Malware Analysis Report

2024-08-06 16:13

Sample ID 240702-j82a4atfpd
Target Encrypter_protected.exe
SHA256 11b11b72193938040f5ae32ebd1eb238c9fcd6ba30f8127bd0a0ca5b2cecc5f0
Tags
themida chaos evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

11b11b72193938040f5ae32ebd1eb238c9fcd6ba30f8127bd0a0ca5b2cecc5f0

Threat Level: Known bad

The file Encrypter_protected.exe was found to be: Known bad.

Malicious Activity Summary

themida chaos evasion persistence ransomware spyware stealer trojan

Chaos Ransomware

Chaos

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Reads user/profile data of web browsers

Executes dropped EXE

Checks BIOS information in registry

Loads dropped DLL

Themida packer

Checks computer location settings

Drops startup file

Checks whether UAC is enabled

Drops desktop.ini file(s)

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Opens file in notepad (likely ransom note)

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-02 08:21

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-02 08:21

Reported

2024-07-02 08:21

Platform

win7-20240611-en

Max time kernel

12s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Encrypter_protected.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Encrypter_protected.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\Synaptics\Synaptics.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Encrypter_protected.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Encrypter_protected.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\Synaptics\Synaptics.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\Synaptics\Synaptics.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\Encrypter_protected.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Encrypter_protected.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\ProgramData\Synaptics\Synaptics.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2812790648-3157963462-487717889-1000\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Encrypter_protected.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A

Enumerates physical storage devices

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Encrypter_protected.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2116 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\Encrypter_protected.exe C:\Users\Admin\AppData\Local\Temp\._cache_Encrypter_protected.exe
PID 2116 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\Encrypter_protected.exe C:\Users\Admin\AppData\Local\Temp\._cache_Encrypter_protected.exe
PID 2116 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\Encrypter_protected.exe C:\Users\Admin\AppData\Local\Temp\._cache_Encrypter_protected.exe
PID 2116 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\Encrypter_protected.exe C:\Users\Admin\AppData\Local\Temp\._cache_Encrypter_protected.exe
PID 2116 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\Encrypter_protected.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2116 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\Encrypter_protected.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2116 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\Encrypter_protected.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2116 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\Encrypter_protected.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2116 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\Encrypter_protected.exe C:\Windows\SysWOW64\WerFault.exe
PID 2116 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\Encrypter_protected.exe C:\Windows\SysWOW64\WerFault.exe
PID 2116 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\Encrypter_protected.exe C:\Windows\SysWOW64\WerFault.exe
PID 2116 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\Encrypter_protected.exe C:\Windows\SysWOW64\WerFault.exe
PID 2320 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Encrypter_protected.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2320 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Encrypter_protected.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2320 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Encrypter_protected.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2884 wrote to memory of 2476 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2884 wrote to memory of 2476 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2884 wrote to memory of 2476 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2884 wrote to memory of 2476 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2476 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2476 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2476 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Roaming\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Encrypter_protected.exe

"C:\Users\Admin\AppData\Local\Temp\Encrypter_protected.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_Encrypter_protected.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Encrypter_protected.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 652

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt

Network

N/A

Files

memory/2116-0-0x00000000002E0000-0x0000000000F1E000-memory.dmp

memory/2116-1-0x0000000076F30000-0x0000000076F32000-memory.dmp

memory/2116-2-0x00000000002E0000-0x0000000000F1E000-memory.dmp

memory/2116-4-0x00000000002E0000-0x0000000000F1E000-memory.dmp

memory/2116-3-0x00000000002E0000-0x0000000000F1E000-memory.dmp

memory/2116-5-0x00000000002E0000-0x0000000000F1E000-memory.dmp

memory/2116-8-0x00000000000E0000-0x00000000000E1000-memory.dmp

\Users\Admin\AppData\Local\Temp\._cache_Encrypter_protected.exe

MD5 6ac60b3f3fc089844b316b8edcb6cbdb
SHA1 b4fc7bfd470f3dc67a3b3a9ddcf2dbd26dcaf2b3
SHA256 657c0d869ee0e44742e138b18533577b7c9bca8d40ffe5b658d80459e4f8f4d9
SHA512 af218350125ea6ab9da68bb2edc7dfbdb023f0fc7ff2c446059d739fccc3891ad1974882275cedd2bf42fbbf2fd9ea50fa2d149a4c5cfbd9a23fa37e29071ecf

C:\ProgramData\Synaptics\Synaptics.exe

MD5 0ab2a8b3f487b14f24db2d611eaa1627
SHA1 927990d479f9c6bb3df78442004feccad4577920
SHA256 11b11b72193938040f5ae32ebd1eb238c9fcd6ba30f8127bd0a0ca5b2cecc5f0
SHA512 bedcf4c0bee5a90a72ba1d17fa9358ae8001cead67280e6edc2b82df440b177f6a97ac3c7aade237e9753ee9eec966aebe4fece1b4c0fcc2e062c5055781357a

memory/2116-19-0x0000000004470000-0x0000000004480000-memory.dmp

memory/2116-27-0x0000000006B20000-0x000000000775E000-memory.dmp

memory/2116-29-0x0000000006B20000-0x000000000775E000-memory.dmp

memory/2884-30-0x0000000000840000-0x000000000147E000-memory.dmp

memory/2320-31-0x0000000000930000-0x000000000093C000-memory.dmp

memory/2884-39-0x0000000000840000-0x000000000147E000-memory.dmp

memory/2884-34-0x0000000000840000-0x000000000147E000-memory.dmp

memory/2884-36-0x0000000000840000-0x000000000147E000-memory.dmp

memory/2884-35-0x0000000000840000-0x000000000147E000-memory.dmp

C:\Users\Admin\Desktop\read_it.txt

MD5 96e58c047ee337ee491fbc24f95405a0
SHA1 00caeea02ff70f1e523a9d618ee22cac3b9cc30b
SHA256 e631d7ac377fb25957aef0cf348a9531682e88fb2c438b9e7ae828182d370419
SHA512 4d902a9c9a7b1b19d5e0d064da928d38c22d221405da9beb370fdef9cba252f8410a96a6d7c4e622cdccb4da1b06a92db8f09d300e7e7dc198068d9e72acb381

memory/2116-97-0x00000000002E0000-0x0000000000F1E000-memory.dmp

memory/2884-107-0x00000000035A0000-0x00000000035B0000-memory.dmp

memory/2476-112-0x0000000000C60000-0x0000000000C6C000-memory.dmp

memory/2884-115-0x0000000000840000-0x000000000147E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-02 08:21

Reported

2024-07-02 08:22

Platform

win10v2004-20240226-en

Max time kernel

37s

Max time network

49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Encrypter_protected.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Encrypter_protected.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Encrypter_protected.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Encrypter_protected.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Encrypter_protected.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Encrypter_protected.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Encrypter_protected.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\Encrypter_protected.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Encrypter_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Encrypter_protected.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Encrypter_protected.exe

"C:\Users\Admin\AppData\Local\Temp\Encrypter_protected.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_Encrypter_protected.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Encrypter_protected.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 628 -ip 628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 1172

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4028 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

Network

Country  Destination        Domain                          Proto
US       8.8.8.8:53         149.220.183.52.in-addr.arpa     udp
US       8.8.8.8:53         82.90.14.23.in-addr.arpa        udp
US       20.231.121.79:80   N/A                             tcp
US       8.8.8.8:53         23.159.190.20.in-addr.arpa      udp
US       8.8.8.8:53         95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53         154.239.44.20.in-addr.arpa      udp
US       8.8.8.8:53         58.55.71.13.in-addr.arpa        udp
US       8.8.8.8:53         103.169.127.40.in-addr.arpa     udp
US       13.107.246.64:443  N/A                             tcp
US       8.8.8.8:53         198.187.3.20.in-addr.arpa       udp
US       8.8.8.8:53         35.15.31.184.in-addr.arpa       udp

Files

memory/628-0-0x0000000000B90000-0x00000000017CE000-memory.dmp

memory/628-1-0x0000000000B90000-0x00000000017CE000-memory.dmp

memory/628-2-0x0000000077954000-0x0000000077956000-memory.dmp

memory/628-3-0x0000000000B90000-0x00000000017CE000-memory.dmp

memory/628-5-0x0000000000B90000-0x00000000017CE000-memory.dmp

memory/628-4-0x0000000000B90000-0x00000000017CE000-memory.dmp

memory/628-6-0x0000000000B90000-0x00000000017CE000-memory.dmp

memory/628-7-0x00000000008D0000-0x00000000008D1000-memory.dmp

memory/628-10-0x0000000000B90000-0x00000000017CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\._cache_Encrypter_protected.exe

MD5 6ac60b3f3fc089844b316b8edcb6cbdb
SHA1 b4fc7bfd470f3dc67a3b3a9ddcf2dbd26dcaf2b3
SHA256 657c0d869ee0e44742e138b18533577b7c9bca8d40ffe5b658d80459e4f8f4d9
SHA512 af218350125ea6ab9da68bb2edc7dfbdb023f0fc7ff2c446059d739fccc3891ad1974882275cedd2bf42fbbf2fd9ea50fa2d149a4c5cfbd9a23fa37e29071ecf

C:\ProgramData\Synaptics\Synaptics.exe

MD5 0ab2a8b3f487b14f24db2d611eaa1627
SHA1 927990d479f9c6bb3df78442004feccad4577920
SHA256 11b11b72193938040f5ae32ebd1eb238c9fcd6ba30f8127bd0a0ca5b2cecc5f0
SHA512 bedcf4c0bee5a90a72ba1d17fa9358ae8001cead67280e6edc2b82df440b177f6a97ac3c7aade237e9753ee9eec966aebe4fece1b4c0fcc2e062c5055781357a

memory/1256-75-0x00007FF9D4853000-0x00007FF9D4855000-memory.dmp

memory/1256-77-0x0000000000CE0000-0x0000000000CEC000-memory.dmp

memory/3316-135-0x0000000000360000-0x0000000000F9E000-memory.dmp

memory/3316-136-0x0000000000360000-0x0000000000F9E000-memory.dmp

memory/3316-137-0x0000000000360000-0x0000000000F9E000-memory.dmp

memory/3316-138-0x0000000000360000-0x0000000000F9E000-memory.dmp

memory/3316-139-0x0000000000360000-0x0000000000F9E000-memory.dmp

memory/628-140-0x00000000008D0000-0x00000000008D1000-memory.dmp

memory/628-143-0x0000000000B90000-0x00000000017CE000-memory.dmp