Analysis

  • max time kernel
    140s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240226-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    22-03-2024 22:53

General

  • Target

    PrivateChat V2.0.exe

  • Size

    87KB

  • MD5

    4e0daa19b125c8e2703e9de440b1340b

  • SHA1

    8dd7592a40384093ab296ea4a0ae14102441b884

  • SHA256

    2dcc9c629488710a424dba2eefcfbecbf1edcc092a8387be7929db59f9692e71

  • SHA512

    8bf90f3d89e0592b5e5f1f6b1d5a362b1db84612eb8f737bec7e17c25e8e9748dd0293e40addea8f77c4f49e7e3a1e345ff78e1ee150dc29bfb643bbdb78e040

  • SSDEEP

    1536:SPvg251EzYY2MkcqhQP6xY9G+beYZFy+U0/A1OG36zvO5d2LueRISbfX:SPvg2szr5kcqhgx8+be+yTL+OjOusr

Malware Config

Extracted

Family

xworm

C2

employees-resolution.gl.at.ply.gg:35582

Attributes
  • install_file

    USB.exe

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 2 IoCs
  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive account data.

  • Drops desktop.ini file(s) 34 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious use of AdjustPrivilegeToken 54 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\PrivateChat V2.0.exe
    "C:\Users\Admin\AppData\Local\Temp\PrivateChat V2.0.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3420
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\PrivateChat V2.0.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3476
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'PrivateChat V2.0.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1936
    • C:\Users\Admin\AppData\Local\Temp\cujwyn.exe
      "C:\Users\Admin\AppData\Local\Temp\cujwyn.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4080
      • C:\Users\Admin\AppData\Roaming\PrivateChat.exe
        "C:\Users\Admin\AppData\Roaming\PrivateChat.exe"
        3⤵
        • Checks computer location settings
        • Drops startup file
        • Executes dropped EXE
        • Drops desktop.ini file(s)
        • Sets desktop wallpaper using registry
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3776
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3744
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:408
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic shadowcopy delete
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3228
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:636
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} bootstatuspolicy ignoreallfailures
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:3736
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} recoveryenabled no
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1164
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:5084
          • C:\Windows\system32\wbadmin.exe
            wbadmin delete catalog -quiet
            5⤵
            • Deletes backup catalog
            PID:4428
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\README.txt
          4⤵
          • Opens file in notepad (likely ransom note)
          PID:4364
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2964
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4928
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:3076
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:3992
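The process tree above, as an added detection example that is not part of the sandbox report: a small Python scan that applies command-line rules for the four behaviours visible here (Defender exclusions via Add-MpPreference, vssadmin/wmic shadow-copy deletion, bcdedit recovery changes, wbadmin catalog deletion) to process-creation events and walks each hit back to its tree root, so the findings can be scored per tree rather than per process. The sample events are constructed from the tree; the parent PIDs are inferred from its nesting because the report lists only PIDs, and a ppid of None marks a tree root.

```python
"""Rule-based scan of process-creation events for the recovery-inhibition and
AV-tampering command lines seen in the report's process tree.
Added example; not part of the sandbox output. Sample events are constructed
from the tree, with parent PIDs inferred from its nesting (None = tree root)."""
import re
from collections import defaultdict

# (rule name, pattern applied to the full command line, case-insensitive)
RULES = [
    ("defender_exclusion_added",
     re.compile(r"add-mppreference\s+-exclusion(path|process|extension|ipaddress)", re.I)),
    ("shadow_copies_deleted",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("boot_recovery_disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{(default|current)\}\s+"
                r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("backup_catalog_deleted",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]
# Two or more of these under a single tree is a strong ransomware signal on its own.
RECOVERY_RULES = {"shadow_copies_deleted", "boot_recovery_disabled", "backup_catalog_deleted"}

T = r"C:\Users\Admin\AppData\Local\Temp"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"


def q(path):  # quote an image path the way the tree shows launched command lines
    return '"' + path + '"'


def ev(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


SAMPLE_EVENTS = [  # constructed from the process tree above
    ev(3420, None, T + r"\PrivateChat V2.0.exe", q(T + r"\PrivateChat V2.0.exe")),
    ev(3476, 3420, PS, q(PS) + " -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '"
       + T + r"\PrivateChat V2.0.exe'"),
    ev(1936, 3420, PS, q(PS) + " -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'PrivateChat V2.0.exe'"),
    ev(4080, 3420, T + r"\cujwyn.exe", q(T + r"\cujwyn.exe")),
    ev(3776, 4080, r"C:\Users\Admin\AppData\Roaming\PrivateChat.exe",
       q(r"C:\Users\Admin\AppData\Roaming\PrivateChat.exe")),
    ev(3744, 3776, CMD, q(CMD) + " /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete"),
    ev(408, 3744, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ev(3228, 3744, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    ev(636, 3776, CMD, q(CMD) + " /C bcdedit /set {default} bootstatuspolicy ignoreallfailures"
       " & bcdedit /set {default} recoveryenabled no"),
    ev(3736, 636, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ev(1164, 636, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    ev(5084, 3776, CMD, q(CMD) + " /C wbadmin delete catalog -quiet"),
    ev(4428, 5084, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    ev(4364, 3776, r"C:\Windows\system32\NOTEPAD.EXE",
       q(r"C:\Windows\system32\NOTEPAD.EXE") + r" C:\Users\Admin\AppData\Roaming\README.txt"),
]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def match_rules(cmdline):
    """Names of every rule whose pattern occurs in the command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def ancestry(events, pid):
    """Image basenames from `pid` up to the root of its tree (cycle-safe)."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def scan(events):
    """One finding per (process, rule), each carrying its parent chain for triage."""
    return [{"pid": e["pid"], "rule": r, "chain": ancestry(events, e["pid"])}
            for e in events for r in match_rules(e["cmdline"])]


def rules_by_root(events):
    """Distinct rules fired under each tree root, keyed by the root image name."""
    grouped = defaultdict(set)
    for f in scan(events):
        grouped[f["chain"][-1]].add(f["rule"])
    return {root: sorted(rules) for root, rules in grouped.items()}


def recovery_inhibition_roots(events):
    """Roots under which at least two distinct recovery-inhibition techniques fired."""
    return [root for root, rules in rules_by_root(events).items()
            if len(RECOVERY_RULES & set(rules)) >= 2]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['pid']:>5}  {f['rule']:<26}  {' <- '.join(f['chain'])}")
    print("recovery inhibition under:", recovery_inhibition_roots(SAMPLE_EVENTS))
```

Two points worth noting from the output. The cmd.exe launchers match as well as their vssadmin, bcdedit and wbadmin children, so the rules still fire if an endpoint control blocks the child binaries themselves. And the Add-MpPreference exclusions come from a process running out of the user's Temp directory, which on its own is a high-fidelity signal; on a live host the matching check is to compare Get-MpPreference's ExclusionPath and ExclusionProcess lists against the baseline.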

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      d28a889fd956d5cb3accfbaf1143eb6f

      SHA1

      157ba54b365341f8ff06707d996b3635da8446f7

      SHA256

      21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

      SHA512

      0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_motgrd4g.at1.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\cujwyn.exe

      Filesize

      120KB

      MD5

      5d4c5f3457c4487fe26df768ed8f3d2b

      SHA1

      f5f3df7d11e06dc158ac8183a8bde5895f8ea251

      SHA256

      19c393a4787d325984d850d8f02db1f302819b808952f72c332251d5d95f7c32

      SHA512

      793b8917ad068b77bcc7d771a28069ac432cfb441438e1a1f159fe94cbb2aa550fb2cc47d7354e30275ce2df402774902c987ad9b9be900f3748281f13a30e9a

    • C:\Users\Admin\Documents\README.txt

      Filesize

      366B

      MD5

      a9739643e50a5d9ca0f162feb7846dd5

      SHA1

      d10c5feedd35fd2a24cd1266014ae8adaad22fd3

      SHA256

      e611bd6ae4702f7496dda7ae78a5df097d1e6858c7fa38b3b9b7140379f7d51c

      SHA512

      cb5e3943ccce39f10a899a4900952b702601840a2e6dd8e385ebed1e4e7b041f8440dd7dde229c5d28cf82f380b17f498a3e6cb8426d984b71a4115de3df9552

    • memory/1936-22-0x000001E6BDC60000-0x000001E6BDC70000-memory.dmp

      Filesize

      64KB

    • memory/1936-19-0x00007FF832910000-0x00007FF8333D1000-memory.dmp

      Filesize

      10.8MB

    • memory/1936-20-0x000001E6BDC60000-0x000001E6BDC70000-memory.dmp

      Filesize

      64KB

    • memory/1936-32-0x000001E6BDC60000-0x000001E6BDC70000-memory.dmp

      Filesize

      64KB

    • memory/1936-34-0x00007FF832910000-0x00007FF8333D1000-memory.dmp

      Filesize

      10.8MB

    • memory/3420-37-0x000000001BC10000-0x000000001BC1C000-memory.dmp

      Filesize

      48KB

    • memory/3420-38-0x000000001BC30000-0x000000001BC40000-memory.dmp

      Filesize

      64KB

    • memory/3420-0-0x0000000000E60000-0x0000000000E7C000-memory.dmp

      Filesize

      112KB

    • memory/3420-1-0x00007FF832910000-0x00007FF8333D1000-memory.dmp

      Filesize

      10.8MB

    • memory/3420-36-0x00007FF832910000-0x00007FF8333D1000-memory.dmp

      Filesize

      10.8MB

    • memory/3420-35-0x000000001BC30000-0x000000001BC40000-memory.dmp

      Filesize

      64KB

    • memory/3476-17-0x00007FF832910000-0x00007FF8333D1000-memory.dmp

      Filesize

      10.8MB

    • memory/3476-14-0x000001566FC10000-0x000001566FC20000-memory.dmp

      Filesize

      64KB

    • memory/3476-9-0x000001566FC10000-0x000001566FC20000-memory.dmp

      Filesize

      64KB

    • memory/3476-2-0x00007FF832910000-0x00007FF8333D1000-memory.dmp

      Filesize

      10.8MB

    • memory/3476-8-0x000001566FD20000-0x000001566FD42000-memory.dmp

      Filesize

      136KB

    • memory/3776-65-0x00007FF832910000-0x00007FF8333D1000-memory.dmp

      Filesize

      10.8MB

    • memory/3776-70-0x000000001B030000-0x000000001B040000-memory.dmp

      Filesize

      64KB

    • memory/3776-539-0x00007FF832910000-0x00007FF8333D1000-memory.dmp

      Filesize

      10.8MB

    • memory/3776-540-0x000000001B030000-0x000000001B040000-memory.dmp

      Filesize

      64KB

    • memory/4080-50-0x0000000000160000-0x0000000000184000-memory.dmp

      Filesize

      144KB

    • memory/4080-51-0x00007FF832910000-0x00007FF8333D1000-memory.dmp

      Filesize

      10.8MB

    • memory/4080-64-0x00007FF832910000-0x00007FF8333D1000-memory.dmp

      Filesize

      10.8MB