Malware Analysis Report

2024-08-06 16:04

Sample ID 240419-2n14psad3w
Target C11Setup.exe
SHA256 b522599154e233cec2ae4299d46cd0f2f59133d3ef79d6a630511bf5dd7360a6
Tags
chaos evasion ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b522599154e233cec2ae4299d46cd0f2f59133d3ef79d6a630511bf5dd7360a6

Threat Level: Known bad

The file C11Setup.exe was found to be: Known bad.

Malicious Activity Summary

chaos evasion ransomware spyware stealer

Chaos

Chaos Ransomware

Chaos family

Modifies boot configuration data using bcdedit

Deletes shadow copies

Deletes backup catalog

Executes dropped EXE

Reads user/profile data of web browsers

Drops startup file

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Unsigned PE

Enumerates physical storage devices

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Interacts with shadow copies

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Indicator Removal
T1070
File Deletion
T1070.004
Modify Registry
T1112
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Peripheral Device Discovery
T1120
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Inhibit System Recovery
T1490
Defacement
T1491
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-04-19 22:44

Signatures

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Chaos family

chaos

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 22:44

Reported

2024-04-19 22:45

Platform

win11-20240412-en

Max time kernel

50s

Max time network

52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\C11Setup.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C11Setup.url C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hacked by Team TIB C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-801765966-3955847401-2235691403-1000\desktop.ini C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f2gw0jn7x.jpg" C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "5" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\C11Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C11Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C11Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C11Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C11Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C11Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C11Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C11Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C11Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C11Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C11Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C11Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C11Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C11Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C11Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C11Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C11Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\C11Setup.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\C11Setup.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3652 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\C11Setup.exe C:\Users\Admin\AppData\Roaming\C11Setup.exe
PID 3652 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\C11Setup.exe C:\Users\Admin\AppData\Roaming\C11Setup.exe
PID 3636 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Roaming\C11Setup.exe C:\Windows\System32\cmd.exe
PID 3636 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Roaming\C11Setup.exe C:\Windows\System32\cmd.exe
PID 2100 wrote to memory of 2348 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2100 wrote to memory of 2348 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2100 wrote to memory of 2928 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2100 wrote to memory of 2928 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3636 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Roaming\C11Setup.exe C:\Windows\System32\cmd.exe
PID 3636 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Roaming\C11Setup.exe C:\Windows\System32\cmd.exe
PID 1832 wrote to memory of 2328 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1832 wrote to memory of 2328 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1832 wrote to memory of 2324 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1832 wrote to memory of 2324 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3636 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Roaming\C11Setup.exe C:\Windows\System32\cmd.exe
PID 3636 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Roaming\C11Setup.exe C:\Windows\System32\cmd.exe
PID 1456 wrote to memory of 3220 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1456 wrote to memory of 3220 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\C11Setup.exe

"C:\Users\Admin\AppData\Local\Temp\C11Setup.exe"

C:\Users\Admin\AppData\Roaming\C11Setup.exe

"C:\Users\Admin\AppData\Roaming\C11Setup.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3a1b055 /state1:0x41c64e6d

Network

Country Destination Domain Proto
GB 2.18.66.83:443 tcp
GB 51.132.193.104:443 browser.pipe.aria.microsoft.com tcp
NL 23.62.61.194:443 r.bing.com tcp
NL 23.62.61.194:443 r.bing.com tcp
NL 23.62.61.194:443 r.bing.com tcp
NL 23.62.61.194:443 r.bing.com tcp
NL 23.62.61.194:443 r.bing.com tcp
NL 23.62.61.194:443 r.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp

Files

memory/3652-0-0x0000000000F10000-0x0000000000F62000-memory.dmp

memory/3652-1-0x00007FFDA6590000-0x00007FFDA7052000-memory.dmp

C:\Users\Admin\AppData\Roaming\C11Setup.exe

MD5 d8c4b902a949a1f83d1f83d351a54dab
SHA1 87194675e37df056847ca708fd273366c33b0763
SHA256 b522599154e233cec2ae4299d46cd0f2f59133d3ef79d6a630511bf5dd7360a6
SHA512 825197109538f4a746f2b5d8289d2dba68631c0b112840eaa003116bdb3c3c14e404c1b75e225023a80643e88dfaac2b88694a8a3cc3db049f904eb3fd011f7d

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\C11Setup.exe.log

MD5 4ae344179932dc8e2c6fe2079f9753ef
SHA1 60eacc624412b1f34809780769e3b212f138ea9c
SHA256 3063de3898a9b34e19f8cf0beeec2b8bd6bd05896b52abd73f4703d07b8a7cd4
SHA512 fadfe2b83f1af8fdc50430325f69d6172d2c1e889ca3800b3b83e5535d5970c32e9a176b48563275a0630d56c96d9f88df148fd6b2d281f0fc58129e5f4dba19

memory/3636-16-0x00007FFDA6590000-0x00007FFDA7052000-memory.dmp

memory/3652-15-0x00007FFDA6590000-0x00007FFDA7052000-memory.dmp

C:\Users\Admin\Desktop\Hacked by Team TIB

MD5 4217b8b83ce3c3f70029a056546f8fd0
SHA1 487cdb5733d073a0427418888e8f7070fe782a03
SHA256 7d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121
SHA512 2a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740

memory/3636-70-0x000000001B300000-0x000000001B310000-memory.dmp

memory/3636-71-0x00007FFDA6590000-0x00007FFDA7052000-memory.dmp

memory/3636-72-0x000000001B300000-0x000000001B310000-memory.dmp

memory/3636-73-0x00007FFDA6590000-0x00007FFDA7052000-memory.dmp