Analysis
-
max time kernel
91s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
06-02-2023 20:07
Behavioral task
behavioral1
Sample
adawarewebinstaller.bin.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
adawarewebinstaller.bin.exe
Resource
win10v2004-20221111-en
General
-
Target
adawarewebinstaller.bin.exe
-
Size
137KB
-
MD5
9b02b542834573f9502ca83719a73a01
-
SHA1
f3bc7cf16eec977772455f3fce87fed505fb18e3
-
SHA256
e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14
-
SHA512
290c7a5bfc921817d1803ddbe8dd07210301082498945bcabdb597368f92c6fc1050cefec514e6d250571cb4afd6427d8e4ab7cd15d7a46a44cb088cd4d1b031
-
SSDEEP
3072:Eoy7AHYqr9ACDYVbu4sijUtSWnFA22WnVaxs2gzx+IjBz2:0mr9AHVycjUgWnFAGms2gzoch
Malware Config
Extracted
C:\Users\Admin\Desktop\andrianov.txt
leonid.andrianoviaa@mail.ru
3QpLGGaeFwxtV61p1bBUpTBzPcKdtPQpNA
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 3 IoCs
Processes:
resource yara_rule behavioral2/memory/4712-132-0x00000000003A0000-0x00000000003C8000-memory.dmp family_chaos C:\Users\Admin\AppData\Roaming\svchost.exe family_chaos C:\Users\Admin\AppData\Roaming\svchost.exe family_chaos -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
bcdedit.exebcdedit.exepid process 3752 bcdedit.exe 2712 bcdedit.exe -
Processes:
wbadmin.exepid process 336 wbadmin.exe -
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
svchost.exedescription ioc process File renamed C:\Users\Admin\Pictures\GetUnprotect.png => C:\Users\Admin\Pictures\GetUnprotect.png.1iyT6bav7VyWM5 svchost.exe File renamed C:\Users\Admin\Pictures\MoveSave.tif => C:\Users\Admin\Pictures\MoveSave.tif.1iyT6bav7VyWM5 svchost.exe File renamed C:\Users\Admin\Pictures\ResetUnprotect.png => C:\Users\Admin\Pictures\ResetUnprotect.png.1iyT6bav7VyWM5 svchost.exe File renamed C:\Users\Admin\Pictures\TestMount.png => C:\Users\Admin\Pictures\TestMount.png.1iyT6bav7VyWM5 svchost.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
adawarewebinstaller.bin.exesvchost.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation adawarewebinstaller.bin.exe Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation svchost.exe -
Drops startup file 3 IoCs
Processes:
svchost.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\andrianov.txt svchost.exe -
Executes dropped EXE 1 IoCs
Processes:
svchost.exepid process 3032 svchost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 33 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Users\Admin\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini svchost.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini svchost.exe File opened for modification C:\Users\Public\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Public\Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Searches\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini svchost.exe File opened for modification C:\Users\Public\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini svchost.exe File opened for modification C:\Users\Public\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Public\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini svchost.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hir5g4dte.jpg" svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vds.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 vds.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 1484 vssadmin.exe -
Modifies registry class 1 IoCs
Processes:
svchost.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings svchost.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 5108 NOTEPAD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
svchost.exepid process 3032 svchost.exe -
Suspicious behavior: EnumeratesProcesses 49 IoCs
Processes:
adawarewebinstaller.bin.exesvchost.exepid process 4712 adawarewebinstaller.bin.exe 4712 adawarewebinstaller.bin.exe 4712 adawarewebinstaller.bin.exe 4712 adawarewebinstaller.bin.exe 4712 adawarewebinstaller.bin.exe 4712 adawarewebinstaller.bin.exe 4712 adawarewebinstaller.bin.exe 4712 adawarewebinstaller.bin.exe 4712 adawarewebinstaller.bin.exe 4712 adawarewebinstaller.bin.exe 4712 adawarewebinstaller.bin.exe 4712 adawarewebinstaller.bin.exe 4712 adawarewebinstaller.bin.exe 4712 adawarewebinstaller.bin.exe 4712 adawarewebinstaller.bin.exe 4712 adawarewebinstaller.bin.exe 4712 adawarewebinstaller.bin.exe 4712 adawarewebinstaller.bin.exe 4712 adawarewebinstaller.bin.exe 4712 adawarewebinstaller.bin.exe 4712 adawarewebinstaller.bin.exe 4712 adawarewebinstaller.bin.exe 4712 adawarewebinstaller.bin.exe 3032 svchost.exe 3032 svchost.exe 3032 svchost.exe 3032 svchost.exe 3032 svchost.exe 3032 svchost.exe 3032 svchost.exe 3032 svchost.exe 3032 svchost.exe 3032 svchost.exe 3032 svchost.exe 3032 svchost.exe 3032 svchost.exe 3032 svchost.exe 3032 svchost.exe 3032 svchost.exe 3032 svchost.exe 3032 svchost.exe 3032 svchost.exe 3032 svchost.exe 3032 svchost.exe 3032 svchost.exe 3032 svchost.exe 3032 svchost.exe 3032 svchost.exe 3032 svchost.exe -
Suspicious use of AdjustPrivilegeToken 50 IoCs
Processes:
adawarewebinstaller.bin.exesvchost.exevssvc.exeWMIC.exewbengine.exedescription pid process Token: SeDebugPrivilege 4712 adawarewebinstaller.bin.exe Token: SeDebugPrivilege 3032 svchost.exe Token: SeBackupPrivilege 4540 vssvc.exe Token: SeRestorePrivilege 4540 vssvc.exe Token: SeAuditPrivilege 4540 vssvc.exe Token: SeIncreaseQuotaPrivilege 3052 WMIC.exe Token: SeSecurityPrivilege 3052 WMIC.exe Token: SeTakeOwnershipPrivilege 3052 WMIC.exe Token: SeLoadDriverPrivilege 3052 WMIC.exe Token: SeSystemProfilePrivilege 3052 WMIC.exe Token: SeSystemtimePrivilege 3052 WMIC.exe Token: SeProfSingleProcessPrivilege 3052 WMIC.exe Token: SeIncBasePriorityPrivilege 3052 WMIC.exe Token: SeCreatePagefilePrivilege 3052 WMIC.exe Token: SeBackupPrivilege 3052 WMIC.exe Token: SeRestorePrivilege 3052 WMIC.exe Token: SeShutdownPrivilege 3052 WMIC.exe Token: SeDebugPrivilege 3052 WMIC.exe Token: SeSystemEnvironmentPrivilege 3052 WMIC.exe Token: SeRemoteShutdownPrivilege 3052 WMIC.exe Token: SeUndockPrivilege 3052 WMIC.exe Token: SeManageVolumePrivilege 3052 WMIC.exe Token: 33 3052 WMIC.exe Token: 34 3052 WMIC.exe Token: 35 3052 WMIC.exe Token: 36 3052 WMIC.exe Token: SeIncreaseQuotaPrivilege 3052 WMIC.exe Token: SeSecurityPrivilege 3052 WMIC.exe Token: SeTakeOwnershipPrivilege 3052 WMIC.exe Token: SeLoadDriverPrivilege 3052 WMIC.exe Token: SeSystemProfilePrivilege 3052 WMIC.exe Token: SeSystemtimePrivilege 3052 WMIC.exe Token: SeProfSingleProcessPrivilege 3052 WMIC.exe Token: SeIncBasePriorityPrivilege 3052 WMIC.exe Token: SeCreatePagefilePrivilege 3052 WMIC.exe Token: SeBackupPrivilege 3052 WMIC.exe Token: SeRestorePrivilege 3052 WMIC.exe Token: SeShutdownPrivilege 3052 WMIC.exe Token: SeDebugPrivilege 3052 WMIC.exe Token: SeSystemEnvironmentPrivilege 3052 WMIC.exe Token: SeRemoteShutdownPrivilege 3052 WMIC.exe Token: SeUndockPrivilege 3052 WMIC.exe Token: SeManageVolumePrivilege 3052 WMIC.exe Token: 33 3052 WMIC.exe Token: 34 3052 WMIC.exe Token: 35 3052 WMIC.exe Token: 36 3052 WMIC.exe Token: SeBackupPrivilege 1060 wbengine.exe Token: SeRestorePrivilege 1060 wbengine.exe Token: SeSecurityPrivilege 1060 wbengine.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
adawarewebinstaller.bin.exesvchost.execmd.execmd.execmd.exedescription pid process target process PID 4712 wrote to memory of 3032 4712 adawarewebinstaller.bin.exe svchost.exe PID 4712 wrote to memory of 3032 4712 adawarewebinstaller.bin.exe svchost.exe PID 3032 wrote to memory of 1400 3032 svchost.exe cmd.exe PID 3032 wrote to memory of 1400 3032 svchost.exe cmd.exe PID 1400 wrote to memory of 1484 1400 cmd.exe vssadmin.exe PID 1400 wrote to memory of 1484 1400 cmd.exe vssadmin.exe PID 1400 wrote to memory of 3052 1400 cmd.exe WMIC.exe PID 1400 wrote to memory of 3052 1400 cmd.exe WMIC.exe PID 3032 wrote to memory of 1520 3032 svchost.exe cmd.exe PID 3032 wrote to memory of 1520 3032 svchost.exe cmd.exe PID 1520 wrote to memory of 3752 1520 cmd.exe bcdedit.exe PID 1520 wrote to memory of 3752 1520 cmd.exe bcdedit.exe PID 1520 wrote to memory of 2712 1520 cmd.exe bcdedit.exe PID 1520 wrote to memory of 2712 1520 cmd.exe bcdedit.exe PID 3032 wrote to memory of 4976 3032 svchost.exe cmd.exe PID 3032 wrote to memory of 4976 3032 svchost.exe cmd.exe PID 4976 wrote to memory of 336 4976 cmd.exe wbadmin.exe PID 4976 wrote to memory of 336 4976 cmd.exe wbadmin.exe PID 3032 wrote to memory of 5108 3032 svchost.exe NOTEPAD.EXE PID 3032 wrote to memory of 5108 3032 svchost.exe NOTEPAD.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\adawarewebinstaller.bin.exe"C:\Users\Admin\AppData\Local\Temp\adawarewebinstaller.bin.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Modifies extensions of user files
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\andrianov.txt3⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\andrianov.txtFilesize
987B
MD58d31c8f9e4bb13c044a9825aee0cdfa3
SHA16ff267b0179f7ddebe46e8ba855b5e4d176a9bbb
SHA2565aca5bd47a3fd4a211121870f0124245a87528da86b07cb1a0934566ba0349bf
SHA512878a8b06a392000fba503bcd16766c75c53ea033746fd74da02a5bb3a91bf3b9701fb9c89a5eafc179909727c5e16ac21b293fb5de134770bf30db8ed3ae216a
-
C:\Users\Admin\AppData\Roaming\svchost.exeFilesize
137KB
MD59b02b542834573f9502ca83719a73a01
SHA1f3bc7cf16eec977772455f3fce87fed505fb18e3
SHA256e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14
SHA512290c7a5bfc921817d1803ddbe8dd07210301082498945bcabdb597368f92c6fc1050cefec514e6d250571cb4afd6427d8e4ab7cd15d7a46a44cb088cd4d1b031
-
C:\Users\Admin\AppData\Roaming\svchost.exeFilesize
137KB
MD59b02b542834573f9502ca83719a73a01
SHA1f3bc7cf16eec977772455f3fce87fed505fb18e3
SHA256e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14
SHA512290c7a5bfc921817d1803ddbe8dd07210301082498945bcabdb597368f92c6fc1050cefec514e6d250571cb4afd6427d8e4ab7cd15d7a46a44cb088cd4d1b031
-
memory/336-146-0x0000000000000000-mapping.dmp
-
memory/1400-139-0x0000000000000000-mapping.dmp
-
memory/1484-140-0x0000000000000000-mapping.dmp
-
memory/1520-142-0x0000000000000000-mapping.dmp
-
memory/2712-144-0x0000000000000000-mapping.dmp
-
memory/3032-138-0x00007FF812820000-0x00007FF8132E1000-memory.dmpFilesize
10.8MB
-
memory/3032-134-0x0000000000000000-mapping.dmp
-
memory/3032-149-0x00007FF812820000-0x00007FF8132E1000-memory.dmpFilesize
10.8MB
-
memory/3052-141-0x0000000000000000-mapping.dmp
-
memory/3752-143-0x0000000000000000-mapping.dmp
-
memory/4712-137-0x00007FF812820000-0x00007FF8132E1000-memory.dmpFilesize
10.8MB
-
memory/4712-132-0x00000000003A0000-0x00000000003C8000-memory.dmpFilesize
160KB
-
memory/4712-133-0x00007FF812820000-0x00007FF8132E1000-memory.dmpFilesize
10.8MB
-
memory/4976-145-0x0000000000000000-mapping.dmp
-
memory/5108-147-0x0000000000000000-mapping.dmp