Overview

overview

10

Static

static

10

cb7c19b49e...a6.exe

windows7-x64

10

cb7c19b49e...a6.exe

windows10-2004-x64

10

Resubmissions

25/01/2024, 01:57

240125-cdn9qadge6 10

24/01/2024, 15:56

240124-tdhwdadfb5 10

24/01/2024, 11:55

240124-n3eblahecn 10

Analysis

  • max time kernel
    138s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/01/2024, 15:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cb7c19b49efd25a4314129c9024c8e84ad9dd8acb45658ecf43c2d1fab775ca6.exe

  • Size

    3.4MB

  • MD5

    f64a5c6fa180acaee93d4fac406c579b

  • SHA1

    bacf88f16fe670ef2d87df154929c51b28b12263

  • SHA256

    cb7c19b49efd25a4314129c9024c8e84ad9dd8acb45658ecf43c2d1fab775ca6

  • SHA512

    01687ae73126dd6540308efa140e56c5410d5971415881a3747cf961c4abcd2e9be4dcd75181f865070bfb4e296617b8e3d61f55de747407a4c459e6a2bc0197

  • SSDEEP

    24576:SvFnlgEsJu/SqXF3mh8uNFr95+CUNHEes4pyQquVexXCP7OigudxcAGZLqrDIjHM:QloJ0wtfSHO43ZpTLiADL

Score
10/10
chaosevasionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Documents\PLS_READ_ME.txt

Ransom Note
Oops, what happend? All of your files have been encrypted Your computer was infected with Frivinho Ransomware. Your files have been encrypted and you won't be able to decrypt them without our help. What can I do to get my files back? You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin or Robux. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0.1473766 BTC Check this pastebin to get the my newest Bitcoin Adress: https://pastebin.com/raw/wZnisRDV And by cheking the pastebin, you can see more information about how you can pay.
URLs

https://pastebin.com/raw/wZnisRDV

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos
  • Chaos Ransomware 3 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Renames multiple (206) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 34 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 51 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb7c19b49efd25a4314129c9024c8e84ad9dd8acb45658ecf43c2d1fab775ca6.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7c19b49efd25a4314129c9024c8e84ad9dd8acb45658ecf43c2d1fab775ca6.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3244
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3756
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4468
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:4192
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:812
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3300
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:4708
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2268
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1292
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:2348
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\PLS_READ_ME.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:3224
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2396
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4420
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:3064
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:4180

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\svchost.exe
      Filesize

      768KB

      MD5

      ec9755ed732449a6b015c967afef65bc

      SHA1

      722a050bc77305ba7006e76c5aa8b7604baef54b

      SHA256

      0fc1d4e1a976d9fdfb64ec84f3522f55769873ef0c5ccba0269d6135f5fd7f51

      SHA512

      6e4ca487a07da493d11522a514a2a05a640083ecfa68334e5191fc5dc73528229f4ef27106ae025e05de0411c1631133ff261d24360d007dca8f8ad1b2625559

      Download Submit

    • C:\Users\Admin\AppData\Roaming\svchost.exe
      Filesize

      3.4MB

      MD5

      f64a5c6fa180acaee93d4fac406c579b

      SHA1

      bacf88f16fe670ef2d87df154929c51b28b12263

      SHA256

      cb7c19b49efd25a4314129c9024c8e84ad9dd8acb45658ecf43c2d1fab775ca6

      SHA512

      01687ae73126dd6540308efa140e56c5410d5971415881a3747cf961c4abcd2e9be4dcd75181f865070bfb4e296617b8e3d61f55de747407a4c459e6a2bc0197

      Download Submit

    • C:\Users\Admin\Documents\PLS_READ_ME.txt
      Filesize

      1019B

      MD5

      bf4f42180e1f6f0dc0dc8e5863fbfdff

      SHA1

      11ebaf5dd9d926371b27c9cdb86a0b7978deb383

      SHA256

      c22510ba329236dacd2e14be4c260eca7a8deb7433cb4291311232f37ee40bd7

      SHA512

      6004b7d2e6a6b4035363d25cb7291dc0be0c0070a8bbadea0c4275278fb4299e3348cb5aebb5d9870ff7986bf43c59983bb3aa1680f1b27fcad8c68064c09c16

      Download Submit

    • memory/3244-0-0x0000000000AE0000-0x0000000000E4A000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/3244-1-0x00007FF955C20000-0x00007FF9566E1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3244-15-0x00007FF955C20000-0x00007FF9566E1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3756-14-0x00007FF955C20000-0x00007FF9566E1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3756-480-0x00007FF955C20000-0x00007FF9566E1000-memory.dmp

      Filesize

      10.8MB

      Download