Analysis

max time kernel: 128s
max time network: 132s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/09/2023, 08:20

Behavioral task: behavioral1
Sample: b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe
Resource: win10v2004-20230915-en
General

Target: b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe
Size: 61KB
MD5: 9eb958c38bd3d39c55b009f9a200f42f
SHA1: b5ab794dd5821d08f7ecd860ba7975a6644dd46d
SHA256: b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956
SHA512: f7146fa64c8fe89eb4afb29af0b85e1693a03aeb38ae2948b8c047b4f1dd84817954563b6bd5ead4c4461242e1275c47ef4b41cf33fe9e3899dfe3952bc46954
SSDEEP: 1536:Lo2RzBFN0Yr9dEmZ6sIF8ahn62Zq8qWwESmNHEgLufKOUmoEE4:LoMDN0Yr9dEm+yBIUEbNHEgLuiOUmoEl
Malware Config

Extracted
Note path: C:\Users\Admin\Documents\read_it.txt
URL found in the note: https://paypal.me/GoldenWolf42
Signatures

Chaos
Ransomware family first seen in June 2021.

Chaos Ransomware (4 IoCs)
resource | yara_rule
behavioral1/memory/232-0-0x00000000000D0000-0x00000000000E6000-memory.dmp | family_chaos
behavioral1/files/0x000a000000023158-6.dat | family_chaos
behavioral1/files/0x000a000000023158-11.dat | family_chaos
behavioral1/files/0x000a000000023158-13.dat | family_chaos

Renames multiple (185) files with added filename extension
Consistent with ransomware encrypting files on the system and appending an extension to each one.

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check. Both the submitted sample and the dropped copy perform the lookup.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | svchost.exe

Drops startup file (3 IoCs)
A .url shortcut in the per-user Startup folder is opened at every logon (its target is not shown in the report); the ransom note is written next to it.
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | svchost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt | svchost.exe

Executes dropped EXE (1 IoC)
pid | Process
2956 | svchost.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. No IoC rows are listed for this signature.

Drops desktop.ini file(s) (34 IoCs)
All 34 rows are "File opened for modification" by svchost.exe; the F: entry shows the second volume was traversed as well:
C:\Users\Admin\Favorites\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
C:\Users\Admin\Saved Games\desktop.ini
C:\Users\Admin\Searches\desktop.ini
C:\Users\Admin\Videos\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
F:\$RECYCLE.BIN\S-1-5-21-3027552071-446050021-1254071215-1000\desktop.ini
C:\Users\Admin\Pictures\Camera Roll\desktop.ini
C:\Users\Public\Videos\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
C:\Users\Public\Pictures\desktop.ini
C:\Users\Public\Desktop\desktop.ini
C:\Users\Admin\Links\desktop.ini
C:\Users\Admin\Favorites\Links\desktop.ini
C:\Users\Public\Music\desktop.ini
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\Public\Documents\desktop.ini
C:\Users\Admin\Downloads\desktop.ini
C:\Users\Admin\Music\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Admin\Contacts\desktop.ini
C:\Users\Admin\OneDrive\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
C:\Users\Admin\Documents\desktop.ini
C:\Users\Admin\Pictures\desktop.ini

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\n0zskuzcs.jpg" | svchost.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings | svchost.exe

Opens file in notepad (likely ransom note) (1 IoC)
pid | Process
5020 | NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
2956 | svchost.exe

Suspicious behavior: EnumeratesProcesses (45 IoCs)
pid | Process
232 | b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe (21 rows)
2956 | svchost.exe (24 rows)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 232 | b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe
Token: SeDebugPrivilege | 2956 | svchost.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 232 wrote to memory of 2956 | 232 | b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe | 88
PID 232 wrote to memory of 2956 | 232 | b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe | 88
PID 2956 wrote to memory of 5020 | 2956 | svchost.exe | 92
PID 2956 wrote to memory of 5020 | 2956 | svchost.exe | 92
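The signature rows above are only useful if they can be pulled out of the report and checked mechanically. The following is an added example, written for this page and not part of the sandbox report or of any sandbox tooling: it parses rows of the "description ioc Process" shape into records, applies the behavioural checks this report turns on (Geo\Nation lookup, files dropped into the Startup folder, a wallpaper set from %TEMP%, desktop.ini touched across many profile folders) and rebuilds the process tree from the WriteProcessMemory rows. The input rows are constructed from the report (one row per line, which is how the sandbox renders them); the min_dirs threshold and the chaos_like combination are this example's own assumptions, not criteria the sandbox uses.

```python
import re
from collections import defaultdict

# Constructed input: IoC rows copied from the signatures above, one per line
# (the sandbox renders one row per record; the extraction ran them together).
IOC_LINES = r"""
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation svchost.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url svchost.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini svchost.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt svchost.exe
File opened for modification C:\Users\Admin\Favorites\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\Desktop\desktop.ini svchost.exe
File opened for modification C:\Users\Public\Desktop\desktop.ini svchost.exe
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3027552071-446050021-1254071215-1000\desktop.ini svchost.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\n0zskuzcs.jpg" svchost.exe
"""

# Constructed: WriteProcessMemory rows (description, pid, Process, procid_target);
# the trailing number is the sandbox's own target id, not a PID. Duplicates are deliberate.
WPM_LINES = """\
PID 232 wrote to memory of 2956 232 b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe 88
PID 232 wrote to memory of 2956 232 b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe 88
PID 2956 wrote to memory of 5020 2956 svchost.exe 92
"""

DESCRIPTIONS = ("File opened for modification", "Key value queried",
                "Set value (str)", "File created", "Key created")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+$")


def parse_ioc(line):
    """Split one 'description ioc Process' row. The process is the last token;
    the IoC is everything in between (paths may contain spaces)."""
    line = line.strip()
    for desc in DESCRIPTIONS:
        if line.startswith(desc + " "):
            ioc, _, process = line[len(desc) + 1:].rpartition(" ")
            return {"description": desc, "ioc": ioc, "process": process}
    raise ValueError(f"unrecognised IoC row: {line!r}")


def geofence_lookups(records):
    """Processes that read the configured country code (the Geo\\Nation value)."""
    key = "\\control panel\\international\\geo\\nation"
    return sorted({r["process"] for r in records
                   if r["description"] == "Key value queried" and r["ioc"].lower().endswith(key)})


def startup_drops(records):
    """Files created in the per-user Startup folder; anything there is opened at logon."""
    return [r["ioc"] for r in records if r["description"] == "File created"
            and "\\start menu\\programs\\startup\\" in r["ioc"].lower()]


def wallpaper_from_temp(records):
    """Wallpaper path when it points into %TEMP%, else None. The sandbox prints the
    REG_SZ with doubled backslashes, so undo that before matching."""
    for r in records:
        m = re.search(r'\\Control Panel\\Desktop\\Wallpaper = "(.+)"$', r["ioc"])
        if r["description"] == "Set value (str)" and m:
            path = m.group(1).replace("\\\\", "\\")
            if "\\appdata\\local\\temp\\" in path.lower():
                return path
    return None


def desktop_ini_dirs(records):
    """Distinct folders whose desktop.ini was opened for writing: Chaos treats it like
    any other user file, so the count shows how widely the profile was traversed."""
    return sorted({r["ioc"].rsplit("\\", 1)[0].lower() for r in records
                   if r["description"] == "File opened for modification"
                   and r["ioc"].lower().endswith("\\desktop.ini")})


def assess(text, min_dirs=5):
    """Combine the signals. min_dirs is an assumed threshold, not one the sandbox uses."""
    records = [parse_ioc(l) for l in text.splitlines() if l.strip()]
    f = {"geofence_lookup_by": geofence_lookups(records),
         "startup_files": startup_drops(records),
         "wallpaper_in_temp": wallpaper_from_temp(records),
         "desktop_ini_dirs": len(desktop_ini_dirs(records))}
    f["chaos_like"] = (bool(f["startup_files"]) and f["wallpaper_in_temp"] is not None
                       and f["desktop_ini_dirs"] >= min_dirs)
    return f


def process_tree(text):
    """Parent -> children from WriteProcessMemory rows (a parent writes into the child
    it just created). Duplicate rows collapse to one edge, kept in first-seen order."""
    children, names = defaultdict(list), {}
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            parent, child = int(m.group(1)), int(m.group(2))
            names[parent] = m.group(3)
            if child not in children[parent]:
                children[parent].append(child)
    return dict(children), names


if __name__ == "__main__":
    print(assess(IOC_LINES))
    print(process_tree(WPM_LINES))
```

On this report's rows the checks return both PIDs for the Geo\Nation lookup, the svchost.url and read_it.txt drops, the %TEMP% wallpaper path, and the chain 232 -> 2956 -> 5020; the desktop.ini count is a breadth signal only, since a legitimate folder-customisation tool also writes that file, which is why it is combined with the other signals rather than used alone.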
Processes

C:\Users\Admin\AppData\Local\Temp\b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe
  "C:\Users\Admin\AppData\Local\Temp\b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe"  (PID 232)
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"  (PID 2956, child of 232)
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt  (PID 5020, child of 2956)
      - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v15
Downloads

Five artifacts are offered for download; they collapse to two distinct files (the sandbox lists each dropped copy separately).

Filesize: 993B (listed twice)
MD5: 5585e6fc24994e065c4adbac963fc340
SHA1: 3f9cbd088444f7d79c794259ea569a72c94976d8
SHA256: eb2bffbb68a9e7b325e1e9313902b4b7d7af2df7732e843ab3786afc819c4095
SHA512: 82ebe4aecf5f6fb902befc31edb814f0f5cb3ce76b8458a5f13f0412619b093d21b6911d0a08c28273e18afbb3b6dea9b8823d22a1aa5250b627b7ba463a27bb

Filesize: 61KB (listed three times)
MD5: 9eb958c38bd3d39c55b009f9a200f42f
SHA1: b5ab794dd5821d08f7ecd860ba7975a6644dd46d
SHA256: b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956
SHA512: f7146fa64c8fe89eb4afb29af0b85e1693a03aeb38ae2948b8c047b4f1dd84817954563b6bd5ead4c4461242e1275c47ef4b41cf33fe9e3899dfe3952bc46954
These hashes are identical to the submitted sample (see General): the dropped C:\Users\Admin\AppData\Roaming\svchost.exe is a byte-for-byte copy of the original, consistent with the three 0x000a000000023158-*.dat file IoCs matched by the family_chaos rule.