Overview

overview

10

Static

static

10

cracker.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    72s
  • max time network
    73s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-04-2024 15:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cracker.exe

  • Size

    23KB

  • MD5

    ee711be5ac7e4d382c21cb6cb3f9631b

  • SHA1

    df2ad2e13d1160a900e730eeec7adc6503891088

  • SHA256

    96954af5f3a422d26951296adeb8d9a2cae1ada61f63ee1a2c884a4ef938cf87

  • SHA512

    bbd714ecbe31a75dd6d661cbcc7926e5cf2b7e0858f3931dc8ddd42d7254849e1b9a942f9ccc1140bd9f376a0149f4d79f1ef2e21b5aa45173c6f87e53fc12e2

  • SSDEEP

    384:H3MLWHn3kI3fmIOyERMpOsbW+ATLJIr91Crxbo9deU:zn3kIYy6Mpzi9Ir9SxboveU

Score
10/10
chaosevasionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\read_it.txt

Family

chaos

Ransom Note
----> Chaos is multi language ransomware. Translate your note to any language <---- All of your files have been encrypted Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.What can I do to get my files back?You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0.1473766 BTC Bitcoin Address: 3Gq3M3xz5dstUaCn7iLLxLRTBMs3BLKwPn And If you try to ignore or just wipe your PC, I have all your passwords so you are fucked.
Wallets

3Gq3M3xz5dstUaCn7iLLxLRTBMs3BLKwPn

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos
  • Chaos Ransomware 2 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 34 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 54 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\cracker.exe
    "C:\Users\Admin\AppData\Local\Temp\cracker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4628
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3952
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2960
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:4288
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1128
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2612
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2392
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:3316
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5036
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:4212
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:1960
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3928
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2268
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:4160
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:2076
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:1568
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        1⤵
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:1896
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffef838ab58,0x7ffef838ab68,0x7ffef838ab78
          2⤵
            PID:1992
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1992,i,16735311449591188012,5512348073132699958,131072 /prefetch:2
            2⤵
              PID:4380
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2008 --field-trial-handle=1992,i,16735311449591188012,5512348073132699958,131072 /prefetch:8
              2⤵
                PID:1424
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2264 --field-trial-handle=1992,i,16735311449591188012,5512348073132699958,131072 /prefetch:8
                2⤵
                  PID:1624
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2964 --field-trial-handle=1992,i,16735311449591188012,5512348073132699958,131072 /prefetch:1
                  2⤵
                    PID:4952
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2972 --field-trial-handle=1992,i,16735311449591188012,5512348073132699958,131072 /prefetch:1
                    2⤵
                      PID:1980
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4320 --field-trial-handle=1992,i,16735311449591188012,5512348073132699958,131072 /prefetch:1
                      2⤵
                        PID:3600
                    • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
                      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
                      1⤵
                        PID:872

                      Network

                      MITRE ATT&CK Matrix ATT&CK v13

                      Initial Access

                      Execution

                      Command and Scripting Interpreter

                      1
                      T1059

                      Persistence

                      Privilege Escalation

                      Defense Evasion

                      Indicator Removal

                      3
                      T1070

                      File Deletion

                      3
                      T1070.004

                      Credential Access

                      Unsecured Credentials

                      1
                      T1552

                      Credentials In Files

                      1
                      T1552.001

                      Discovery

                      Query Registry

                      4
                      T1012

                      System Information Discovery

                      4
                      T1082

                      Peripheral Device Discovery

                      1
                      T1120

                      Lateral Movement

                      Collection

                      Data from Local System

                      1
                      T1005

                      Exfiltration

                      Command and Control

                      Impact

                      Inhibit System Recovery

                      4
                      T1490

                      Resource Development

                      Reconnaissance

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                        Filesize

                        1KB

                        MD5

                        6db5c64852810fc2cead96f5cebbd11e

                        SHA1

                        00353704980b5990c38683d444a53cda0c0a76af

                        SHA256

                        0e0d6fdb38f4f22a3b54566e54f50e5804b2cd639ac24b6ef741567c499a4529

                        SHA512

                        9560b157d13b9cdb7015107e8f1efa2f138dbfad8855bdc85765813499ebdfd5ac5a6c1fdc708d2aafa6ced2419a93409c3ebf9c42587b69f231410d73a11950

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                        Filesize

                        2B

                        MD5

                        d751713988987e9331980363e24189ce

                        SHA1

                        97d170e1550eee4afc0af065b78cda302a97674c

                        SHA256

                        4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                        SHA512

                        b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\bd4a5827-bf8f-48c9-8f51-a24b25b2667c.tmp
                        Filesize

                        6KB

                        MD5

                        0f8c2cd1b9f1261972cc0cc1e28e7c4e

                        SHA1

                        a1d65205892ab7f0dcb93919800414e379d46afa

                        SHA256

                        9515adf64974061167e0197e80ba6b26aff109efaa3ee40c5c957d3d7510a61c

                        SHA512

                        f8c33ac1960cba4b922c15976bc111c4a52ce97595dc74f8559a4158a1a3bbd3971c39abd65d6c17e735429fc8cbc526f19b91c0d8e09e29a70bd172d960ca1b

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                        Filesize

                        127KB

                        MD5

                        0c0119258de2d5500962eede69fd63e1

                        SHA1

                        9fae84367ff4ecfd475b76396e353c5053df1f2c

                        SHA256

                        1b41bf0ab4cb59a1d33bfb5f24457818430411f2208ecc345316d8aa1acc4d64

                        SHA512

                        d57164d906204f6bab789ff378bbafb90bb2de3268c83dbc9a452c4bea326194456dd454e7647f070460b70acb1296249eaed6ef308942c3d7afa8085fd490b0

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
                        Filesize

                        264KB

                        MD5

                        f50f89a0a91564d0b8a211f8921aa7de

                        SHA1

                        112403a17dd69d5b9018b8cede023cb3b54eab7d

                        SHA256

                        b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                        SHA512

                        bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\svchost.exe
                        Filesize

                        23KB

                        MD5

                        ee711be5ac7e4d382c21cb6cb3f9631b

                        SHA1

                        df2ad2e13d1160a900e730eeec7adc6503891088

                        SHA256

                        96954af5f3a422d26951296adeb8d9a2cae1ada61f63ee1a2c884a4ef938cf87

                        SHA512

                        bbd714ecbe31a75dd6d661cbcc7926e5cf2b7e0858f3931dc8ddd42d7254849e1b9a942f9ccc1140bd9f376a0149f4d79f1ef2e21b5aa45173c6f87e53fc12e2

                        Download Submit
                      • C:\Users\Admin\Desktop\read_it.txt
                        Filesize

                        1KB

                        MD5

                        b1a5c367bb7f0c30db6a506a3e3a2db8

                        SHA1

                        54b0d78890b96de58b22b718e04acd416bfb2f6d

                        SHA256

                        78e0b22120fa86f094a470a6b9f0ee786aa8dd3f683f172dc2a80a7194e41ba0

                        SHA512

                        b910fc7b20cf9c3b85548b1e212c4c0053014d6f4524787488052ec28dbebdc857d94b2fe3ca38efbfeab1bca73a9e6a345fc3578224410c757293e44b4d96a7

                        Download Submit
                      • \??\pipe\crashpad_1896_OEKLHXDXUDMPEXQM
                        MD5

                        d41d8cd98f00b204e9800998ecf8427e

                        SHA1

                        da39a3ee5e6b4b0d3255bfef95601890afd80709

                        SHA256

                        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                        SHA512

                        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                        Download Submit
                      • memory/3952-69-0x00007FFEFB0F0000-0x00007FFEFBBB1000-memory.dmp
                        Filesize

                        10.8MB

                        Download
                      • memory/3952-15-0x00007FFEFB0F0000-0x00007FFEFBBB1000-memory.dmp
                        Filesize

                        10.8MB

                        Download
                      • memory/4628-0-0x00000000004B0000-0x00000000004BC000-memory.dmp
                        Filesize

                        48KB

                        Download
                      • memory/4628-14-0x00007FFEFB0F0000-0x00007FFEFBBB1000-memory.dmp
                        Filesize

                        10.8MB

                        Download
                      • memory/4628-1-0x00007FFEFB0F0000-0x00007FFEFBBB1000-memory.dmp
                        Filesize

                        10.8MB

                        Download