Malware Analysis Report

2025-06-16 06:23

Sample ID 230926-3mzd6aec4t
Target 902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5
SHA256 902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5
Tags chaos evasion ransomware spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5

Threat Level: Known bad

The file 902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5 was found to be: Known bad.

Malicious Activity Summary

chaos evasion ransomware spyware stealer

Chaos family

Chaos Ransomware

Chaos

Modifies boot configuration data using bcdedit

Renames multiple (75) files with added filename extension

Deletes shadow copies

Renames multiple (88) files with added filename extension

Deletes backup catalog

Drops startup file

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Sets desktop wallpaper using registry

Enumerates physical storage devices

Unsigned PE

Opens file in notepad (likely ransom note)

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-26 23:38

Signatures

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Chaos family

chaos

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-26 23:38

Reported

2023-09-26 23:48

Platform

win7-20230831-en

Max time kernel

361s

Max time network

364s

Command Line

"C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (75) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2ujyy52ju.jpg" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2312 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2312 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2312 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2360 wrote to memory of 328 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2360 wrote to memory of 328 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2360 wrote to memory of 328 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 328 wrote to memory of 2928 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 328 wrote to memory of 2928 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 328 wrote to memory of 2928 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 328 wrote to memory of 320 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 328 wrote to memory of 320 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 328 wrote to memory of 320 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2360 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2360 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2360 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 1304 wrote to memory of 1672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1304 wrote to memory of 1672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1304 wrote to memory of 1672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1304 wrote to memory of 1404 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1304 wrote to memory of 1404 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1304 wrote to memory of 1404 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2360 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2360 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2360 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2692 wrote to memory of 1268 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2692 wrote to memory of 1268 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2692 wrote to memory of 1268 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2360 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\NOTEPAD.EXE
PID 2360 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\NOTEPAD.EXE
PID 2360 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\NOTEPAD.EXE

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe

"C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\NIGHT_CROW_RECOVERY.txt

Network

N/A

Files

memory/2312-0-0x00000000008C0000-0x00000000008D4000-memory.dmp

memory/2312-1-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 04fe14d0256c71c7ef0173c1bac2d407
SHA1 b4972cbff4112fa1623e1921bb85dec39f923d2b
SHA256 902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5
SHA512 166ab82d5c16f100405730a212ef4b7ebd21d4e5ac753f205e67c53068a35f3f2a28475d1e805c02f42c32425b8c53910b8d5b585dc3efe2e4536a7603c03a84

memory/2360-7-0x0000000000BD0000-0x0000000000BE4000-memory.dmp

memory/2312-8-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 04fe14d0256c71c7ef0173c1bac2d407
SHA1 b4972cbff4112fa1623e1921bb85dec39f923d2b
SHA256 902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5
SHA512 166ab82d5c16f100405730a212ef4b7ebd21d4e5ac753f205e67c53068a35f3f2a28475d1e805c02f42c32425b8c53910b8d5b585dc3efe2e4536a7603c03a84

memory/2360-9-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

memory/2360-11-0x000000001AAF0000-0x000000001AB70000-memory.dmp

C:\Users\Admin\Music\NIGHT_CROW_RECOVERY.txt

MD5 641c3eaed2ac13a0ec65a2d3754da95f
SHA1 30ff5e7c82530a2c07517e2fd1d93425fed23f8d
SHA256 9e9c33a98c4fd44dfa3ab8ae450e22fc059d960ae5920894bba7ffd9bf41f445
SHA512 13ff44284e85ccf99adcd0923282f7c0d7fe3bb298072242c00a688304560e09be720de0e6ddbbe6966b94022afd85362757e9678e51eddb71dd3184e0bcc5f9

memory/2360-176-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

memory/2360-177-0x000000001AAF0000-0x000000001AB70000-memory.dmp

C:\Users\Admin\AppData\Roaming\NIGHT_CROW_RECOVERY.txt

MD5 641c3eaed2ac13a0ec65a2d3754da95f
SHA1 30ff5e7c82530a2c07517e2fd1d93425fed23f8d
SHA256 9e9c33a98c4fd44dfa3ab8ae450e22fc059d960ae5920894bba7ffd9bf41f445
SHA512 13ff44284e85ccf99adcd0923282f7c0d7fe3bb298072242c00a688304560e09be720de0e6ddbbe6966b94022afd85362757e9678e51eddb71dd3184e0bcc5f9

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-26 23:38

Reported

2023-09-26 23:48

Platform

win10v2004-20230915-en

Max time kernel

477s

Max time network

591s

Command Line

"C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (88) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d0o6v9yrs.jpg" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4236 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4236 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 3348 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 3348 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 3504 wrote to memory of 4008 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3504 wrote to memory of 4008 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3504 wrote to memory of 3464 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3504 wrote to memory of 3464 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3348 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 3348 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 4492 wrote to memory of 4720 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4492 wrote to memory of 4720 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4492 wrote to memory of 4544 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4492 wrote to memory of 4544 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3348 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 3348 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 3932 wrote to memory of 2752 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3932 wrote to memory of 2752 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3348 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\NOTEPAD.EXE
PID 3348 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\NOTEPAD.EXE

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe

"C:\Users\Admin\AppData\Local\Temp\902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\NIGHT_CROW_RECOVERY.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 233.141.123.20.in-addr.arpa udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp

Files

memory/4236-0-0x0000000000D00000-0x0000000000D14000-memory.dmp

memory/4236-1-0x00007FFA2D240000-0x00007FFA2DD01000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 04fe14d0256c71c7ef0173c1bac2d407
SHA1 b4972cbff4112fa1623e1921bb85dec39f923d2b
SHA256 902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5
SHA512 166ab82d5c16f100405730a212ef4b7ebd21d4e5ac753f205e67c53068a35f3f2a28475d1e805c02f42c32425b8c53910b8d5b585dc3efe2e4536a7603c03a84

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 04fe14d0256c71c7ef0173c1bac2d407
SHA1 b4972cbff4112fa1623e1921bb85dec39f923d2b
SHA256 902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5
SHA512 166ab82d5c16f100405730a212ef4b7ebd21d4e5ac753f205e67c53068a35f3f2a28475d1e805c02f42c32425b8c53910b8d5b585dc3efe2e4536a7603c03a84

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 04fe14d0256c71c7ef0173c1bac2d407
SHA1 b4972cbff4112fa1623e1921bb85dec39f923d2b
SHA256 902b16b11fc262b96d921f00f96bc83b0a302dc02829e14b17a8227e0e49d3c5
SHA512 166ab82d5c16f100405730a212ef4b7ebd21d4e5ac753f205e67c53068a35f3f2a28475d1e805c02f42c32425b8c53910b8d5b585dc3efe2e4536a7603c03a84

memory/4236-14-0x00007FFA2D240000-0x00007FFA2DD01000-memory.dmp

memory/3348-15-0x00007FFA2D240000-0x00007FFA2DD01000-memory.dmp

C:\Users\Admin\Music\NIGHT_CROW_RECOVERY.txt

MD5 641c3eaed2ac13a0ec65a2d3754da95f
SHA1 30ff5e7c82530a2c07517e2fd1d93425fed23f8d
SHA256 9e9c33a98c4fd44dfa3ab8ae450e22fc059d960ae5920894bba7ffd9bf41f445
SHA512 13ff44284e85ccf99adcd0923282f7c0d7fe3bb298072242c00a688304560e09be720de0e6ddbbe6966b94022afd85362757e9678e51eddb71dd3184e0bcc5f9

memory/3348-203-0x00007FFA2D240000-0x00007FFA2DD01000-memory.dmp

C:\Users\Admin\AppData\Roaming\NIGHT_CROW_RECOVERY.txt

MD5 641c3eaed2ac13a0ec65a2d3754da95f
SHA1 30ff5e7c82530a2c07517e2fd1d93425fed23f8d
SHA256 9e9c33a98c4fd44dfa3ab8ae450e22fc059d960ae5920894bba7ffd9bf41f445
SHA512 13ff44284e85ccf99adcd0923282f7c0d7fe3bb298072242c00a688304560e09be720de0e6ddbbe6966b94022afd85362757e9678e51eddb71dd3184e0bcc5f9