Resubmissions
16-03-2024 17:17
240316-vtswysfd2y 1016-03-2024 15:31
240316-syg9xafg39 1015-03-2024 08:15
240315-j5rmgsbg5z 10Analysis
-
max time kernel
523s -
max time network
453s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
16-03-2024 17:17
General
-
Target
2e8af1ad4bb1e9f1bfdd3a04bf28363bbcdb3653e6aa4864f61b09c050378d51.exe
-
Size
31KB
-
MD5
3fdd9b2402350844b482aa6076e18d22
-
SHA1
81034b4deb144ecdf21cb213e455a84ea319812c
-
SHA256
2e8af1ad4bb1e9f1bfdd3a04bf28363bbcdb3653e6aa4864f61b09c050378d51
-
SHA512
cedd5b9899cac6cce702c011ea7b9168ede0fe3e83a9ccd20f4e42f726c9b0a78ada6bf8b6863aeafc14d62500af8e347c4627b69233f96a2ae4df02c21549a4
-
SSDEEP
384:y3Mg/bqo284ujNI2pl6VwTwJrjr91CzJ8lC12ntnGeC:Iqo27uj+2pIw4rjr9kJ8lCEtGeC
Malware Config
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 2 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Renames multiple (191) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 34 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 49 IoCs
-
Suspicious use of AdjustPrivilegeToken 50 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2e8af1ad4bb1e9f1bfdd3a04bf28363bbcdb3653e6aa4864f61b09c050378d51.exe"C:\Users\Admin\AppData\Local\Temp\2e8af1ad4bb1e9f1bfdd3a04bf28363bbcdb3653e6aa4864f61b09c050378d51.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt3⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\svchost.exeFilesize
31KB
MD53fdd9b2402350844b482aa6076e18d22
SHA181034b4deb144ecdf21cb213e455a84ea319812c
SHA2562e8af1ad4bb1e9f1bfdd3a04bf28363bbcdb3653e6aa4864f61b09c050378d51
SHA512cedd5b9899cac6cce702c011ea7b9168ede0fe3e83a9ccd20f4e42f726c9b0a78ada6bf8b6863aeafc14d62500af8e347c4627b69233f96a2ae4df02c21549a4
-
C:\Users\Admin\Documents\read_it.txtFilesize
76B
MD5fdc5e26dd3c5a9eb5560d1d5e836a612
SHA1d2292b9165636c5cca4ac33a09ba9c23eaa814d5
SHA2565a90da73670cbedf2f45bf010aafb018ce6e8b8f8c7ea6e7b2d4cd9cb0ea0326
SHA5123c6d61a7a9554b0de91adaf8773df48fe236d29fb7bbde358fdb4639bd64a576341684dbba447a1e101ea89a717739d8ebceacc24f26c59dda37b67bbfd5e1a2
-
memory/968-15-0x00007FF99B3A0000-0x00007FF99BE61000-memory.dmpFilesize
10.8MB
-
memory/968-259-0x00007FF99B3A0000-0x00007FF99BE61000-memory.dmpFilesize
10.8MB
-
memory/1584-0-0x0000000000F70000-0x0000000000F7E000-memory.dmpFilesize
56KB
-
memory/1584-2-0x00007FF99B3A0000-0x00007FF99BE61000-memory.dmpFilesize
10.8MB
-
memory/1584-14-0x00007FF99B3A0000-0x00007FF99BE61000-memory.dmpFilesize
10.8MB