Analysis

  • max time kernel
    91s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-02-2023 20:07

General

  • Target

    adawarewebinstaller.bin.exe

  • Size

    137KB

  • MD5

    9b02b542834573f9502ca83719a73a01

  • SHA1

    f3bc7cf16eec977772455f3fce87fed505fb18e3

  • SHA256

    e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14

  • SHA512

    290c7a5bfc921817d1803ddbe8dd07210301082498945bcabdb597368f92c6fc1050cefec514e6d250571cb4afd6427d8e4ab7cd15d7a46a44cb088cd4d1b031

  • SSDEEP

    3072:Eoy7AHYqr9ACDYVbu4sijUtSWnFA22WnVaxs2gzx+IjBz2:0mr9AHVycjUgWnFAGms2gzoch

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\andrianov.txt

Ransom Note

Your Personal Files has been Encrypted and Locked
Your documents, photos, databases and other important files have been encrypted with strongest encryption and locked with unique key, generated for this computer.
Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key.
Caution: Removing of Blackhat will not restore access to your encrypted files.
Frequently Asked Questions
What happened to my files ? understanding the issue
How can i get my files back ? the only way to restore your files
What should i do next ? Buy decryption key
Now you have the last chance to decrypt your files.
1. Buy Bitcoin (https://blockchain.info)
2. Send amount of 200 dollar to address: to 3QpLGGaeFwxtV61p1bBUpTBzPcKdtPQpNA
3. Transaction will take about 15-30 minutes to confirm.
4. When transaction is confirmed, send email to us at leonid.andrianoviaa@mail.ru
Click here to restore and recovery your files

Emails

leonid.andrianoviaa@mail.ru

Wallets

3QpLGGaeFwxtV61p1bBUpTBzPcKdtPQpNA

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 3 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Drops desktop.ini file(s) 33 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\adawarewebinstaller.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\adawarewebinstaller.bin.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4712
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Modifies extensions of user files
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3032
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1400
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:1484
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3052
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1520
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:3752
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2712
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4976
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:336
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\andrianov.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:5108
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4540
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1060
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:3232
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:2368

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Command-Line Interface (T1059): 1
  • Defense Evasion
    File Deletion (T1107): 3
    Modify Registry (T1112): 1
  • Credential Access
    Credentials in Files (T1081): 1
  • Discovery
    Query Registry (T1012): 2
    System Information Discovery (T1082): 3
    Peripheral Device Discovery (T1120): 1
  • Collection
    Data from Local System (T1005): 1
  • Impact
    Inhibit System Recovery (T1490): 4
    Defacement (T1491): 1

Downloads

    • C:\Users\Admin\AppData\Roaming\andrianov.txt
      Filesize

      987B

      MD5

      8d31c8f9e4bb13c044a9825aee0cdfa3

      SHA1

      6ff267b0179f7ddebe46e8ba855b5e4d176a9bbb

      SHA256

      5aca5bd47a3fd4a211121870f0124245a87528da86b07cb1a0934566ba0349bf

      SHA512

      878a8b06a392000fba503bcd16766c75c53ea033746fd74da02a5bb3a91bf3b9701fb9c89a5eafc179909727c5e16ac21b293fb5de134770bf30db8ed3ae216a

    • C:\Users\Admin\AppData\Roaming\svchost.exe
      Filesize

      137KB

      MD5

      9b02b542834573f9502ca83719a73a01

      SHA1

      f3bc7cf16eec977772455f3fce87fed505fb18e3

      SHA256

      e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14

      SHA512

      290c7a5bfc921817d1803ddbe8dd07210301082498945bcabdb597368f92c6fc1050cefec514e6d250571cb4afd6427d8e4ab7cd15d7a46a44cb088cd4d1b031

    • memory/336-146-0x0000000000000000-mapping.dmp
    • memory/1400-139-0x0000000000000000-mapping.dmp
    • memory/1484-140-0x0000000000000000-mapping.dmp
    • memory/1520-142-0x0000000000000000-mapping.dmp
    • memory/2712-144-0x0000000000000000-mapping.dmp
    • memory/3032-138-0x00007FF812820000-0x00007FF8132E1000-memory.dmp
      Filesize

      10.8MB

    • memory/3032-134-0x0000000000000000-mapping.dmp
    • memory/3032-149-0x00007FF812820000-0x00007FF8132E1000-memory.dmp
      Filesize

      10.8MB

    • memory/3052-141-0x0000000000000000-mapping.dmp
    • memory/3752-143-0x0000000000000000-mapping.dmp
    • memory/4712-137-0x00007FF812820000-0x00007FF8132E1000-memory.dmp
      Filesize

      10.8MB

    • memory/4712-132-0x00000000003A0000-0x00000000003C8000-memory.dmp
      Filesize

      160KB

    • memory/4712-133-0x00007FF812820000-0x00007FF8132E1000-memory.dmp
      Filesize

      10.8MB

    • memory/4976-145-0x0000000000000000-mapping.dmp
    • memory/5108-147-0x0000000000000000-mapping.dmp