Analysis
max time kernel: 477s
max time network: 585s
platform: windows10-2004_x64
resource: win10v2004-20230831-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/09/2023, 22:33
Behavioral task behavioral1
Sample: a52202b5b613be19e0a74cab486b573916c930e0a8332251fe3bcd6ca5a2a2ac.exe
Resource: win7-20230831-en
Behavioral task behavioral2
Sample: a52202b5b613be19e0a74cab486b573916c930e0a8332251fe3bcd6ca5a2a2ac.exe
Resource: win10v2004-20230831-en
General
Target: a52202b5b613be19e0a74cab486b573916c930e0a8332251fe3bcd6ca5a2a2ac.exe
Size: 671KB
MD5: 599bd35670c4e89123c6d73c769cb0a8
SHA1: 17a5bd208e4cc88a9d75a6f90293bb6af95e482c
SHA256: a52202b5b613be19e0a74cab486b573916c930e0a8332251fe3bcd6ca5a2a2ac
SHA512: 15279721c73d24a1986ccc0659419bb43de84ef9daaadd314ee8577d74a85ba111b6cb5b7af0e2f318de6d75b1d2f4efac7ae7a63f406f377d27201baca60fb5
SSDEEP: 12288:Pt4FTwCGapwkND/MpOStMriowZAv0XzKCrlpoAFzA1Ryhwco5TYFvwIfiidHwJ70:PCiSeYEMtTVK
Malware Config
Extracted from: C:\Users\Admin\Documents\README.txt
Signatures

Chaos
Ransomware family first seen in June 2021.

Chaos Ransomware (4 IoCs)
All four yara matches (rule family_chaos) come from the behavioral2 run on win10v2004: the memory of the submitted sample (PID 1432) and three dropped files.
behavioral2/memory/1432-0-0x0000000000030000-0x00000000000DE000-memory.dmp  family_chaos
behavioral2/files/0x00070000000231ad-6.dat  family_chaos
behavioral2/files/0x00070000000231ad-11.dat  family_chaos
behavioral2/files/0x00070000000231ad-12.dat  family_chaos
Renames multiple (185) files with added filename extension
Bulk renaming of user files with a new extension is consistent with ransomware encrypting files across the system. The appended extension itself is not shown in this report.
-
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation (process: a52202b5b613be19e0a74cab486b573916c930e0a8332251fe3bcd6ca5a2a2ac.exe)
Key value queried: \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation (process: svchost.exe)
Drops startup file (3 IoCs)
The svchost.exe here is the dropped copy in C:\Users\Admin\AppData\Roaming, not the system binary in System32; it persists through a .url shortcut in the per-user Startup folder.
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url (process: svchost.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (process: svchost.exe)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.txt (process: svchost.exe)

Executes dropped EXE (1 IoC)
PID 3348: svchost.exe (C:\Users\Admin\AppData\Roaming\svchost.exe)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. No specific IoCs are listed for this signature in the report.
-
Drops desktop.ini file(s) (34 IoCs)
All 34 entries are "File opened for modification" by svchost.exe (PID 3348). The F:\$RECYCLE.BIN entry shows the dropped binary also walked a second volume.
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
C:\Users\Admin\Links\desktop.ini
C:\Users\Public\Documents\desktop.ini
C:\Users\Public\Videos\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\Admin\Documents\desktop.ini
C:\Users\Admin\Music\desktop.ini
C:\Users\Admin\Saved Games\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\Public\Desktop\desktop.ini
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Admin\Downloads\desktop.ini
C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
C:\Users\Admin\Favorites\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
C:\Users\Admin\Contacts\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
C:\Users\Public\Pictures\desktop.ini
C:\Users\Public\Music\desktop.ini
C:\Users\Admin\Pictures\desktop.ini
C:\Users\Admin\Pictures\Camera Roll\desktop.ini
C:\Users\Admin\Searches\desktop.ini
F:\$RECYCLE.BIN\S-1-5-21-1859779917-101786662-3680946609-1000\desktop.ini
C:\Users\Admin\Favorites\Links\desktop.ini
C:\Users\Admin\Videos\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Admin\OneDrive\desktop.ini
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Set value (str): \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\we2ijj322.jpg" (process: svchost.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class (1 IoC)
Key created: \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000_Classes\Local Settings (process: svchost.exe)

Opens file in notepad (likely ransom note) (1 IoC)
PID 1752: NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
PID 3348: svchost.exe
Suspicious behavior: EnumeratesProcesses (51 IoCs)
51 repeated process-enumeration events, first from PID 1432 (a52202b5b613be19e0a74cab486b573916c930e0a8332251fe3bcd6ca5a2a2ac.exe) and then from PID 3348 (svchost.exe).
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege, PID 1432 (a52202b5b613be19e0a74cab486b573916c930e0a8332251fe3bcd6ca5a2a2ac.exe)
Token: SeDebugPrivilege, PID 3348 (svchost.exe)

Suspicious use of WriteProcessMemory (4 IoCs)
PID 1432 (a52202b5b613be19e0a74cab486b573916c930e0a8332251fe3bcd6ca5a2a2ac.exe) wrote to memory of PID 3348, procid_target 88 (2 events)
PID 3348 (svchost.exe) wrote to memory of PID 1752, procid_target 97 (2 events)
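The signatures above reduce to a handful of host-observable behaviours: a binary named svchost.exe running from a user profile directory, a file dropped into the per-user Startup folder, the wallpaper value pointed at a file under Temp, and a burst of file renames from one process. The following is an added example, not Triage's code and not the sample's, that encodes those checks and runs them over a constructed event list modelled on the report's IoC lines. The event tuple shape, the benign control process (PID 4100), the victim file names and the ".locked" extension are all assumptions; the report gives the rename count (185) but not the extension.

```python
"""Behaviour checks mirroring the report's signatures, run over constructed
sandbox-style events. Added example: not Triage's code and not the sample's."""
from collections import Counter

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a52202b5b613be19e0a74cab486b573916c930e0a8332251fe3bcd6ca5a2a2ac.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\svchost.exe"   # dropped copy from the report
REAL_SVCHOST = r"C:\Windows\System32\svchost.exe"         # assumed benign control

# Constructed events modelled on the report's IoC lines: (pid, image, action, target).
EVENTS = [
    (1432, SAMPLE, "process_create", DROPPED),
    (3348, DROPPED, "file_create",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url"),
    (3348, DROPPED, "file_create",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.txt"),
    (3348, DROPPED, "reg_set",
     r"\REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\Desktop\Wallpaper"
     r"=C:\Users\Admin\AppData\Local\Temp\we2ijj322.jpg"),
    (4100, REAL_SVCHOST, "file_create", r"C:\Windows\Temp\service.log"),
    (4100, REAL_SVCHOST, "file_rename", r"C:\Windows\Temp\a.tmp -> C:\Windows\Temp\b.tmp"),
]
# The report counts 185 renames but does not show the appended extension;
# the victim names and ".locked" are placeholders, not the sample's real values.
EVENTS += [
    (3348, DROPPED, "file_rename",
     rf"C:\Users\Admin\Documents\doc{i}.docx -> C:\Users\Admin\Documents\doc{i}.docx.locked")
    for i in range(185)
]


def masquerading_svchost(events):
    """PIDs whose image is named svchost.exe but lives outside System32/SysWOW64."""
    hits = set()
    for pid, image, _, _ in events:
        low = image.lower()
        if low.endswith(r"\svchost.exe") and not low.startswith(SYSTEM_DIRS):
            hits.add(pid)
    return hits


def startup_folder_drops(events):
    """(pid, path) for every file created inside a per-user Startup folder."""
    return [(pid, target) for pid, _, action, target in events
            if action == "file_create" and STARTUP_DIR in target.lower()]


def wallpaper_set_from_temp(events):
    """PIDs that point the desktop wallpaper value at a file under a Temp directory."""
    hits = set()
    for pid, _, action, target in events:
        if action != "reg_set":
            continue
        key, _, value = target.partition("=")
        if key.lower().endswith(r"\control panel\desktop\wallpaper") and "\\temp\\" in value.lower():
            hits.add(pid)
    return hits


def mass_rename(events, threshold=50):
    """{pid: count} for processes renaming at least `threshold` files (bulk-rename canary)."""
    counts = Counter(pid for pid, _, action, _ in events if action == "file_rename")
    return {pid: n for pid, n in counts.items() if n >= threshold}


def triage(events, rename_threshold=50):
    """Run every check and return the findings keyed by signature name."""
    return {
        "masquerading_svchost": masquerading_svchost(events),
        "startup_drops": startup_folder_drops(events),
        "wallpaper_from_temp": wallpaper_set_from_temp(events),
        "mass_rename": mass_rename(events, rename_threshold),
    }


if __name__ == "__main__":
    for name, finding in triage(EVENTS).items():
        print(f"{name}: {finding}")
```

The rename threshold is the tuning knob: the report's 185 renames from a single PID is far above what a normal user-mode process does in one run, but archive extractors and build tools can legitimately cross a low threshold, so pair the count with the masquerading and Startup-folder checks rather than alerting on it alone.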
Processes
C:\Users\Admin\AppData\Local\Temp\a52202b5b613be19e0a74cab486b573916c930e0a8332251fe3bcd6ca5a2a2ac.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a52202b5b613be19e0a74cab486b573916c930e0a8332251fe3bcd6ca5a2a2ac.exe"
  PID: 1432
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child: C:\Users\Admin\AppData\Roaming\svchost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
    PID: 3348
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Child: C:\Windows\system32\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\README.txt
      PID: 1752
      - Opens file in notepad (likely ransom note)
Network
(no entries in this report)

MITRE ATT&CK Enterprise v15
(no entries in this report)
Downloads
The report lists five download entries, but only two distinct files: a 758B file (listed twice) and a 671KB file (listed three times) whose hashes are identical to the submitted sample, consistent with the dropped svchost.exe being a straight copy of the original.

Filesize: 758B (2 entries, identical hashes)
MD5: a827f97d9d0a9a035a0ddaee6834a1ce
SHA1: 495f9592799da2074d5e55c83fcd4f6e060e9b1b
SHA256: 80725268e5db7edf8cdab3779fb3f691ed479078f73e11e08263b1ad0d1be86f
SHA512: 9fb3ef63191e51d07a8ffb8f88c844558f3ef6221139d64e199aec3ca7e28be50542fa19d037656bc7172d432c9b10d4ae00cc5da21f7084b5680659a3c1dda2

Filesize: 671KB (3 entries, identical hashes, same as the submitted sample)
MD5: 599bd35670c4e89123c6d73c769cb0a8
SHA1: 17a5bd208e4cc88a9d75a6f90293bb6af95e482c
SHA256: a52202b5b613be19e0a74cab486b573916c930e0a8332251fe3bcd6ca5a2a2ac
SHA512: 15279721c73d24a1986ccc0659419bb43de84ef9daaadd314ee8577d74a85ba111b6cb5b7af0e2f318de6d75b1d2f4efac7ae7a63f406f377d27201baca60fb5