Malware Analysis Report

2024-08-06 15:32

Sample ID 231126-lmxf5agd87
Target 82e34351115b01948c0ed5ba16337e6ddd3f519a0b6f681061fd5f50f95fda46.zip
SHA256 1d3c2088b2d712f8006279db8acb9a1c6dc3037886a655d37bf75ea5fa6b9518
Tags
bootkit persistence aspackv2 chaos
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1d3c2088b2d712f8006279db8acb9a1c6dc3037886a655d37bf75ea5fa6b9518

Threat Level: Known bad

The file 82e34351115b01948c0ed5ba16337e6ddd3f519a0b6f681061fd5f50f95fda46.zip was found to be: Known bad.

Malicious Activity Summary

bootkit persistence aspackv2 chaos

Chaos Ransomware

Chaos family

Executes dropped EXE

ASPack v2.12-2.42

Writes to the Master Boot Record (MBR)

Unsigned PE

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Pre-OS Boot
T1542
Bootkit
T1542.003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Pre-OS Boot
T1542
Bootkit
T1542.003
Credential Access
TA0006
Discovery
TA0007
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2023-11-26 09:39

Signatures

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Chaos family

chaos

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-26 09:39

Reported

2023-11-26 09:40

Platform

win10v2004-20231023-en

Max time kernel

9s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Malware-database-main\PowerPoint.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys3.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\sys3.exe N/A
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\Malware-database-main\PowerPoint.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "100" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sys3.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3908 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\Malware-database-main\PowerPoint.exe C:\Users\Admin\AppData\Local\Temp\sys3.exe
PID 3908 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\Malware-database-main\PowerPoint.exe C:\Users\Admin\AppData\Local\Temp\sys3.exe
PID 3908 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\Malware-database-main\PowerPoint.exe C:\Users\Admin\AppData\Local\Temp\sys3.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Malware-database-main\PowerPoint.exe

"C:\Users\Admin\AppData\Local\Temp\Malware-database-main\PowerPoint.exe"

C:\Users\Admin\AppData\Local\Temp\sys3.exe

C:\Users\Admin\AppData\Local\Temp\\sys3.exe

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3985855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 122.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

memory/3908-0-0x000000002AA00000-0x000000002AA24000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sys3.exe

MD5 70108103a53123201ceb2e921fcfe83c
SHA1 c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3
SHA256 9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d
SHA512 996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b

C:\Users\Admin\AppData\Local\Temp\sys3.exe

MD5 70108103a53123201ceb2e921fcfe83c
SHA1 c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3
SHA256 9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d
SHA512 996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b

memory/4204-6-0x000000002AA00000-0x000000002AA24000-memory.dmp

memory/3908-7-0x000000002AA00000-0x000000002AA24000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\systm.txt

MD5 89f10072ebabf67c196f4c140e5b5349
SHA1 e36722bc9f76f6d8ba5d81d6a4db6bc6f34b9dfa
SHA256 da42851c854d6a2a0cfab513537bfe4bff184f8c63a04512cf00270b8fb34877
SHA512 eaa40272dd2f2df0abd171657ec0b1cf49f0a0ead48ad02f2c21550a7180cd5d4a1701596cab0fbdcff4d308edfb9ff96b2581ae089adddc2b5a410a4141af35