Analysis

  • max time kernel
    128s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/09/2023, 08:20

General

  • Target

    b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe

  • Size

    61KB

  • MD5

    9eb958c38bd3d39c55b009f9a200f42f

  • SHA1

    b5ab794dd5821d08f7ecd860ba7975a6644dd46d

  • SHA256

    b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956

  • SHA512

    f7146fa64c8fe89eb4afb29af0b85e1693a03aeb38ae2948b8c047b4f1dd84817954563b6bd5ead4c4461242e1275c47ef4b41cf33fe9e3899dfe3952bc46954

  • SSDEEP

    1536:Lo2RzBFN0Yr9dEmZ6sIF8ahn62Zq8qWwESmNHEgLufKOUmoEE4:LoMDN0Yr9dEm+yBIUEbNHEgLuiOUmoEl

Malware Config

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Ransom Note
All of your files have been encrypted Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help. What can I do to get my files back? You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer. The price for the software is £50 GBP. Payment can be made in Bitcoin, PayPal. How do I pay, where do I get Bitcoin? PayPal: https://paypal.me/GoldenWolf42 Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0.0014 BTC Bitcoin Address: bc1qu6tharwawwny28z9fj6nrxg5cqftaep9ap6z2v PayPal: https://paypal.me/GoldenWolf42 (£50, Family And Friends)
URLs

https://paypal.me/GoldenWolf42

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 4 IoCs
  • Renames multiple (185) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 34 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 45 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe
    "C:\Users\Admin\AppData\Local\Temp\b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:232
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2956
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:5020

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\read_it.txt

          Filesize

          993B

          MD5

          5585e6fc24994e065c4adbac963fc340

          SHA1

          3f9cbd088444f7d79c794259ea569a72c94976d8

          SHA256

          eb2bffbb68a9e7b325e1e9313902b4b7d7af2df7732e843ab3786afc819c4095

          SHA512

          82ebe4aecf5f6fb902befc31edb814f0f5cb3ce76b8458a5f13f0412619b093d21b6911d0a08c28273e18afbb3b6dea9b8823d22a1aa5250b627b7ba463a27bb

        • C:\Users\Admin\AppData\Roaming\svchost.exe

          Filesize

          61KB

          MD5

          9eb958c38bd3d39c55b009f9a200f42f

          SHA1

          b5ab794dd5821d08f7ecd860ba7975a6644dd46d

          SHA256

          b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956

          SHA512

          f7146fa64c8fe89eb4afb29af0b85e1693a03aeb38ae2948b8c047b4f1dd84817954563b6bd5ead4c4461242e1275c47ef4b41cf33fe9e3899dfe3952bc46954

        • C:\Users\Admin\AppData\Roaming\svchost.exe

          Filesize

          61KB

          MD5

          9eb958c38bd3d39c55b009f9a200f42f

          SHA1

          b5ab794dd5821d08f7ecd860ba7975a6644dd46d

          SHA256

          b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956

          SHA512

          f7146fa64c8fe89eb4afb29af0b85e1693a03aeb38ae2948b8c047b4f1dd84817954563b6bd5ead4c4461242e1275c47ef4b41cf33fe9e3899dfe3952bc46954

        • C:\Users\Admin\AppData\Roaming\svchost.exe

          Filesize

          61KB

          MD5

          9eb958c38bd3d39c55b009f9a200f42f

          SHA1

          b5ab794dd5821d08f7ecd860ba7975a6644dd46d

          SHA256

          b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956

          SHA512

          f7146fa64c8fe89eb4afb29af0b85e1693a03aeb38ae2948b8c047b4f1dd84817954563b6bd5ead4c4461242e1275c47ef4b41cf33fe9e3899dfe3952bc46954

        • C:\Users\Admin\Documents\read_it.txt

          Filesize

          993B

          MD5

          5585e6fc24994e065c4adbac963fc340

          SHA1

          3f9cbd088444f7d79c794259ea569a72c94976d8

          SHA256

          eb2bffbb68a9e7b325e1e9313902b4b7d7af2df7732e843ab3786afc819c4095

          SHA512

          82ebe4aecf5f6fb902befc31edb814f0f5cb3ce76b8458a5f13f0412619b093d21b6911d0a08c28273e18afbb3b6dea9b8823d22a1aa5250b627b7ba463a27bb

        • memory/232-0-0x00000000000D0000-0x00000000000E6000-memory.dmp

          Filesize

          88KB

        • memory/232-1-0x00007FFE77790000-0x00007FFE78251000-memory.dmp

          Filesize

          10.8MB

        • memory/232-15-0x00007FFE77790000-0x00007FFE78251000-memory.dmp

          Filesize

          10.8MB

        • memory/2956-14-0x00007FFE77790000-0x00007FFE78251000-memory.dmp

          Filesize

          10.8MB

        • memory/2956-439-0x00007FFE77790000-0x00007FFE78251000-memory.dmp

          Filesize

          10.8MB