Resubmissions

27-05-2024 22:11

240527-14ae9ada43 10

27-05-2024 21:15

240527-z3zhbabd59 10

13-02-2024 12:11

240213-pcwzdshd2w 10

13-02-2024 12:08

240213-pa6qtahc7y 10

18-12-2023 08:13

231218-j4g2nabaf5 10

05-12-2023 08:54

231205-kt32taae27 10

05-12-2023 07:41

231205-jjdthahh6w 10

05-12-2023 07:38

231205-jgmcvshh5x 10

26-11-2023 09:39

231126-lmxf5agd87 10

Analysis

  • max time kernel
    117s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    05-12-2023 07:38

General

  • Target

    Malware-database-main/Electron V2.exe

  • Size

    39KB

  • MD5

    b1228ba24ca5f75f8df9d5d177e5bb2b

  • SHA1

    1895758de51ccfefa40239aa11055540c8c5deb7

  • SHA256

    04b106b179c202c67361aa4debad5d82f79a1927ab0ab8abc2ef350d18894b08

  • SHA512

    7abc1df0089a1a00aadc11c33eecffb5d85258acc4eac0b261ceaea77e814eaf671506383fe0074fd5779b8bc58e0f48f0d15309aa81aecf27ecc6633da4c5a4

  • SSDEEP

    768:hqo2khp1DlNjwQr9KWO4TOpkx7u/LraCvpbMC2mkek:ko2kFpNjwQr9KWODkx74L2CNf5k

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 4 IoCs
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 34 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Malware-database-main\Electron V2.exe
    "C:\Users\Admin\AppData\Local\Temp\Malware-database-main\Electron V2.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3048
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2660
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1048
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2956
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\IMPORTANT.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:2296

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\IMPORTANT.txt

    Filesize

    763B

    MD5

    46fe77013e7336b17e5270cc708a1da4

    SHA1

    c8949dbcaac904160eacafcbde51b52c0e5110f1

    SHA256

    fff91118e1d44de84c1876cfcb6ee5413c336dca888efb2d9af084047fe06cf6

    SHA512

    b4e5bc4e20005c869e914ab9314944215dced635991772896d07731bf1711708ce74f5660bab8669de965eeac00ce7b56cfb5fd650437dfe3336c90eb3790d52

  • C:\Users\Admin\AppData\Roaming\svchost.exe

    Filesize

    39KB

    MD5

    b1228ba24ca5f75f8df9d5d177e5bb2b

    SHA1

    1895758de51ccfefa40239aa11055540c8c5deb7

    SHA256

    04b106b179c202c67361aa4debad5d82f79a1927ab0ab8abc2ef350d18894b08

    SHA512

    7abc1df0089a1a00aadc11c33eecffb5d85258acc4eac0b261ceaea77e814eaf671506383fe0074fd5779b8bc58e0f48f0d15309aa81aecf27ecc6633da4c5a4

  • C:\Users\Admin\AppData\Roaming\svchost.exe

    Filesize

    39KB

    MD5

    b1228ba24ca5f75f8df9d5d177e5bb2b

    SHA1

    1895758de51ccfefa40239aa11055540c8c5deb7

    SHA256

    04b106b179c202c67361aa4debad5d82f79a1927ab0ab8abc2ef350d18894b08

    SHA512

    7abc1df0089a1a00aadc11c33eecffb5d85258acc4eac0b261ceaea77e814eaf671506383fe0074fd5779b8bc58e0f48f0d15309aa81aecf27ecc6633da4c5a4

  • C:\Users\Admin\Documents\IMPORTANT.txt

    Filesize

    763B

    MD5

    46fe77013e7336b17e5270cc708a1da4

    SHA1

    c8949dbcaac904160eacafcbde51b52c0e5110f1

    SHA256

    fff91118e1d44de84c1876cfcb6ee5413c336dca888efb2d9af084047fe06cf6

    SHA512

    b4e5bc4e20005c869e914ab9314944215dced635991772896d07731bf1711708ce74f5660bab8669de965eeac00ce7b56cfb5fd650437dfe3336c90eb3790d52

  • memory/2108-0-0x00000000001C0000-0x00000000001D0000-memory.dmp

    Filesize

    64KB

  • memory/2108-1-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

    Filesize

    9.9MB

  • memory/2108-8-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

    Filesize

    9.9MB

  • memory/3048-7-0x0000000000EF0000-0x0000000000F00000-memory.dmp

    Filesize

    64KB

  • memory/3048-9-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

    Filesize

    9.9MB

  • memory/3048-11-0x000000001AE90000-0x000000001AF10000-memory.dmp

    Filesize

    512KB

  • memory/3048-454-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

    Filesize

    9.9MB

  • memory/3048-455-0x000000001AE90000-0x000000001AF10000-memory.dmp

    Filesize

    512KB