Analysis
-
max time kernel
121s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
14-03-2024 00:13
Behavioral task
behavioral1
Sample
486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe
Resource
win10v2004-20240226-en
General
-
Target
486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe
-
Size
2.0MB
-
MD5
cd8abb94bc38da2b38c58f64d4d608be
-
SHA1
8d11d65d0cec74f0ce9b6137b7c76ef38b9d75d4
-
SHA256
486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd
-
SHA512
cad217dc9dc7858b2d2f36d6f0af35a6f5036d1d7d7c8782692922d48a9ce2743b0200838ddc9f1a7c967042bc0c243ba4d3c8468a86a1617340a946beae3747
-
SSDEEP
24576:1R8ohgv/l9vmz4oHrATOIrmsmgXz2uMpVg20hVfXQ:PQmfEhVfXQ
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\ReadMeForDecrypt.txt
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 4 IoCs
Processes:
resource yara_rule behavioral1/memory/1052-0-0x00000000012F0000-0x00000000014FA000-memory.dmp family_chaos C:\Users\Admin\AppData\Roaming\svchost.exe family_chaos behavioral1/memory/2868-9-0x0000000001190000-0x000000000139A000-memory.dmp family_chaos C:\Users\Admin\AppData\Roaming\svchost.exe family_chaos -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
bcdedit.exebcdedit.exepid process 836 bcdedit.exe 1308 bcdedit.exe -
Renames multiple (215) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Processes:
wbadmin.exepid process 1816 wbadmin.exe -
Disables Task Manager via registry modification
-
Deletes itself 1 IoCs
Processes:
svchost.exepid process 2868 svchost.exe -
Executes dropped EXE 1 IoCs
Processes:
svchost.exepid process 2868 svchost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateTask = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" svchost.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yd40t9c5o.jpg" svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 2880 vssadmin.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 3048 NOTEPAD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exesvchost.exepid process 1052 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe 2868 svchost.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exesvchost.exepid process 1052 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe 1052 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe 1052 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe 2868 svchost.exe 2868 svchost.exe 2868 svchost.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exesvchost.exevssvc.exeWMIC.exewbengine.exedescription pid process Token: SeDebugPrivilege 1052 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe Token: SeDebugPrivilege 2868 svchost.exe Token: SeBackupPrivilege 2628 vssvc.exe Token: SeRestorePrivilege 2628 vssvc.exe Token: SeAuditPrivilege 2628 vssvc.exe Token: SeIncreaseQuotaPrivilege 576 WMIC.exe Token: SeSecurityPrivilege 576 WMIC.exe Token: SeTakeOwnershipPrivilege 576 WMIC.exe Token: SeLoadDriverPrivilege 576 WMIC.exe Token: SeSystemProfilePrivilege 576 WMIC.exe Token: SeSystemtimePrivilege 576 WMIC.exe Token: SeProfSingleProcessPrivilege 576 WMIC.exe Token: SeIncBasePriorityPrivilege 576 WMIC.exe Token: SeCreatePagefilePrivilege 576 WMIC.exe Token: SeBackupPrivilege 576 WMIC.exe Token: SeRestorePrivilege 576 WMIC.exe Token: SeShutdownPrivilege 576 WMIC.exe Token: SeDebugPrivilege 576 WMIC.exe Token: SeSystemEnvironmentPrivilege 576 WMIC.exe Token: SeRemoteShutdownPrivilege 576 WMIC.exe Token: SeUndockPrivilege 576 WMIC.exe Token: SeManageVolumePrivilege 576 WMIC.exe Token: 33 576 WMIC.exe Token: 34 576 WMIC.exe Token: 35 576 WMIC.exe Token: SeIncreaseQuotaPrivilege 576 WMIC.exe Token: SeSecurityPrivilege 576 WMIC.exe Token: SeTakeOwnershipPrivilege 576 WMIC.exe Token: SeLoadDriverPrivilege 576 WMIC.exe Token: SeSystemProfilePrivilege 576 WMIC.exe Token: SeSystemtimePrivilege 576 WMIC.exe Token: SeProfSingleProcessPrivilege 576 WMIC.exe Token: SeIncBasePriorityPrivilege 576 WMIC.exe Token: SeCreatePagefilePrivilege 576 WMIC.exe Token: SeBackupPrivilege 576 WMIC.exe Token: SeRestorePrivilege 576 WMIC.exe Token: SeShutdownPrivilege 576 WMIC.exe Token: SeDebugPrivilege 576 WMIC.exe Token: SeSystemEnvironmentPrivilege 576 WMIC.exe Token: SeRemoteShutdownPrivilege 576 WMIC.exe Token: SeUndockPrivilege 576 WMIC.exe Token: SeManageVolumePrivilege 576 WMIC.exe Token: 33 576 WMIC.exe Token: 34 576 WMIC.exe Token: 35 576 WMIC.exe Token: SeBackupPrivilege 2664 wbengine.exe Token: SeRestorePrivilege 2664 wbengine.exe Token: SeSecurityPrivilege 2664 wbengine.exe -
Suspicious use of WriteProcessMemory 30 IoCs
Processes:
486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exesvchost.execmd.execmd.execmd.exedescription pid process target process PID 1052 wrote to memory of 2868 1052 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe svchost.exe PID 1052 wrote to memory of 2868 1052 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe svchost.exe PID 1052 wrote to memory of 2868 1052 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe svchost.exe PID 2868 wrote to memory of 2540 2868 svchost.exe cmd.exe PID 2868 wrote to memory of 2540 2868 svchost.exe cmd.exe PID 2868 wrote to memory of 2540 2868 svchost.exe cmd.exe PID 2540 wrote to memory of 2880 2540 cmd.exe vssadmin.exe PID 2540 wrote to memory of 2880 2540 cmd.exe vssadmin.exe PID 2540 wrote to memory of 2880 2540 cmd.exe vssadmin.exe PID 2540 wrote to memory of 576 2540 cmd.exe WMIC.exe PID 2540 wrote to memory of 576 2540 cmd.exe WMIC.exe PID 2540 wrote to memory of 576 2540 cmd.exe WMIC.exe PID 2868 wrote to memory of 2316 2868 svchost.exe cmd.exe PID 2868 wrote to memory of 2316 2868 svchost.exe cmd.exe PID 2868 wrote to memory of 2316 2868 svchost.exe cmd.exe PID 2316 wrote to memory of 836 2316 cmd.exe bcdedit.exe PID 2316 wrote to memory of 836 2316 cmd.exe bcdedit.exe PID 2316 wrote to memory of 836 2316 cmd.exe bcdedit.exe PID 2316 wrote to memory of 1308 2316 cmd.exe bcdedit.exe PID 2316 wrote to memory of 1308 2316 cmd.exe bcdedit.exe PID 2316 wrote to memory of 1308 2316 cmd.exe bcdedit.exe PID 2868 wrote to memory of 2000 2868 svchost.exe cmd.exe PID 2868 wrote to memory of 2000 2868 svchost.exe cmd.exe PID 2868 wrote to memory of 2000 2868 svchost.exe cmd.exe PID 2000 wrote to memory of 1816 2000 cmd.exe wbadmin.exe PID 2000 wrote to memory of 1816 2000 cmd.exe wbadmin.exe PID 2000 wrote to memory of 1816 2000 cmd.exe wbadmin.exe PID 2868 wrote to memory of 3048 2868 svchost.exe NOTEPAD.EXE PID 2868 wrote to memory of 3048 2868 svchost.exe NOTEPAD.EXE PID 2868 wrote to memory of 3048 2868 svchost.exe NOTEPAD.EXE -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe"C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:2880 -
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:576 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no3⤵
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
PID:836 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
PID:1308 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
PID:1816 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\ReadMeForDecrypt.txt3⤵
- Opens file in notepad (likely ransom note)
PID:3048
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2628
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2664
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:1984
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:1996
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5d4db6d273d98cc61baace7ef41316f07
SHA15f79024e8c5e75ba48aeeecbc74375c59634bacf
SHA25636138fc2f3adcca70aebd68c03d7a13f9e379dae2eae70ea35fd588916fa2656
SHA512a36db243b8302cd8d0516d441d147a5d0ccf6b09b833e5d3dc45fa572f1a7f8b11db8f8aab1f5f69c995872cbd3922c8f500098ba50576ea93bac583193932b6
-
Filesize
1B
MD5d1457b72c3fb323a2671125aef3eab5d
SHA15bab61eb53176449e25c2c82f172b82cb13ffb9d
SHA2568a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1
SHA512ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0
-
Filesize
1.2MB
MD59ea4e29bc9e30bfc3e6700a8a7b528bc
SHA1e746ab4e69c7fdae6a7264c6c950734e1b00afa9
SHA256efee72ef931113405a93d278893f9ad0dd1c80585731b38cb651a4874961cbb2
SHA512d319c4066f238d0a75a75c4b4678f15f14836219df6f679910b7cbbc53a59832bd096049be7d065f2016851186abff08850f86564c3dd85b87a0571e0e3ea249
-
Filesize
2.0MB
MD5cd8abb94bc38da2b38c58f64d4d608be
SHA18d11d65d0cec74f0ce9b6137b7c76ef38b9d75d4
SHA256486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd
SHA512cad217dc9dc7858b2d2f36d6f0af35a6f5036d1d7d7c8782692922d48a9ce2743b0200838ddc9f1a7c967042bc0c243ba4d3c8468a86a1617340a946beae3747