Overview

overview

10

Static

static

7

Encrypter.vmp.exe

windows7-x64

10

Encrypter.vmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    1s
  • max time network
    28s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-07-2024 08:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Encrypter.vmp.exe

  • Size

    5.5MB

  • MD5

    1e613de3965c7dbe1d5631ccde8faa7e

  • SHA1

    52ec6d728ffa8dd8b6e9164f5cc2503b73fcd290

  • SHA256

    5944b89d1e35e40c32c255f5c32d63432f535be4b3389834f2ecc21e9d9f36d5

  • SHA512

    059cce84953c9669520fca04228b4a83da707545693c7383ad03a9e4bf2bfed8f46c29c45ab8cbade69cda7adcecba1d157453356a76ef340c0bb706556c498a

  • SSDEEP

    98304:+/MTZVvwqToyi8HJLubfv+bpaaGBJZ+dLwgfSrzCRNUVhApSHe03:RTfZTnpqv+taHYwy6WRCLeo

Score
10/10
chaosransomwarevmprotect

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\read_it.txt

Ransom Note
----> You got ransom by FemboyCat <---- All of your files have been encrypted Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.What can I do to get my files back?You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0.1473766 BTC Bitcoin Address: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos
  • Chaos Ransomware 2 IoCs
  • VMProtect packed file 6 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Encrypter.vmp.exe
    "C:\Users\Admin\AppData\Local\Temp\Encrypter.vmp.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:2696
    • C:\Users\Admin\AppData\Local\Temp\._cache_Encrypter.vmp.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Encrypter.vmp.exe"
      2⤵
        PID:1976
        • C:\Users\Admin\AppData\Roaming\svchost.exe
          "C:\Users\Admin\AppData\Roaming\svchost.exe"
          3⤵
            PID:5024
            • C:\Windows\system32\NOTEPAD.EXE
              "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
              4⤵
              • Opens file in notepad (likely ransom note)
              PID:2116
        • C:\ProgramData\Synaptics\Synaptics.exe
          "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
          2⤵
            PID:4296
            • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
              "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
              3⤵
                PID:1536
                • C:\Users\Admin\AppData\Roaming\svchost.exe
                  "C:\Users\Admin\AppData\Roaming\svchost.exe"
                  4⤵
                    PID:3332
            • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
              "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
              1⤵
                PID:784
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3760,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:8
                1⤵
                  PID:3188

                Network

                MITRE ATT&CK Matrix

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\ProgramData\Synaptics\Synaptics.exe
                  Filesize

                  5.5MB

                  MD5

                  1e613de3965c7dbe1d5631ccde8faa7e

                  SHA1

                  52ec6d728ffa8dd8b6e9164f5cc2503b73fcd290

                  SHA256

                  5944b89d1e35e40c32c255f5c32d63432f535be4b3389834f2ecc21e9d9f36d5

                  SHA512

                  059cce84953c9669520fca04228b4a83da707545693c7383ad03a9e4bf2bfed8f46c29c45ab8cbade69cda7adcecba1d157453356a76ef340c0bb706556c498a

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\._cache_Encrypter.vmp.exe
                  Filesize

                  22KB

                  MD5

                  6ac60b3f3fc089844b316b8edcb6cbdb

                  SHA1

                  b4fc7bfd470f3dc67a3b3a9ddcf2dbd26dcaf2b3

                  SHA256

                  657c0d869ee0e44742e138b18533577b7c9bca8d40ffe5b658d80459e4f8f4d9

                  SHA512

                  af218350125ea6ab9da68bb2edc7dfbdb023f0fc7ff2c446059d739fccc3891ad1974882275cedd2bf42fbbf2fd9ea50fa2d149a4c5cfbd9a23fa37e29071ecf

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\kcXE1myO.xlsm
                  Filesize

                  17KB

                  MD5

                  e566fc53051035e1e6fd0ed1823de0f9

                  SHA1

                  00bc96c48b98676ecd67e81a6f1d7754e4156044

                  SHA256

                  8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

                  SHA512

                  a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

                  Download Submit

                • C:\Users\Admin\Desktop\read_it.txt
                  Filesize

                  920B

                  MD5

                  96e58c047ee337ee491fbc24f95405a0

                  SHA1

                  00caeea02ff70f1e523a9d618ee22cac3b9cc30b

                  SHA256

                  e631d7ac377fb25957aef0cf348a9531682e88fb2c438b9e7ae828182d370419

                  SHA512

                  4d902a9c9a7b1b19d5e0d064da928d38c22d221405da9beb370fdef9cba252f8410a96a6d7c4e622cdccb4da1b06a92db8f09d300e7e7dc198068d9e72acb381

                  Download Submit

                • memory/784-215-0x00007FFC86C70000-0x00007FFC86C80000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/784-214-0x00007FFC86C70000-0x00007FFC86C80000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/784-216-0x00007FFC84310000-0x00007FFC84320000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/784-211-0x00007FFC86C70000-0x00007FFC86C80000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/784-212-0x00007FFC86C70000-0x00007FFC86C80000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/784-213-0x00007FFC86C70000-0x00007FFC86C80000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/784-217-0x00007FFC84310000-0x00007FFC84320000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/1976-79-0x00000000004B0000-0x00000000004BC000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/1976-80-0x00007FFCA7FB3000-0x00007FFCA7FB5000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2696-9-0x0000000002B50000-0x0000000002B51000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2696-7-0x0000000002B30000-0x0000000002B31000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2696-12-0x0000000000400000-0x0000000000D63000-memory.dmp

                  Filesize

                  9.4MB

                  Download

                • memory/2696-140-0x0000000000400000-0x0000000000D63000-memory.dmp

                  Filesize

                  9.4MB

                  Download

                • memory/2696-139-0x00000000004A5000-0x00000000007E9000-memory.dmp

                  Filesize

                  3.3MB

                  Download

                • memory/2696-1-0x0000000000400000-0x0000000000D63000-memory.dmp

                  Filesize

                  9.4MB

                  Download

                • memory/2696-13-0x0000000000400000-0x0000000000D63000-memory.dmp

                  Filesize

                  9.4MB

                  Download

                • memory/2696-0-0x00000000004A5000-0x00000000007E9000-memory.dmp

                  Filesize

                  3.3MB

                  Download

                • memory/2696-6-0x0000000002B20000-0x0000000002B21000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2696-5-0x0000000002B10000-0x0000000002B11000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2696-4-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2696-3-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2696-2-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2696-8-0x0000000002B40000-0x0000000002B41000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4296-145-0x0000000001030000-0x0000000001031000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4296-141-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4296-142-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4296-144-0x0000000001020000-0x0000000001021000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4296-146-0x0000000001040000-0x0000000001041000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4296-147-0x0000000001050000-0x0000000001051000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4296-148-0x0000000001060000-0x0000000001061000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4296-149-0x0000000000400000-0x0000000000D63000-memory.dmp

                  Filesize

                  9.4MB

                  Download

                • memory/4296-143-0x0000000001010000-0x0000000001011000-memory.dmp

                  Filesize

                  4KB

                  Download