Malware Analysis Report

2024-10-23 19:49

Sample ID 240314-ah5fdsdf41
Target 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.zip
SHA256 12c923e36aa075c39aada2b2c6a88af66d42795061c1a82cac3c843449258c4f
Tags
chaos evasion persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

12c923e36aa075c39aada2b2c6a88af66d42795061c1a82cac3c843449258c4f

Threat Level: Known bad

The file 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.zip was found to be: Known bad.

Malicious Activity Summary

chaos evasion persistence ransomware spyware stealer

Chaos Ransomware

Chaos

Chaos family

Renames multiple (571) files with added filename extension

Modifies boot configuration data using bcdedit

Renames multiple (215) files with added filename extension

Deletes shadow copies

Deletes backup catalog

Disables Task Manager via registry modification

Checks computer location settings

Deletes itself

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Sets desktop wallpaper using registry

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Interacts with shadow copies

Opens file in notepad (likely ransom note)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-14 00:13

Signatures

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Chaos family

chaos

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-14 00:13

Reported

2024-03-14 00:16

Platform

win7-20240221-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (215) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Disables Task Manager via registry modification

evasion

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateTask = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yd40t9c5o.jpg" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1052 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1052 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1052 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2868 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2868 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2868 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2540 wrote to memory of 2880 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2540 wrote to memory of 2880 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2540 wrote to memory of 2880 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2540 wrote to memory of 576 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2540 wrote to memory of 576 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2540 wrote to memory of 576 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2868 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2868 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2868 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2316 wrote to memory of 836 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2316 wrote to memory of 836 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2316 wrote to memory of 836 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2316 wrote to memory of 1308 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2316 wrote to memory of 1308 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2316 wrote to memory of 1308 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2868 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2868 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2868 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2000 wrote to memory of 1816 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2000 wrote to memory of 1816 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2000 wrote to memory of 1816 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2868 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\NOTEPAD.EXE
PID 2868 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\NOTEPAD.EXE
PID 2868 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\NOTEPAD.EXE

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe

"C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\ReadMeForDecrypt.txt

Network

N/A

Files

memory/1052-0-0x00000000012F0000-0x00000000014FA000-memory.dmp

memory/1052-1-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

memory/1052-2-0x000000001B340000-0x000000001B3C0000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 9ea4e29bc9e30bfc3e6700a8a7b528bc
SHA1 e746ab4e69c7fdae6a7264c6c950734e1b00afa9
SHA256 efee72ef931113405a93d278893f9ad0dd1c80585731b38cb651a4874961cbb2
SHA512 d319c4066f238d0a75a75c4b4678f15f14836219df6f679910b7cbbc53a59832bd096049be7d065f2016851186abff08850f86564c3dd85b87a0571e0e3ea249

memory/2868-9-0x0000000001190000-0x000000000139A000-memory.dmp

memory/1052-8-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 cd8abb94bc38da2b38c58f64d4d608be
SHA1 8d11d65d0cec74f0ce9b6137b7c76ef38b9d75d4
SHA256 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd
SHA512 cad217dc9dc7858b2d2f36d6f0af35a6f5036d1d7d7c8782692922d48a9ce2743b0200838ddc9f1a7c967042bc0c243ba4d3c8468a86a1617340a946beae3747

memory/2868-10-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

memory/2868-11-0x0000000000F20000-0x0000000000FA0000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\ReadMeForDecrypt.txt

MD5 d4db6d273d98cc61baace7ef41316f07
SHA1 5f79024e8c5e75ba48aeeecbc74375c59634bacf
SHA256 36138fc2f3adcca70aebd68c03d7a13f9e379dae2eae70ea35fd588916fa2656
SHA512 a36db243b8302cd8d0516d441d147a5d0ccf6b09b833e5d3dc45fa572f1a7f8b11db8f8aab1f5f69c995872cbd3922c8f500098ba50576ea93bac583193932b6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 d1457b72c3fb323a2671125aef3eab5d
SHA1 5bab61eb53176449e25c2c82f172b82cb13ffb9d
SHA256 8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1
SHA512 ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

memory/2868-775-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-14 00:13

Reported

2024-03-14 00:16

Platform

win10v2004-20240226-en

Max time kernel

93s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (571) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateTask = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xab9c26qd.jpg" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1348 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1348 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4600 wrote to memory of 460 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 4600 wrote to memory of 460 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 460 wrote to memory of 1864 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 460 wrote to memory of 1864 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 460 wrote to memory of 3016 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 460 wrote to memory of 3016 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4600 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 4600 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2240 wrote to memory of 4356 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2240 wrote to memory of 4356 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2240 wrote to memory of 5092 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2240 wrote to memory of 5092 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4600 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 4600 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 4916 wrote to memory of 1628 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 4916 wrote to memory of 1628 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 4600 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\NOTEPAD.EXE
PID 4600 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\NOTEPAD.EXE

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe

"C:\Users\Admin\AppData\Local\Temp\486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\ReadMeForDecrypt.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 45.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/1348-0-0x00000254AF060000-0x00000254AF26A000-memory.dmp

memory/1348-1-0x00007FFAA6D00000-0x00007FFAA77C1000-memory.dmp

memory/1348-2-0x00000254C9900000-0x00000254C9910000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 4ff9284aad846aba67fa1274025cd9cf
SHA1 c410437b57c6524e09acc49fafb38ba5481fe24a
SHA256 c86d4ff727aa5a42e19c6dabc1dc608eae80355995840dcf6de702b3264d0d75
SHA512 baacdf3213d5c55ee894fc0d2fca531104a8fd3771be02e0734634e04258f08fe3b1a969105a4011c01f31f8492725f0706b241263822d6e0e353d04ddc11f27

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 cd8abb94bc38da2b38c58f64d4d608be
SHA1 8d11d65d0cec74f0ce9b6137b7c76ef38b9d75d4
SHA256 486f2eb64908f44b45220dd70aba4f6aacdf5208282c654d5ecb028b7ab8d1cd
SHA512 cad217dc9dc7858b2d2f36d6f0af35a6f5036d1d7d7c8782692922d48a9ce2743b0200838ddc9f1a7c967042bc0c243ba4d3c8468a86a1617340a946beae3747

memory/1348-15-0x00007FFAA6D00000-0x00007FFAA77C1000-memory.dmp

memory/4600-16-0x00007FFAA6D00000-0x00007FFAA77C1000-memory.dmp

C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\1 - Desktop.lnk

MD5 d1457b72c3fb323a2671125aef3eab5d
SHA1 5bab61eb53176449e25c2c82f172b82cb13ffb9d
SHA256 8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1
SHA512 ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\ReadMeForDecrypt.txt

MD5 d4db6d273d98cc61baace7ef41316f07
SHA1 5f79024e8c5e75ba48aeeecbc74375c59634bacf
SHA256 36138fc2f3adcca70aebd68c03d7a13f9e379dae2eae70ea35fd588916fa2656
SHA512 a36db243b8302cd8d0516d441d147a5d0ccf6b09b833e5d3dc45fa572f1a7f8b11db8f8aab1f5f69c995872cbd3922c8f500098ba50576ea93bac583193932b6

memory/4600-1541-0x00007FFAA6D00000-0x00007FFAA77C1000-memory.dmp