Overview

overview

10

Static

static

3

Encrypter_...ed.exe

windows7-x64

10

Encrypter_...ed.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    5s
  • max time network
    28s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    02-07-2024 08:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Encrypter_protected.exe

  • Size

    1.9MB

  • MD5

    753dd955052999e94e9b4defc316c92d

  • SHA1

    49e5fee7f9acc3eb5253744d789ea43dd67b11eb

  • SHA256

    dfd96d2413181b137eaa22f2feeda2291f93a99404f327772b52ac98dc5eef60

  • SHA512

    e28b03bd990e4d0a500f50a57bfa026c4081374b98d3cad969a941354cf47c0258b23de133c8e3b490a44662aabbca69246e0372c130b868dc421778a0d3b7c8

  • SSDEEP

    49152:3DJk+6MbP/ZyRemj4rH3R/Y/4w6wL73WvXyXo:zJpPxysmjCB/YmwuvX6o

Score
10/10
chaosransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\read_it.txt

Ransom Note
----> You got ransom by FemboyCat <---- All of your files have been encrypted Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.What can I do to get my files back?You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0.1473766 BTC Bitcoin Address: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos
  • Chaos Ransomware 8 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Encrypter_protected.exe
    "C:\Users\Admin\AppData\Local\Temp\Encrypter_protected.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:1724
    • C:\Users\Admin\AppData\Local\Temp\._cache_Encrypter_protected.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Encrypter_protected.exe"
      2⤵
        PID:2608
        • C:\Users\Admin\AppData\Roaming\svchost.exe
          "C:\Users\Admin\AppData\Roaming\svchost.exe"
          3⤵
            PID:2544
            • C:\Windows\system32\NOTEPAD.EXE
              "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
              4⤵
              • Opens file in notepad (likely ransom note)
              PID:1120
        • C:\ProgramData\Synaptics\Synaptics.exe
          "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
          2⤵
            PID:2776
            • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
              "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
              3⤵
                PID:2164
                • C:\Users\Admin\AppData\Roaming\svchost.exe
                  "C:\Users\Admin\AppData\Roaming\svchost.exe"
                  4⤵
                    PID:2680

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\Synaptics\Synaptics.exe
              Filesize

              1.9MB

              MD5

              753dd955052999e94e9b4defc316c92d

              SHA1

              49e5fee7f9acc3eb5253744d789ea43dd67b11eb

              SHA256

              dfd96d2413181b137eaa22f2feeda2291f93a99404f327772b52ac98dc5eef60

              SHA512

              e28b03bd990e4d0a500f50a57bfa026c4081374b98d3cad969a941354cf47c0258b23de133c8e3b490a44662aabbca69246e0372c130b868dc421778a0d3b7c8

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\._cache_Encrypter_protected.exe
              Filesize

              22KB

              MD5

              6ac60b3f3fc089844b316b8edcb6cbdb

              SHA1

              b4fc7bfd470f3dc67a3b3a9ddcf2dbd26dcaf2b3

              SHA256

              657c0d869ee0e44742e138b18533577b7c9bca8d40ffe5b658d80459e4f8f4d9

              SHA512

              af218350125ea6ab9da68bb2edc7dfbdb023f0fc7ff2c446059d739fccc3891ad1974882275cedd2bf42fbbf2fd9ea50fa2d149a4c5cfbd9a23fa37e29071ecf

              Download Submit

            • C:\Users\Admin\Desktop\read_it.txt
              Filesize

              920B

              MD5

              96e58c047ee337ee491fbc24f95405a0

              SHA1

              00caeea02ff70f1e523a9d618ee22cac3b9cc30b

              SHA256

              e631d7ac377fb25957aef0cf348a9531682e88fb2c438b9e7ae828182d370419

              SHA512

              4d902a9c9a7b1b19d5e0d064da928d38c22d221405da9beb370fdef9cba252f8410a96a6d7c4e622cdccb4da1b06a92db8f09d300e7e7dc198068d9e72acb381

              Download Submit

            • memory/1724-24-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1724-2-0x000000000077C000-0x0000000000871000-memory.dmp

              Filesize

              980KB

              Download

            • memory/1724-6-0x0000000000400000-0x0000000000871000-memory.dmp

              Filesize

              4.4MB

              Download

            • memory/1724-9-0x0000000000400000-0x0000000000871000-memory.dmp

              Filesize

              4.4MB

              Download

            • memory/1724-3-0x0000000000400000-0x0000000000871000-memory.dmp

              Filesize

              4.4MB

              Download

            • memory/1724-4-0x0000000000400000-0x0000000000871000-memory.dmp

              Filesize

              4.4MB

              Download

            • memory/1724-0-0x0000000000400000-0x0000000000871000-memory.dmp

              Filesize

              4.4MB

              Download

            • memory/1724-1-0x0000000000400000-0x0000000000871000-memory.dmp

              Filesize

              4.4MB

              Download

            • memory/1724-39-0x0000000006360000-0x00000000067D1000-memory.dmp

              Filesize

              4.4MB

              Download

            • memory/1724-5-0x0000000000400000-0x0000000000871000-memory.dmp

              Filesize

              4.4MB

              Download

            • memory/1724-37-0x0000000000400000-0x0000000000871000-memory.dmp

              Filesize

              4.4MB

              Download

            • memory/1724-36-0x000000000077C000-0x0000000000871000-memory.dmp

              Filesize

              980KB

              Download

            • memory/2164-120-0x0000000000F40000-0x0000000000F4C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/2544-46-0x0000000001000000-0x000000000100C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/2608-25-0x0000000000E90000-0x0000000000E9C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/2776-40-0x0000000000400000-0x0000000000871000-memory.dmp

              Filesize

              4.4MB

              Download

            • memory/2776-115-0x0000000004B60000-0x0000000004B70000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2776-122-0x0000000000400000-0x0000000000871000-memory.dmp

              Filesize

              4.4MB

              Download

            • memory/2776-123-0x0000000000400000-0x0000000000871000-memory.dmp

              Filesize

              4.4MB

              Download