Resubmissions
18-04-2024 20:00
240418-yrb27sef61 1029-03-2024 09:48
240329-ls75tafa83 1023-03-2024 00:07
240323-aetjqaag89 1019-03-2024 21:11
240319-z1p6vsgd61 1019-03-2024 21:07
240319-zygrpsgc9y 10Analysis
-
max time kernel
41s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
-
submitted
19-03-2024 21:07
General
-
Target
Ransomware.exe
-
Size
127KB
-
MD5
6f014d20774a7ec9869e54fe3d977f11
-
SHA1
2f05737ded3e8f2a6c7468482a6d500ec32d7d30
-
SHA256
3688345fc9eaee1073bfb24872d397a180a784e263b7a3b0ef91a8cd2bdad747
-
SHA512
c67358c788beab21c192032fd157dbfaa81398c719a4d4091d49bef2d02c364760f1fac23721e433d7d10a7f25779db143a5f4f68cc07a500e14cb6b544852a8
-
SSDEEP
1536:KNboAHq9CTesdi+y1WAPoRD9AuH7x9Z2eVGjzfnvI7BpxZe2WyKlsEX7xuTI3:ulHq9CliXWAPEV9Ue4znvqg2WVrxua
Malware Config
Extracted
C:\Users\Admin\AppData\Local\read_it.txt
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 3 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
-
Disables Task Manager via registry modification
-
Drops startup file 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops desktop.ini file(s) 64 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 36 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 50 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Ransomware.exe"C:\Users\Admin\AppData\Local\Temp\Ransomware.exe"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt3⤵
- Opens file in notepad (likely ransom note)
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SubmitMeasure.rm"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\01c7dab75f9641cd85beaf2e645f7cd6 /t 6692 /p 65641⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5b4e91d2e5f40d5e2586a86cf3bb4df24
SHA131920b3a41aa4400d4a0230a7622848789b38672
SHA2565d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210
SHA512968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319
-
Filesize
582B
MD5ed5cc52876db869de48a4783069c2a5e
SHA1a9d51ceaeff715ace430f9462ab2ee4e7f33e70e
SHA25645726f2f29967ef016f8d556fb6468a577307d67388cc4530295a9ca10fdfa36
SHA5121745aefb9b4db4cdd7c08ee3a7d133db08f35a336fd18b598211519b481ef25ac84a3e8a3da3db06caef9f531288d1cf0ca8d4b2560637945e7953e8b45421f5
-
Filesize
127KB
MD56f014d20774a7ec9869e54fe3d977f11
SHA12f05737ded3e8f2a6c7468482a6d500ec32d7d30
SHA2563688345fc9eaee1073bfb24872d397a180a784e263b7a3b0ef91a8cd2bdad747
SHA512c67358c788beab21c192032fd157dbfaa81398c719a4d4091d49bef2d02c364760f1fac23721e433d7d10a7f25779db143a5f4f68cc07a500e14cb6b544852a8
-
Filesize
78B
MD53b877d3673b5b43fe8f62d2e056b5b28
SHA1544f99e75a7cbb0078afa51ac508db5906bd2948
SHA2568045c9273a507fcd26923532c21b3c11e53225f53ca176e965a84a3806c2d0fd
SHA5129c1bd66258d8f8e1ce2ecb8f7e089158e9013f9dd957dd62643c504d49150afff04f4a7445edbf49fc5c47b52da86b5281484a8250b0e04394831fc89b4b9746
-
Filesize
485KB
MD5389089be1efcba43ec9e553f4476b01a
SHA13c0d421bbba2b2cf3560ef94b2c975e41d03da27
SHA25647749b20937c627f60ceefb55d5ebdc7eb6140b1ae89faf4246e5c358dd7f846
SHA5125a8ba673a1acc72cdeb4cae22879c07768d8477589541189a302b93833b1f0edcf3970cdce146682709ee026b00c91e9a498908b6dbf4df8822e65e8ac4bceab
-
Filesize
563KB
MD56e3f1e133c8c08aed4ab4c5242cf7448
SHA1c981749d38de777e5d1a93b6b10f3aebab23cc1a
SHA25676ba47a0000f935caa9373ed44beed998af4d58e598bdfe931aac73086b3b46b
SHA512f117bf961a05bad36e65c740290ad17ca825f90fdacf7edbed708e5f81aba2c66f2174b057bc8531829aa664ff3da78a2caa5577d42ab313119c56e8ee55fa4e
-
Filesize
511KB
MD51be3b42e0ff747a73ed4251a27eb1d5c
SHA1a0eadc318cf2875a12e94e46604438724282f3dc
SHA256ff6b8b8a3b9ed386c1efb82377893cae425d9b8c62dc812555f78b3340247f2f
SHA512dfade50f754fef087ae725ef20dde174c3156b4f19d89934a7d6f70b6cc6f917fa98a05977dbd5643eaf60cd7df270f3f8e6a32fd5bd0d007309d052d29a2276
-
Filesize
537KB
MD59b24aaace4853d8639f5826e84bd48fb
SHA11cae5f9a72912002fcc3c26ddfa82ba6b3d8b3bf
SHA25697f649a47436c81ac82e5fe2b7d0a9120173c02f87d8efb825db1c53287f5b97
SHA512ff17109223c31254c6992d3d4edc7c513263a497d06c3a9835bf0b5f9783ee054ad862a02c26593bda1077f471d347e614445c4fbe0436616669e0294515257e
-
Filesize
2KB
MD558734c18a60abedf381a0ff109c7e52a
SHA183672b64c0999bcc80d6204ab9a218bdcfc8627a
SHA256c39135f145dd2e5283cefe226c238ed16812fb132d7575801ecd85fae8bec65f
SHA512ff09ac265919fa300f9b46059e85be537b1a3ad231bf9e181ce6369a57cd00b16f28fefa10b4da3ab1782c16cd5899859d89172ef76872a2bf438acdc360f4a4
-
Filesize
459KB
MD5fd165b1e79f80af2f0ad145cd0d92e9a
SHA12f0622fa4d0ff91fc0ae855e3920162f3075cff4
SHA2564f79c3c762966a64e28d8dcc733dc900f5020897ee74f93280fee5cdf8724fd1
SHA512de918d0924697c9194f8ef7f7613c16dd25c07e4e66d68826753a891793f81b0f25785f7774fef2f5a50dc8f44347a9b3046f585a4753e6439f24bce3f14645a
-
Filesize
380KB
MD59ac82555473ccd6f646616deade83d41
SHA10fb062d6d627aa029e8b7dabc074deb3ae7913f3
SHA2560c1ceb3d7b12f136a01e81517bb696afd6fea1d217321a6359d1bcfb1d128a85
SHA512f8400b8ab02d254385d0036dc6fbfb3afb7c297e16021e0ac0ea46240162453a906b167bbe19e6bef29863d51fa97b3e1206f9f993cce5a74f460485c778e9b0
-
Filesize
852KB
MD53bd2b6a533e1d06bafffc30626edb25b
SHA103b9997c797641c181e2b4ee4df5ce2605cf26a2
SHA256fb7634227a23165f8b434e02a6ae055cbd250bc57caf1b10fc506e18dc91a6da
SHA512b98724a4a5360f2baf68ff329c05cc8aa6b1885078c8a7cc6e52fe2c3f4799f01eb73912cb2415d54c212ad57b60774bb64c3808856873b1dad8ad1315c39a63
-
Filesize
773KB
MD5174a3f3f9ce922b50c6e380d12e41d4c
SHA104650ef071dfdbb10093677b48470a41a8c10ad2
SHA256ecc7164d293339258b17af2a6f7991f158f974c684466367def8ad3c17955438
SHA512a38ccf45df89dc7bd8a2fa956fbc74a34cc607f5a9c4568b42ba0b167ef9c6ab7bc98d155b13e3e9d70b9228d0f0966af2bd4727e0f6fc31048189b369dba77b
-
Filesize
747KB
MD5e3ca9616043bbdf0c766329b92616e93
SHA1072920c9350608328648dc92f1e70b5eaa6ce157
SHA2560322ac3487cda8c55ba1008a227c1ceb2742ed9599ecf53065d92cf933c00852
SHA512724d63cc02d49fd834ff02b14c8e28b6b62b22fca3c9f348298f26051459bf1ea79331977120acbb5b3388e7f2b9e8f2a36979e08a5b3b232fbef4c2331c2975
-
Filesize
904KB
MD58067766a2d88a4f1fcc2fe4eec8ed9b0
SHA19bf9be633b48724793ae995a0e50de87bedb9942
SHA2566ff545c3cf8d6108d7bdd7a432c9581616be4e46a543587f6ffe968404a5be43
SHA5128cd7f132df62d7cbc8d71470ceeb8226e61f8db832fd9900418e66428fca3d7743ed523955450a212f7d14dd4bb6a04b1faff510a84d9d59f50d8f2618dfb0be
-
Filesize
799KB
MD52e47b7bba45220c169c84b5451dd3ed0
SHA1602a5390d2862a3260a24416d97990d612e4395c
SHA25684e64d6c1fcda8831252747a7158cdeec40b7898bee33d6468cf0d439d8b6747
SHA512f41f867daede9700b06ae069e331004e0c33076cc8ac2c6e45664196608c80179a4bb48a3fafac9255d178ef8c7f421d438fdb1c659ea67139b828e588898794
-
Filesize
1.3MB
MD55a919e2bc84d2a58e3ef5d5f72a2fc4f
SHA1027d68a443db2c5db8dc2935a3840a8912e74afd
SHA256c55553a27caef3c12cb9d5538fdbbba7eb012c03df2e3a47e5ae48c5752d06dc
SHA5126e53f0143cbd6cdd3da3cb42c07f41a4925aa563ffc1f6de8a1d61cd8e311a540a3aeb763303e4ef4ad2d0064a940818f0522ad74be8106169b13768a11cefe2
-
Filesize
1B
MD5d1457b72c3fb323a2671125aef3eab5d
SHA15bab61eb53176449e25c2c82f172b82cb13ffb9d
SHA2568a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1
SHA512ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
152KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
192KB
-
Filesize
72KB
-
Filesize
96KB
-
Filesize
92KB
-
Filesize
68KB
-
Filesize
92KB
-
Filesize
68KB
-
Filesize
116KB
-
Filesize
2.0MB
-
Filesize
68KB
-
Filesize
252KB
-
Filesize
132KB
-
Filesize
96KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
16.7MB
-
Filesize
68KB
-
Filesize
108KB
-
Filesize
68KB
-
Filesize
96KB
-
Filesize
208KB
-
Filesize
412KB
-
Filesize
444KB
-
Filesize
68KB
-
Filesize
344KB
-
Filesize
160KB
-
Filesize
144KB
-
Filesize
92KB
-
Filesize
140KB
-
Filesize
68KB
-
Filesize
132KB
-
Filesize
2.7MB
-
Filesize
76KB
-
Filesize
72KB
-
Filesize
1.2MB
-
Filesize
176KB
-
Filesize
1.7MB
-
Filesize
368KB
-
Filesize
604KB
-
Filesize
68KB
-
Filesize
72KB
-
Filesize
2.2MB
-
Filesize
212KB
-
Filesize
148KB
-
Filesize
68KB
-
Filesize
388KB
-
Filesize
68KB
-
Filesize
72KB
-
Filesize
636KB
-
Filesize
76KB
-
Filesize
68KB
-
Filesize
1.0MB
-
Filesize
68KB
-
Filesize
1.5MB
-
Filesize
92KB
-
Filesize
1.1MB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
96KB
-
Filesize
72KB
-
Filesize
88KB
-
Filesize
164KB
-
Filesize
72KB
-
Filesize
992KB
