Analysis

  • max time kernel
    93s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-03-2024 00:13

General

  • Target

    486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe

  • Size

    2.0MB

  • MD5

    cd8abb94bc38da2b38c58f64d4d608be

  • SHA1

    8d11d65d0cec74f0ce9b6137b7c76ef38b9d75d4

  • SHA256

    486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd

  • SHA512

    cad217dc9dc7858b2d2f36d6f0af35a6f5036d1d7d7c8782692922d48a9ce2743b0200838ddc9f1a7c967042bc0c243ba4d3c8468a86a1617340a946beae3747

  • SSDEEP

    24576:1R8ohgv/l9vmz4oHrATOIrmsmgXz2uMpVg20hVfXQ:PQmfEhVfXQ

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\ReadMeForDecrypt.txt

Ransom Note
------------------------ ALL YOUR FILES ARE ENCRYPTED ------------------------ ----> Оставайтесь сосредоточенными. <---- Все ваши файлы зашифрованы Ваш компьютер заражен вирусом-вымогателем. Ваши файлы зашифрованы, и вы не будете сможете расшифровать их без нашей помощи. Что я могу сделать, чтобы восстановить файлы? Вы можете купить наше программное обеспечение для дешифрования, это программное обеспечение позволит вам восстановить все ваши данные и удалить программы-вымогатели с вашего компьютера. Цена программного обеспечения составляет 130 долларов США (0,0027 BTC). может быть произведена только в биткойнах. Как оплатить, где я могу получить биткойны? Покупка биткойнов варьируется от страны к стране, лучше всего выполнить быстрый поиск в Google. Сами узнайте, как купить биткойн. Многие из наших клиентов отмечают, что эти сайты работают быстро и надежно: Коинмама — hxxps://www.coinmama.com Битпанда — hxxps://www.bitpanda.com BTC : bc1qf48urryzyt3t8a4g5sdjkfy4qdkqdnq24q3xr5 ETH : 0x55069B5317529E07ccABAaA5AaE22a9bfa1C3E12 Для подтверждения покупки свяжитесь с администратором по электронной почте или в Telegram: Электронная почта — [email protected] ТЛГ - @payurransom ---------------------------------------------------------------------------------------------------------------------------------------- ----> Stay focused. <---- All your files have been encrypted Your computer has been infected with a ransomware virus. Your files have been encrypted and you won't be be able to decipher them without our help. What can I do to recover my files? You can buy our decryption software, this software will allow you to recover all your data and delete the ransomware from your computer. The price of the software is $130 (0.0027 BTC). Payment can only be made in Bitcoin. How to pay, where can I get Bitcoin? Buying Bitcoin varies from country to country, it's best to do a quick Google search. Yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com BTC : bc1qf48urryzyt3t8a4g5sdjkfy4qdkqdnq24q3xr5 ETH : 0x55069B5317529E07ccABAaA5AaE22a9bfa1C3E12 To confirm your purchase, please contact the administrator via email or Telegram: Email - [email protected] TLG - @payurransom ---------------------------------------------------------------------------------------------------------------------------------------- ----> Restez concentré. <---- Tous vos fichiers ont été cryptés Votre ordinateur a été infecté par un virus ransomware. Vos fichiers ont été cryptés et vous ne le serez pas pouvoir les décrypter sans notre aide. Que puis-je faire pour récupérer mes fichiers ? Vous pouvez acheter notre logiciel de décryptage, ce logiciel vous permettra de récupérer toutes vos données et de supprimer les ransomware depuis votre ordinateur. Le prix du logiciel est de 130 $ ( 0,0027 BTC). Le paiement peut être effectué uniquement en Bitcoin. Comment payer, où puis-je obtenir du Bitcoin ? L'achat de Bitcoin varie d'un pays à l'autre, il est préférable de faire une recherche rapide sur Google. Vous-même pour découvrir comment acheter du Bitcoin. Beaucoup de nos clients ont signalé que ces sites étaient rapides et fiables : Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com BTC : bc1qf48urryzyt3t8a4g5sdjkfy4qdkqdnq24q3xr5 ETH : 0x55069B5317529E07ccABAaA5AaE22a9bfa1C3E12 Pour confirmer votre achat, veuillez contacter l'administrateur via mail ou Telegram : Mail - [email protected] TLG - @payurransom

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 3 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (571) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 52 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe
    "C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1348
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • Sets desktop wallpaper using registry
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4600
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:460
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:1864
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3016
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2240
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:4356
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:5092
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4916
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:1628
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\ReadMeForDecrypt.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:4504
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4804
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2488
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:4564
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:3812

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\ReadMeForDecrypt.txt

      Filesize

      4KB

      MD5

      d4db6d273d98cc61baace7ef41316f07

      SHA1

      5f79024e8c5e75ba48aeeecbc74375c59634bacf

      SHA256

      36138fc2f3adcca70aebd68c03d7a13f9e379dae2eae70ea35fd588916fa2656

      SHA512

      a36db243b8302cd8d0516d441d147a5d0ccf6b09b833e5d3dc45fa572f1a7f8b11db8f8aab1f5f69c995872cbd3922c8f500098ba50576ea93bac583193932b6

    • C:\Users\Admin\AppData\Roaming\svchost.exe

      Filesize

      2.0MB

      MD5

      cd8abb94bc38da2b38c58f64d4d608be

      SHA1

      8d11d65d0cec74f0ce9b6137b7c76ef38b9d75d4

      SHA256

      486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd

      SHA512

      cad217dc9dc7858b2d2f36d6f0af35a6f5036d1d7d7c8782692922d48a9ce2743b0200838ddc9f1a7c967042bc0c243ba4d3c8468a86a1617340a946beae3747

    • C:\Users\Admin\AppData\Roaming\svchost.exe

      Filesize

      492KB

      MD5

      4ff9284aad846aba67fa1274025cd9cf

      SHA1

      c410437b57c6524e09acc49fafb38ba5481fe24a

      SHA256

      c86d4ff727aa5a42e19c6dabc1dc608eae80355995840dcf6de702b3264d0d75

      SHA512

      baacdf3213d5c55ee894fc0d2fca531104a8fd3771be02e0734634e04258f08fe3b1a969105a4011c01f31f8492725f0706b241263822d6e0e353d04ddc11f27

    • C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\1 - Desktop.lnk

      Filesize

      1B

      MD5

      d1457b72c3fb323a2671125aef3eab5d

      SHA1

      5bab61eb53176449e25c2c82f172b82cb13ffb9d

      SHA256

      8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

      SHA512

      ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

    • memory/1348-0-0x00000254AF060000-0x00000254AF26A000-memory.dmp

      Filesize

      2.0MB

    • memory/1348-1-0x00007FFAA6D00000-0x00007FFAA77C1000-memory.dmp

      Filesize

      10.8MB

    • memory/1348-2-0x00000254C9900000-0x00000254C9910000-memory.dmp

      Filesize

      64KB

    • memory/1348-15-0x00007FFAA6D00000-0x00007FFAA77C1000-memory.dmp

      Filesize

      10.8MB

    • memory/4600-16-0x00007FFAA6D00000-0x00007FFAA77C1000-memory.dmp

      Filesize

      10.8MB

    • memory/4600-1541-0x00007FFAA6D00000-0x00007FFAA77C1000-memory.dmp

      Filesize

      10.8MB