Analysis

  • max time kernel
    129s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-04-2024 14:46

General

  • Target
    378048eb77eec0197bedba1659883e06d43fb6b0c8bf312f9a7ef90d115022b7.exe
  • Size
    876KB
  • MD5
    5668c99abad5da137b901ea5e024638f
  • SHA1
    4718b08ab5f28437c972f030d23bd2a6535224a7
  • SHA256
    378048eb77eec0197bedba1659883e06d43fb6b0c8bf312f9a7ef90d115022b7
  • SHA512
    a700b70e24aaae69c68d0f9e74c5302dd821c62b165a85b383be5db9e281df558895e985ce51a2e1873306292105904d0e59b12daec1d26dcc5976e237ee9fc6
  • SSDEEP
    12288:+nRqNW1UnNLCl3VwiMR9q9E8NB92AyE+5Qyo1oA+1Db5i6N28Hnn9znQ/8MAj9x:NW1BVVEJuOv

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SOLUTION_NOTE.txt

Ransom Note
Oh, what an exquisite predicament has befallen you! We take immense pleasure in informing you, without the slightest pang of regret that your server security has been breached & immortalized by LETHAL LOCK, a majestic entity in the realm of cyber command. Marvel at the masterpiece of encryption we have orchestrated, utilizing algorithms of such complexity and military-grade standards that they render your critical documents as elusive as a mirage in the desert. Your files now dance to the tune of an encryption algorithm so intricate, so enigmatic, that mortals tremble at its sight. Should you dare to defy our demands, be prepared for the consequences — your data will remain locked away forever and we will sell them to a third party on the Dark Web or use them as a trade by barter on the Dark-Web to get higher upgraded tools to dismantle your organization within a twinkle of an eye. Any futile attempts to decipher this cryptographic masterpiece, appeal to law enforcement, or seek assistance from less reputable cybersecurity entities will only hasten the irreversible disappearance of your confidential datas and the swift deletion of the decryption key. Your enduring rule, should you choose to accept it, is to comply with our ransom payment demands within 72 hours (3days). Failure to meet this demand will result in the permanent loss of your decryption key, accompanied by a symphony of data obfuscation maneuvers that thwart even the most valiant attempts at file recovery. To embark on this momentous path of payment and data liberation: 1) Reach out to our esteemed customer support service on Telegram: @lethallock (For those evading payment, we suggest enjoying a hot cup of coffee while witnessing the swift datas/files wipe out orchestrated by the Lethal Lock algorithms). 2) Acquire and transfer 25 bitcoins with express efficiency. 
Remember, our treasuries crave bitcoins, and in return, we will provide you with the coveted decryption key that unlocks the chest of digital wealth. Follow these crucial instructions: 1) Keep your computer powered on and connected to the digital world. 2) Resist all temptations to use data recovery tools without our permission. 3) Execute the bitcoin transfer with surgical precision before the time extinguish your chance for redemption. In your cryptographic triumph, Van Dmitry Vladimir Senior Director of Operations Lethal Lock Tech Company - LLTC

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 5 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (165) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\378048eb77eec0197bedba1659883e06d43fb6b0c8bf312f9a7ef90d115022b7.exe
    "C:\Users\Admin\AppData\Local\Temp\378048eb77eec0197bedba1659883e06d43fb6b0c8bf312f9a7ef90d115022b7.exe"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3036
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2556
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2624
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1004
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2588
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2748
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2756
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2784
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:1464
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\SOLUTION_NOTE.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:1964
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2628
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1232
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:1932
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    PID:1476
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Documents\ExitDisconnect.pdf. LethalLock
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\ExitDisconnect.pdf. LethalLock
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1816
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SOLUTION_NOTE.txt
    1⤵
    PID:980

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Execution
    Command and Scripting Interpreter: T1059 (1)
  • Persistence
    Boot or Logon Autostart Execution: T1547 (1)
    Registry Run Keys / Startup Folder: T1547.001 (1)
  • Privilege Escalation
    Boot or Logon Autostart Execution: T1547 (1)
    Registry Run Keys / Startup Folder: T1547.001 (1)
  • Defense Evasion
    Indicator Removal: T1070 (3)
    File Deletion: T1070.004 (3)
    Modify Registry: T1112 (2)
  • Credential Access
    Unsecured Credentials: T1552 (1)
    Credentials In Files: T1552.001 (1)
  • Discovery
    System Information Discovery: T1082 (1)
    Query Registry: T1012 (1)
  • Collection
    Data from Local System: T1005 (1)
  • Impact
    Inhibit System Recovery: T1490 (4)
    Defacement: T1491 (1)


Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SOLUTION_NOTE.txt
    Filesize: 2KB
    MD5: 422c304e6cccb39e8a876d7eccc3cf1b
    SHA1: 29a656099c4439855679c90ae2e69f5fbdfe9c1d
    SHA256: f6e57820707eb0d307c2dfafba94bf977c33f182e7c3377d9ab3f4662054e92a
    SHA512: 5322504ade08540e89839e4b32091cea7d172b537e121f62291a95560bb6c06fab7e12ee7ed149f29e3c5bbeab7a72c419ea5241cc6aeba027d93e470145331b
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    Filesize: 876KB
    MD5: 5668c99abad5da137b901ea5e024638f
    SHA1: 4718b08ab5f28437c972f030d23bd2a6535224a7
    SHA256: 378048eb77eec0197bedba1659883e06d43fb6b0c8bf312f9a7ef90d115022b7
    SHA512: a700b70e24aaae69c68d0f9e74c5302dd821c62b165a85b383be5db9e281df558895e985ce51a2e1873306292105904d0e59b12daec1d26dcc5976e237ee9fc6
  • C:\Users\Admin\Desktop\GrantFormat.wma
    Filesize: 1B
    MD5: d1457b72c3fb323a2671125aef3eab5d
    SHA1: 5bab61eb53176449e25c2c82f172b82cb13ffb9d
    SHA256: 8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1
    SHA512: ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0
  • C:\Users\Admin\Documents\ExitDisconnect.pdf. LethalLock
    Filesize: 447KB
    MD5: d8d19ad7038b1c0a3aebb378a70d302d
    SHA1: a5a2a05aa8442451f112307046c48ca353ca1512
    SHA256: f5257eb951a85afe323efdb767e5392d70d4d56072fa7163262faa5720d4858c
    SHA512: 5b07f6bcfd9a3543a4b215e3078cac7a881a7abc3a4c33a0a26dfe08010d3daf3c67cf144bee038177a4e1366f61bba5791de0c21e5ae3324a9071ccb7c91c75
  • memory/2084-863-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp
    Filesize: 9.9MB
  • memory/2084-2-0x000000001AD40000-0x000000001ADC0000-memory.dmp
    Filesize: 512KB
  • memory/2084-0-0x0000000001180000-0x0000000001260000-memory.dmp
    Filesize: 896KB
  • memory/2084-1-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp
    Filesize: 9.9MB
  • memory/3036-8-0x0000000000CE0000-0x0000000000DC0000-memory.dmp
    Filesize: 896KB
  • memory/3036-10-0x000000001AC30000-0x000000001ACB0000-memory.dmp
    Filesize: 512KB
  • memory/3036-9-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp
    Filesize: 9.9MB
  • memory/3036-864-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp
    Filesize: 9.9MB
  • memory/3036-865-0x000000001AC30000-0x000000001ACB0000-memory.dmp
    Filesize: 512KB