Resubmissions
16-03-2024 17:17
240316-vtswysfd2y 1016-03-2024 15:31
240316-syg9xafg39 1015-03-2024 08:15
240315-j5rmgsbg5z 10Analysis
-
max time kernel
120s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
15-03-2024 08:15
General
-
Target
2e8af1ad4bb1e9f1bfdd3a04bf28363bbcdb3653e6aa4864f61b09c050378d51.exe
-
Size
31KB
-
MD5
3fdd9b2402350844b482aa6076e18d22
-
SHA1
81034b4deb144ecdf21cb213e455a84ea319812c
-
SHA256
2e8af1ad4bb1e9f1bfdd3a04bf28363bbcdb3653e6aa4864f61b09c050378d51
-
SHA512
cedd5b9899cac6cce702c011ea7b9168ede0fe3e83a9ccd20f4e42f726c9b0a78ada6bf8b6863aeafc14d62500af8e347c4627b69233f96a2ae4df02c21549a4
-
SSDEEP
384:y3Mg/bqo284ujNI2pl6VwTwJrjr91CzJ8lC12ntnGeC:Iqo27uj+2pIw4rjr9kJ8lCEtGeC
Malware Config
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 3 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Renames multiple (205) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
-
Drops startup file 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 34 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2e8af1ad4bb1e9f1bfdd3a04bf28363bbcdb3653e6aa4864f61b09c050378d51.exe"C:\Users\Admin\AppData\Local\Temp\2e8af1ad4bb1e9f1bfdd3a04bf28363bbcdb3653e6aa4864f61b09c050378d51.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt3⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\svchost.exeFilesize
31KB
MD53fdd9b2402350844b482aa6076e18d22
SHA181034b4deb144ecdf21cb213e455a84ea319812c
SHA2562e8af1ad4bb1e9f1bfdd3a04bf28363bbcdb3653e6aa4864f61b09c050378d51
SHA512cedd5b9899cac6cce702c011ea7b9168ede0fe3e83a9ccd20f4e42f726c9b0a78ada6bf8b6863aeafc14d62500af8e347c4627b69233f96a2ae4df02c21549a4
-
C:\Users\Admin\Documents\read_it.txtFilesize
76B
MD5fdc5e26dd3c5a9eb5560d1d5e836a612
SHA1d2292b9165636c5cca4ac33a09ba9c23eaa814d5
SHA2565a90da73670cbedf2f45bf010aafb018ce6e8b8f8c7ea6e7b2d4cd9cb0ea0326
SHA5123c6d61a7a9554b0de91adaf8773df48fe236d29fb7bbde358fdb4639bd64a576341684dbba447a1e101ea89a717739d8ebceacc24f26c59dda37b67bbfd5e1a2
-
memory/2680-7-0x0000000001020000-0x000000000102E000-memory.dmpFilesize
56KB
-
memory/2680-9-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmpFilesize
9.9MB
-
memory/2680-11-0x0000000000E40000-0x0000000000EC0000-memory.dmpFilesize
512KB
-
memory/2680-472-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmpFilesize
9.9MB
-
memory/2680-476-0x0000000000E40000-0x0000000000EC0000-memory.dmpFilesize
512KB
-
memory/2856-0-0x0000000000360000-0x000000000036E000-memory.dmpFilesize
56KB
-
memory/2856-1-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmpFilesize
9.9MB
-
memory/2856-8-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmpFilesize
9.9MB