Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-03-2024 10:16
Behavioral task
behavioral1
Sample
c85e2c51d367e1035407c74d5701c33f.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
c85e2c51d367e1035407c74d5701c33f.exe
Resource
win10v2004-20240226-en
General
Target: c85e2c51d367e1035407c74d5701c33f.exe
Size: 18KB
MD5: c85e2c51d367e1035407c74d5701c33f
SHA1: 8f866a991dbd63ff68027a7454df08c2f0d82c61
SHA256: 4d5c36ae16fb89f682ac9e5b9a3c4120a240a120a0bbc9e44dd39624e417eb3a
SHA512: 043189d7b576277b36d467dffd06fa867dfc4201e4d82e837ea3a7321f6a6c7647c8cf47fa21f9de1b9ab6aeb05d4ce3dad16cde05b333c37c7436af8ff15e98
SSDEEP: 192:ca1c5EFHg5rfWCW+5OTChvfjVOhw1qnG8V/Y1P0abAK0xNvncPKHgBD91CfmY32z:0Yksqqn7w1P0OSvD2D91C9M1FqAP
Malware Config
Extracted from: C:\Users\Admin\Documents\read_it.txt
Extracted value: 173y1DPs8yPFQTVqcjdBaZSPXqfKDnzEyS
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 2 IoCs
Processes:
resource                                                                       yara_rule
behavioral2/memory/3028-0-0x0000000000880000-0x000000000088A000-memory.dmp     family_chaos
C:\Users\Admin\AppData\Roaming\RE8crack.exe                                    family_chaos
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
pid   process
3544  bcdedit.exe
4164  bcdedit.exe
Deletes backup catalog 1 IoCs
Processes:
pid   process
2764  wbadmin.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description        ioc                                                                                                process
Key value queried  \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation  c85e2c51d367e1035407c74d5701c33f.exe
Key value queried  \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation  RE8crack.exe
Drops startup file 1 IoCs
Processes:
description   ioc                                                                                         process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RE8crack.url  RE8crack.exe
Executes dropped EXE 1 IoCs
Processes:
pid   process
2548  RE8crack.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description      ioc                                                                                                                                                          process
Set value (str)  \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Store = "C:\\Users\\Admin\\AppData\\Roaming\\RE8crack.exe"  RE8crack.exe
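The two persistence signatures above (a Run value named "Microsoft Store" that launches %APPDATA%\RE8crack.exe, and a Startup-folder RE8crack.url pointing at the same file) are the kind of thing worth hunting for across a fleet. The script below is an added example written for this page, not code from the sandbox report or from the sample: it takes a list of autostart entries and flags targets where a vendor-like display name launches a user-writable path, or where several autostart mechanisms reference the same user-writable file. The entry list is constructed from the report's IoCs plus two benign-looking controls; the Startup .url is assumed to have already been resolved to its launch target.

```python
"""Triage autostart entries for the persistence pattern seen in the report.

Added example for this page, not part of the sandbox report or the sample.
Input is a list of (source, display name, resolved launch target) tuples;
the entries below are constructed from the report's IoCs plus two
benign-looking controls that a naive "anything under AppData" rule mis-flags.
"""
from collections import defaultdict

# Constructed sample input (not live registry data).
AUTOSTART_ENTRIES = [
    ("HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "Microsoft Store",
     r"C:\Users\Admin\AppData\Roaming\RE8crack.exe"),
    (r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup", "RE8crack.url",
     r"C:\Users\Admin\AppData\Roaming\RE8crack.exe"),
    # Controls (constructed): real per-user OneDrive install and a system binary.
    ("HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "OneDrive",
     r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "SecurityHealth",
     r"C:\Windows\system32\SecurityHealthSystray.exe"),
]

# Directory fragments a standard user can write to without elevation.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\",
                 "\\users\\public\\", "\\downloads\\", "\\programdata\\")
# Per-user install roots used by genuine Microsoft software. This is a noise
# suppression, not a trust decision: an attacker can write there too.
KNOWN_PER_USER_ROOTS = ("\\appdata\\local\\microsoft\\",)
# Words that make an autostart name look like a Microsoft component.
VENDOR_WORDS = ("microsoft", "windows", "store", "update", "defender",
                "security", "onedrive")


def is_user_writable(path):
    p = path.lower()
    if any(root in p for root in KNOWN_PER_USER_ROOTS):
        return False
    return any(frag in p for frag in USER_WRITABLE)


def mimics_vendor(name):
    n = name.lower()
    return any(word in n for word in VENDOR_WORDS)


def triage(entries):
    """Return {lower-cased target: [reasons]} for targets that deserve a look."""
    by_target = defaultdict(list)
    for source, name, target in entries:
        by_target[target.lower()].append((source, name))

    findings = {}
    for target, refs in by_target.items():
        reasons = []
        writable = is_user_writable(target)
        for source, name in refs:
            if writable and mimics_vendor(name):
                reasons.append(f"{source}\\{name}: vendor-like name launches "
                               f"user-writable target {target}")
        if writable and len(refs) > 1:
            reasons.append(f"same user-writable target referenced by "
                           f"{len(refs)} autostart mechanisms")
        if reasons:
            findings[target] = reasons
    return findings


if __name__ == "__main__":
    for target, reasons in triage(AUTOSTART_ENTRIES).items():
        print(target)
        for r in reasons:
            print("  -", r)
```

Both rules fire on the RE8crack.exe target and neither fires on the controls. The KNOWN_PER_USER_ROOTS suppression is what keeps the per-user OneDrive install quiet; without it, any rule keyed on AppData alone drowns in legitimate per-user installs.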
Drops desktop.ini file(s) 16 IoCs
Processes:
description                   ioc                                                                           process
File opened for modification  C:\Users\Admin\Pictures\Saved Pictures\desktop.ini                            RE8crack.exe
File opened for modification  C:\Users\Admin\Saved Games\desktop.ini                                        RE8crack.exe
File opened for modification  C:\Users\Admin\Documents\desktop.ini                                          RE8crack.exe
File opened for modification  C:\Users\Admin\Pictures\desktop.ini                                           RE8crack.exe
File opened for modification  C:\Users\Admin\Pictures\Camera Roll\desktop.ini                               RE8crack.exe
File opened for modification  C:\Users\Admin\Searches\desktop.ini                                           RE8crack.exe
File opened for modification  C:\Users\Admin\Videos\desktop.ini                                             RE8crack.exe
File opened for modification  C:\Users\Admin\Contacts\desktop.ini                                           RE8crack.exe
File opened for modification  C:\Users\Admin\OneDrive\desktop.ini                                           RE8crack.exe
File opened for modification  C:\Users\Admin\Favorites\Links\desktop.ini                                    RE8crack.exe
File opened for modification  F:\$RECYCLE.BIN\S-1-5-21-399997616-3400990511-967324271-1000\desktop.ini      RE8crack.exe
File opened for modification  C:\Users\Admin\Downloads\desktop.ini                                          RE8crack.exe
File opened for modification  C:\Users\Admin\Music\desktop.ini                                              RE8crack.exe
File opened for modification  C:\Users\Admin\Desktop\desktop.ini                                            RE8crack.exe
File opened for modification  C:\Users\Admin\Links\desktop.ini                                              RE8crack.exe
File opened for modification  C:\Users\Admin\Favorites\desktop.ini                                          RE8crack.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description        ioc                                                                                                                     process
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000                        vds.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName           vds.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000                   vds.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName      vds.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid   process
3916  vssadmin.exe
Modifies registry class 1 IoCs
Processes:
description  ioc                                                                             process
Key created  \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings  RE8crack.exe
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
pid   process
3632  NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid   process
2548  RE8crack.exe
Suspicious behavior: EnumeratesProcesses 50 IoCs
Processes:
pid   process                               (50 IoCs in total; identical repeated rows collapsed)
3028  c85e2c51d367e1035407c74d5701c33f.exe
2548  RE8crack.exe
Suspicious use of AdjustPrivilegeToken 50 IoCs
Processes:
description                            pid   process
Token: SeDebugPrivilege                3028  c85e2c51d367e1035407c74d5701c33f.exe
Token: SeDebugPrivilege                2548  RE8crack.exe
Token: SeBackupPrivilege               1500  vssvc.exe
Token: SeRestorePrivilege              1500  vssvc.exe
Token: SeAuditPrivilege                1500  vssvc.exe
Token: SeIncreaseQuotaPrivilege        4536  WMIC.exe
Token: SeSecurityPrivilege             4536  WMIC.exe
Token: SeTakeOwnershipPrivilege        4536  WMIC.exe
Token: SeLoadDriverPrivilege           4536  WMIC.exe
Token: SeSystemProfilePrivilege        4536  WMIC.exe
Token: SeSystemtimePrivilege           4536  WMIC.exe
Token: SeProfSingleProcessPrivilege    4536  WMIC.exe
Token: SeIncBasePriorityPrivilege      4536  WMIC.exe
Token: SeCreatePagefilePrivilege       4536  WMIC.exe
Token: SeBackupPrivilege               4536  WMIC.exe
Token: SeRestorePrivilege              4536  WMIC.exe
Token: SeShutdownPrivilege             4536  WMIC.exe
Token: SeDebugPrivilege                4536  WMIC.exe
Token: SeSystemEnvironmentPrivilege    4536  WMIC.exe
Token: SeRemoteShutdownPrivilege       4536  WMIC.exe
Token: SeUndockPrivilege               4536  WMIC.exe
Token: SeManageVolumePrivilege         4536  WMIC.exe
Token: 33                              4536  WMIC.exe
Token: 34                              4536  WMIC.exe
Token: 35                              4536  WMIC.exe
Token: 36                              4536  WMIC.exe
(the 21-entry WMIC.exe sequence above is recorded twice in the report)
Token: SeBackupPrivilege               3268  wbengine.exe
Token: SeRestorePrivilege              3268  wbengine.exe
Token: SeSecurityPrivilege             3268  wbengine.exe
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
description  pid   process                               target process              (each row is recorded twice in the report; 20 IoCs)
PID 3028 wrote to memory of 2548  c85e2c51d367e1035407c74d5701c33f.exe  ->  RE8crack.exe
PID 2548 wrote to memory of 1844  RE8crack.exe                          ->  cmd.exe
PID 1844 wrote to memory of 3916  cmd.exe                               ->  vssadmin.exe
PID 1844 wrote to memory of 4536  cmd.exe                               ->  WMIC.exe
PID 2548 wrote to memory of 1480  RE8crack.exe                          ->  cmd.exe
PID 1480 wrote to memory of 3544  cmd.exe                               ->  bcdedit.exe
PID 1480 wrote to memory of 4164  cmd.exe                               ->  bcdedit.exe
PID 2548 wrote to memory of 3336  RE8crack.exe                          ->  cmd.exe
PID 3336 wrote to memory of 2764  cmd.exe                               ->  wbadmin.exe
PID 2548 wrote to memory of 3632  RE8crack.exe                          ->  NOTEPAD.EXE
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\c85e2c51d367e1035407c74d5701c33f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c85e2c51d367e1035407c74d5701c33f.exe"
  PID: 3028
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\RE8crack.exe
    Command line: "C:\Users\Admin\AppData\Roaming\RE8crack.exe"
    PID: 2548
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
      PID: 1844
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        PID: 3916
        - Interacts with shadow copies
      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic shadowcopy delete
        PID: 4536
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      PID: 1480
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\bcdedit.exe
        Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
        PID: 3544
        - Modifies boot configuration data using bcdedit
      C:\Windows\system32\bcdedit.exe
        Command line: bcdedit /set {default} recoveryenabled no
        PID: 4164
        - Modifies boot configuration data using bcdedit
    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
      PID: 3336
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\wbadmin.exe
        Command line: wbadmin delete catalog -quiet
        PID: 2764
        - Deletes backup catalog
    C:\Windows\system32\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
      PID: 3632
      - Opens file in notepad (likely ransom note)
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1500
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  PID: 3268
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
  PID: 4588
C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  PID: 620
  - Checks SCSI registry key(s)
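The tree above is the classic recovery-inhibition chain: a binary running from the user profile spawns three cmd.exe children that delete shadow copies (vssadmin, wmic), disable Windows recovery (bcdedit), and delete the backup catalog (wbadmin). Any one of those commands also shows up in legitimate administration, so a useful detection scores the combination per originating process rather than alerting on each command. The script below is an added example written for this page, not code from the sandbox report or the sample: it rebuilds the process tree from process-creation events, attributes each matching command line to the first non-shell ancestor, and scores that ancestor. The events are constructed from the PIDs and command lines in the report (the parent of PID 3028 is not recorded there and is left as None), plus a constructed benign control; the (pid, ppid, image, cmdline) tuple shape is an assumption standing in for Sysmon Event ID 1 fields.

```python
"""Score the recovery-inhibition chain shown in the report's process tree.

Added example for this page, not part of the sandbox report or the sample.
Events are (pid, ppid, image, cmdline) tuples, an assumed minimal stand-in
for Sysmon Event ID 1 fields. PIDs and command lines below are taken from
the report; the explorer.exe branch is a constructed benign control.
"""
import re
from collections import defaultdict

EVENTS = [
    (3028, None, r"C:\Users\Admin\AppData\Local\Temp\c85e2c51d367e1035407c74d5701c33f.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\c85e2c51d367e1035407c74d5701c33f.exe"'),
    (2548, 3028, r"C:\Users\Admin\AppData\Roaming\RE8crack.exe",
     r'"C:\Users\Admin\AppData\Roaming\RE8crack.exe"'),
    (1844, 2548, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete'),
    (3916, 1844, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    (4536, 1844, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    (1480, 2548, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no'),
    (3544, 1480, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    (4164, 1480, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    (3336, 2548, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet'),
    (2764, 3336, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    (3632, 2548, r"C:\Windows\system32\NOTEPAD.EXE",
     r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt'),
    # Constructed benign control: an interactive admin shell trimming one old snapshot.
    (8000, None, r"C:\Windows\explorer.exe", "explorer.exe"),
    (9000, 8000, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    (9001, 9000, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /for=C: /oldest"),
]

# One pattern per recovery-inhibition technique seen in the report.
TECHNIQUES = {
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "boot_recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "backup_catalog_deletion": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I),
}
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")


def build_tree(events):
    return {pid: {"ppid": ppid, "image": image, "cmdline": cmdline}
            for pid, ppid, image, cmdline in events}


def actor_of(procs, pid):
    """Walk up past shell interpreters to the process that initiated the command.
    Stops at the first non-shell ancestor, or at the top of the known tree."""
    cur = pid
    while True:
        parent = procs[cur]["ppid"]
        if parent not in procs:
            return cur
        cur = parent
        if not procs[cur]["image"].lower().endswith(SHELLS):
            return cur


def assess(events, threshold=2):
    """Return one record per originating process, highest score first."""
    procs = build_tree(events)
    hits = defaultdict(set)
    for pid, info in procs.items():
        for name, pattern in TECHNIQUES.items():
            if pattern.search(info["cmdline"]):
                hits[actor_of(procs, pid)].add(name)  # set: cmd.exe + child count once

    report = []
    for actor, techniques in hits.items():
        image = procs[actor]["image"]
        from_user_profile = "\\users\\" in image.lower()
        score = len(techniques) + (1 if from_user_profile else 0)
        report.append({"pid": actor, "image": image, "techniques": sorted(techniques),
                       "from_user_profile": from_user_profile, "score": score,
                       "alert": score >= threshold})
    return sorted(report, key=lambda r: -r["score"])


if __name__ == "__main__":
    for record in assess(EVENTS):
        print(record)
```

RE8crack.exe (PID 2548) collects all three technique categories plus the user-profile bonus and alerts; the control branch scores a single technique under explorer.exe and stays below the threshold. Attributing through the shell is what makes the three separate cmd.exe children add up to one actor instead of three isolated low-score hits.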
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 18KB
MD5: c85e2c51d367e1035407c74d5701c33f
SHA1: 8f866a991dbd63ff68027a7454df08c2f0d82c61
SHA256: 4d5c36ae16fb89f682ac9e5b9a3c4120a240a120a0bbc9e44dd39624e417eb3a
SHA512: 043189d7b576277b36d467dffd06fa867dfc4201e4d82e837ea3a7321f6a6c7647c8cf47fa21f9de1b9ab6aeb05d4ce3dad16cde05b333c37c7436af8ff15e98

Filesize: 1KB
MD5: 8bab127caba68d9aaf6ea322b02c8fa9
SHA1: 68690e6932bea4d6a6c266d13f388ee5d4ce5998
SHA256: c217b95d8cea69c163c74466414bb0f857bbcf5ec52fabf77d571411423fe62d
SHA512: a814487d07cd7f6e504b82b7d5c65de1c6f059cbc89e9b1bfc7ca6dfaa298da4833f81bc0140fc712becdb5f8bddbab01c0d31f5994a8be5c622c664bdd85a41