Resubmissions
19-04-2024 22:44
240419-2n14psad3w 10Analysis
-
max time kernel
50s -
max time network
52s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system -
submitted
19-04-2024 22:44
Behavioral task
behavioral1
Sample
C11Setup.exe
Resource
win11-20240412-en
windows11-21h2-x64
22 signatures
1800 seconds
Errors
Reason
Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-19T22:45:35Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win11-20240412-en/instance_5-dirty.qcow2\"}"
General
-
Target
C11Setup.exe
-
Size
301KB
-
MD5
d8c4b902a949a1f83d1f83d351a54dab
-
SHA1
87194675e37df056847ca708fd273366c33b0763
-
SHA256
b522599154e233cec2ae4299d46cd0f2f59133d3ef79d6a630511bf5dd7360a6
-
SHA512
825197109538f4a746f2b5d8289d2dba68631c0b112840eaa003116bdb3c3c14e404c1b75e225023a80643e88dfaac2b88694a8a3cc3db049f904eb3fd011f7d
-
SSDEEP
3072:v3kCIQUr9irIKH11poMiMiHuZDL0SYR7c2ytBcL5BdkwvTkmEd:XInr9irIavaPdWwvqd
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\Desktop\Hacked by Team TIB
Family
chaos
Ransom Note
----> Chaos is multi language ransomware. Translate your note to any language <----
All of your files have been encrypted
Your computer was infected with a ransomware virus. Your files have been encrypted and you won't
be able to decrypt them without our help.What can I do to get my files back?You can buy our special
decryption software, this software will allow you to recover all of your data and remove the
ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only.
How do I pay, where do I get Bitcoin?
Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search
yourself to find out how to buy Bitcoin.
Many of our customers have reported these sites to be fast and reliable:
Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com
Payment informationAmount: 0.1473766 BTC
Bitcoin Address: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 2 IoCs
resource yara_rule behavioral1/memory/3652-0-0x0000000000F10000-0x0000000000F62000-memory.dmp family_chaos behavioral1/files/0x000100000002a9fc-6.dat family_chaos -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 2328 bcdedit.exe 2324 bcdedit.exe -
pid Process 3220 wbadmin.exe -
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C11Setup.url C11Setup.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C11Setup.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hacked by Team TIB C11Setup.exe -
Executes dropped EXE 1 IoCs
pid Process 3636 C11Setup.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 34 IoCs
description ioc Process File opened for modification C:\Users\Public\Videos\desktop.ini C11Setup.exe File opened for modification C:\Users\Admin\Music\desktop.ini C11Setup.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C11Setup.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C11Setup.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C11Setup.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C11Setup.exe File opened for modification C:\Users\Public\Documents\desktop.ini C11Setup.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini C11Setup.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini C11Setup.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C11Setup.exe File opened for modification C:\Users\Public\Music\desktop.ini C11Setup.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C11Setup.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini C11Setup.exe File opened for modification C:\Users\Admin\Videos\desktop.ini C11Setup.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C11Setup.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C11Setup.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C11Setup.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-801765966-3955847401-2235691403-1000\desktop.ini C11Setup.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C11Setup.exe File opened for modification C:\Users\Admin\Searches\desktop.ini C11Setup.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini C11Setup.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini C11Setup.exe File opened for modification C:\Users\Public\Pictures\desktop.ini C11Setup.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C11Setup.exe File opened for modification C:\Users\Admin\Links\desktop.ini C11Setup.exe File opened for modification C:\Users\Admin\Documents\desktop.ini C11Setup.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini C11Setup.exe File opened for modification C:\Users\Public\Desktop\desktop.ini C11Setup.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini C11Setup.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C11Setup.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C11Setup.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C11Setup.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C11Setup.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C11Setup.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f2gw0jn7x.jpg" C11Setup.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName vds.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2348 vssadmin.exe -
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "5" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings C11Setup.exe Key created \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings OpenWith.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3636 C11Setup.exe -
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid Process 3652 C11Setup.exe 3652 C11Setup.exe 3652 C11Setup.exe 3652 C11Setup.exe 3652 C11Setup.exe 3652 C11Setup.exe 3652 C11Setup.exe 3652 C11Setup.exe 3652 C11Setup.exe 3652 C11Setup.exe 3652 C11Setup.exe 3652 C11Setup.exe 3652 C11Setup.exe 3652 C11Setup.exe 3652 C11Setup.exe 3652 C11Setup.exe 3652 C11Setup.exe 3636 C11Setup.exe 3636 C11Setup.exe 3636 C11Setup.exe 3636 C11Setup.exe 3636 C11Setup.exe 3636 C11Setup.exe 3636 C11Setup.exe 3636 C11Setup.exe 3636 C11Setup.exe 3636 C11Setup.exe 3636 C11Setup.exe 3636 C11Setup.exe 3636 C11Setup.exe 3636 C11Setup.exe 3636 C11Setup.exe 3636 C11Setup.exe 3636 C11Setup.exe 3636 C11Setup.exe 3636 C11Setup.exe 3636 C11Setup.exe -
Suspicious use of AdjustPrivilegeToken 50 IoCs
description pid Process Token: SeDebugPrivilege 3652 C11Setup.exe Token: SeDebugPrivilege 3636 C11Setup.exe Token: SeBackupPrivilege 4152 vssvc.exe Token: SeRestorePrivilege 4152 vssvc.exe Token: SeAuditPrivilege 4152 vssvc.exe Token: SeIncreaseQuotaPrivilege 2928 WMIC.exe Token: SeSecurityPrivilege 2928 WMIC.exe Token: SeTakeOwnershipPrivilege 2928 WMIC.exe Token: SeLoadDriverPrivilege 2928 WMIC.exe Token: SeSystemProfilePrivilege 2928 WMIC.exe Token: SeSystemtimePrivilege 2928 WMIC.exe Token: SeProfSingleProcessPrivilege 2928 WMIC.exe Token: SeIncBasePriorityPrivilege 2928 WMIC.exe Token: SeCreatePagefilePrivilege 2928 WMIC.exe Token: SeBackupPrivilege 2928 WMIC.exe Token: SeRestorePrivilege 2928 WMIC.exe Token: SeShutdownPrivilege 2928 WMIC.exe Token: SeDebugPrivilege 2928 WMIC.exe Token: SeSystemEnvironmentPrivilege 2928 WMIC.exe Token: SeRemoteShutdownPrivilege 2928 WMIC.exe Token: SeUndockPrivilege 2928 WMIC.exe Token: SeManageVolumePrivilege 2928 WMIC.exe Token: 33 2928 WMIC.exe Token: 34 2928 WMIC.exe Token: 35 2928 WMIC.exe Token: 36 2928 WMIC.exe Token: SeIncreaseQuotaPrivilege 2928 WMIC.exe Token: SeSecurityPrivilege 2928 WMIC.exe Token: SeTakeOwnershipPrivilege 2928 WMIC.exe Token: SeLoadDriverPrivilege 2928 WMIC.exe Token: SeSystemProfilePrivilege 2928 WMIC.exe Token: SeSystemtimePrivilege 2928 WMIC.exe Token: SeProfSingleProcessPrivilege 2928 WMIC.exe Token: SeIncBasePriorityPrivilege 2928 WMIC.exe Token: SeCreatePagefilePrivilege 2928 WMIC.exe Token: SeBackupPrivilege 2928 WMIC.exe Token: SeRestorePrivilege 2928 WMIC.exe Token: SeShutdownPrivilege 2928 WMIC.exe Token: SeDebugPrivilege 2928 WMIC.exe Token: SeSystemEnvironmentPrivilege 2928 WMIC.exe Token: SeRemoteShutdownPrivilege 2928 WMIC.exe Token: SeUndockPrivilege 2928 WMIC.exe Token: SeManageVolumePrivilege 2928 WMIC.exe Token: 33 2928 WMIC.exe Token: 34 2928 WMIC.exe Token: 35 2928 WMIC.exe Token: 36 2928 WMIC.exe Token: SeBackupPrivilege 1796 wbengine.exe Token: SeRestorePrivilege 1796 wbengine.exe Token: SeSecurityPrivilege 1796 wbengine.exe -
Suspicious use of SetWindowsHookEx 13 IoCs
pid Process 5028 OpenWith.exe 5028 OpenWith.exe 5028 OpenWith.exe 5028 OpenWith.exe 5028 OpenWith.exe 5028 OpenWith.exe 5028 OpenWith.exe 5028 OpenWith.exe 5028 OpenWith.exe 5028 OpenWith.exe 5028 OpenWith.exe 2704 MiniSearchHost.exe 4880 LogonUI.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 3652 wrote to memory of 3636 3652 C11Setup.exe 79 PID 3652 wrote to memory of 3636 3652 C11Setup.exe 79 PID 3636 wrote to memory of 2100 3636 C11Setup.exe 81 PID 3636 wrote to memory of 2100 3636 C11Setup.exe 81 PID 2100 wrote to memory of 2348 2100 cmd.exe 83 PID 2100 wrote to memory of 2348 2100 cmd.exe 83 PID 2100 wrote to memory of 2928 2100 cmd.exe 86 PID 2100 wrote to memory of 2928 2100 cmd.exe 86 PID 3636 wrote to memory of 1832 3636 C11Setup.exe 88 PID 3636 wrote to memory of 1832 3636 C11Setup.exe 88 PID 1832 wrote to memory of 2328 1832 cmd.exe 90 PID 1832 wrote to memory of 2328 1832 cmd.exe 90 PID 1832 wrote to memory of 2324 1832 cmd.exe 91 PID 1832 wrote to memory of 2324 1832 cmd.exe 91 PID 3636 wrote to memory of 1456 3636 C11Setup.exe 92 PID 3636 wrote to memory of 1456 3636 C11Setup.exe 92 PID 1456 wrote to memory of 3220 1456 cmd.exe 94 PID 1456 wrote to memory of 3220 1456 cmd.exe 94 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\C11Setup.exe"C:\Users\Admin\AppData\Local\Temp\C11Setup.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3652 -
C:\Users\Admin\AppData\Roaming\C11Setup.exe"C:\Users\Admin\AppData\Roaming\C11Setup.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3636 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:2348
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2928
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no3⤵
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
PID:2328
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
PID:2324
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
PID:3220
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4152
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1796
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:1888
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:3632
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5028
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:2704
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3a1b055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4880
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226B
MD54ae344179932dc8e2c6fe2079f9753ef
SHA160eacc624412b1f34809780769e3b212f138ea9c
SHA2563063de3898a9b34e19f8cf0beeec2b8bd6bd05896b52abd73f4703d07b8a7cd4
SHA512fadfe2b83f1af8fdc50430325f69d6172d2c1e889ca3800b3b83e5535d5970c32e9a176b48563275a0630d56c96d9f88df148fd6b2d281f0fc58129e5f4dba19
-
Filesize
301KB
MD5d8c4b902a949a1f83d1f83d351a54dab
SHA187194675e37df056847ca708fd273366c33b0763
SHA256b522599154e233cec2ae4299d46cd0f2f59133d3ef79d6a630511bf5dd7360a6
SHA512825197109538f4a746f2b5d8289d2dba68631c0b112840eaa003116bdb3c3c14e404c1b75e225023a80643e88dfaac2b88694a8a3cc3db049f904eb3fd011f7d
-
Filesize
964B
MD54217b8b83ce3c3f70029a056546f8fd0
SHA1487cdb5733d073a0427418888e8f7070fe782a03
SHA2567d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121
SHA5122a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740