Analysis

  • max time kernel
    477s
  • max time network
    585s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230831-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/09/2023, 22:33

General

  • Target

    a52202b5b613be19e0a74cab486b573916c930e0a8332251fe3bcd6ca5a2a2ac.exe

  • Size

    671KB

  • MD5

    599bd35670c4e89123c6d73c769cb0a8

  • SHA1

    17a5bd208e4cc88a9d75a6f90293bb6af95e482c

  • SHA256

    a52202b5b613be19e0a74cab486b573916c930e0a8332251fe3bcd6ca5a2a2ac

  • SHA512

    15279721c73d24a1986ccc0659419bb43de84ef9daaadd314ee8577d74a85ba111b6cb5b7af0e2f318de6d75b1d2f4efac7ae7a63f406f377d27201baca60fb5

  • SSDEEP

    12288:Pt4FTwCGapwkND/MpOStMriowZAv0XzKCrlpoAFzA1Ryhwco5TYFvwIfiidHwJ70:PCiSeYEMtTVK

Malware Config

Extracted

Path

C:\Users\Admin\Documents\README.txt

Ransom Note

All of your files have been encrypted
Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.
What can I do to get your files back?
You can buy our special decryption software, this software will allow you to recover all of your data and remove the cooties from your computer. The price for the software is any donation!!
Payment can be made in Bitcoin only. Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy it.
Contact me because im bored.
Telegram: @anontsugumi
Payment information
Amount: ANY BTC
Bitcoin Address: bc1qpr48nr5hqc7prc5w5f4h82h0n6w8wg93jwky43

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 4 IoCs
  • Renames multiple (185) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 34 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 51 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a52202b5b613be19e0a74cab486b573916c930e0a8332251fe3bcd6ca5a2a2ac.exe
    "C:\Users\Admin\AppData\Local\Temp\a52202b5b613be19e0a74cab486b573916c930e0a8332251fe3bcd6ca5a2a2ac.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1432
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3348
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\README.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:1752

Network


        Downloads

        • C:\Users\Admin\AppData\Roaming\README.txt

          Filesize

          758B

          MD5

          a827f97d9d0a9a035a0ddaee6834a1ce

          SHA1

          495f9592799da2074d5e55c83fcd4f6e060e9b1b

          SHA256

          80725268e5db7edf8cdab3779fb3f691ed479078f73e11e08263b1ad0d1be86f

          SHA512

          9fb3ef63191e51d07a8ffb8f88c844558f3ef6221139d64e199aec3ca7e28be50542fa19d037656bc7172d432c9b10d4ae00cc5da21f7084b5680659a3c1dda2

        • C:\Users\Admin\AppData\Roaming\svchost.exe

          Filesize

          671KB

          MD5

          599bd35670c4e89123c6d73c769cb0a8

          SHA1

          17a5bd208e4cc88a9d75a6f90293bb6af95e482c

          SHA256

          a52202b5b613be19e0a74cab486b573916c930e0a8332251fe3bcd6ca5a2a2ac

          SHA512

          15279721c73d24a1986ccc0659419bb43de84ef9daaadd314ee8577d74a85ba111b6cb5b7af0e2f318de6d75b1d2f4efac7ae7a63f406f377d27201baca60fb5

        • C:\Users\Admin\Documents\README.txt

          Filesize

          758B

          MD5

          a827f97d9d0a9a035a0ddaee6834a1ce

          SHA1

          495f9592799da2074d5e55c83fcd4f6e060e9b1b

          SHA256

          80725268e5db7edf8cdab3779fb3f691ed479078f73e11e08263b1ad0d1be86f

          SHA512

          9fb3ef63191e51d07a8ffb8f88c844558f3ef6221139d64e199aec3ca7e28be50542fa19d037656bc7172d432c9b10d4ae00cc5da21f7084b5680659a3c1dda2

        • memory/1432-0-0x0000000000030000-0x00000000000DE000-memory.dmp

          Filesize

          696KB

        • memory/1432-1-0x00007FFE3EA60000-0x00007FFE3F521000-memory.dmp

          Filesize

          10.8MB

        • memory/1432-15-0x00007FFE3EA60000-0x00007FFE3F521000-memory.dmp

          Filesize

          10.8MB

        • memory/3348-14-0x00007FFE3EA60000-0x00007FFE3F521000-memory.dmp

          Filesize

          10.8MB

        • memory/3348-439-0x00007FFE3EA60000-0x00007FFE3F521000-memory.dmp

          Filesize

          10.8MB