Analysis
max time kernel: 142s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20230831-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/09/2023, 03:28
Behavioral task behavioral1: sample 1.exe, resource win7-20230831-en
Behavioral task behavioral2: sample 1.exe, resource win10v2004-20230831-en
General
Target: 1.exe
Size: 953KB
MD5: 5fc3bd9632a02f189d81f75fc3b12ebf
SHA1: 6abbc78a6fb421adf80051365dbfaff0b3fb696b
SHA256: 37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60
SHA512: cf0b9df6db5c85ebc85967dbfbdd99ada401f718445f69f258d9d0a9466f7b58a7bb2f1287cb5679988bd79b42807fa0e0e7fc419557f0af3fbb620b40b2c2af
SSDEEP: 12288:OzEPMLC814R2hig4tHkg2W+AU+R2TjsPvEpv8LpgUO4EP3SL98l0zmWHQuTwYzz5:0ztQE1ov2AZ9HjkftWyq
Malware Config
Extracted from: C:\Users\Admin\Documents\PLEASEREAD.txt
Signatures
- Chaos: ransomware family first seen in June 2021.
- Chaos Ransomware (1 IoC): yara_rule match, resource behavioral2/memory/220-0-0x0000000000010000-0x0000000000104000-memory.dmp, rule family_chaos
- Renames multiple (198) files with added filename extension: this suggests ransomware activity, encrypting all the files on the system.
- Checks computer location settings (2 TTPs, 1 IoC): looks up the country code configured in the registry, likely a geofence. Key value queried: \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation (process 1.exe)
- Drops startup file (2 IoCs): file opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (process 1.exe); file created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PLEASEREAD.txt (process 1.exe)
- Reads user/profile data of web browsers (2 TTPs): infostealers often target stored browser data, which can include saved credentials.
- Drops desktop.ini file(s) (34 IoCs): desktop.ini files across user profile, Public and recycle-bin folders opened for modification by process 1.exe
- Enumerates physical storage devices (1 TTP): attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoC): key created \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000_Classes\Local Settings (process 1.exe)
- Opens file in notepad (likely ransom note) (1 IoC): PID 3856, NOTEPAD.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC): PID 220, 1.exe
- Suspicious behavior: EnumeratesProcesses (23 IoCs): PID 220, 1.exe (23 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC): token SeDebugPrivilege, PID 220, 1.exe
- Suspicious use of WriteProcessMemory (2 IoCs): PID 220 (1.exe) wrote to memory of PID 3856, procid_target 93 (two identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
   PID: 220
   - Checks computer location settings
   - Drops startup file
   - Drops desktop.ini file(s)
   - Modifies registry class
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\NOTEPAD.EXE (child of PID 220)
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\PLEASEREAD.txt
      PID: 3856
      - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 823B
MD5: 929ad339c51b2a3b1bd4b3b7acf47379
SHA1: b555580144c617a5950aa55a800b09decb5e4c80
SHA256: b94bd148bc968f4e6c70f8479a16588424d587812cd17e9b2cc4ba8766d1b5d8
SHA512: 0319b0c3a4b7223a489b7883b9a6d5f6c51fc0285a96940635b0247e0162b7a6bcc48c5c91b0896e1d676b5bbeac5e8ada4eb200b847cda1a33efc31be020dda