Analysis
-
max time kernel
316s -
max time network
316s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system -
submitted
30-05-2024 09:29
Behavioral task
behavioral1
Sample
Chaos Ransomware Builder v4.exe
Resource
win7-20240508-en
General
-
Target
Chaos Ransomware Builder v4.exe
-
Size
550KB
-
MD5
8b855e56e41a6e10d28522a20c1e0341
-
SHA1
17ea75272cfe3749c6727388fd444d2c970f9d01
-
SHA256
f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77
-
SHA512
eefab442b9c1be379e00c6a7de9d6d7d327ad8fd52d62a5744e104f6caa44f7147a8e74f340870f9c017980a3d8a5a86a05f76434539c01270c442a66b2af908
-
SSDEEP
3072:9UJAYdi2YcRVm16Pn6tpzqJG/sX9i2YcRPm16Pn6ckCjSH5EyR9aKZt18rTu+i2S:9aiWm162qJEsNiym16ryAiym168
Malware Config
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 6 IoCs
resource  yara_rule
behavioral1/memory/2400-1-0x0000000000100000-0x000000000018E000-memory.dmp  family_chaos
behavioral1/files/0x0009000000015d83-19.dat  family_chaos
behavioral1/files/0x0006000000016cc1-29.dat  family_chaos
behavioral1/memory/1072-31-0x0000000001320000-0x000000000132C000-memory.dmp  family_chaos
behavioral1/memory/2396-40-0x00000000011C0000-0x00000000011CC000-memory.dmp  family_chaos
behavioral1/memory/1000-499-0x00000000013E0000-0x00000000013EC000-memory.dmp  family_chaos
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid   Process
2784  bcdedit.exe
1908  bcdedit.exe
-
pid   Process
1884  wbadmin.exe
-
Drops startup file 3 IoCs
description                   ioc                                                                                             Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.url        winlogon.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini         winlogon.exe
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Important file.txt  winlogon.exe
-
Executes dropped EXE 5 IoCs
pid   Process
1072  goodli.exe
1360  goodli.exe
2396  winlogon.exe
1000  surprise.exe
212   winlogon.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 34 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 32 IoCs
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid   Process
2080  vssadmin.exe
-
Modifies data under HKEY_USERS 9 IoCs
description       ioc                                                                                                              Process
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1"                  winlogon.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033"             winlogon.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor"           winlogon.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize"             winlogon.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000      winlogon.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager                                    winlogon.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1"                   winlogon.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96"                winlogon.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles"  winlogon.exe
-
Modifies registry class 52 IoCs
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid   Process
2396  winlogon.exe
1208  vlc.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid   Process
2400  Chaos Ransomware Builder v4.exe
1716  taskmgr.exe
1208  vlc.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of SetWindowsHookEx 3 IoCs
pid   Process
2400  Chaos Ransomware Builder v4.exe
2400  Chaos Ransomware Builder v4.exe
1208  vlc.exe
-
Suspicious use of WriteProcessMemory 53 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Path: C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe"
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2400
    Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5bjk0t50\5bjk0t50.cmdline"
    - Suspicious use of WriteProcessMemory
    PID: 1708
        Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA795.tmp" "c:\Users\Admin\Documents\CSC3F2D0D0E5A874AF983BAA04258BC7A1.TMP"
        PID: 1748
-
Path: C:\Windows\explorer.exe
Command line: "C:\Windows\explorer.exe"
PID: 2796
-
Path: C:\Windows\system32\AUDIODG.EXE
Command line: C:\Windows\system32\AUDIODG.EXE 0x560
- Suspicious use of AdjustPrivilegeToken
PID: 2176
-
Path: C:\Users\Admin\Desktop\goodli.exe
Command line: "C:\Users\Admin\Desktop\goodli.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1072
    Path: C:\Users\Admin\AppData\Roaming\winlogon.exe
    Command line: "C:\Users\Admin\AppData\Roaming\winlogon.exe"
    - Drops startup file
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2396
        Path: C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        - Suspicious use of WriteProcessMemory
        PID: 2340
            Path: C:\Windows\system32\vssadmin.exe
            Command line: vssadmin delete shadows /all /quiet
            - Interacts with shadow copies
            PID: 2080
            Path: C:\Windows\System32\Wbem\WMIC.exe
            Command line: wmic shadowcopy delete
            - Suspicious use of AdjustPrivilegeToken
            PID: 1604
        Path: C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        - Suspicious use of WriteProcessMemory
        PID: 2764
            Path: C:\Windows\system32\bcdedit.exe
            Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
            - Modifies boot configuration data using bcdedit
            PID: 2784
            Path: C:\Windows\system32\bcdedit.exe
            Command line: bcdedit /set {default} recoveryenabled no
            - Modifies boot configuration data using bcdedit
            PID: 1908
        Path: C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        - Suspicious use of WriteProcessMemory
        PID: 1736
            Path: C:\Windows\system32\wbadmin.exe
            Command line: wbadmin delete catalog -quiet
            - Deletes backup catalog
            PID: 1884
        Path: C:\Windows\system32\NOTEPAD.EXE
        Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Important file.txt
        PID: 864
-
Path: C:\Users\Admin\Desktop\goodli.exe
Command line: "C:\Users\Admin\Desktop\goodli.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1360
-
Path: C:\Windows\system32\taskmgr.exe
Command line: "C:\Windows\system32\taskmgr.exe" /4
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 1716
-
Path: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID: 2952
-
Path: C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Suspicious use of AdjustPrivilegeToken
PID: 2172
-
Path: C:\Windows\System32\vdsldr.exe
Command line: C:\Windows\System32\vdsldr.exe -Embedding
PID: 756
-
Path: C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
PID: 1440
-
Path: C:\Program Files\VideoLAN\VLC\vlc.exe
Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\EditRequest.MOD"
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID: 1208
-
Path: C:\Windows\system32\rundll32.exe
Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\EnableRedo.rar.d76s
- Modifies registry class
PID: 2128
-
Path: F:\surprise.exe
Command line: "F:\surprise.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1000
    Path: C:\Users\Admin\AppData\Roaming\winlogon.exe
    Command line: "C:\Users\Admin\AppData\Roaming\winlogon.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 212
-
Path: C:\Windows\system32\LogonUI.exe
Command line: "LogonUI.exe" /flags:0x0
PID: 1908
-
Path: C:\Windows\system32\csrss.exe
Command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID: 1876
-
Path: C:\Windows\system32\winlogon.exe
Command line: winlogon.exe
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1740
    Path: C:\Windows\system32\LogonUI.exe
    Command line: "LogonUI.exe" /flags:0x0
    - Suspicious use of AdjustPrivilegeToken
    PID: 2348
-
Network
MITRE ATT&CK Enterprise v15
Downloads