Overview

overview

10

Static

static

10

067f997e6f...40.exe

windows7-x64

10

0c0c9a19db...c1.exe

windows7-x64

10

1a8f35d0f2...b9.exe

windows7-x64

2354403f00...3b.exe

windows7-x64

240ac12f9c...0b.exe

windows7-x64

10

276727bfac...36.exe

windows7-x64

10

280a75ca5c...8e.exe

windows7-x64

2e8af1ad4b...51.exe

windows7-x64

10

32c51906c1...ec.exe

windows7-x64

3e84def5ee...96.exe

windows7-x64

403b8f1ce9...40.exe

windows7-x64

4731758b5f...25.exe

windows7-x64

9

4c21b335ba...49.exe

windows7-x64

10

4c99ac9f69...35.exe

windows7-x64

4fbbd67a32...a7.exe

windows7-x64

10

622e2834e5...95.exe

windows7-x64

10

6734e7474c...fd.exe

windows7-x64

67a00565a4...5d.exe

windows7-x64

6e228df5e4...62.exe

windows7-x64

7b93299c45...03.exe

windows7-x64

7c2a9bae3b...c1.exe

windows7-x64

10

7d9c97a133...b5.exe

windows7-x64

10

83b294975e...74.exe

windows7-x64

9b0cfabed9...8e.exe

windows7-x64

10

aa63528bf7...cd.exe

windows7-x64

b54d6dc708...7d.exe

windows7-x64

10

b6b2c1f4bb...00.exe

windows7-x64

10

ba43b2eb48...fb.exe

windows7-x64

cc43fc18d6...e8.exe

windows7-x64

10

d50b23e12c...af.exe

windows7-x64

10

ebb17d81ff...0f.exe

windows7-x64

ec09cfa4a7...da.exe

windows7-x64

10

Resubmissions

16-03-2024 17:17

240316-vtswysfd2y 10

16-03-2024 15:31

240316-syg9xafg39 10

15-03-2024 08:15

240315-j5rmgsbg5z 10

Analysis

  • max time kernel
    1566s
  • max time network
    1567s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    16-03-2024 15:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2e8af1ad4bb1e9f1bfdd3a04bf28363bbcdb3653e6aa4864f61b09c050378d51.exe

  • Size

    31KB

  • MD5

    3fdd9b2402350844b482aa6076e18d22

  • SHA1

    81034b4deb144ecdf21cb213e455a84ea319812c

  • SHA256

    2e8af1ad4bb1e9f1bfdd3a04bf28363bbcdb3653e6aa4864f61b09c050378d51

  • SHA512

    cedd5b9899cac6cce702c011ea7b9168ede0fe3e83a9ccd20f4e42f726c9b0a78ada6bf8b6863aeafc14d62500af8e347c4627b69233f96a2ae4df02c21549a4

  • SSDEEP

    384:y3Mg/bqo284ujNI2pl6VwTwJrjr91CzJ8lC12ntnGeC:Iqo27uj+2pIw4rjr9kJ8lCEtGeC

Score
10/10
chaosevasionransomwarespywarestealer

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos
  • Chaos Ransomware 3 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Renames multiple (189) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 34 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e8af1ad4bb1e9f1bfdd3a04bf28363bbcdb3653e6aa4864f61b09c050378d51.exe
    "C:\Users\Admin\AppData\Local\Temp\2e8af1ad4bb1e9f1bfdd3a04bf28363bbcdb3653e6aa4864f61b09c050378d51.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2792
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1272
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2488
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2620
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2332
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1668
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2232
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1900
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2324
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:2220
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:2240
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2120
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:320
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:1624
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
        PID:2264

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      Persistence

      Privilege Escalation

      Defense Evasion

      Indicator Removal

      3
      T1070

      File Deletion

      3
      T1070.004

      Modify Registry

      1
      T1112

      Credential Access

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      System Information Discovery

      1
      T1082

      Query Registry

      1
      T1012

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Inhibit System Recovery

      4
      T1490

      Defacement

      1
      T1491

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\svchost.exe
        Filesize

        31KB

        MD5

        3fdd9b2402350844b482aa6076e18d22

        SHA1

        81034b4deb144ecdf21cb213e455a84ea319812c

        SHA256

        2e8af1ad4bb1e9f1bfdd3a04bf28363bbcdb3653e6aa4864f61b09c050378d51

        SHA512

        cedd5b9899cac6cce702c011ea7b9168ede0fe3e83a9ccd20f4e42f726c9b0a78ada6bf8b6863aeafc14d62500af8e347c4627b69233f96a2ae4df02c21549a4

        Download Submit
      • C:\Users\Admin\Documents\read_it.txt
        Filesize

        76B

        MD5

        fdc5e26dd3c5a9eb5560d1d5e836a612

        SHA1

        d2292b9165636c5cca4ac33a09ba9c23eaa814d5

        SHA256

        5a90da73670cbedf2f45bf010aafb018ce6e8b8f8c7ea6e7b2d4cd9cb0ea0326

        SHA512

        3c6d61a7a9554b0de91adaf8773df48fe236d29fb7bbde358fdb4639bd64a576341684dbba447a1e101ea89a717739d8ebceacc24f26c59dda37b67bbfd5e1a2

        Download Submit
      • memory/1272-7-0x0000000001280000-0x000000000128E000-memory.dmp
        Filesize

        56KB

        Download
      • memory/1272-8-0x000007FEF5A30000-0x000007FEF641C000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/1272-10-0x0000000000450000-0x00000000004D0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1272-443-0x000007FEF5A30000-0x000007FEF641C000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/1272-444-0x0000000000450000-0x00000000004D0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/2792-0-0x0000000000AC0000-0x0000000000ACE000-memory.dmp
        Filesize

        56KB

        Download
      • memory/2792-1-0x000007FEF5A30000-0x000007FEF641C000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/2792-442-0x000007FEF5A30000-0x000007FEF641C000-memory.dmp
        Filesize

        9.9MB

        Download