Analysis
-
max time kernel
225s -
max time network
241s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
14-03-2024 18:54
Behavioral task
behavioral1
Sample
exec.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
exec.exe
Resource
win10v2004-20240226-en
General
-
Target
exec.exe
-
Size
223KB
-
MD5
a32b23db12286223af4786eccf8f66d7
-
SHA1
fe19f59183dcf801749457140b4b3aeeb3e82598
-
SHA256
5f161fe20eafa6de2ad791276d14bd1c28013a1dd7b83b8b20016ea3065eacbf
-
SHA512
0395949d424e0898d25efa5713952c2e2df155f743c5d158003268256c4c541bd83c10bf2653e4fa31ed52bb1a044e4e19e9464f7d972313a5a8e2f1b4856aa0
-
SSDEEP
6144:m4Er9iAYFCtntIVprUPvEefILCrSK3FK+x:m4GYFCtntIVqPvCLCrSK1K+x
Malware Config
Extracted
C:\Users\Admin\Desktop\read_it.txt
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 2 IoCs
Processes:
resource yara_rule behavioral2/memory/628-0-0x0000000000190000-0x00000000001CE000-memory.dmp family_chaos C:\Users\Admin\AppData\Roaming\svchost.exe family_chaos -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
svchost.exeexec.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation svchost.exe Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation exec.exe -
Drops startup file 3 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url svchost.exe -
Executes dropped EXE 1 IoCs
Processes:
svchost.exepid process 4084 svchost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 34 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Users\Admin\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini svchost.exe File opened for modification C:\Users\Public\Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini svchost.exe File opened for modification C:\Users\Public\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Searches\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini svchost.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-609813121-2907144057-1731107329-1000\desktop.ini svchost.exe File opened for modification C:\Users\Public\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini svchost.exe File opened for modification C:\Users\Public\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini svchost.exe File opened for modification C:\Users\Public\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini svchost.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2gtd0kgmc.jpg" svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
svchost.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings svchost.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 3180 NOTEPAD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
svchost.exepid process 4084 svchost.exe -
Suspicious behavior: EnumeratesProcesses 47 IoCs
Processes:
exec.exesvchost.exepid process 628 exec.exe 628 exec.exe 628 exec.exe 628 exec.exe 628 exec.exe 628 exec.exe 628 exec.exe 628 exec.exe 628 exec.exe 628 exec.exe 628 exec.exe 628 exec.exe 628 exec.exe 628 exec.exe 628 exec.exe 628 exec.exe 628 exec.exe 628 exec.exe 628 exec.exe 628 exec.exe 628 exec.exe 628 exec.exe 628 exec.exe 4084 svchost.exe 4084 svchost.exe 4084 svchost.exe 4084 svchost.exe 4084 svchost.exe 4084 svchost.exe 4084 svchost.exe 4084 svchost.exe 4084 svchost.exe 4084 svchost.exe 4084 svchost.exe 4084 svchost.exe 4084 svchost.exe 4084 svchost.exe 4084 svchost.exe 4084 svchost.exe 4084 svchost.exe 4084 svchost.exe 4084 svchost.exe 4084 svchost.exe 4084 svchost.exe 4084 svchost.exe 4084 svchost.exe 4084 svchost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
exec.exesvchost.exedescription pid process Token: SeDebugPrivilege 628 exec.exe Token: SeDebugPrivilege 4084 svchost.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
exec.exesvchost.exedescription pid process target process PID 628 wrote to memory of 4084 628 exec.exe svchost.exe PID 628 wrote to memory of 4084 628 exec.exe svchost.exe PID 4084 wrote to memory of 3180 4084 svchost.exe NOTEPAD.EXE PID 4084 wrote to memory of 3180 4084 svchost.exe NOTEPAD.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\exec.exe"C:\Users\Admin\AppData\Local\Temp\exec.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4084 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt3⤵
- Opens file in notepad (likely ransom note)
PID:3180
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
223KB
MD5a32b23db12286223af4786eccf8f66d7
SHA1fe19f59183dcf801749457140b4b3aeeb3e82598
SHA2565f161fe20eafa6de2ad791276d14bd1c28013a1dd7b83b8b20016ea3065eacbf
SHA5120395949d424e0898d25efa5713952c2e2df155f743c5d158003268256c4c541bd83c10bf2653e4fa31ed52bb1a044e4e19e9464f7d972313a5a8e2f1b4856aa0
-
Filesize
1KB
MD5ea03cbb2fdf2dc96252b579612602225
SHA1ac9ceff3c368f7409b9a7201f62fa92eded4da51
SHA256e4f0c335d1ffc3ed4a32ae4aee294c9652f67a765fbaaad1f90e0540d25ed565
SHA5121388a3f740f84541f8a8c0298bfe8b71f03d86a71174f97a68edcb4bdca0f467d6823b94314fa54547451c3ec4f6bc2228d74bf7537acf7c2dfb9f5a2d398051