Overview

overview

10

Static

static

1

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    94s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    06-04-2024 09:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08.exe

  • Size

    2.3MB

  • MD5

    8392650851d29f54e051d8a6499889a5

  • SHA1

    d5814cff46164e3011bfce0d3bd7f6692ec63c64

  • SHA256

    b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08

  • SHA512

    f518039b485bc675383c11b435f2b6eab2dd8d1ffac3e0aed29d972effedeb69aa039191b0986a05c275a9ccb2d65d0efc98a21db96c9cde2c54a8fa3f0f1cd8

  • SSDEEP

    49152:4EWDvY84YWarHKnuQDuZu/RJJlB8xsDDckz8YKBg1i1IIMoq:OxkDumRJJlQuDcXMDJ

Score
10/10
chaoshermeticwiperxwormzgratpersistenceransomwarerattrojanwiper

Malware Config

Extracted

Family

xworm

Version

3.1

C2

gamemodz.duckdns.org:4678

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos
  • Chaos Ransomware 3 IoCs
  • Detect HermeticWiper 1 IoCs

    Detect HermeticWiper Payload.

    wiper
  • Detect Xworm Payload 1 IoCs
  • Detect ZGRat V1 34 IoCs
  • HermeticWiper

    HermeticWiper is a partition-corrupting malware used in cyberattacks against Ukrainian organizations.

    wiperhermeticwiper
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Drops file in Drivers directory 3 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: LoadsDriver 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08.exe
    "C:\Users\Admin\AppData\Local\Temp\b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4276
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4120
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "cvtres" /tr "C:\Users\Admin\AppData\Roaming\cvtres.exe"
        3⤵
        • Creates scheduled task(s)
        PID:2984
      • C:\Users\Admin\AppData\Local\Temp\npfftz.exe
        "C:\Users\Admin\AppData\Local\Temp\npfftz.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4988
      • C:\Users\Admin\AppData\Local\Temp\btqbax.exe
        "C:\Users\Admin\AppData\Local\Temp\btqbax.exe"
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1924
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
          PID:4372

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\btqbax.exe
      Filesize

      114KB

      MD5

      3f4a16b29f2f0532b7ce3e7656799125

      SHA1

      61b25d11392172e587d8da3045812a66c3385451

      SHA256

      1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591

      SHA512

      32acaceda42128ef9e0a9f36ee2678d2fc296fda2df38629eb223939c8a9352b3bb2b7021bb84e9f223a4a26df57b528a711447b1451213a013fe00f9b971d80

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\npfftz.exe
      Filesize

      84KB

      MD5

      7051dcbe9a0837a312b09a5ae3b42430

      SHA1

      3553ff8725a57929e438228bf141b695c13cecb4

      SHA256

      ce750c7054359e9e88556d48f7eea341374b74f494caed48251185b54c9ed644

      SHA512

      2e82160bff1fbdd6f6a9f0210dfaf831650fdefdf8e3bb70c3c2717122b107ef3610c5c5f55908843df7ba3bd3bbefc40b9d1dda07877083cbd2ab8b090a276c

      Download Submit

    • C:\Users\Admin\AppData\Roaming\cvtres.exe
      Filesize

      45KB

      MD5

      70d838a7dc5b359c3f938a71fad77db0

      SHA1

      66b83eb16481c334719eed406bc58a3c2b910923

      SHA256

      e4dbdbf7888ea96f3f8aa5c4c7f2bcf6e57d724dd8194fe5f35b673c6ef724ea

      SHA512

      9c9a945db5b5e7ff8105bfe74578e6f00b5f707f7c3d8f1f1fb41553a6d0eab29cef026e77877a1ad6435fa7bc369141921442e1485f2b0894c6bbcbd7791034

      Download Submit

    • memory/4120-4894-0x0000000074930000-0x00000000750E1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4120-4939-0x00000000064E0000-0x00000000064FC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/4120-4909-0x00000000050D0000-0x00000000050E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4120-4908-0x0000000074930000-0x00000000750E1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4120-4907-0x0000000006B50000-0x0000000006B5A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4120-4898-0x00000000050D0000-0x00000000050E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4120-4897-0x0000000004FF0000-0x0000000005056000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4120-4896-0x0000000004F50000-0x0000000004FEC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4120-4895-0x0000000000400000-0x0000000000418000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4276-24-0x0000000006D10000-0x0000000006F2F000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4276-64-0x0000000006D10000-0x0000000006F2F000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4276-22-0x0000000006D10000-0x0000000006F2F000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4276-0-0x0000000000ED0000-0x000000000111A000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/4276-26-0x0000000006D10000-0x0000000006F2F000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4276-28-0x0000000006D10000-0x0000000006F2F000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4276-30-0x0000000006D10000-0x0000000006F2F000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4276-32-0x0000000006D10000-0x0000000006F2F000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4276-34-0x0000000006D10000-0x0000000006F2F000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4276-38-0x0000000006D10000-0x0000000006F2F000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4276-36-0x0000000006D10000-0x0000000006F2F000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4276-40-0x0000000006D10000-0x0000000006F2F000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4276-42-0x0000000006D10000-0x0000000006F2F000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4276-44-0x0000000006D10000-0x0000000006F2F000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4276-46-0x0000000006D10000-0x0000000006F2F000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4276-48-0x0000000006D10000-0x0000000006F2F000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4276-50-0x0000000006D10000-0x0000000006F2F000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4276-52-0x0000000006D10000-0x0000000006F2F000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4276-54-0x0000000006D10000-0x0000000006F2F000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4276-56-0x0000000006D10000-0x0000000006F2F000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4276-58-0x0000000006D10000-0x0000000006F2F000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4276-62-0x0000000006D10000-0x0000000006F2F000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4276-60-0x0000000006D10000-0x0000000006F2F000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4276-20-0x0000000006D10000-0x0000000006F2F000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4276-66-0x0000000006D10000-0x0000000006F2F000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4276-68-0x0000000006D10000-0x0000000006F2F000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4276-3334-0x0000000074930000-0x00000000750E1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4276-4886-0x0000000005BD0000-0x0000000005BE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4276-4887-0x0000000006F30000-0x0000000006F31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4276-4888-0x0000000007170000-0x00000000071D2000-memory.dmp

      Filesize

      392KB

      Download

    • memory/4276-4889-0x0000000007310000-0x000000000735C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4276-4890-0x0000000007380000-0x00000000073D4000-memory.dmp

      Filesize

      336KB

      Download

    • memory/4276-4893-0x0000000074930000-0x00000000750E1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4276-18-0x0000000006D10000-0x0000000006F2F000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4276-16-0x0000000006D10000-0x0000000006F2F000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4276-12-0x0000000006D10000-0x0000000006F2F000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4276-14-0x0000000006D10000-0x0000000006F2F000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4276-10-0x0000000006D10000-0x0000000006F2F000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4276-8-0x0000000006D10000-0x0000000006F2F000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4276-6-0x0000000006D10000-0x0000000006F2F000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4276-5-0x0000000006D10000-0x0000000006F2F000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4276-4-0x0000000006FD0000-0x0000000007062000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4276-3-0x00000000074E0000-0x0000000007A86000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4276-1-0x0000000074930000-0x00000000750E1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4276-2-0x0000000006D10000-0x0000000006F36000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4988-4923-0x00007FFB75000000-0x00007FFB75AC2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4988-4922-0x00007FFB75000000-0x00007FFB75AC2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4988-4921-0x0000000000210000-0x000000000022C000-memory.dmp

      Filesize

      112KB

      Download