Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 19-03-2024 01:52
Behavioral task: behavioral1
- Sample: d4eb2a62ee12659fab50fbf927a6e9ab.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: d4eb2a62ee12659fab50fbf927a6e9ab.exe
- Resource: win10v2004-20240226-en
General
- Target: d4eb2a62ee12659fab50fbf927a6e9ab.exe
- Size: 23KB
- MD5: d4eb2a62ee12659fab50fbf927a6e9ab
- SHA1: 529f9e09d02a107d6b50387c976b1209229545aa
- SHA256: db4b65445f8a7d1f8827e510affccf6a1fd557daf81b49b50b93beea759153f8
- SHA512: 2ddd79445b40cb8f8ec5874b0ce2842bc0d6a5045b3d5d35efa7130b3fc88c6c8482499ee2ab6d24919556b69790758469934fae943f0058d1e13a3a11511a9e
- SSDEEP: 384:oOgHs6cYgBznHTQliJYcxr91CnWzwnbJ/yS:oOgHs7hznzQl2Y4r9FwnbwS
Malware Config
Extracted
- Path: C:\Users\Admin\Documents\read_it.txt
- Family: chaos
Signatures
- Chaos: Ransomware family first seen in June 2021.
- Chaos Ransomware (3 IoCs)
Processes (resource | yara_rule):
- behavioral1/memory/2340-0-0x0000000000E00000-0x0000000000E0C000-memory.dmp | family_chaos
- C:\Users\Admin\AppData\Roaming\svchost.exe | family_chaos
- behavioral1/memory/2832-7-0x00000000008E0000-0x00000000008EC000-memory.dmp | family_chaos
- Drops startup file (1 IoCs)
Processes (description | ioc | process):
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | svchost.exe
- Executes dropped EXE (1 IoCs)
Processes (pid | process):
- 2832 | svchost.exe
- Drops desktop.ini file(s) (14 IoCs)
Processes (description | ioc | process):
- File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini | svchost.exe
- File opened for modification | C:\Users\Admin\Videos\desktop.ini | svchost.exe
- File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | svchost.exe
- File opened for modification | C:\Users\Admin\Searches\desktop.ini | svchost.exe
- File opened for modification | C:\Users\Admin\Contacts\desktop.ini | svchost.exe
- File opened for modification | C:\Users\Admin\Documents\desktop.ini | svchost.exe
- File opened for modification | C:\Users\Admin\Pictures\desktop.ini | svchost.exe
- File opened for modification | C:\Users\Admin\Music\desktop.ini | svchost.exe
- File opened for modification | C:\Users\Admin\Downloads\desktop.ini | svchost.exe
- File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | svchost.exe
- File opened for modification | C:\Users\Admin\Favorites\desktop.ini | svchost.exe
- File opened for modification | C:\Users\Admin\Desktop\desktop.ini | svchost.exe
- File opened for modification | C:\Users\Admin\Links\desktop.ini | svchost.exe
- File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | svchost.exe
- Enumerates physical storage devices (1 TTPs): Attempts to interact with connected storage/optical drive(s).
- Opens file in notepad (likely ransom note) (1 IoCs)
Processes (pid | process):
- 1516 | NOTEPAD.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes (pid | process):
- 2832 | svchost.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes (pid | process):
- 2340 | d4eb2a62ee12659fab50fbf927a6e9ab.exe
- 2340 | d4eb2a62ee12659fab50fbf927a6e9ab.exe
- 2832 | svchost.exe
- 2832 | svchost.exe
- 2832 | svchost.exe
- 2832 | svchost.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description | pid | process):
- Token: SeDebugPrivilege | 2340 | d4eb2a62ee12659fab50fbf927a6e9ab.exe
- Token: SeDebugPrivilege | 2832 | svchost.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description | pid | process | target process):
- PID 2340 wrote to memory of 2832 | 2340 | d4eb2a62ee12659fab50fbf927a6e9ab.exe | svchost.exe
- PID 2340 wrote to memory of 2832 | 2340 | d4eb2a62ee12659fab50fbf927a6e9ab.exe | svchost.exe
- PID 2340 wrote to memory of 2832 | 2340 | d4eb2a62ee12659fab50fbf927a6e9ab.exe | svchost.exe
- PID 2832 wrote to memory of 1516 | 2832 | svchost.exe | NOTEPAD.EXE
- PID 2832 wrote to memory of 1516 | 2832 | svchost.exe | NOTEPAD.EXE
- PID 2832 wrote to memory of 1516 | 2832 | svchost.exe | NOTEPAD.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\d4eb2a62ee12659fab50fbf927a6e9ab.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d4eb2a62ee12659fab50fbf927a6e9ab.exe"
  PID: 2340
  Signatures:
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Users\Admin\AppData\Roaming\svchost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
    PID: 2832
    Signatures:
    - Drops startup file
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Windows\system32\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
      PID: 1516
      Signatures:
      - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 23KB
  MD5: d4eb2a62ee12659fab50fbf927a6e9ab
  SHA1: 529f9e09d02a107d6b50387c976b1209229545aa
  SHA256: db4b65445f8a7d1f8827e510affccf6a1fd557daf81b49b50b93beea759153f8
  SHA512: 2ddd79445b40cb8f8ec5874b0ce2842bc0d6a5045b3d5d35efa7130b3fc88c6c8482499ee2ab6d24919556b69790758469934fae943f0058d1e13a3a11511a9e
- Filesize: 964B
  MD5: 4217b8b83ce3c3f70029a056546f8fd0
  SHA1: 487cdb5733d073a0427418888e8f7070fe782a03
  SHA256: 7d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121
  SHA512: 2a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740