Overview

overview

10

Static

static

10

684274340a...57.exe

windows7-x64

10

684274340a...57.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    31s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    07/03/2023, 01:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    684274340a8524713ddaf388412f968ef97109ed33d3c5d89290b721016bcc57.exe

  • Size

    2.7MB

  • MD5

    75bd0447e9c391f10792e720f7f4bfd5

  • SHA1

    60d30256a61ec8008b0229a8b90c5daae9cf402c

  • SHA256

    684274340a8524713ddaf388412f968ef97109ed33d3c5d89290b721016bcc57

  • SHA512

    fd5bec71910729f30af23953521da61216fcf16691d8938b755518ed6ae2a2606a3de55d0b6832d2d3d80da3dc940539147d8037f28e45532b158e654f42d1e7

  • SSDEEP

    24576:4DS4lQMNWi3VesNY8106qPN4K3P0QcejoMZLyiTtiFfkOfE:4DSy6PX3PpM+P5Id

Score
10/10
chaosevasionpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\ProgramData\Adobe\Updater6\How to Recovery.bat

Ransom Note
echo off color 0A cls :MENU ECHO. ECHO -----------------Attention----------------- ECHO. ECHO. Your All Files Have been Encrypted! ECHO. ECHO Your Personal files (Documents, Databases, All Drive, PDF, ETC.) We re encrypted. ECHO. But don't worry about your files,You can take back all of them, To decrypt your all files need ECHO. to buy Our Software With your unique private key. Only our software well allow decrypt your files. ECHO. Remember if you try to recovery your files through any third-party software, ECHO. it's can cause premature damage to your files, and we can't help you either. ECHO. ECHO. -----------------Note!----------------- ECHO. ECHO. You have only 72 hours from the moment when an encryption was done to buy our software at $1,000 for the payment ECHO. ECHO. BTC Address:- 33j4JbAEzZwWGgA2MxBARD7zprJuNDP2hP ECHO. ECHO. And if you Payment complete then Send me proof. ECHO. ECHO. Use the following ID as the title of your email:- QA2Z67DXLBFF1000FHN ECHO. ECHO. Use these emails to contact us and receive instructions:- ECHO. ECHO. Main email:- [email protected] ECHO. ECHO. Secondary email ( in case of no response in 48h):- [email protected] ECHO. ECHO. Also, you can send up to 3 test files to see if we can decrypt your files. ECHO. ECHO. After paying, the decryptor software and your private key will be given to you. ECHO. SET /P M=
Wallets

33j4JbAEzZwWGgA2MxBARD7zprJuNDP2hP

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos
  • Chaos Ransomware 5 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Disables Task Manager via registry modification
    evasion
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\684274340a8524713ddaf388412f968ef97109ed33d3c5d89290b721016bcc57.exe
    "C:\Users\Admin\AppData\Local\Temp\684274340a8524713ddaf388412f968ef97109ed33d3c5d89290b721016bcc57.exe"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1308
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Modifies extensions of user files
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1492
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:568
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:928
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1992
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:288
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:544
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1208
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1300
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:1632
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\How to Recovery.bat" "
        3⤵
          PID:1796
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1112
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1972
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:1732
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
          PID:592

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Adobe\Updater6\How to Recovery.bat
          Filesize

          1KB

          MD5

          914457664d91979c49a1c987404f2b1d

          SHA1

          4ab39aef61a44aebc1f40c52d817bcced8d94f3a

          SHA256

          eaedb85da6c79e720761aff0d37b82f2a3e84d3a2967a00066687462463ccfe0

          SHA512

          ef7e3d11ced2df8397454d0d03b3dbbfbb9621996cec271392ad7f97b1194225c4900cd3649161a75bd3d959f8313591bfa6eed01e410d4da0c10bd4bd3fdcb7

          Download Submit

        • C:\Users\Admin\AppData\Roaming\How to Recovery.bat
          Filesize

          1KB

          MD5

          914457664d91979c49a1c987404f2b1d

          SHA1

          4ab39aef61a44aebc1f40c52d817bcced8d94f3a

          SHA256

          eaedb85da6c79e720761aff0d37b82f2a3e84d3a2967a00066687462463ccfe0

          SHA512

          ef7e3d11ced2df8397454d0d03b3dbbfbb9621996cec271392ad7f97b1194225c4900cd3649161a75bd3d959f8313591bfa6eed01e410d4da0c10bd4bd3fdcb7

          Download Submit

        • C:\Users\Admin\AppData\Roaming\svchost.exe
          Filesize

          2.7MB

          MD5

          75bd0447e9c391f10792e720f7f4bfd5

          SHA1

          60d30256a61ec8008b0229a8b90c5daae9cf402c

          SHA256

          684274340a8524713ddaf388412f968ef97109ed33d3c5d89290b721016bcc57

          SHA512

          fd5bec71910729f30af23953521da61216fcf16691d8938b755518ed6ae2a2606a3de55d0b6832d2d3d80da3dc940539147d8037f28e45532b158e654f42d1e7

          Download Submit

        • C:\Users\Admin\AppData\Roaming\svchost.exe
          Filesize

          2.7MB

          MD5

          75bd0447e9c391f10792e720f7f4bfd5

          SHA1

          60d30256a61ec8008b0229a8b90c5daae9cf402c

          SHA256

          684274340a8524713ddaf388412f968ef97109ed33d3c5d89290b721016bcc57

          SHA512

          fd5bec71910729f30af23953521da61216fcf16691d8938b755518ed6ae2a2606a3de55d0b6832d2d3d80da3dc940539147d8037f28e45532b158e654f42d1e7

          Download Submit

        • C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk
          Filesize

          1B

          MD5

          d1457b72c3fb323a2671125aef3eab5d

          SHA1

          5bab61eb53176449e25c2c82f172b82cb13ffb9d

          SHA256

          8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

          SHA512

          ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

          Download Submit

        • memory/1308-54-0x0000000000C40000-0x0000000000EFC000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/1308-55-0x000000001B110000-0x000000001B190000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1492-61-0x00000000012E0000-0x000000000159C000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/1492-62-0x000000001B110000-0x000000001B190000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1492-960-0x000000001B110000-0x000000001B190000-memory.dmp

          Filesize

          512KB

          Download