644-60-0x0000000000000000-mapping.dmp
  • memory/836-64-0x0000000000000000-mapping.dmp
  • memory/1160-62-0x0000000000000000-mapping.dmp
  • memory/1312-68-0x0000000000000000-mapping.dmp
  • memory/1332-65-0x0000000000000000-mapping.dmp
  • memory/1724-66-0x0000000000000000-mapping.dmp
  • memory/1724-67-0x000007FEFB5F1000-0x000007FEFB5F3000-memory.dmp (Filesize: 8KB)
  • memory/1744-63-0x0000000000000000-mapping.dmp
  • memory/1780-59-0x0000000000000000-mapping.dmp
  • memory/1804-61-0x0000000000000000-mapping.dmp
  • memory/1964-58-0x0000000001380000-0x00000000013A8000-memory.dmp (Filesize: 160KB)
  • memory/1964-55-0x0000000000000000-mapping.dmp
  • memory/2012-54-0x0000000000ED0000-0x0000000000EF8000-memory.dmp (Filesize: 160KB)