Malware Analysis Report

2024-10-19 07:13

Sample ID 240314-ma1tfsbg29
Target c85e2c51d367e1035407c74d5701c33f
SHA256 4d5c36ae16fb89f682ac9e5b9a3c4120a240a120a0bbc9e44dd39624e417eb3a
Tags
chaos evasion persistence ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

4d5c36ae16fb89f682ac9e5b9a3c4120a240a120a0bbc9e44dd39624e417eb3a

Threat Level: Known bad

The file c85e2c51d367e1035407c74d5701c33f was found to be: Known bad.

Malicious Activity Summary

chaos evasion persistence ransomware

Chaos family

Chaos Ransomware

Chaos

Deletes shadow copies

Modifies boot configuration data using bcdedit

Deletes backup catalog

Checks computer location settings

Executes dropped EXE

Drops startup file

Drops desktop.ini file(s)

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Interacts with shadow copies

Opens file in notepad (likely ransom note)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-03-14 10:16

Signatures

Chaos Ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Chaos family

chaos

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-14 10:16

Reported

2024-03-14 10:19

Platform

win7-20240221-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c85e2c51d367e1035407c74d5701c33f.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Deletes backup catalog

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RE8crack.url | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Store = "C:\\Users\\Admin\\AppData\\Roaming\\RE8crack.exe" | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2461186416-2307104501-1787948496-1000\desktop.ini | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A
File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A
File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A
File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A
File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A
File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c85e2c51d367e1035407c74d5701c33f.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1548 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\c85e2c51d367e1035407c74d5701c33f.exe | C:\Users\Admin\AppData\Roaming\RE8crack.exe
PID 2588 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Roaming\RE8crack.exe | C:\Windows\System32\cmd.exe
PID 2528 wrote to memory of 2620 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 2528 wrote to memory of 1900 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 2588 wrote to memory of 308 | N/A | C:\Users\Admin\AppData\Roaming\RE8crack.exe | C:\Windows\System32\cmd.exe
PID 308 wrote to memory of 2784 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 308 wrote to memory of 2776 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 2588 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\RE8crack.exe | C:\Windows\System32\cmd.exe
PID 2484 wrote to memory of 2708 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\wbadmin.exe
PID 2588 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Roaming\RE8crack.exe | C:\Windows\system32\NOTEPAD.EXE

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\c85e2c51d367e1035407c74d5701c33f.exe

"C:\Users\Admin\AppData\Local\Temp\c85e2c51d367e1035407c74d5701c33f.exe"

C:\Users\Admin\AppData\Roaming\RE8crack.exe

"C:\Users\Admin\AppData\Roaming\RE8crack.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt

Network

N/A

Files

memory/1548-0-0x0000000000020000-0x000000000002A000-memory.dmp

memory/1548-1-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

C:\Users\Admin\AppData\Roaming\RE8crack.exe

MD5 c85e2c51d367e1035407c74d5701c33f
SHA1 8f866a991dbd63ff68027a7454df08c2f0d82c61
SHA256 4d5c36ae16fb89f682ac9e5b9a3c4120a240a120a0bbc9e44dd39624e417eb3a
SHA512 043189d7b576277b36d467dffd06fa867dfc4201e4d82e837ea3a7321f6a6c7647c8cf47fa21f9de1b9ab6aeb05d4ce3dad16cde05b333c37c7436af8ff15e98

memory/2588-7-0x0000000000250000-0x000000000025A000-memory.dmp

memory/1548-8-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

memory/2588-9-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

C:\Users\Admin\Documents\read_it.txt

MD5 8bab127caba68d9aaf6ea322b02c8fa9
SHA1 68690e6932bea4d6a6c266d13f388ee5d4ce5998
SHA256 c217b95d8cea69c163c74466414bb0f857bbcf5ec52fabf77d571411423fe62d
SHA512 a814487d07cd7f6e504b82b7d5c65de1c6f059cbc89e9b1bfc7ca6dfaa298da4833f81bc0140fc712becdb5f8bddbab01c0d31f5994a8be5c622c664bdd85a41

memory/2588-187-0x000000001AF70000-0x000000001AFF0000-memory.dmp

memory/2588-189-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

memory/2588-190-0x000000001AF70000-0x000000001AFF0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-14 10:16

Reported

2024-03-14 10:19

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c85e2c51d367e1035407c74d5701c33f.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Deletes backup catalog

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c85e2c51d367e1035407c74d5701c33f.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RE8crack.url | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Store = "C:\\Users\\Admin\\AppData\\Roaming\\RE8crack.exe" | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A
File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A
File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A
File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-399997616-3400990511-967324271-1000\desktop.ini | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A
File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A
File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c85e2c51d367e1035407c74d5701c33f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c85e2c51d367e1035407c74d5701c33f.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RE8crack.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3028 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\c85e2c51d367e1035407c74d5701c33f.exe | C:\Users\Admin\AppData\Roaming\RE8crack.exe
PID 2548 wrote to memory of 1844 | N/A | C:\Users\Admin\AppData\Roaming\RE8crack.exe | C:\Windows\System32\cmd.exe
PID 1844 wrote to memory of 3916 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 1844 wrote to memory of 4536 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 2548 wrote to memory of 1480 | N/A | C:\Users\Admin\AppData\Roaming\RE8crack.exe | C:\Windows\System32\cmd.exe
PID 1480 wrote to memory of 3544 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 1480 wrote to memory of 4164 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 2548 wrote to memory of 3336 | N/A | C:\Users\Admin\AppData\Roaming\RE8crack.exe | C:\Windows\System32\cmd.exe
PID 3336 wrote to memory of 2764 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\wbadmin.exe
PID 2548 wrote to memory of 3632 | N/A | C:\Users\Admin\AppData\Roaming\RE8crack.exe | C:\Windows\system32\NOTEPAD.EXE

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\c85e2c51d367e1035407c74d5701c33f.exe

"C:\Users\Admin\AppData\Local\Temp\c85e2c51d367e1035407c74d5701c33f.exe"

C:\Users\Admin\AppData\Roaming\RE8crack.exe

"C:\Users\Admin\AppData\Roaming\RE8crack.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.177.190.20.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 181.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 17.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 211.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/3028-0-0x0000000000880000-0x000000000088A000-memory.dmp

memory/3028-1-0x00007FF853D50000-0x00007FF854811000-memory.dmp

C:\Users\Admin\AppData\Roaming\RE8crack.exe

MD5 c85e2c51d367e1035407c74d5701c33f
SHA1 8f866a991dbd63ff68027a7454df08c2f0d82c61
SHA256 4d5c36ae16fb89f682ac9e5b9a3c4120a240a120a0bbc9e44dd39624e417eb3a
SHA512 043189d7b576277b36d467dffd06fa867dfc4201e4d82e837ea3a7321f6a6c7647c8cf47fa21f9de1b9ab6aeb05d4ce3dad16cde05b333c37c7436af8ff15e98

memory/3028-14-0x00007FF853D50000-0x00007FF854811000-memory.dmp

memory/2548-15-0x00007FF853D50000-0x00007FF854811000-memory.dmp

C:\Users\Admin\Documents\read_it.txt

MD5 8bab127caba68d9aaf6ea322b02c8fa9
SHA1 68690e6932bea4d6a6c266d13f388ee5d4ce5998
SHA256 c217b95d8cea69c163c74466414bb0f857bbcf5ec52fabf77d571411423fe62d
SHA512 a814487d07cd7f6e504b82b7d5c65de1c6f059cbc89e9b1bfc7ca6dfaa298da4833f81bc0140fc712becdb5f8bddbab01c0d31f5994a8be5c622c664bdd85a41

memory/2548-191-0x00000000027C0000-0x00000000027D0000-memory.dmp

memory/2548-194-0x00007FF853D50000-0x00007FF854811000-memory.dmp

memory/2548-195-0x00000000027C0000-0x00000000027D0000-memory.dmp