chaos | f489bf6a1174808559dd88bfa808f72f9d2523b47ab96655715f297ac3cfe0f0

Resubmissions

03-03-2024 09:49

240303-ltql6ahb95 10

01-02-2024 05:28

240201-f6h5ysebhk 10

Analysis

max time kernel
649s
max time network
1725s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-03-2024 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03a24130a308900d97f520ccec6ae421bee265ddbad5d600fdac4e56f8d2b23d.exe
Size

26KB
MD5

07ddb94aff7467b34aefc04419bd01b7
SHA1

77b1457c37008c3e070064e329bfc677a2a585e7
SHA256

f489bf6a1174808559dd88bfa808f72f9d2523b47ab96655715f297ac3cfe0f0
SHA512

ed15039f7d1d2706d968c3f265b1923be82850909c3d4c58b7bb07cac7ad1e86a2c13627fd878950524c2b3dbcd3e5549763eb41c4af6eec427166ae88f3ded0
SSDEEP

384:zYenjLLAps4T5lBavzb/xlhKOVp91QZb5hxDGJ:aOElB6sc9GZbXxD+

Score

10^/10

chaos ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\read_it.txt

Family

chaos

Ransom Note

----> Chaos is multi language ransomware. Translate your note to any language <---- All of your files have been encrypted Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.What can I do to get my files back?You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0.1473766 BTC Bitcoin Address: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 3 IoCs

resource	yara_rule
behavioral1/memory/2904-0-0x0000000001380000-0x000000000138C000-memory.dmp	family_chaos
behavioral1/files/0x000a00000001224e-6.dat	family_chaos
behavioral1/memory/2156-7-0x0000000000320000-0x000000000032C000-memory.dmp	family_chaos

Renames multiple (173) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2156	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HUNEJ1HU\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MG62UP6H\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6UZVS19T\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JWM3U1DD\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\2RM92H5V\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A9XVYA91\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2412	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2156	svchost.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2904	03a24130a308900d97f520ccec6ae421bee265ddbad5d600fdac4e56f8d2b23d.exe
2904	03a24130a308900d97f520ccec6ae421bee265ddbad5d600fdac4e56f8d2b23d.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	03a24130a308900d97f520ccec6ae421bee265ddbad5d600fdac4e56f8d2b23d.exe
Token: SeDebugPrivilege	2156	svchost.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2156	2904	03a24130a308900d97f520ccec6ae421bee265ddbad5d600fdac4e56f8d2b23d.exe	28
PID 2904 wrote to memory of 2156	2904	03a24130a308900d97f520ccec6ae421bee265ddbad5d600fdac4e56f8d2b23d.exe	28
PID 2904 wrote to memory of 2156	2904	03a24130a308900d97f520ccec6ae421bee265ddbad5d600fdac4e56f8d2b23d.exe	28
PID 2156 wrote to memory of 2412	2156	svchost.exe	30
PID 2156 wrote to memory of 2412	2156	svchost.exe	30
PID 2156 wrote to memory of 2412	2156	svchost.exe	30
PID 1864 wrote to memory of 568	1864	chrome.exe	36
PID 1864 wrote to memory of 568	1864	chrome.exe	36
PID 1864 wrote to memory of 568	1864	chrome.exe	36
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1668	1864	chrome.exe	38
PID 1864 wrote to memory of 1992	1864	chrome.exe	39
PID 1864 wrote to memory of 1992	1864	chrome.exe	39
PID 1864 wrote to memory of 1992	1864	chrome.exe	39
PID 1864 wrote to memory of 1680	1864	chrome.exe	40
PID 1864 wrote to memory of 1680	1864	chrome.exe	40
PID 1864 wrote to memory of 1680	1864	chrome.exe	40
PID 1864 wrote to memory of 1680	1864	chrome.exe	40
PID 1864 wrote to memory of 1680	1864	chrome.exe	40
PID 1864 wrote to memory of 1680	1864	chrome.exe	40
PID 1864 wrote to memory of 1680	1864	chrome.exe	40
PID 1864 wrote to memory of 1680	1864	chrome.exe	40
PID 1864 wrote to memory of 1680	1864	chrome.exe	40
PID 1864 wrote to memory of 1680	1864	chrome.exe	40
PID 1864 wrote to memory of 1680	1864	chrome.exe	40
PID 1864 wrote to memory of 1680	1864	chrome.exe	40
PID 1864 wrote to memory of 1680	1864	chrome.exe	40

C:\Users\Admin\AppData\Local\Temp\03a24130a308900d97f520ccec6ae421bee265ddbad5d600fdac4e56f8d2b23d.exe
"C:\Users\Admin\AppData\Local\Temp\03a24130a308900d97f520ccec6ae421bee265ddbad5d600fdac4e56f8d2b23d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2412

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\PopSplit.hta"
1⤵
- Modifies Internet Explorer settings
PID:1852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6729758,0x7fef6729768,0x7fef6729778
  2⤵
  PID:568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1184 --field-trial-handle=1208,i,10440933331454291161,6808450954611698866,131072 /prefetch:2
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1208,i,10440933331454291161,6808450954611698866,131072 /prefetch:8
  2⤵
  PID:1992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1604 --field-trial-handle=1208,i,10440933331454291161,6808450954611698866,131072 /prefetch:8
  2⤵
  PID:1680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2272 --field-trial-handle=1208,i,10440933331454291161,6808450954611698866,131072 /prefetch:1
  2⤵
  PID:2552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2308 --field-trial-handle=1208,i,10440933331454291161,6808450954611698866,131072 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1492 --field-trial-handle=1208,i,10440933331454291161,6808450954611698866,131072 /prefetch:2
  2⤵
  PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1176 --field-trial-handle=1208,i,10440933331454291161,6808450954611698866,131072 /prefetch:1
  2⤵
  PID:624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3636 --field-trial-handle=1208,i,10440933331454291161,6808450954611698866,131072 /prefetch:8
  2⤵
  PID:672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=1140 --field-trial-handle=1208,i,10440933331454291161,6808450954611698866,131072 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=1200 --field-trial-handle=1208,i,10440933331454291161,6808450954611698866,131072 /prefetch:1
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3380 --field-trial-handle=1208,i,10440933331454291161,6808450954611698866,131072 /prefetch:8
  2⤵
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3412 --field-trial-handle=1208,i,10440933331454291161,6808450954611698866,131072 /prefetch:1
  2⤵
  PID:3012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3356 --field-trial-handle=1208,i,10440933331454291161,6808450954611698866,131072 /prefetch:8
  2⤵
  PID:784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3760 --field-trial-handle=1208,i,10440933331454291161,6808450954611698866,131072 /prefetch:8
  2⤵
  PID:1660

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:876

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x540
1⤵
PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c14a874aafe23e038a4aa2f33deb8111

SHA1
7e0490194355cddc7f38182e12b19913e4cb554b

SHA256
839c97b34c05423c2222e01fc80bf3b3d3b948fbb30f01072905f88ffd475f66

SHA512
c17fde5ece06b920e83f42e0aa90447bf8af8082f38d2a21e4d478b8f0f2ce277ad2f85f65c2dfba75428cc597067e00cab5fa1979cdb23488ece6ba6db9185f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\read_it.txt

Filesize
964B

MD5
4217b8b83ce3c3f70029a056546f8fd0

SHA1
487cdb5733d073a0427418888e8f7070fe782a03

SHA256
7d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121

SHA512
2a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
195KB

MD5
89d79dbf26a3c2e22ddd95766fe3173d

SHA1
f38fd066eef4cf4e72a934548eafb5f6abb00b53

SHA256
367ef9ec8dc07f84fed51cac5c75dc1ac87688bbf8f5da8e17655e7917bd7b69

SHA512
ab7ce168e6f59e2250b82ec62857c2f2b08e5a548de85ac82177ac550729287ead40382a7c8a92fbce7f53b106d199b1c8adbb770e47287fc70ea0ea858faba6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
25fa4b14963cc95c3f3867a9818a4bbf

SHA1
e0ffaea78dc1cfe75c17e8ee861a71050172efc8

SHA256
b910976a756d188794bf693ed2b64e539ae1ad02bf765fe1b716132fb51afce3

SHA512
f19f00ae2bf4c54adefc1b106550729b536441ca2beb58077901f27a82379935410370873d489e995866f78898d8aa75a028e09a1ba606ea0b969eb0385c8b58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e698e76e24e5fc8b9667ebcfe0f16f89

SHA1
c6b5c28c47b5971b95f7206c33c502ed5bf1b9a4

SHA256
c75cc98356101f745531d4d8523a971cec33affe73defc07b0a4001f35d0327b

SHA512
46ac10e9d86b4b35b892e8548b475730f29214dc520691b4b8345923ec85ecf1fee7c8b90bf684b44848de248937c03434ea32968942a0e821571a1848d62325

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
cc4d27efe212b408080e905f6990df08

SHA1
b7395f77c988910034a3e86edd3520f0f7e1d3c8

SHA256
5aee90fde7fa875e84cf4ccb148cea928ce12e13be80dc5d6eef7e80d1ffcc3a

SHA512
fc14bd88866b5d5102715f87a35b3c7070cd5f4206c01710384805449c1f107291a8807698198a8d702106545f028de48b1b018a801df962e23def3af1c7508a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9c2b395cec9aa9b30930111e6d0e831e

SHA1
56f1122a0284f2adcb5a0350cb651b335ea33a22

SHA256
ac0513c34622953f0a905e747504a3e28d7c68d8ab2f205e905a72a4fa70b3bd

SHA512
19a18fc708507fccfa607d9f1cf65f7672eb704fbf98e38a4d42e1845bf4536a450f64efad9310bb7b5458b1a585762d1fddd870a07a10e769f189a9978993f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
526B

MD5
a54110ae2161b5409e32e07ce9a0dee4

SHA1
07b983f153947ad5c219039ffb948b90747fa15d

SHA256
ec3545d5b16efe4a010176b9726db7087b1bcec7f0cb366a73074f9131b77c0f

SHA512
92fe0296ecd67fbd68eeb28d87176ac01ec7ac0f4d9a52b0f6f51f0312b5f946f4cb32df5c73e8c7d397eeb72cbaca7a54fed1d8768454dc549c4786eaf77c3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
c1c2ee92c7a2341b88b3667c06a5c8c7

SHA1
0d453fbe1a86aeeb3f375fc0932448873ee7586a

SHA256
b3c240f7f1a642e9114127fa176b38c4dcc383703bb6065b4e0b96b94c27c635

SHA512
3ce4149661377cc429cfe6c9c0e560007daead5826a17142a6166fec37f137ba7db4da124ee6e5fab58619b0ae116eb11e7295fb52d1274a49e83421686b2116

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
a78292071f12cef48a3caea6faad4704

SHA1
3b7fd627e9c598e685676bfd8af4f1e31b451bad

SHA256
f979e0060b8802cfde70bb350590d8bd77b4595ca8a2e2608d383f2dd5787634

SHA512
2cc502ac8a50972c4330a1356be2fecaceba34193e8d8307e6b3d7cd88e2c0814a3b9c7a1cf4cccb1a09b5514f332c1c323dfc7d69178e4b6c75c8f19d8f9b4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
eb87a77e6233e381095805ad8f4fe5b6

SHA1
3e137602839d5c3f60d23b50cc0a67998d6f007e

SHA256
2de582ac1ac317b0cc2bece9fdd8c6f45fd44bfa2be4e324eb386d2286714a4f

SHA512
1dd8f268a5dfe1509b73d4c87ba95be41b394f8f4fa694b6d64f56562a5934fd74a53e058c0e065e2e4f2ff8d6c3d5bddb02689144ca85dd8b82607868473d6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
35bd0817aeec6ee25ff1141f8321e27d

SHA1
641784941ae0df793f4ebe06195276424c3e34f9

SHA256
d111447b8d82e141cecdc1dd987f031ebda0a6a5699b04f9aaa537bb7703f78c

SHA512
f493d5f11b39f754d17da080c9f6690955124fcb85f8b141ac70f3fcd799e7f73095c7180d7a2fa6f81d4d4dcb3c1684b4afb776d0fe50a6b40c4ea644acfe81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6371b0fa9be7eacbabbe5f08e48e4a39

SHA1
c1f06f09cbe3c7800c96c6f7c5c946574512b7f8

SHA256
b9d9fdeea1a724c1ffcf52d7109058eb1a1e7deb30e7a4a6a942bf7a2405ddc4

SHA512
135329784ce21b62b094106a6cfb207368afd7ac1431e29fb546e7dcad48d0e534356da5c615c3a2ce14e3cc45d707847dc5f2845588e11b2397914f3a1fb83a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
93b6a6cd12988f6d48290fed01308b52

SHA1
fd492d18c73e1aa92556356d857d06daf12ae905

SHA256
7d7e383485b2fe673b9382ca40ff89a7859e4441a2d3c663608e8215676de4fe

SHA512
ea3885220adab2a40e6ceed1d6bb4c847aced2fed1045e6a05e378ce2819d40f057846afb3294803c214b5fe7bc71a82f4ee57494fccc07314d06040bc6a9db3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
47ceea2a72f7311186e9d9c150b6a56e

SHA1
fae4553daf54225f1393e5cff9b421e7d2cc33c2

SHA256
64c8cf4f17a41965ff6423d185ca7eb77367a982d1cdd39d70af53579846fb42

SHA512
3b15f589d8966f0e6727170686705df1947131ad647d9b3282d3707414e2d3b0d0d5123ed7c9961572592bcd8f148086210b7ecdb11c4dc76b17240733fb5c10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9831.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Roaming\ImportWrite.wmv

Filesize
1B

MD5
d1457b72c3fb323a2671125aef3eab5d

SHA1
5bab61eb53176449e25c2c82f172b82cb13ffb9d

SHA256
8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

SHA512
ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
26KB

MD5
07ddb94aff7467b34aefc04419bd01b7

SHA1
77b1457c37008c3e070064e329bfc677a2a585e7

SHA256
f489bf6a1174808559dd88bfa808f72f9d2523b47ab96655715f297ac3cfe0f0

SHA512
ed15039f7d1d2706d968c3f265b1923be82850909c3d4c58b7bb07cac7ad1e86a2c13627fd878950524c2b3dbcd3e5549763eb41c4af6eec427166ae88f3ded0

Download Submit
memory/2156-888-0x000007FEF56F0000-0x000007FEF60DC000-memory.dmp

Filesize
9.9MB

Download
memory/2156-889-0x0000000001F50000-0x0000000001FD0000-memory.dmp

Filesize
512KB

Download
memory/2156-72-0x0000000001F50000-0x0000000001FD0000-memory.dmp

Filesize
512KB

Download
memory/2156-7-0x0000000000320000-0x000000000032C000-memory.dmp

Filesize
48KB

Download
memory/2156-9-0x000007FEF56F0000-0x000007FEF60DC000-memory.dmp

Filesize
9.9MB

Download
memory/2904-0-0x0000000001380000-0x000000000138C000-memory.dmp

Filesize
48KB

Download
memory/2904-8-0x000007FEF56F0000-0x000007FEF60DC000-memory.dmp

Filesize
9.9MB

Download
memory/2904-1-0x000007FEF56F0000-0x000007FEF60DC000-memory.dmp

Filesize
9.9MB

Download