Analysis
-
max time kernel
361s -
max time network
364s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
26/09/2023, 23:38
Behavioral task
behavioral1
Sample
902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe
Resource
win10v2004-20230915-en
General
-
Target
902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe
-
Size
55KB
-
MD5
04fe14d0256c71c7ef0173c1bac2d407
-
SHA1
b4972cbff4112fa1623e1921bb85dec39f923d2b
-
SHA256
902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5
-
SHA512
166ab82d5c16f100405730a212ef4b7ebd21d4e5ac753f205e67c53068a35f3f2a28475d1e805c02f42c32425b8c53910b8d5b585dc3efe2e4536a7603c03a84
-
SSDEEP
1536:eo2mQ1r9WekrJqzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzs:eolQ1r9WF9hF
Malware Config
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 4 IoCs
resource yara_rule behavioral1/memory/2312-0-0x00000000008C0000-0x00000000008D4000-memory.dmp family_chaos behavioral1/files/0x0009000000012020-6.dat family_chaos behavioral1/memory/2360-7-0x0000000000BD0000-0x0000000000BE4000-memory.dmp family_chaos behavioral1/files/0x0009000000012020-5.dat family_chaos -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 1672 bcdedit.exe 1404 bcdedit.exe -
Renames multiple (75) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
pid Process 1268 wbadmin.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url svchost.exe -
Executes dropped EXE 1 IoCs
pid Process 2360 svchost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2ujyy52ju.jpg" svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2928 vssadmin.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 2252 NOTEPAD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2360 svchost.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 2312 902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe 2312 902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe 2360 svchost.exe 2360 svchost.exe 2360 svchost.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
description pid Process Token: SeDebugPrivilege 2312 902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe Token: SeDebugPrivilege 2360 svchost.exe Token: SeBackupPrivilege 2932 vssvc.exe Token: SeRestorePrivilege 2932 vssvc.exe Token: SeAuditPrivilege 2932 vssvc.exe Token: SeIncreaseQuotaPrivilege 320 WMIC.exe Token: SeSecurityPrivilege 320 WMIC.exe Token: SeTakeOwnershipPrivilege 320 WMIC.exe Token: SeLoadDriverPrivilege 320 WMIC.exe Token: SeSystemProfilePrivilege 320 WMIC.exe Token: SeSystemtimePrivilege 320 WMIC.exe Token: SeProfSingleProcessPrivilege 320 WMIC.exe Token: SeIncBasePriorityPrivilege 320 WMIC.exe Token: SeCreatePagefilePrivilege 320 WMIC.exe Token: SeBackupPrivilege 320 WMIC.exe Token: SeRestorePrivilege 320 WMIC.exe Token: SeShutdownPrivilege 320 WMIC.exe Token: SeDebugPrivilege 320 WMIC.exe Token: SeSystemEnvironmentPrivilege 320 WMIC.exe Token: SeRemoteShutdownPrivilege 320 WMIC.exe Token: SeUndockPrivilege 320 WMIC.exe Token: SeManageVolumePrivilege 320 WMIC.exe Token: 33 320 WMIC.exe Token: 34 320 WMIC.exe Token: 35 320 WMIC.exe Token: SeIncreaseQuotaPrivilege 320 WMIC.exe Token: SeSecurityPrivilege 320 WMIC.exe Token: SeTakeOwnershipPrivilege 320 WMIC.exe Token: SeLoadDriverPrivilege 320 WMIC.exe Token: SeSystemProfilePrivilege 320 WMIC.exe Token: SeSystemtimePrivilege 320 WMIC.exe Token: SeProfSingleProcessPrivilege 320 WMIC.exe Token: SeIncBasePriorityPrivilege 320 WMIC.exe Token: SeCreatePagefilePrivilege 320 WMIC.exe Token: SeBackupPrivilege 320 WMIC.exe Token: SeRestorePrivilege 320 WMIC.exe Token: SeShutdownPrivilege 320 WMIC.exe Token: SeDebugPrivilege 320 WMIC.exe Token: SeSystemEnvironmentPrivilege 320 WMIC.exe Token: SeRemoteShutdownPrivilege 320 WMIC.exe Token: SeUndockPrivilege 320 WMIC.exe Token: SeManageVolumePrivilege 320 WMIC.exe Token: 33 320 WMIC.exe Token: 34 320 WMIC.exe Token: 35 320 WMIC.exe Token: SeBackupPrivilege 1096 wbengine.exe Token: SeRestorePrivilege 1096 wbengine.exe Token: SeSecurityPrivilege 1096 wbengine.exe -
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target PID 2312 wrote to memory of 2360 2312 902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe 28 PID 2312 wrote to memory of 2360 2312 902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe 28 PID 2312 wrote to memory of 2360 2312 902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe 28 PID 2360 wrote to memory of 328 2360 svchost.exe 30 PID 2360 wrote to memory of 328 2360 svchost.exe 30 PID 2360 wrote to memory of 328 2360 svchost.exe 30 PID 328 wrote to memory of 2928 328 cmd.exe 32 PID 328 wrote to memory of 2928 328 cmd.exe 32 PID 328 wrote to memory of 2928 328 cmd.exe 32 PID 328 wrote to memory of 320 328 cmd.exe 35 PID 328 wrote to memory of 320 328 cmd.exe 35 PID 328 wrote to memory of 320 328 cmd.exe 35 PID 2360 wrote to memory of 1304 2360 svchost.exe 37 PID 2360 wrote to memory of 1304 2360 svchost.exe 37 PID 2360 wrote to memory of 1304 2360 svchost.exe 37 PID 1304 wrote to memory of 1672 1304 cmd.exe 39 PID 1304 wrote to memory of 1672 1304 cmd.exe 39 PID 1304 wrote to memory of 1672 1304 cmd.exe 39 PID 1304 wrote to memory of 1404 1304 cmd.exe 40 PID 1304 wrote to memory of 1404 1304 cmd.exe 40 PID 1304 wrote to memory of 1404 1304 cmd.exe 40 PID 2360 wrote to memory of 2692 2360 svchost.exe 41 PID 2360 wrote to memory of 2692 2360 svchost.exe 41 PID 2360 wrote to memory of 2692 2360 svchost.exe 41 PID 2692 wrote to memory of 1268 2692 cmd.exe 43 PID 2692 wrote to memory of 1268 2692 cmd.exe 43 PID 2692 wrote to memory of 1268 2692 cmd.exe 43 PID 2360 wrote to memory of 2252 2360 svchost.exe 47 PID 2360 wrote to memory of 2252 2360 svchost.exe 47 PID 2360 wrote to memory of 2252 2360 svchost.exe 47 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe"C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
PID:328 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:2928
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:320
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no3⤵
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
PID:1672
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
PID:1404
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
PID:1268
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\NIGHT_CROW_RECOVERY.txt3⤵
- Opens file in notepad (likely ransom note)
PID:2252
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2932
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1096
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:912
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:2212
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
603B
MD5641c3eaed2ac13a0ec65a2d3754da95f
SHA130ff5e7c82530a2c07517e2fd1d93425fed23f8d
SHA2569e9c33a98c4fd44dfa3ab8ae450e22fc059d960ae5920894bba7ffd9bf41f445
SHA51213ff44284e85ccf99adcd0923282f7c0d7fe3bb298072242c00a688304560e09be720de0e6ddbbe6966b94022afd85362757e9678e51eddb71dd3184e0bcc5f9
-
Filesize
55KB
MD504fe14d0256c71c7ef0173c1bac2d407
SHA1b4972cbff4112fa1623e1921bb85dec39f923d2b
SHA256902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5
SHA512166ab82d5c16f100405730a212ef4b7ebd21d4e5ac753f205e67c53068a35f3f2a28475d1e805c02f42c32425b8c53910b8d5b585dc3efe2e4536a7603c03a84
-
Filesize
55KB
MD504fe14d0256c71c7ef0173c1bac2d407
SHA1b4972cbff4112fa1623e1921bb85dec39f923d2b
SHA256902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5
SHA512166ab82d5c16f100405730a212ef4b7ebd21d4e5ac753f205e67c53068a35f3f2a28475d1e805c02f42c32425b8c53910b8d5b585dc3efe2e4536a7603c03a84
-
Filesize
603B
MD5641c3eaed2ac13a0ec65a2d3754da95f
SHA130ff5e7c82530a2c07517e2fd1d93425fed23f8d
SHA2569e9c33a98c4fd44dfa3ab8ae450e22fc059d960ae5920894bba7ffd9bf41f445
SHA51213ff44284e85ccf99adcd0923282f7c0d7fe3bb298072242c00a688304560e09be720de0e6ddbbe6966b94022afd85362757e9678e51eddb71dd3184e0bcc5f9