chaos | a9abad54fc0edbec207aa78275dde697b408f64ec15593982dd1db743c1a82ff

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/03/2024, 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-27_5de3be7387ae4c84f1c3931f8f4a4bdb_wannacry.exe
Size

294KB
MD5

5de3be7387ae4c84f1c3931f8f4a4bdb
SHA1

a291b128d79e06bc35a3d7103b6e17aeefe1bfa9
SHA256

a9abad54fc0edbec207aa78275dde697b408f64ec15593982dd1db743c1a82ff
SHA512

57267d315dd75771a7711bf04d8289380e7608f553d03d5e1b0e4918a912c579b50ff01c401aae9fb1de67802ad28e66b82559cf3e0783bff3a9b7ab3f0fc766
SSDEEP

1536:ixDkHJ/b+BgGt+ilZ7K1CM0yt9z6+yMdhvkod5jbuvSf7:FVb+BhMEXUOwdhvNvjbxf7

Score

10^/10

chaos ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\read_it.txt

Family

chaos

Ransom Note

----> Chaos is multi language ransomware. Translate your note to any language <---- All of your files have been encrypted By Salvation X Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.What can I do to get my files back?You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $300. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0.0043 BTC Bitcoin Address: bc1qfwd8hd2amxc8fc8mrc0m8a83ckyrudnjs6905r Contact Us Telegram- Telegram Group:- https://t.me/DecrypteKey

URLs

https://t.me/DecrypteKey

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Detects command variations typically used by ransomware 3 IoCs

resource	yara_rule
behavioral1/memory/2992-0-0x0000000000D80000-0x0000000000DD0000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware
behavioral1/files/0x0009000000012251-5.dat	INDICATOR_SUSPICIOUS_GENRansomware
behavioral1/memory/1156-7-0x0000000000F90000-0x0000000000FE0000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
1156	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 34 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-406356229-2805545415-1236085040-1000\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2608	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1156	svchost.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2992	2024-03-27_5de3be7387ae4c84f1c3931f8f4a4bdb_wannacry.exe
2992	2024-03-27_5de3be7387ae4c84f1c3931f8f4a4bdb_wannacry.exe
1156	svchost.exe
1156	svchost.exe
1156	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2992	2024-03-27_5de3be7387ae4c84f1c3931f8f4a4bdb_wannacry.exe
Token: SeDebugPrivilege	1156	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 1156	2992	2024-03-27_5de3be7387ae4c84f1c3931f8f4a4bdb_wannacry.exe	28
PID 2992 wrote to memory of 1156	2992	2024-03-27_5de3be7387ae4c84f1c3931f8f4a4bdb_wannacry.exe	28
PID 2992 wrote to memory of 1156	2992	2024-03-27_5de3be7387ae4c84f1c3931f8f4a4bdb_wannacry.exe	28
PID 1156 wrote to memory of 2608	1156	svchost.exe	30
PID 1156 wrote to memory of 2608	1156	svchost.exe	30
PID 1156 wrote to memory of 2608	1156	svchost.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-03-27_5de3be7387ae4c84f1c3931f8f4a4bdb_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-27_5de3be7387ae4c84f1c3931f8f4a4bdb_wannacry.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
294KB

MD5
5de3be7387ae4c84f1c3931f8f4a4bdb

SHA1
a291b128d79e06bc35a3d7103b6e17aeefe1bfa9

SHA256
a9abad54fc0edbec207aa78275dde697b408f64ec15593982dd1db743c1a82ff

SHA512
57267d315dd75771a7711bf04d8289380e7608f553d03d5e1b0e4918a912c579b50ff01c401aae9fb1de67802ad28e66b82559cf3e0783bff3a9b7ab3f0fc766

Download Submit
C:\Users\Admin\Desktop\read_it.txt

Filesize
1KB

MD5
033c70e11bd9d61f2132307be4740963

SHA1
9db63c9f7873de81235c63ffa52477ab3c7e844d

SHA256
e2e467b32be5706cc6d660cfa23d5b1e53f66a7d5017265e7f0b3b37596fbacd

SHA512
484b47d0a064d5d7a724ac5d4d1a264513da158e881d0c74c43546243fe504a9c830626a1fb085a232943881833f8b61e76ddc5ac4a4c78ee1e109cc0433bc44

Download Submit
memory/1156-7-0x0000000000F90000-0x0000000000FE0000-memory.dmp

Filesize
320KB

Download
memory/1156-9-0x000007FEF5E80000-0x000007FEF686C000-memory.dmp

Filesize
9.9MB

Download
memory/1156-71-0x000000001AEB0000-0x000000001AF30000-memory.dmp

Filesize
512KB

Download
memory/1156-72-0x000007FEF5E80000-0x000007FEF686C000-memory.dmp

Filesize
9.9MB

Download
memory/1156-73-0x000000001AEB0000-0x000000001AF30000-memory.dmp

Filesize
512KB

Download
memory/2992-0-0x0000000000D80000-0x0000000000DD0000-memory.dmp

Filesize
320KB

Download
memory/2992-1-0x000007FEF5E80000-0x000007FEF686C000-memory.dmp

Filesize
9.9MB

Download
memory/2992-8-0x000007FEF5E80000-0x000007FEF686C000-memory.dmp

Filesize
9.9MB

Download