Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-03-2024 10:16

General

  • Target

    c85e2c51d367e1035407c74d5701c33f.exe

  • Size

    18KB

  • MD5

    c85e2c51d367e1035407c74d5701c33f

  • SHA1

    8f866a991dbd63ff68027a7454df08c2f0d82c61

  • SHA256

    4d5c36ae16fb89f682ac9e5b9a3c4120a240a120a0bbc9e44dd39624e417eb3a

  • SHA512

    043189d7b576277b36d467dffd06fa867dfc4201e4d82e837ea3a7321f6a6c7647c8cf47fa21f9de1b9ab6aeb05d4ce3dad16cde05b333c37c7436af8ff15e98

  • SSDEEP

    192:ca1c5EFHg5rfWCW+5OTChvfjVOhw1qnG8V/Y1P0abAK0xNvncPKHgBD91CfmY32z:0Yksqqn7w1P0OSvD2D91C9M1FqAP

Malware Config

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Ransom Note
Oooooops ! All your files have been encrypted by a ransomware that use a military grade. Your files have been encrypted and you won't be able to decrypt them without our help 1. How Can recover my files ? To decrypt your files, you do buying a decryption logiciel that convert your crypted files into normal files. This software will allow you to recover all of your data and remove the ransomware from your computer. 2. How much cost the decryption software ? The price for the software is $150. Payment can be made in Bitcoin (BTC) only. 3. How Can I Buy BTC ? You can buy cryptocurrencies in a lot of market such Coinbase, CoinMarket, Coinama, etc. 4. How can i send my BTC ? Send $150 at this adress : BTC Adress : 173y1DPs8yPFQTVqcjdBaZSPXqfKDnzEyS 5. And After ? Contact us by mail at this adress : Mail Adress : [email protected] Join a picture of your transaction, and we will send you the decryption software. Without your money, we don't answer to your mail.
Wallets

173y1DPs8yPFQTVqcjdBaZSPXqfKDnzEyS

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 2 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\c85e2c51d367e1035407c74d5701c33f.exe
    "C:\Users\Admin\AppData\Local\Temp\c85e2c51d367e1035407c74d5701c33f.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\Users\Admin\AppData\Roaming\RE8crack.exe
      "C:\Users\Admin\AppData\Roaming\RE8crack.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1844
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:3916
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4536
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1480
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:3544
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:4164
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3336
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:2764
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:3632
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1500
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3268
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:4588
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:620

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\RE8crack.exe

      Filesize

      18KB

      MD5

      c85e2c51d367e1035407c74d5701c33f

      SHA1

      8f866a991dbd63ff68027a7454df08c2f0d82c61

      SHA256

      4d5c36ae16fb89f682ac9e5b9a3c4120a240a120a0bbc9e44dd39624e417eb3a

      SHA512

      043189d7b576277b36d467dffd06fa867dfc4201e4d82e837ea3a7321f6a6c7647c8cf47fa21f9de1b9ab6aeb05d4ce3dad16cde05b333c37c7436af8ff15e98

    • C:\Users\Admin\Documents\read_it.txt

      Filesize

      1KB

      MD5

      8bab127caba68d9aaf6ea322b02c8fa9

      SHA1

      68690e6932bea4d6a6c266d13f388ee5d4ce5998

      SHA256

      c217b95d8cea69c163c74466414bb0f857bbcf5ec52fabf77d571411423fe62d

      SHA512

      a814487d07cd7f6e504b82b7d5c65de1c6f059cbc89e9b1bfc7ca6dfaa298da4833f81bc0140fc712becdb5f8bddbab01c0d31f5994a8be5c622c664bdd85a41

    • memory/2548-15-0x00007FF853D50000-0x00007FF854811000-memory.dmp

      Filesize

      10.8MB

    • memory/2548-191-0x00000000027C0000-0x00000000027D0000-memory.dmp

      Filesize

      64KB

    • memory/2548-194-0x00007FF853D50000-0x00007FF854811000-memory.dmp

      Filesize

      10.8MB

    • memory/2548-195-0x00000000027C0000-0x00000000027D0000-memory.dmp

      Filesize

      64KB

    • memory/3028-0-0x0000000000880000-0x000000000088A000-memory.dmp

      Filesize

      40KB

    • memory/3028-1-0x00007FF853D50000-0x00007FF854811000-memory.dmp

      Filesize

      10.8MB

    • memory/3028-14-0x00007FF853D50000-0x00007FF854811000-memory.dmp

      Filesize

      10.8MB