Resubmissions

16-03-2024 17:17

240316-vtswysfd2y 10

16-03-2024 15:31

240316-syg9xafg39 10

15-03-2024 08:15

240315-j5rmgsbg5z 10

Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-03-2024 08:15

General

  • Target
    067f997e6fe9eac1a47d9a54d6dd22414721ad895e6352714a11779de8d66540.exe
  • Size
    24KB
  • MD5
    3aea97ef58d132d994d6160ae232c6e7
  • SHA1
    de2146322b6a533ccf5ace0f1edcb6cf92d34179
  • SHA256
    067f997e6fe9eac1a47d9a54d6dd22414721ad895e6352714a11779de8d66540
  • SHA512
    a48d3ab7b7e35d1f24f1319831ffdc1c2dc9f4ededa0007684ff2515edf39e727915eafc124fa752082b0e1534ddf37a2ed12be18d9aadc72391b57cf5b6f9c4
  • SSDEEP
    384:Y3Mg/bqo2CUTermpEdwdcJAr91Ci7IJvOe2:mqo2Yrmpfd0Ar9xame2

Malware Config

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Ransom Note
READ THE FOLLOWING VERY CAREFULLY Your computer has become infected with a ransomware virus. Every file and folder has been encrypted with a military grade encryption algorithm and you will not be able to decrypt anything without our help. If you want all your files back to normal like this never happened you simply have to buy our decryption software by sending Bitcoin to the below specified BTC Wallet Address in which you will immediately receive the program and a special decryption key. Within 10 minutes of using the program all of you files and folders will be back to normal, and your system will be completely unencrypted and void of the ransomware virus. The price for the software will only cost you 0.1474 Bitcoin and Payment can be made in Bitcoin ONLY. If you have never used cryptocurrency before, it is very simple, just read about it on official website www.bitcoin.org or doing a simple google search on how to buy and send bitcoin. You now have exactly 36 hours to send the payment to the below Bitcoin Wallet Address or you will never be able to retrieve your files again, and everything will be forever encrypted and unrecoverable. AMOUNT: 0.1474 BTC BITCOIN ADDRESS WHERE YOU SEND IT: bc1qjt25ualzd0j0lvj0pq7mfrh23n9klnk29k22tf

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 3 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (191) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 34 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\067f997e6fe9eac1a47d9a54d6dd22414721ad895e6352714a11779de8d66540.exe
    "C:\Users\Admin\AppData\Local\Temp\067f997e6fe9eac1a47d9a54d6dd22414721ad895e6352714a11779de8d66540.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2884
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2092
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2740
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:1076
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1336
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2916
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2232
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2236
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1468
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:2136
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:1668
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1084
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2864
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:620
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
        PID:2368

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Execution
    Command and Scripting Interpreter (1) T1059
  • Defense Evasion
    Indicator Removal (3) T1070
    File Deletion (3) T1070.004
  • Credential Access
    Unsecured Credentials (1) T1552
    Credentials In Files (1) T1552.001
  • Discovery
    System Information Discovery (1) T1082
    Query Registry (1) T1012
  • Collection
    Data from Local System (1) T1005
  • Impact
    Inhibit System Recovery (4) T1490


Downloads

  • C:\Users\Admin\AppData\Roaming\svchost.exe
    Filesize
    24KB
    MD5
    3aea97ef58d132d994d6160ae232c6e7
    SHA1
    de2146322b6a533ccf5ace0f1edcb6cf92d34179
    SHA256
    067f997e6fe9eac1a47d9a54d6dd22414721ad895e6352714a11779de8d66540
    SHA512
    a48d3ab7b7e35d1f24f1319831ffdc1c2dc9f4ededa0007684ff2515edf39e727915eafc124fa752082b0e1534ddf37a2ed12be18d9aadc72391b57cf5b6f9c4

  • C:\Users\Admin\Documents\read_it.txt
    Filesize
    1KB
    MD5
    8b7c16186eda725a280ae9f7e7ea9b43
    SHA1
    a7bd3384999e829ccc4c828fc4511d6ef0228670
    SHA256
    f59448977db86356cffdf951cef0b2273f83641db68a8bd1f6170f8fb07ac44b
    SHA512
    77a985b454dde88b1c30ad61b0eb672edec45aa1e84310c9a9e06db4bd31b95b36b34fb5fb2560f07a3d4dcb06e932c969b51652770d719378dc15b448f43136

  • memory/2092-7-0x0000000000BB0000-0x0000000000BBC000-memory.dmp
    Filesize
    48KB

  • memory/2092-9-0x000007FEF5A80000-0x000007FEF646C000-memory.dmp
    Filesize
    9.9MB

  • memory/2092-11-0x000000001ABA0000-0x000000001AC20000-memory.dmp
    Filesize
    512KB

  • memory/2092-445-0x000007FEF5A80000-0x000007FEF646C000-memory.dmp
    Filesize
    9.9MB

  • memory/2092-446-0x000000001ABA0000-0x000000001AC20000-memory.dmp
    Filesize
    512KB

  • memory/2884-0-0x0000000000FC0000-0x0000000000FCC000-memory.dmp
    Filesize
    48KB

  • memory/2884-1-0x000007FEF5A80000-0x000007FEF646C000-memory.dmp
    Filesize
    9.9MB

  • memory/2884-8-0x000007FEF5A80000-0x000007FEF646C000-memory.dmp
    Filesize
    9.9MB