Analysis
-
max time kernel
93s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
14-03-2024 00:13
Behavioral task
behavioral1
Sample
486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe
Resource
win10v2004-20240226-en
General
-
Target
486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe
-
Size
2.0MB
-
MD5
cd8abb94bc38da2b38c58f64d4d608be
-
SHA1
8d11d65d0cec74f0ce9b6137b7c76ef38b9d75d4
-
SHA256
486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd
-
SHA512
cad217dc9dc7858b2d2f36d6f0af35a6f5036d1d7d7c8782692922d48a9ce2743b0200838ddc9f1a7c967042bc0c243ba4d3c8468a86a1617340a946beae3747
-
SSDEEP
24576:1R8ohgv/l9vmz4oHrATOIrmsmgXz2uMpVg20hVfXQ:PQmfEhVfXQ
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\ReadMeForDecrypt.txt
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 3 IoCs
Processes:
resource yara_rule behavioral2/memory/1348-0-0x00000254AF060000-0x00000254AF26A000-memory.dmp family_chaos C:\Users\Admin\AppData\Roaming\svchost.exe family_chaos C:\Users\Admin\AppData\Roaming\svchost.exe family_chaos -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
bcdedit.exebcdedit.exepid process 4356 bcdedit.exe 5092 bcdedit.exe -
Renames multiple (571) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Processes:
wbadmin.exepid process 1628 wbadmin.exe -
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exesvchost.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation svchost.exe -
Deletes itself 1 IoCs
Processes:
svchost.exepid process 4600 svchost.exe -
Executes dropped EXE 1 IoCs
Processes:
svchost.exepid process 4600 svchost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateTask = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" svchost.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xab9c26qd.jpg" svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vds.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 1864 vssadmin.exe -
Modifies registry class 1 IoCs
Processes:
svchost.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings svchost.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 4504 NOTEPAD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exesvchost.exepid process 1348 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe 4600 svchost.exe -
Suspicious behavior: EnumeratesProcesses 52 IoCs
Processes:
486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exesvchost.exepid process 1348 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe 1348 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe 1348 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe 1348 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe 1348 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe 1348 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe 1348 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe 1348 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe 1348 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe 1348 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe 1348 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe 1348 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe 1348 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe 1348 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe 1348 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe 1348 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe 1348 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe 1348 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe 1348 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe 1348 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe 1348 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe 1348 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe 1348 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe 1348 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe 1348 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe 1348 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe 1348 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe 1348 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe 1348 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe 4600 svchost.exe -
Suspicious use of AdjustPrivilegeToken 50 IoCs
Processes:
486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exesvchost.exevssvc.exeWMIC.exewbengine.exedescription pid process Token: SeDebugPrivilege 1348 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe Token: SeDebugPrivilege 4600 svchost.exe Token: SeBackupPrivilege 4804 vssvc.exe Token: SeRestorePrivilege 4804 vssvc.exe Token: SeAuditPrivilege 4804 vssvc.exe Token: SeIncreaseQuotaPrivilege 3016 WMIC.exe Token: SeSecurityPrivilege 3016 WMIC.exe Token: SeTakeOwnershipPrivilege 3016 WMIC.exe Token: SeLoadDriverPrivilege 3016 WMIC.exe Token: SeSystemProfilePrivilege 3016 WMIC.exe Token: SeSystemtimePrivilege 3016 WMIC.exe Token: SeProfSingleProcessPrivilege 3016 WMIC.exe Token: SeIncBasePriorityPrivilege 3016 WMIC.exe Token: SeCreatePagefilePrivilege 3016 WMIC.exe Token: SeBackupPrivilege 3016 WMIC.exe Token: SeRestorePrivilege 3016 WMIC.exe Token: SeShutdownPrivilege 3016 WMIC.exe Token: SeDebugPrivilege 3016 WMIC.exe Token: SeSystemEnvironmentPrivilege 3016 WMIC.exe Token: SeRemoteShutdownPrivilege 3016 WMIC.exe Token: SeUndockPrivilege 3016 WMIC.exe Token: SeManageVolumePrivilege 3016 WMIC.exe Token: 33 3016 WMIC.exe Token: 34 3016 WMIC.exe Token: 35 3016 WMIC.exe Token: 36 3016 WMIC.exe Token: SeIncreaseQuotaPrivilege 3016 WMIC.exe Token: SeSecurityPrivilege 3016 WMIC.exe Token: SeTakeOwnershipPrivilege 3016 WMIC.exe Token: SeLoadDriverPrivilege 3016 WMIC.exe Token: SeSystemProfilePrivilege 3016 WMIC.exe Token: SeSystemtimePrivilege 3016 WMIC.exe Token: SeProfSingleProcessPrivilege 3016 WMIC.exe Token: SeIncBasePriorityPrivilege 3016 WMIC.exe Token: SeCreatePagefilePrivilege 3016 WMIC.exe Token: SeBackupPrivilege 3016 WMIC.exe Token: SeRestorePrivilege 3016 WMIC.exe Token: SeShutdownPrivilege 3016 WMIC.exe Token: SeDebugPrivilege 3016 WMIC.exe Token: SeSystemEnvironmentPrivilege 3016 WMIC.exe Token: SeRemoteShutdownPrivilege 3016 WMIC.exe Token: SeUndockPrivilege 3016 WMIC.exe Token: SeManageVolumePrivilege 3016 WMIC.exe Token: 33 3016 WMIC.exe Token: 34 3016 WMIC.exe Token: 35 3016 WMIC.exe Token: 36 3016 WMIC.exe Token: SeBackupPrivilege 2488 wbengine.exe Token: SeRestorePrivilege 2488 wbengine.exe Token: SeSecurityPrivilege 2488 wbengine.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exesvchost.execmd.execmd.execmd.exedescription pid process target process PID 1348 wrote to memory of 4600 1348 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe svchost.exe PID 1348 wrote to memory of 4600 1348 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe svchost.exe PID 4600 wrote to memory of 460 4600 svchost.exe cmd.exe PID 4600 wrote to memory of 460 4600 svchost.exe cmd.exe PID 460 wrote to memory of 1864 460 cmd.exe vssadmin.exe PID 460 wrote to memory of 1864 460 cmd.exe vssadmin.exe PID 460 wrote to memory of 3016 460 cmd.exe WMIC.exe PID 460 wrote to memory of 3016 460 cmd.exe WMIC.exe PID 4600 wrote to memory of 2240 4600 svchost.exe cmd.exe PID 4600 wrote to memory of 2240 4600 svchost.exe cmd.exe PID 2240 wrote to memory of 4356 2240 cmd.exe bcdedit.exe PID 2240 wrote to memory of 4356 2240 cmd.exe bcdedit.exe PID 2240 wrote to memory of 5092 2240 cmd.exe bcdedit.exe PID 2240 wrote to memory of 5092 2240 cmd.exe bcdedit.exe PID 4600 wrote to memory of 4916 4600 svchost.exe cmd.exe PID 4600 wrote to memory of 4916 4600 svchost.exe cmd.exe PID 4916 wrote to memory of 1628 4916 cmd.exe wbadmin.exe PID 4916 wrote to memory of 1628 4916 cmd.exe wbadmin.exe PID 4600 wrote to memory of 4504 4600 svchost.exe NOTEPAD.EXE PID 4600 wrote to memory of 4504 4600 svchost.exe NOTEPAD.EXE -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe"C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe"1⤵
- Checks computer location settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
PID:460 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:1864 -
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3016 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no3⤵
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
PID:4356 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
PID:5092 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
PID:1628 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\ReadMeForDecrypt.txt3⤵
- Opens file in notepad (likely ransom note)
PID:4504
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4804
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2488
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:4564
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:3812
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5d4db6d273d98cc61baace7ef41316f07
SHA15f79024e8c5e75ba48aeeecbc74375c59634bacf
SHA25636138fc2f3adcca70aebd68c03d7a13f9e379dae2eae70ea35fd588916fa2656
SHA512a36db243b8302cd8d0516d441d147a5d0ccf6b09b833e5d3dc45fa572f1a7f8b11db8f8aab1f5f69c995872cbd3922c8f500098ba50576ea93bac583193932b6
-
Filesize
2.0MB
MD5cd8abb94bc38da2b38c58f64d4d608be
SHA18d11d65d0cec74f0ce9b6137b7c76ef38b9d75d4
SHA256486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd
SHA512cad217dc9dc7858b2d2f36d6f0af35a6f5036d1d7d7c8782692922d48a9ce2743b0200838ddc9f1a7c967042bc0c243ba4d3c8468a86a1617340a946beae3747
-
Filesize
492KB
MD54ff9284aad846aba67fa1274025cd9cf
SHA1c410437b57c6524e09acc49fafb38ba5481fe24a
SHA256c86d4ff727aa5a42e19c6dabc1dc608eae80355995840dcf6de702b3264d0d75
SHA512baacdf3213d5c55ee894fc0d2fca531104a8fd3771be02e0734634e04258f08fe3b1a969105a4011c01f31f8492725f0706b241263822d6e0e353d04ddc11f27
-
Filesize
1B
MD5d1457b72c3fb323a2671125aef3eab5d
SHA15bab61eb53176449e25c2c82f172b82cb13ffb9d
SHA2568a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1
SHA512ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0