Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    14-03-2024 10:16

General

  • Target

    c85e2c51d367e1035407c74d5701c33f.exe

  • Size

    18KB

  • MD5

    c85e2c51d367e1035407c74d5701c33f

  • SHA1

    8f866a991dbd63ff68027a7454df08c2f0d82c61

  • SHA256

    4d5c36ae16fb89f682ac9e5b9a3c4120a240a120a0bbc9e44dd39624e417eb3a

  • SHA512

    043189d7b576277b36d467dffd06fa867dfc4201e4d82e837ea3a7321f6a6c7647c8cf47fa21f9de1b9ab6aeb05d4ce3dad16cde05b333c37c7436af8ff15e98

  • SSDEEP

    192:ca1c5EFHg5rfWCW+5OTChvfjVOhw1qnG8V/Y1P0abAK0xNvncPKHgBD91CfmY32z:0Yksqqn7w1P0OSvD2D91C9M1FqAP

Malware Config

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Ransom Note
Oooooops ! All your files have been encrypted by a ransomware that use a military grade. Your files have been encrypted and you won't be able to decrypt them without our help 1. How Can recover my files ? To decrypt your files, you do buying a decryption logiciel that convert your crypted files into normal files. This software will allow you to recover all of your data and remove the ransomware from your computer. 2. How much cost the decryption software ? The price for the software is $150. Payment can be made in Bitcoin (BTC) only. 3. How Can I Buy BTC ? You can buy cryptocurrencies in a lot of market such Coinbase, CoinMarket, Coinama, etc. 4. How can i send my BTC ? Send $150 at this adress : BTC Adress : 173y1DPs8yPFQTVqcjdBaZSPXqfKDnzEyS 5. And After ? Contact us by mail at this adress : Mail Adress : [email protected] Join a picture of your transaction, and we will send you the decryption software. Without your money, we don't answer to your mail.
Wallets

173y1DPs8yPFQTVqcjdBaZSPXqfKDnzEyS

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 3 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\c85e2c51d367e1035407c74d5701c33f.exe
    "C:\Users\Admin\AppData\Local\Temp\c85e2c51d367e1035407c74d5701c33f.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1548
    • C:\Users\Admin\AppData\Roaming\RE8crack.exe
      "C:\Users\Admin\AppData\Roaming\RE8crack.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2588
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2528
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2620
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1900
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:308
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2784
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2776
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2484
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:2708
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:1472
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2780
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:612
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:2180
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
        PID:1864

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\RE8crack.exe

        Filesize

        18KB

        MD5

        c85e2c51d367e1035407c74d5701c33f

        SHA1

        8f866a991dbd63ff68027a7454df08c2f0d82c61

        SHA256

        4d5c36ae16fb89f682ac9e5b9a3c4120a240a120a0bbc9e44dd39624e417eb3a

        SHA512

        043189d7b576277b36d467dffd06fa867dfc4201e4d82e837ea3a7321f6a6c7647c8cf47fa21f9de1b9ab6aeb05d4ce3dad16cde05b333c37c7436af8ff15e98

      • C:\Users\Admin\Documents\read_it.txt

        Filesize

        1KB

        MD5

        8bab127caba68d9aaf6ea322b02c8fa9

        SHA1

        68690e6932bea4d6a6c266d13f388ee5d4ce5998

        SHA256

        c217b95d8cea69c163c74466414bb0f857bbcf5ec52fabf77d571411423fe62d

        SHA512

        a814487d07cd7f6e504b82b7d5c65de1c6f059cbc89e9b1bfc7ca6dfaa298da4833f81bc0140fc712becdb5f8bddbab01c0d31f5994a8be5c622c664bdd85a41

      • memory/1548-0-0x0000000000020000-0x000000000002A000-memory.dmp

        Filesize

        40KB

      • memory/1548-1-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

        Filesize

        9.9MB

      • memory/1548-8-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

        Filesize

        9.9MB

      • memory/2588-7-0x0000000000250000-0x000000000025A000-memory.dmp

        Filesize

        40KB

      • memory/2588-9-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

        Filesize

        9.9MB

      • memory/2588-187-0x000000001AF70000-0x000000001AFF0000-memory.dmp

        Filesize

        512KB

      • memory/2588-189-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

        Filesize

        9.9MB

      • memory/2588-190-0x000000001AF70000-0x000000001AFF0000-memory.dmp

        Filesize

        512KB