Analysis
- max time kernel: 122s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 11/09/2023, 03:28
Behavioral task: behavioral1
- Sample: 1.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: 1.exe
- Resource: win10v2004-20230831-en
General
- Target: 1.exe
- Size: 953KB
- MD5: 5fc3bd9632a02f189d81f75fc3b12ebf
- SHA1: 6abbc78a6fb421adf80051365dbfaff0b3fb696b
- SHA256: 37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60
- SHA512: cf0b9df6db5c85ebc85967dbfbdd99ada401f718445f69f258d9d0a9466f7b58a7bb2f1287cb5679988bd79b42807fa0e0e7fc419557f0af3fbb620b40b2c2af
- SSDEEP: 12288:OzEPMLC814R2hig4tHkg2W+AU+R2TjsPvEpv8LpgUO4EP3SL98l0zmWHQuTwYzz5:0ztQE1ov2AZ9HjkftWyq
Malware Config
- Extracted from: C:\Users\Admin\Documents\PLEASEREAD.txt
Signatures
- Chaos
  Ransomware family first seen in June 2021.
- Chaos Ransomware (2 IoCs)
  resource | yara_rule
  behavioral1/memory/2956-0-0x00000000002F0000-0x00000000003E4000-memory.dmp | family_chaos
  behavioral1/memory/2956-461-0x000000001B010000-0x000000001B090000-memory.dmp | family_chaos
- Renames multiple (203) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Drops startup file (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | 1.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PLEASEREAD.txt | 1.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (34 IoCs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Opens file in notepad (likely ransom note) (1 IoCs)
  pid | Process
  2716 | NOTEPAD.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid | Process
  2956 | 1.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2956 | 1.exe
  2956 | 1.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2956 | 1.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 2956 wrote to memory of 2716 | 2956 | 1.exe | 29
  PID 2956 wrote to memory of 2716 | 2956 | 1.exe | 29
  PID 2956 wrote to memory of 2716 | 2956 | 1.exe | 29
Processes
- C:\Users\Admin\AppData\Local\Temp\1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
  PID: 2956
  - Drops startup file
  - Drops desktop.ini file(s)
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\NOTEPAD.EXE (child process)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\PLEASEREAD.txt
    PID: 2716
    - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 823B
  MD5: 929ad339c51b2a3b1bd4b3b7acf47379
  SHA1: b555580144c617a5950aa55a800b09decb5e4c80
  SHA256: b94bd148bc968f4e6c70f8479a16588424d587812cd17e9b2cc4ba8766d1b5d8
  SHA512: 0319b0c3a4b7223a489b7883b9a6d5f6c51fc0285a96940635b0247e0162b7a6bcc48c5c91b0896e1d676b5bbeac5e8ada4eb200b847cda1a33efc31be020dda