Overview

overview

10

Static

static

3

trabajo escuela.exe

windows7-x64

10

trabajo escuela.exe

windows10-1703-x64

10

trabajo escuela.exe

windows10-2004-x64

10

trabajo escuela.exe

windows11-21h2-x64

10

Resubmissions

09-04-2024 21:00

240409-ztcbesed8x 10

13-10-2021 12:07

211013-paebkaeah7 9

Analysis

  • max time kernel
    198s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    09-04-2024 21:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    trabajo escuela.exe

  • Size

    614KB

  • MD5

    535994874b99eea69b30569bc7176440

  • SHA1

    e10245fd72b3ff5f219b18fb292fb3b33ae3a3e5

  • SHA256

    79c0f9223e6861b8bf5f6f3ef860bc517e8fcb544efee34bb5f2cc9867af75a7

  • SHA512

    12bb6e3737f545ecbef371e079d6764d8e35ff8f940258b430f16e07d34e214c030f6ce0518461639178209fe2da62941a1de763fc25490c0e02e8e064da596f

  • SSDEEP

    12288:YctEagGmcl4gBF1BRnI6hAVebOe1qOX+t4Z3Fy0RMDbXScaTRM:ZR+cl7X1BRnI6hmebOe1qMuJXifu

Score
10/10
chaosevasionransomwarespywarestealer

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos
  • Chaos Ransomware 3 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Renames multiple (200) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Drops startup file 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 34 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\trabajo escuela.exe
    "C:\Users\Admin\AppData\Local\Temp\trabajo escuela.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:896
    • C:\Users\Admin\AppData\Local\Temp\CRYpt0r V3.0.exe
      "C:\Users\Admin\AppData\Local\Temp\CRYpt0r V3.0.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2288
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Drops desktop.ini file(s)
        • Sets desktop wallpaper using registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2516
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2816
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:2756
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic shadowcopy delete
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2296
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2200
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} bootstatuspolicy ignoreallfailures
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1624
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} recoveryenabled no
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2112
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1876
          • C:\Windows\system32\wbadmin.exe
            wbadmin delete catalog -quiet
            5⤵
            • Deletes backup catalog
            PID:836
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\LEER IMPORTANTE.txt
          4⤵
            PID:1084
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1532
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1032
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:2032
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
          PID:2312

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\CRYpt0r V3.0.exe
          Filesize

          652KB

          MD5

          f04e2d871aac9bca6b4cbb87a7c4b583

          SHA1

          17d06a123d289510e9bbeb9d2ec89da4caa8f9d5

          SHA256

          24761b824fa4baf33ef574f1fff99a72ab5b7e2272aecf365d39b65748b01f6d

          SHA512

          c6624289766aeb87d9a3387130c3afc9c1ddb8f6d1ccc789f14af2d7858303629c1ac75fc89eeceb3069d0e94a0a9242c4ce705f3ec846e8f5be2566f095074a

          Download Submit

        • C:\Users\Admin\Documents\LEER IMPORTANTE.txt
          Filesize

          1KB

          MD5

          c330fe6230777cc10704e18bc35f4b5a

          SHA1

          03003156eefe7b2224afc900d58e15ac62f43fea

          SHA256

          fc668aa6ea357639d9cf3320018dededde311a70b8d12932907dfa0416c4dc14

          SHA512

          bd719db8e6e73f8c7feae0fb1b5b4592c789468f34aa7dfb7ce603e2c2fe3f43542687c533fb542e8f6fbf652ab5d8e818f91049d93343971038f648ddb5bc10

          Download Submit

        • memory/2288-19-0x00000000003B0000-0x000000000045A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2288-20-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2288-27-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2516-26-0x0000000001360000-0x000000000140A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2516-28-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2516-30-0x000000001AE80000-0x000000001AF00000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2516-479-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2516-485-0x000000001AE80000-0x000000001AF00000-memory.dmp

          Filesize

          512KB

          Download