Analysis
-
max time kernel
119s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
14-03-2024 10:16
Behavioral task
behavioral1
Sample
c85e2c51d367e1035407c74d5701c33f.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
c85e2c51d367e1035407c74d5701c33f.exe
Resource
win10v2004-20240226-en
General
-
Target
c85e2c51d367e1035407c74d5701c33f.exe
-
Size
18KB
-
MD5
c85e2c51d367e1035407c74d5701c33f
-
SHA1
8f866a991dbd63ff68027a7454df08c2f0d82c61
-
SHA256
4d5c36ae16fb89f682ac9e5b9a3c4120a240a120a0bbc9e44dd39624e417eb3a
-
SHA512
043189d7b576277b36d467dffd06fa867dfc4201e4d82e837ea3a7321f6a6c7647c8cf47fa21f9de1b9ab6aeb05d4ce3dad16cde05b333c37c7436af8ff15e98
-
SSDEEP
192:ca1c5EFHg5rfWCW+5OTChvfjVOhw1qnG8V/Y1P0abAK0xNvncPKHgBD91CfmY32z:0Yksqqn7w1P0OSvD2D91C9M1FqAP
Malware Config
Extracted
C:\Users\Admin\Documents\read_it.txt
173y1DPs8yPFQTVqcjdBaZSPXqfKDnzEyS
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1548-0-0x0000000000020000-0x000000000002A000-memory.dmp | family_chaos
C:\Users\Admin\AppData\Roaming\RE8crack.exe | family_chaos
behavioral1/memory/2588-7-0x0000000000250000-0x000000000025A000-memory.dmp | family_chaos
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
pid | process
2784 | bcdedit.exe
2776 | bcdedit.exe
-
Deletes backup catalog
Processes:
pid | process
2708 | wbadmin.exe
-
Drops startup file 1 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RE8crack.url | RE8crack.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
2588 | RE8crack.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Store = "C:\\Users\\Admin\\AppData\\Roaming\\RE8crack.exe" | RE8crack.exe
-
Drops desktop.ini file(s) 14 IoCs
Processes:
description | ioc | process
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2461186416-2307104501-1787948496-1000\desktop.ini | RE8crack.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | RE8crack.exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | RE8crack.exe
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | RE8crack.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | RE8crack.exe
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | RE8crack.exe
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | RE8crack.exe
File opened for modification | C:\Users\Admin\Searches\desktop.ini | RE8crack.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | RE8crack.exe
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | RE8crack.exe
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | RE8crack.exe
File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | RE8crack.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | RE8crack.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | RE8crack.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
2620 | vssadmin.exe
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
pid | process
1472 | NOTEPAD.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
2588 | RE8crack.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pid | process
1548 | c85e2c51d367e1035407c74d5701c33f.exe
1548 | c85e2c51d367e1035407c74d5701c33f.exe
2588 | RE8crack.exe
2588 | RE8crack.exe
2588 | RE8crack.exe
2588 | RE8crack.exe
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1548 | c85e2c51d367e1035407c74d5701c33f.exe
Token: SeDebugPrivilege | 2588 | RE8crack.exe
Token: SeBackupPrivilege | 2780 | vssvc.exe
Token: SeRestorePrivilege | 2780 | vssvc.exe
Token: SeAuditPrivilege | 2780 | vssvc.exe
Token: SeIncreaseQuotaPrivilege | 1900 | WMIC.exe
Token: SeSecurityPrivilege | 1900 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1900 | WMIC.exe
Token: SeLoadDriverPrivilege | 1900 | WMIC.exe
Token: SeSystemProfilePrivilege | 1900 | WMIC.exe
Token: SeSystemtimePrivilege | 1900 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1900 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1900 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1900 | WMIC.exe
Token: SeBackupPrivilege | 1900 | WMIC.exe
Token: SeRestorePrivilege | 1900 | WMIC.exe
Token: SeShutdownPrivilege | 1900 | WMIC.exe
Token: SeDebugPrivilege | 1900 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1900 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1900 | WMIC.exe
Token: SeUndockPrivilege | 1900 | WMIC.exe
Token: SeManageVolumePrivilege | 1900 | WMIC.exe
Token: 33 | 1900 | WMIC.exe
Token: 34 | 1900 | WMIC.exe
Token: 35 | 1900 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 1900 | WMIC.exe
Token: SeSecurityPrivilege | 1900 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1900 | WMIC.exe
Token: SeLoadDriverPrivilege | 1900 | WMIC.exe
Token: SeSystemProfilePrivilege | 1900 | WMIC.exe
Token: SeSystemtimePrivilege | 1900 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1900 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1900 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1900 | WMIC.exe
Token: SeBackupPrivilege | 1900 | WMIC.exe
Token: SeRestorePrivilege | 1900 | WMIC.exe
Token: SeShutdownPrivilege | 1900 | WMIC.exe
Token: SeDebugPrivilege | 1900 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1900 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1900 | WMIC.exe
Token: SeUndockPrivilege | 1900 | WMIC.exe
Token: SeManageVolumePrivilege | 1900 | WMIC.exe
Token: 33 | 1900 | WMIC.exe
Token: 34 | 1900 | WMIC.exe
Token: 35 | 1900 | WMIC.exe
Token: SeBackupPrivilege | 612 | wbengine.exe
Token: SeRestorePrivilege | 612 | wbengine.exe
Token: SeSecurityPrivilege | 612 | wbengine.exe
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes:
description | pid | process | target process
PID 1548 wrote to memory of 2588 | 1548 | c85e2c51d367e1035407c74d5701c33f.exe | RE8crack.exe
PID 1548 wrote to memory of 2588 | 1548 | c85e2c51d367e1035407c74d5701c33f.exe | RE8crack.exe
PID 1548 wrote to memory of 2588 | 1548 | c85e2c51d367e1035407c74d5701c33f.exe | RE8crack.exe
PID 2588 wrote to memory of 2528 | 2588 | RE8crack.exe | cmd.exe
PID 2588 wrote to memory of 2528 | 2588 | RE8crack.exe | cmd.exe
PID 2588 wrote to memory of 2528 | 2588 | RE8crack.exe | cmd.exe
PID 2528 wrote to memory of 2620 | 2528 | cmd.exe | vssadmin.exe
PID 2528 wrote to memory of 2620 | 2528 | cmd.exe | vssadmin.exe
PID 2528 wrote to memory of 2620 | 2528 | cmd.exe | vssadmin.exe
PID 2528 wrote to memory of 1900 | 2528 | cmd.exe | WMIC.exe
PID 2528 wrote to memory of 1900 | 2528 | cmd.exe | WMIC.exe
PID 2528 wrote to memory of 1900 | 2528 | cmd.exe | WMIC.exe
PID 2588 wrote to memory of 308 | 2588 | RE8crack.exe | cmd.exe
PID 2588 wrote to memory of 308 | 2588 | RE8crack.exe | cmd.exe
PID 2588 wrote to memory of 308 | 2588 | RE8crack.exe | cmd.exe
PID 308 wrote to memory of 2784 | 308 | cmd.exe | bcdedit.exe
PID 308 wrote to memory of 2784 | 308 | cmd.exe | bcdedit.exe
PID 308 wrote to memory of 2784 | 308 | cmd.exe | bcdedit.exe
PID 308 wrote to memory of 2776 | 308 | cmd.exe | bcdedit.exe
PID 308 wrote to memory of 2776 | 308 | cmd.exe | bcdedit.exe
PID 308 wrote to memory of 2776 | 308 | cmd.exe | bcdedit.exe
PID 2588 wrote to memory of 2484 | 2588 | RE8crack.exe | cmd.exe
PID 2588 wrote to memory of 2484 | 2588 | RE8crack.exe | cmd.exe
PID 2588 wrote to memory of 2484 | 2588 | RE8crack.exe | cmd.exe
PID 2484 wrote to memory of 2708 | 2484 | cmd.exe | wbadmin.exe
PID 2484 wrote to memory of 2708 | 2484 | cmd.exe | wbadmin.exe
PID 2484 wrote to memory of 2708 | 2484 | cmd.exe | wbadmin.exe
PID 2588 wrote to memory of 1472 | 2588 | RE8crack.exe | NOTEPAD.EXE
PID 2588 wrote to memory of 1472 | 2588 | RE8crack.exe | NOTEPAD.EXE
PID 2588 wrote to memory of 1472 | 2588 | RE8crack.exe | NOTEPAD.EXE
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c85e2c51d367e1035407c74d5701c33f.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c85e2c51d367e1035407c74d5701c33f.exe"
Depth: 1
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1548
-
    C:\Users\Admin\AppData\Roaming\RE8crack.exe
    Command line: "C:\Users\Admin\AppData\Roaming\RE8crack.exe"
    Depth: 2
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2588
    -
        C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        Depth: 3
        - Suspicious use of WriteProcessMemory
        PID: 2528
        -
            C:\Windows\system32\vssadmin.exe
            Command line: vssadmin delete shadows /all /quiet
            Depth: 4
            - Interacts with shadow copies
            PID: 2620
            -
            C:\Windows\System32\Wbem\WMIC.exe
            Command line: wmic shadowcopy delete
            Depth: 4
            - Suspicious use of AdjustPrivilegeToken
            PID: 1900
        -
        C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        Depth: 3
        - Suspicious use of WriteProcessMemory
        PID: 308
        -
            C:\Windows\system32\bcdedit.exe
            Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
            Depth: 4
            - Modifies boot configuration data using bcdedit
            PID: 2784
            -
            C:\Windows\system32\bcdedit.exe
            Command line: bcdedit /set {default} recoveryenabled no
            Depth: 4
            - Modifies boot configuration data using bcdedit
            PID: 2776
        -
        C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        Depth: 3
        - Suspicious use of WriteProcessMemory
        PID: 2484
        -
            C:\Windows\system32\wbadmin.exe
            Command line: wbadmin delete catalog -quiet
            Depth: 4
            - Deletes backup catalog
            PID: 2708
        -
        C:\Windows\system32\NOTEPAD.EXE
        Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        Depth: 3
        - Opens file in notepad (likely ransom note)
        PID: 1472
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
Depth: 1
- Suspicious use of AdjustPrivilegeToken
PID: 2780
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
Depth: 1
- Suspicious use of AdjustPrivilegeToken
PID: 612
-
C:\Windows\System32\vdsldr.exe
Command line: C:\Windows\System32\vdsldr.exe -Embedding
Depth: 1
PID: 2180
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
Depth: 1
PID: 1864
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
18KB
MD5
c85e2c51d367e1035407c74d5701c33f
SHA1
8f866a991dbd63ff68027a7454df08c2f0d82c61
SHA256
4d5c36ae16fb89f682ac9e5b9a3c4120a240a120a0bbc9e44dd39624e417eb3a
SHA512
043189d7b576277b36d467dffd06fa867dfc4201e4d82e837ea3a7321f6a6c7647c8cf47fa21f9de1b9ab6aeb05d4ce3dad16cde05b333c37c7436af8ff15e98
-
Filesize
1KB
MD5
8bab127caba68d9aaf6ea322b02c8fa9
SHA1
68690e6932bea4d6a6c266d13f388ee5d4ce5998
SHA256
c217b95d8cea69c163c74466414bb0f857bbcf5ec52fabf77d571411423fe62d
SHA512
a814487d07cd7f6e504b82b7d5c65de1c6f059cbc89e9b1bfc7ca6dfaa298da4833f81bc0140fc712becdb5f8bddbab01c0d31f5994a8be5c622c664bdd85a41