chaos | 68ec37ccb2e6682f6f444b13b9d6f0098ef45774dcf856328d7c9af440891679

Resubmissions

31/03/2024, 14:56

240331-sa6ycsdg9y 10

27/03/2024, 12:31

240327-pp4vrsfc3z 10

Analysis

max time kernel
177s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2024, 14:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1ac6283bd50e46c49ea0cfae49e4a8f.exe
Size

40KB
MD5

e1ac6283bd50e46c49ea0cfae49e4a8f
SHA1

e0f4c6caf5e8b119a1b302591a39511872eb11cd
SHA256

68ec37ccb2e6682f6f444b13b9d6f0098ef45774dcf856328d7c9af440891679
SHA512

ca612f7b82e178feddaa14cdde0a1e25a65e5d1c0868ff39bb4db3447cba909ffa5bb813b8bf5ab038d33d45a7ea95de200cfd59d5cae890507aba8cc7556223
SSDEEP

768:UzctJwrPdpe9rrG5XdO1AF97rds0/poHWFC6JORwxIpizMAO2:actJgPW9rrGNdO1AjvWqS246WNizg2

Score

10^/10

chaos ransomware

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 2 IoCs

resource	yara_rule
behavioral1/memory/1488-23-0x0000000000400000-0x000000000040C000-memory.dmp	family_chaos
behavioral1/memory/5076-145-0x00000000747E0000-0x0000000074F90000-memory.dmp	family_chaos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	e1ac6283bd50e46c49ea0cfae49e4a8f.exe

Executes dropped EXE 3 IoCs

pid	Process
5068	svchost.exe
1440	svchost.exe
5076	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3260 set thread context of 1488	3260	e1ac6283bd50e46c49ea0cfae49e4a8f.exe	100
PID 5068 set thread context of 5076	5068	svchost.exe	117
PID 4504 set thread context of 984	4504	e1ac6283bd50e46c49ea0cfae49e4a8f.exe	123

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings	7zFM.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3948	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
1488	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
1488	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
1488	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
1488	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
1488	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
1488	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
1488	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
1488	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
1488	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
1488	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
1488	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
1488	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
1488	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
1488	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
1488	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
1488	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
1488	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
1488	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
1488	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
1488	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
1488	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
1488	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
1488	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
1488	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
1488	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4844	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4844	taskmgr.exe
Token: SeSystemProfilePrivilege	4844	taskmgr.exe
Token: SeCreateGlobalPrivilege	4844	taskmgr.exe
Token: SeDebugPrivilege	1488	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
Token: SeDebugPrivilege	5068	svchost.exe
Token: SeDebugPrivilege	5076	svchost.exe
Token: SeRestorePrivilege	2120	7zFM.exe
Token: 35	2120	7zFM.exe
Token: SeSecurityPrivilege	2120	7zFM.exe
Token: SeDebugPrivilege	984	e1ac6283bd50e46c49ea0cfae49e4a8f.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4844	taskmgr.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 1488	3260	e1ac6283bd50e46c49ea0cfae49e4a8f.exe	100
PID 3260 wrote to memory of 1488	3260	e1ac6283bd50e46c49ea0cfae49e4a8f.exe	100
PID 3260 wrote to memory of 1488	3260	e1ac6283bd50e46c49ea0cfae49e4a8f.exe	100
PID 3260 wrote to memory of 1488	3260	e1ac6283bd50e46c49ea0cfae49e4a8f.exe	100
PID 3260 wrote to memory of 1488	3260	e1ac6283bd50e46c49ea0cfae49e4a8f.exe	100
PID 3260 wrote to memory of 1488	3260	e1ac6283bd50e46c49ea0cfae49e4a8f.exe	100
PID 3260 wrote to memory of 1488	3260	e1ac6283bd50e46c49ea0cfae49e4a8f.exe	100
PID 3260 wrote to memory of 1488	3260	e1ac6283bd50e46c49ea0cfae49e4a8f.exe	100
PID 1488 wrote to memory of 5068	1488	e1ac6283bd50e46c49ea0cfae49e4a8f.exe	102
PID 1488 wrote to memory of 5068	1488	e1ac6283bd50e46c49ea0cfae49e4a8f.exe	102
PID 1488 wrote to memory of 5068	1488	e1ac6283bd50e46c49ea0cfae49e4a8f.exe	102
PID 4536 wrote to memory of 220	4536	msedge.exe	105
PID 4536 wrote to memory of 220	4536	msedge.exe	105
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3760	4536	msedge.exe	106
PID 4536 wrote to memory of 3664	4536	msedge.exe	107
PID 4536 wrote to memory of 3664	4536	msedge.exe	107
PID 4536 wrote to memory of 3860	4536	msedge.exe	108
PID 4536 wrote to memory of 3860	4536	msedge.exe	108
PID 4536 wrote to memory of 3860	4536	msedge.exe	108
PID 4536 wrote to memory of 3860	4536	msedge.exe	108
PID 4536 wrote to memory of 3860	4536	msedge.exe	108
PID 4536 wrote to memory of 3860	4536	msedge.exe	108
PID 4536 wrote to memory of 3860	4536	msedge.exe	108
PID 4536 wrote to memory of 3860	4536	msedge.exe	108
PID 4536 wrote to memory of 3860	4536	msedge.exe	108

C:\Users\Admin\AppData\Local\Temp\e1ac6283bd50e46c49ea0cfae49e4a8f.exe
"C:\Users\Admin\AppData\Local\Temp\e1ac6283bd50e46c49ea0cfae49e4a8f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Users\Admin\AppData\Local\Temp\e1ac6283bd50e46c49ea0cfae49e4a8f.exe
  "C:\Users\Admin\AppData\Local\Temp\e1ac6283bd50e46c49ea0cfae49e4a8f.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:5068
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:1440
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5076

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://appdata/
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffd47746f8,0x7fffd4774708,0x7fffd4774718
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,17681918612754965445,6422720376791662497,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,17681918612754965445,6422720376791662497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,17681918612754965445,6422720376791662497,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
  2⤵
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17681918612754965445,6422720376791662497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17681918612754965445,6422720376791662497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17681918612754965445,6422720376791662497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17681918612754965445,6422720376791662497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
  2⤵
  PID:2724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4304

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2328

C:\Users\Admin\AppData\Local\Temp\e1ac6283bd50e46c49ea0cfae49e4a8f.exe
"C:\Users\Admin\AppData\Local\Temp\e1ac6283bd50e46c49ea0cfae49e4a8f.exe"
1⤵
- Suspicious use of SetThreadContext
PID:4504
- C:\Users\Admin\AppData\Local\Temp\e1ac6283bd50e46c49ea0cfae49e4a8f.exe
  "C:\Users\Admin\AppData\Local\Temp\e1ac6283bd50e46c49ea0cfae49e4a8f.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:984

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\e1ac6283bd50e46c49ea0cfae49e4a8f.exe"
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2120
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO848FB959\version.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e1ac6283bd50e46c49ea0cfae49e4a8f.exe.log

Filesize
1KB

MD5
b5291f3dcf2c13784e09a057f2e43d13

SHA1
fbb72f4b04269e0d35b1d9c29d02d63dbc7ad07e

SHA256
ad995b51344d71019f96fc3a424de00256065daad8595ff599f6849c87ae75ce

SHA512
11c89caac425bccaa24e2bb24c6f2b4e6d6863278bf8a5304a42bb44475b08ca586e09143e7d5b14db7f1cd9adacd5358769e0d999dc348073431031067bd4d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a774512b00820b61a51258335097b2c9

SHA1
38c28d1ea3907a1af6c0443255ab610dd9285095

SHA256
01946a2d65e59b66ebc256470ff4861f32edee90a44e31bf67529add95cafef4

SHA512
ce109be65060a5e7a872707c6c2ccce3aacd577e59c59d6e23e78d03e3d502f2707713fda40a546ed332e41a56ef90297af99590a5ab02f686a58bcbf3a82da1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fd7944a4ff1be37517983ffaf5700b11

SHA1
c4287796d78e00969af85b7e16a2d04230961240

SHA256
b54b41e7ce5600bc653aa7c88abb666976872b2d5e2d657bfc1147a0b49e9d74

SHA512
28c58a2ccf39963a8d9f67ea5b93dbccf70b0109b2c8a396a58389cdec9db1205523a95730485bcbc9d533867cbf0e7167ad370fd45740e23656d01d96ee543b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7090dd773c5af0e0739c734ddb145aa0

SHA1
b2d3cf2c7f56d1438fb862096a92442a2405ae3c

SHA256
154df7813650b6bc9516a20799142232dc4b975b62275e4f9fefd057b7817a76

SHA512
096dc7ac7a0a8a6ef13bf070cf8838f847301a985e7efd04ba6fee286dada7c10d99de0f33628665066cb84bc654543f53ca15929fa2af2f731f6e6cab27d872

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c1e9c6669491bb3cec21940bd916809b

SHA1
0fe70bae01120adbb6b0b6ff8acb093cbf398f1a

SHA256
25ffb3380a0e69a22e5dd054f7822e154ed33362f6306c424827641fa27c21a7

SHA512
63b3621beef3393c5fe74e6d99e6cc68e7e8b5d5262ddc0871bd1f9f108187e66aeb82f59f42154aec0bef374df771e805a4a46031aabf7066052a03e104ade5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6327e5a354b685c0a514803fbcffe3c1

SHA1
22db875d81ee0d749c4c054a634e1c35eff15ac9

SHA256
0a566359609010f5c0269b437d305c54af054b1f56a7e9dff13667acb2f99a2e

SHA512
5aaaafc94e19565d59cc1f4510a367baf5ccb241ffd59708b21f58f647f70f30b16d0dab9441bb1e6f41025745789e1749e78486fef13472ac8bfcf430037d86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO848FB959\version.txt

Filesize
1KB

MD5
5774cc976190ee3bc459b0d3f35fff5d

SHA1
7173646be8e44289c5350dc6ec71b9c0f6b2d6b4

SHA256
26934c2e9d6d34c6ce800ddbe4bf7e39c52951697e7278b6131eb71f8536bcb9

SHA512
e49e63a4163b72be21a9e01bcfd4a37971b3fdc7b05d3de5af99f7ed4ee3b00f55cc467a66265d747fd1f28c5134d1fbe8e7b97407fc276d7d2f3fb484c6dfa9

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
40KB

MD5
e1ac6283bd50e46c49ea0cfae49e4a8f

SHA1
e0f4c6caf5e8b119a1b302591a39511872eb11cd

SHA256
68ec37ccb2e6682f6f444b13b9d6f0098ef45774dcf856328d7c9af440891679

SHA512
ca612f7b82e178feddaa14cdde0a1e25a65e5d1c0868ff39bb4db3447cba909ffa5bb813b8bf5ab038d33d45a7ea95de200cfd59d5cae890507aba8cc7556223

Download Submit
memory/984-154-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/984-157-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/1488-23-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1488-39-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/1488-26-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/3260-27-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/3260-6-0x0000000004CF0000-0x0000000004D66000-memory.dmp

Filesize
472KB

Download
memory/3260-1-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/3260-20-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/3260-21-0x0000000004A80000-0x0000000004A8E000-memory.dmp

Filesize
56KB

Download
memory/3260-22-0x0000000004D90000-0x0000000004DAE000-memory.dmp

Filesize
120KB

Download
memory/3260-2-0x0000000005120000-0x00000000056C4000-memory.dmp

Filesize
5.6MB

Download
memory/3260-3-0x0000000004AA0000-0x0000000004B32000-memory.dmp

Filesize
584KB

Download
memory/3260-0-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/3260-4-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/3260-5-0x0000000004A90000-0x0000000004A9A000-memory.dmp

Filesize
40KB

Download
memory/4504-146-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/4504-147-0x00000000059D0000-0x00000000059E0000-memory.dmp

Filesize
64KB

Download
memory/4504-155-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/4504-153-0x00000000059D0000-0x00000000059E0000-memory.dmp

Filesize
64KB

Download
memory/4504-148-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/4844-16-0x0000021197BB0000-0x0000021197BB1000-memory.dmp

Filesize
4KB

Download
memory/4844-8-0x0000021197BB0000-0x0000021197BB1000-memory.dmp

Filesize
4KB

Download
memory/4844-13-0x0000021197BB0000-0x0000021197BB1000-memory.dmp

Filesize
4KB

Download
memory/4844-14-0x0000021197BB0000-0x0000021197BB1000-memory.dmp

Filesize
4KB

Download
memory/4844-18-0x0000021197BB0000-0x0000021197BB1000-memory.dmp

Filesize
4KB

Download
memory/4844-9-0x0000021197BB0000-0x0000021197BB1000-memory.dmp

Filesize
4KB

Download
memory/4844-19-0x0000021197BB0000-0x0000021197BB1000-memory.dmp

Filesize
4KB

Download
memory/4844-17-0x0000021197BB0000-0x0000021197BB1000-memory.dmp

Filesize
4KB

Download
memory/4844-7-0x0000021197BB0000-0x0000021197BB1000-memory.dmp

Filesize
4KB

Download
memory/4844-15-0x0000021197BB0000-0x0000021197BB1000-memory.dmp

Filesize
4KB

Download
memory/5068-40-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/5068-72-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/5076-145-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/5076-73-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download