Analysis
-
max time kernel
567s -
max time network
567s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
10-04-2024 16:30
General
-
Target
freddo.exe
-
Size
14.3MB
-
MD5
54624a787c53efc6b2b2f0adb02303c3
-
SHA1
f9ac2cb0fab7d6024a5e9e078edede8e1bb8848c
-
SHA256
a78d6caa0a4b98ca054410bc97416093e9ed3746215f621d67c1b6da93c58427
-
SHA512
987e73b269889c2668bb626edbef4dfeb589b36361b58f8f983a08bcd2120656fd1b85b33f92fb6ae86878b2c7d60eef945d1c0ca274f7740ce56f5e77882ed6
-
SSDEEP
393216:YHFuDKw9va/tx9L+zn7DJTa1TsUS4uPVJGbahsWPJ2i:YHFuDKw9vUtvQn7DJT0sU7u9c5EJ2i
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\Documents\FREDDO.txt
Family
chaos
Ransom Note
----> Chaos is multi language ransomware. Translate your note to any language <----
All of your files have been encrypted
Your computer was infected with a ransomware virus. Your files have been encrypted and you won't
be able to decrypt them without our help.What can I do to get my files back?You can buy our special
decryption software, this software will allow you to recover all of your data and remove the
ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only.
How do I pay, where do I get Bitcoin?
Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search
yourself to find out how to buy Bitcoin.
Many of our customers have reported these sites to be fast and reliable:
Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com
Payment informationAmount: 0.1473766 BTC
Bitcoin Address: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 5 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 3 IoCs
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 34 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies registry class 64 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 45 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 58 IoCs
-
Suspicious use of FindShellTrayWindow 6 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\freddo.exe"C:\Users\Admin\AppData\Local\Temp\freddo.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4144 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3636 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5380 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5508 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:11⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2f8 0x3c81⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=3940 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5852 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=4144 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=6088 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --mojo-platform-channel-handle=4460 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6408 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --mojo-platform-channel-handle=6460 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --mojo-platform-channel-handle=5488 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --mojo-platform-channel-handle=4788 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --mojo-platform-channel-handle=3932 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=4040 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7072 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:81⤵
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --mojo-platform-channel-handle=7076 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --mojo-platform-channel-handle=4104 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --mojo-platform-channel-handle=6412 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --mojo-platform-channel-handle=6036 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --mojo-platform-channel-handle=6016 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --mojo-platform-channel-handle=7200 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=7336 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --mojo-platform-channel-handle=7368 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7896 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:81⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5352 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Chaos_Ransomware_Builder_v4_Cleaned.rar"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zO8941FEE9\Chaos Ransomware Builder v4 Cleaned.exe"C:\Users\Admin\AppData\Local\Temp\7zO8941FEE9\Chaos Ransomware Builder v4 Cleaned.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zO8944E34A\Chaos Ransomware Builder v4 Cleaned.exe"C:\Users\Admin\AppData\Local\Temp\7zO8944E34A\Chaos Ransomware Builder v4 Cleaned.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zO89480E0A\Chaos Ransomware Builderv4.exe"C:\Users\Admin\AppData\Local\Temp\7zO89480E0A\Chaos Ransomware Builderv4.exe"2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ho222szk\ho222szk.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF6F.tmp" "c:\Users\Admin\3D Objects\CSCAF57768ED315433A81C63071C35848F5.TMP"4⤵
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\17a74af36f984ba4abbd5fc876d82818 /t 5416 /p 54121⤵
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\a7a6111757f64c698762030a4baa1db5 /t 5688 /p 56841⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --mojo-platform-channel-handle=6844 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --mojo-platform-channel-handle=7224 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --mojo-platform-channel-handle=7664 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --mojo-platform-channel-handle=7300 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --mojo-platform-channel-handle=5408 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --mojo-platform-channel-handle=7584 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=7424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7808 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:81⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --mojo-platform-channel-handle=4792 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=8416 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:81⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3908 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:81⤵
-
C:\Users\Admin\3D Objects\freddo.exe"C:\Users\Admin\3D Objects\freddo.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\freddoisalive.exe"C:\Users\Admin\AppData\Roaming\freddoisalive.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\FREDDO.txt3⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\3D Objects\freddo.exeFilesize
90KB
MD5e6f35fd2416c7c1b184bbea56f6a8822
SHA15bcb2e5a4c12284413b371258444b9c67a31c3f8
SHA256a568351bceeb16a4f177e568e559b4707f66549130e7e3b0b8873fa746cf43ff
SHA51203a714c0b060f3aca71c531b95f36a74b7de500cce13c9445c74c3744287edd8b2a6f4d1a0fd4d3b3735323149786723cf18df644e129ca73b0aca4d198e2afb
-
C:\Users\Admin\AppData\Local\Temp\7zO8941FEE9\Chaos Ransomware Builder v4 Cleaned.exeFilesize
345KB
MD530caa962e1ee863f2fcbed2b8e38f207
SHA13ea3d0fdbdf6339756983152df6e3a28d5873a11
SHA256c5004c691b576c3f3899d628176ade9d8c87b7bf6d44d96945b4d1df1254a132
SHA51261ce53a94d0a4695368d33f9e3a1435800b9fd828e7e0c14144a0e45ac3ae7c4b4c04ecf9c5a5b794c2049759dc34df6e23ac39741c98bbd8cf18bda9d1c2a21
-
C:\Users\Admin\AppData\Local\Temp\7zO89480E0A\Chaos Ransomware Builderv4.exeFilesize
548KB
MD59a44537dfcf8ceac515c4aa92f30f4af
SHA19a26c3ff3251f69950ce09e3692ce14b5dd536b1
SHA2563246be7f25f8f4cd9ade8f0a8faf12847df126eecf65d7e8012f35ab45e73a40
SHA51294da6f1aaae6c25e47e31ac246a8703ec8f7b2893a44ae10f7600cc79ba673bca60d7fb41b2ebac8a4b5497ab98a0a195a32d93f4fc140ba7c9cd25811943500
-
C:\Users\Admin\AppData\Local\Temp\RESEF6F.tmpFilesize
1KB
MD593b04e04ff89d3059a90dcabd212e2ab
SHA13ba88c5682bf129cf1fc4a281323f8b7e722c7d3
SHA25694fb210a157a9e8781aca9919b6516c7089b64cd11194a572f2b3e616150ee84
SHA5122feebd8c707e96aa3fe3a2a2d62347ff111254b7feea67f3185a624307eade74e8615d05e89f03dff7bf131da6683717bc16502c98808bac0eba5066241a004a
-
C:\Users\Admin\AppData\Local\Temp\mrt364D.tmp\kcini.mfxFilesize
28KB
MD5e8d589ec9987e568726f882c8792c06b
SHA13ddaab03befb496629f4208ebd0e01c63e69a857
SHA256499d3e1b9720ea6cc10f8b56378bdfce2622008f45243a0fc273446662ca0cfa
SHA51289d658f1380938b78fbb9475ac0a942414360704df6e739a96a26c2ea15268fcb0ad11b28b614bab2fe3aaa3d4c14dc8a79ea2dbe11e9e0a327199c76178d4fd
-
C:\Users\Admin\AppData\Local\Temp\mrt364D.tmp\mmf2d3d9.dllFilesize
1.1MB
MD5ba4baf4220ede3a3bd32123e9c0fd952
SHA1e1186c6746d67e42fc57f72a6ed07e600755305e
SHA256a38d94169881d68a20c5031895492fa2bae58e70332b2f08fca79e62f4359edd
SHA51255827a02e2617bc94b9990ff348d893eda39fdc6251abe506e0ac1f656ac2cd9bdae8197de437b277c434482e8a1c6782f7ab5b8993d1aa0b779d21b6349dece
-
C:\Users\Admin\AppData\Local\Temp\mrt364D.tmp\mmfs2.dllFilesize
460KB
MD54758d460ecbb307ed90d59643046f00b
SHA12bd87c39f97b73b9db6d205bb10ae37eb82f2372
SHA2563293a93c6d8a2ce529538fbdd2a81dc623fc40464efdb5348c8e039788ad1b22
SHA512970a44102539ed3116c125bfcf9075e3acb8f710a338ff8ba881bbebf5111d236b3c27bf325a77d83d295aba8e836439fb6fd54a899e3ef075e1e45b6e2a1fdb
-
C:\Users\Admin\AppData\Local\Temp\mrt364D.tmp\mp3flt.sftFilesize
24KB
MD5f0ebc8596156d8ebf6201a10f9864305
SHA10efd689d027d2d592369c3585cdd9a0b879e6562
SHA256fcca0e08e8a64081d71f3ad7455cb5bea48e73f158f0773e856fa100914fe192
SHA5127752fb5d3d114791c7940088b98c03252d6fb151ad11774a8fd8b4fdf2d289c66b5d54a56feddda2e2e4de125f7f6b75c1197eae276add1774e3290becd8bcf7
-
C:\Users\Admin\AppData\Local\Temp\mrt364D.tmp\oggflt.sftFilesize
130KB
MD53c63ea4611008fbcf86435559e9dffab
SHA1fdc9c6302fcc427530b2dbff63aad1b6d204125a
SHA2569efb0b4cff5bb033cf1e04bdeabc581db7d787399c5238f4fb40a1e820aac6b8
SHA512938c6ebbd0a7248f32bc83d2548791b35764417a74728b8b861d2bd539c182ced6f5168a604679e20c150dc6741fd6868768e7d1ffce224667546d3ea80787d3
-
C:\Users\Admin\AppData\Roaming\sdf.txtFilesize
33KB
MD5ce460a60f31539005b67109403a867dd
SHA1924b3f0eddd4131e577e073a2942131193cb2520
SHA2568fe509807fca1ceeae5c624fd81951aaae0d617a00651f5eb45a55f79394182c
SHA5123003ecc2c3feafda47288aef4fc9d30c19b17395fd98c1f02ada1f46b065b1518ee0d0e06f745e00d60563df102fae752c28c08369d61e2e3118bca2e1827adf
-
C:\Users\Admin\Documents\FREDDO.txtFilesize
964B
MD54217b8b83ce3c3f70029a056546f8fd0
SHA1487cdb5733d073a0427418888e8f7070fe782a03
SHA2567d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121
SHA5122a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740
-
\??\c:\Users\Admin\3D Objects\CSCAF57768ED315433A81C63071C35848F5.TMPFilesize
1KB
MD5b4b8e8a8d97be07e18f495d1ca441898
SHA1115ea79252dedcf36b3ebfca4272400e603780b4
SHA256e33a6dd420e36079a151715da5eebb97389299889a20a7a5133897c33af75d15
SHA512a113fa01d3ea93141714895f84ff42eb58383a818d46c933cc5a806dd91725a46145529ddc578e00457d40cc8bf63cf10c18a17dfee07f0595a733deb611e870
-
\??\c:\Users\Admin\AppData\Local\Temp\ho222szk\ho222szk.0.csFilesize
64KB
MD567f8b1f2ebf501ecd630a3c45caa9ae4
SHA1d75dbe5bd35e1610986f6300cb69fc073bf1676b
SHA2567ca0ffb7be7c98d38b3b4e740ad93165090867df543bb0b344d10d0474180ec1
SHA51214f54966f5c419c0c6f1c47320827487f570f626253647ac9bf602c1aa3a9ab3e2215a6fd5e99bf01b72c49f509c408dcca364fbe6debbfca5d370c04a140f25
-
\??\c:\Users\Admin\AppData\Local\Temp\ho222szk\ho222szk.cmdlineFilesize
335B
MD5902c1634dfa605fad3a5afd726ff6282
SHA1bbf26c9c5a7069441d2f508885af586e8cc76b68
SHA256d1ba3ec60d0f833061d91867df2ae7194be8f8b922b37ea389d8d18ff8fea553
SHA512b685a488849bd9ff7291b7f6ebb0e14a0bc6c241bbb45199f845084db8f0b4783e62b88494fd68aa9b04b98f9272fa1130fae46e75877e3f8609cc6480a160bc
-
memory/4108-101-0x00007FFAE1170000-0x00007FFAE1C31000-memory.dmpFilesize
10.8MB
-
memory/4108-87-0x00007FFAE1170000-0x00007FFAE1C31000-memory.dmpFilesize
10.8MB
-
memory/4108-86-0x00000000002D0000-0x00000000002EC000-memory.dmpFilesize
112KB
-
memory/4896-20-0x0000000002F20000-0x0000000002F44000-memory.dmpFilesize
144KB
-
memory/5952-52-0x0000000000BF0000-0x0000000000C7E000-memory.dmpFilesize
568KB
-
memory/5952-56-0x000000001B990000-0x000000001B9A0000-memory.dmpFilesize
64KB
-
memory/5952-61-0x000000001B990000-0x000000001B9A0000-memory.dmpFilesize
64KB
-
memory/5952-60-0x000000001B990000-0x000000001B9A0000-memory.dmpFilesize
64KB
-
memory/5952-59-0x000000001B990000-0x000000001B9A0000-memory.dmpFilesize
64KB
-
memory/5952-58-0x00007FFAE1170000-0x00007FFAE1C31000-memory.dmpFilesize
10.8MB
-
memory/5952-57-0x000000001B990000-0x000000001B9A0000-memory.dmpFilesize
64KB
-
memory/5952-62-0x000000001B990000-0x000000001B9A0000-memory.dmpFilesize
64KB
-
memory/5952-55-0x000000001B990000-0x000000001B9A0000-memory.dmpFilesize
64KB
-
memory/5952-53-0x00007FFAE1170000-0x00007FFAE1C31000-memory.dmpFilesize
10.8MB
-
memory/5952-54-0x000000001B990000-0x000000001B9A0000-memory.dmpFilesize
64KB
-
memory/6000-104-0x000000001B540000-0x000000001B550000-memory.dmpFilesize
64KB
-
memory/6000-102-0x00007FFAE1170000-0x00007FFAE1C31000-memory.dmpFilesize
10.8MB
-
memory/6000-573-0x00007FFAE1170000-0x00007FFAE1C31000-memory.dmpFilesize
10.8MB