chaos | 378048eb77eec0197bedba1659883e06d43fb6b0c8bf312f9a7ef90d115022b7

Analysis

max time kernel
129s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

378048eb77eec0197bedba1659883e06d43fb6b0c8bf312f9a7ef90d115022b7.exe
Size

876KB
MD5

5668c99abad5da137b901ea5e024638f
SHA1

4718b08ab5f28437c972f030d23bd2a6535224a7
SHA256

378048eb77eec0197bedba1659883e06d43fb6b0c8bf312f9a7ef90d115022b7
SHA512

a700b70e24aaae69c68d0f9e74c5302dd821c62b165a85b383be5db9e281df558895e985ce51a2e1873306292105904d0e59b12daec1d26dcc5976e237ee9fc6
SSDEEP

12288:+nRqNW1UnNLCl3VwiMR9q9E8NB92AyE+5Qyo1oA+1Db5i6N28Hnn9znQ/8MAj9x:NW1BVVEJuOv

Score

10^/10

chaos evasion persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SOLUTION_NOTE.txt

Ransom Note

Oh, what an exquisite predicament has befallen you! We take immense pleasure in informing you, without the slightest pang of regret that your server security has been breached & immortalized by LETHAL LOCK, a majestic entity in the realm of cyber command. Marvel at the masterpiece of encryption we have orchestrated, utilizing algorithms of such complexity and military-grade standards that they render your critical documents as elusive as a mirage in the desert. Your files now dance to the tune of an encryption algorithm so intricate, so enigmatic, that mortals tremble at its sight. Should you dare to defy our demands, be prepared for the consequences — your data will remain locked away forever and we will sell them to a third party on the Dark Web or use them as a trade by barter on the Dark-Web to get higher upgraded tools to dismantle your organization within a twinkle of an eye. Any futile attempts to decipher this cryptographic masterpiece, appeal to law enforcement, or seek assistance from less reputable cybersecurity entities will only hasten the irreversible disappearance of your confidential datas and the swift deletion of the decryption key. Your enduring rule, should you choose to accept it, is to comply with our ransom payment demands within 72 hours (3days). Failure to meet this demand will result in the permanent loss of your decryption key, accompanied by a symphony of data obfuscation maneuvers that thwart even the most valiant attempts at file recovery. To embark on this momentous path of payment and data liberation: 1) Reach out to our esteemed customer support service on Telegram: @lethallock (For those evading payment, we suggest enjoying a hot cup of coffee while witnessing the swift datas/files wipe out orchestrated by the Lethal Lock algorithms). 2) Acquire and transfer 25 bitcoins with express efficiency. Remember, our treasuries crave bitcoins, and in return, we will provide you with the coveted decryption key that unlocks the chest of digital wealth. Follow these crucial instructions: 1) Keep your computer powered on and connected to the digital world. 2) Resist all temptations to use data recovery tools without our permission. 3) Execute the bitcoin transfer with surgical precision before the time extinguish your chance for redemption. In your cryptographic triumph, Van Dmitry Vladimir Senior Director of Operations Lethal Lock Tech Company - LLTC

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 5 IoCs

resource	yara_rule
behavioral1/memory/2084-0-0x0000000001180000-0x0000000001260000-memory.dmp	family_chaos
behavioral1/files/0x000b00000001267a-6.dat	family_chaos
behavioral1/memory/3036-8-0x0000000000CE0000-0x0000000000DC0000-memory.dmp	family_chaos
behavioral1/memory/3036-10-0x000000001AC30000-0x000000001ACB0000-memory.dmp	family_chaos
behavioral1/memory/3036-865-0x000000001AC30000-0x000000001ACB0000-memory.dmp	family_chaos

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2748	bcdedit.exe
2756	bcdedit.exe

Renames multiple (165) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1464	wbadmin.exe

Disables Task Manager via registry modification
evasion

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SOLUTION_NOTE.txt	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
3036	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateTask = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\J3XTYXPF\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3J2LRC5A\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\108YEMNS\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\F9UL0C6O\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JYWEBS5E\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\PY5FLSJ8\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CYTS71XD\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\705ji0ni6.jpg"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2624	vssadmin.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings	rundll32.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
1964	NOTEPAD.EXE
1816	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2084	378048eb77eec0197bedba1659883e06d43fb6b0c8bf312f9a7ef90d115022b7.exe
3036	svchost.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2084	378048eb77eec0197bedba1659883e06d43fb6b0c8bf312f9a7ef90d115022b7.exe
2084	378048eb77eec0197bedba1659883e06d43fb6b0c8bf312f9a7ef90d115022b7.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	378048eb77eec0197bedba1659883e06d43fb6b0c8bf312f9a7ef90d115022b7.exe
Token: SeDebugPrivilege	3036	svchost.exe
Token: SeBackupPrivilege	2628	vssvc.exe
Token: SeRestorePrivilege	2628	vssvc.exe
Token: SeAuditPrivilege	2628	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1004	WMIC.exe
Token: SeSecurityPrivilege	1004	WMIC.exe
Token: SeTakeOwnershipPrivilege	1004	WMIC.exe
Token: SeLoadDriverPrivilege	1004	WMIC.exe
Token: SeSystemProfilePrivilege	1004	WMIC.exe
Token: SeSystemtimePrivilege	1004	WMIC.exe
Token: SeProfSingleProcessPrivilege	1004	WMIC.exe
Token: SeIncBasePriorityPrivilege	1004	WMIC.exe
Token: SeCreatePagefilePrivilege	1004	WMIC.exe
Token: SeBackupPrivilege	1004	WMIC.exe
Token: SeRestorePrivilege	1004	WMIC.exe
Token: SeShutdownPrivilege	1004	WMIC.exe
Token: SeDebugPrivilege	1004	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1004	WMIC.exe
Token: SeRemoteShutdownPrivilege	1004	WMIC.exe
Token: SeUndockPrivilege	1004	WMIC.exe
Token: SeManageVolumePrivilege	1004	WMIC.exe
Token: 33	1004	WMIC.exe
Token: 34	1004	WMIC.exe
Token: 35	1004	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1004	WMIC.exe
Token: SeSecurityPrivilege	1004	WMIC.exe
Token: SeTakeOwnershipPrivilege	1004	WMIC.exe
Token: SeLoadDriverPrivilege	1004	WMIC.exe
Token: SeSystemProfilePrivilege	1004	WMIC.exe
Token: SeSystemtimePrivilege	1004	WMIC.exe
Token: SeProfSingleProcessPrivilege	1004	WMIC.exe
Token: SeIncBasePriorityPrivilege	1004	WMIC.exe
Token: SeCreatePagefilePrivilege	1004	WMIC.exe
Token: SeBackupPrivilege	1004	WMIC.exe
Token: SeRestorePrivilege	1004	WMIC.exe
Token: SeShutdownPrivilege	1004	WMIC.exe
Token: SeDebugPrivilege	1004	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1004	WMIC.exe
Token: SeRemoteShutdownPrivilege	1004	WMIC.exe
Token: SeUndockPrivilege	1004	WMIC.exe
Token: SeManageVolumePrivilege	1004	WMIC.exe
Token: 33	1004	WMIC.exe
Token: 34	1004	WMIC.exe
Token: 35	1004	WMIC.exe
Token: SeBackupPrivilege	1232	wbengine.exe
Token: SeRestorePrivilege	1232	wbengine.exe
Token: SeSecurityPrivilege	1232	wbengine.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 3036	2084	378048eb77eec0197bedba1659883e06d43fb6b0c8bf312f9a7ef90d115022b7.exe	28
PID 2084 wrote to memory of 3036	2084	378048eb77eec0197bedba1659883e06d43fb6b0c8bf312f9a7ef90d115022b7.exe	28
PID 2084 wrote to memory of 3036	2084	378048eb77eec0197bedba1659883e06d43fb6b0c8bf312f9a7ef90d115022b7.exe	28
PID 3036 wrote to memory of 2556	3036	svchost.exe	29
PID 3036 wrote to memory of 2556	3036	svchost.exe	29
PID 3036 wrote to memory of 2556	3036	svchost.exe	29
PID 2556 wrote to memory of 2624	2556	cmd.exe	31
PID 2556 wrote to memory of 2624	2556	cmd.exe	31
PID 2556 wrote to memory of 2624	2556	cmd.exe	31
PID 2556 wrote to memory of 1004	2556	cmd.exe	34
PID 2556 wrote to memory of 1004	2556	cmd.exe	34
PID 2556 wrote to memory of 1004	2556	cmd.exe	34
PID 3036 wrote to memory of 2588	3036	svchost.exe	36
PID 3036 wrote to memory of 2588	3036	svchost.exe	36
PID 3036 wrote to memory of 2588	3036	svchost.exe	36
PID 2588 wrote to memory of 2748	2588	cmd.exe	38
PID 2588 wrote to memory of 2748	2588	cmd.exe	38
PID 2588 wrote to memory of 2748	2588	cmd.exe	38
PID 2588 wrote to memory of 2756	2588	cmd.exe	39
PID 2588 wrote to memory of 2756	2588	cmd.exe	39
PID 2588 wrote to memory of 2756	2588	cmd.exe	39
PID 3036 wrote to memory of 2784	3036	svchost.exe	40
PID 3036 wrote to memory of 2784	3036	svchost.exe	40
PID 3036 wrote to memory of 2784	3036	svchost.exe	40
PID 2784 wrote to memory of 1464	2784	cmd.exe	42
PID 2784 wrote to memory of 1464	2784	cmd.exe	42
PID 2784 wrote to memory of 1464	2784	cmd.exe	42
PID 3036 wrote to memory of 1964	3036	svchost.exe	48
PID 3036 wrote to memory of 1964	3036	svchost.exe	48
PID 3036 wrote to memory of 1964	3036	svchost.exe	48
PID 2000 wrote to memory of 1816	2000	rundll32.exe	52
PID 2000 wrote to memory of 1816	2000	rundll32.exe	52
PID 2000 wrote to memory of 1816	2000	rundll32.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\378048eb77eec0197bedba1659883e06d43fb6b0c8bf312f9a7ef90d115022b7.exe
"C:\Users\Admin\AppData\Local\Temp\378048eb77eec0197bedba1659883e06d43fb6b0c8bf312f9a7ef90d115022b7.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2624
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1004
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2748
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2756
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:1464
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\SOLUTION_NOTE.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1964

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1232

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1932

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1476

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Documents\ExitDisconnect.pdf. LethalLock
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\ExitDisconnect.pdf. LethalLock
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1816

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SOLUTION_NOTE.txt
1⤵
PID:980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SOLUTION_NOTE.txt

Filesize
2KB

MD5
422c304e6cccb39e8a876d7eccc3cf1b

SHA1
29a656099c4439855679c90ae2e69f5fbdfe9c1d

SHA256
f6e57820707eb0d307c2dfafba94bf977c33f182e7c3377d9ab3f4662054e92a

SHA512
5322504ade08540e89839e4b32091cea7d172b537e121f62291a95560bb6c06fab7e12ee7ed149f29e3c5bbeab7a72c419ea5241cc6aeba027d93e470145331b

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
876KB

MD5
5668c99abad5da137b901ea5e024638f

SHA1
4718b08ab5f28437c972f030d23bd2a6535224a7

SHA256
378048eb77eec0197bedba1659883e06d43fb6b0c8bf312f9a7ef90d115022b7

SHA512
a700b70e24aaae69c68d0f9e74c5302dd821c62b165a85b383be5db9e281df558895e985ce51a2e1873306292105904d0e59b12daec1d26dcc5976e237ee9fc6

Download Submit
C:\Users\Admin\Desktop\GrantFormat.wma

Filesize
1B

MD5
d1457b72c3fb323a2671125aef3eab5d

SHA1
5bab61eb53176449e25c2c82f172b82cb13ffb9d

SHA256
8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

SHA512
ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

Download Submit
C:\Users\Admin\Documents\ExitDisconnect.pdf. LethalLock

Filesize
447KB

MD5
d8d19ad7038b1c0a3aebb378a70d302d

SHA1
a5a2a05aa8442451f112307046c48ca353ca1512

SHA256
f5257eb951a85afe323efdb767e5392d70d4d56072fa7163262faa5720d4858c

SHA512
5b07f6bcfd9a3543a4b215e3078cac7a881a7abc3a4c33a0a26dfe08010d3daf3c67cf144bee038177a4e1366f61bba5791de0c21e5ae3324a9071ccb7c91c75

Download Submit
memory/2084-863-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/2084-2-0x000000001AD40000-0x000000001ADC0000-memory.dmp

Filesize
512KB

Download
memory/2084-0-0x0000000001180000-0x0000000001260000-memory.dmp

Filesize
896KB

Download
memory/2084-1-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/3036-8-0x0000000000CE0000-0x0000000000DC0000-memory.dmp

Filesize
896KB

Download
memory/3036-10-0x000000001AC30000-0x000000001ACB0000-memory.dmp

Filesize
512KB

Download
memory/3036-9-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/3036-864-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/3036-865-0x000000001AC30000-0x000000001ACB0000-memory.dmp

Filesize
512KB

Download