chaos | 2c1d1c6cc6fea441623d1cdc663656f171fa66d92809a157915c2ada06a121cf

Analysis

max time kernel
43s
max time network
129s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11-07-2024 13:45

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

lime.dll
Size

7.8MB
MD5

10c074a00debe4a97608e78cb36247ab
SHA1

779125eb7faef7e549eff67eeb55c177a8dfbc70
SHA256

2c1d1c6cc6fea441623d1cdc663656f171fa66d92809a157915c2ada06a121cf
SHA512

86080ba0ad936148f46f3cc56c8b5c474c72b9089657e7bd21286a2a2114eb07f20870e0dd96318685024ab929d17a382529c383049b7bd056553c4565473485
SSDEEP

98304:z0A/ndXX+HO+M16KrdFLJRzdfiHy4AyBS6iHIA198:z0wXX+Hc1nrtRgz

Score

10^/10

chaos defense_evasion evasion execution impact ransomware

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 3 IoCs

resource	yara_rule
behavioral1/files/0x000600000001a419-416.dat	family_chaos
behavioral1/memory/1428-427-0x0000000000880000-0x000000000089E000-memory.dmp	family_chaos
behavioral1/memory/2032-433-0x0000000000A60000-0x0000000000A7E000-memory.dmp	family_chaos

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2908	bcdedit.exe
2168	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2884	wbadmin.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
205	raw.githubusercontent.com
206	raw.githubusercontent.com
207	raw.githubusercontent.com
249	raw.githubusercontent.com
250	raw.githubusercontent.com
251	raw.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2604	vssadmin.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2548	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
496	chrome.exe
496	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe
Token: SeShutdownPrivilege	496	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe
496	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 496 wrote to memory of 1904	496	chrome.exe	32
PID 496 wrote to memory of 1904	496	chrome.exe	32
PID 496 wrote to memory of 1904	496	chrome.exe	32
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2836	496	chrome.exe	34
PID 496 wrote to memory of 2828	496	chrome.exe	35
PID 496 wrote to memory of 2828	496	chrome.exe	35
PID 496 wrote to memory of 2828	496	chrome.exe	35
PID 496 wrote to memory of 3052	496	chrome.exe	36
PID 496 wrote to memory of 3052	496	chrome.exe	36
PID 496 wrote to memory of 3052	496	chrome.exe	36
PID 496 wrote to memory of 3052	496	chrome.exe	36
PID 496 wrote to memory of 3052	496	chrome.exe	36
PID 496 wrote to memory of 3052	496	chrome.exe	36
PID 496 wrote to memory of 3052	496	chrome.exe	36
PID 496 wrote to memory of 3052	496	chrome.exe	36
PID 496 wrote to memory of 3052	496	chrome.exe	36
PID 496 wrote to memory of 3052	496	chrome.exe	36
PID 496 wrote to memory of 3052	496	chrome.exe	36
PID 496 wrote to memory of 3052	496	chrome.exe	36
PID 496 wrote to memory of 3052	496	chrome.exe	36
PID 496 wrote to memory of 3052	496	chrome.exe	36
PID 496 wrote to memory of 3052	496	chrome.exe	36
PID 496 wrote to memory of 3052	496	chrome.exe	36
PID 496 wrote to memory of 3052	496	chrome.exe	36
PID 496 wrote to memory of 3052	496	chrome.exe	36
PID 496 wrote to memory of 3052	496	chrome.exe	36

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lime.dll,#1
1⤵
PID:2408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef76f9758,0x7fef76f9768,0x7fef76f9778
  2⤵
  PID:1904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1152 --field-trial-handle=1284,i,1238446529573541441,3670763356002815159,131072 /prefetch:2
  2⤵
  PID:2836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1284,i,1238446529573541441,3670763356002815159,131072 /prefetch:8
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1580 --field-trial-handle=1284,i,1238446529573541441,3670763356002815159,131072 /prefetch:8
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2216 --field-trial-handle=1284,i,1238446529573541441,3670763356002815159,131072 /prefetch:1
  2⤵
  PID:2864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2224 --field-trial-handle=1284,i,1238446529573541441,3670763356002815159,131072 /prefetch:1
  2⤵
  PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1148 --field-trial-handle=1284,i,1238446529573541441,3670763356002815159,131072 /prefetch:2
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2700 --field-trial-handle=1284,i,1238446529573541441,3670763356002815159,131072 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3696 --field-trial-handle=1284,i,1238446529573541441,3670763356002815159,131072 /prefetch:8
  2⤵
  PID:956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3692 --field-trial-handle=1284,i,1238446529573541441,3670763356002815159,131072 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3756 --field-trial-handle=1284,i,1238446529573541441,3670763356002815159,131072 /prefetch:8
  2⤵
  PID:296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3608 --field-trial-handle=1284,i,1238446529573541441,3670763356002815159,131072 /prefetch:1
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3904 --field-trial-handle=1284,i,1238446529573541441,3670763356002815159,131072 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 --field-trial-handle=1284,i,1238446529573541441,3670763356002815159,131072 /prefetch:8
  2⤵
  PID:1484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3844 --field-trial-handle=1284,i,1238446529573541441,3670763356002815159,131072 /prefetch:1
  2⤵
  PID:2796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2224 --field-trial-handle=1284,i,1238446529573541441,3670763356002815159,131072 /prefetch:1
  2⤵
  PID:304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4232 --field-trial-handle=1284,i,1238446529573541441,3670763356002815159,131072 /prefetch:8
  2⤵
  PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4264 --field-trial-handle=1284,i,1238446529573541441,3670763356002815159,131072 /prefetch:8
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4088 --field-trial-handle=1284,i,1238446529573541441,3670763356002815159,131072 /prefetch:8
  2⤵
  PID:1676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3824 --field-trial-handle=1284,i,1238446529573541441,3670763356002815159,131072 /prefetch:8
  2⤵
  PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4416 --field-trial-handle=1284,i,1238446529573541441,3670763356002815159,131072 /prefetch:8
  2⤵
  PID:1900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4400 --field-trial-handle=1284,i,1238446529573541441,3670763356002815159,131072 /prefetch:8
  2⤵
  PID:1996
- C:\Users\Admin\Downloads\WareY666.exe
  "C:\Users\Admin\Downloads\WareY666.exe"
  2⤵
  PID:1428
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    PID:2032
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
      4⤵
      PID:2788
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:2604
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        
        PID:1180
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      4⤵
      PID:2076
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2908
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled no
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2168
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
      4⤵
      PID:2304
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete catalog -quiet
        5⤵
        Deletes backup catalog
        
        PID:2884
  - - C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
      4⤵
      Opens file in notepad (likely ransom note)
      PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4400 --field-trial-handle=1284,i,1238446529573541441,3670763356002815159,131072 /prefetch:8
  2⤵
  PID:2504

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1704

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1124

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:1224

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1900

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2348

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Media Player.lnk.g45i
1⤵
PID:2004

C:\Windows\ehome\ehshell.exe
"C:\Windows\ehome\ehshell.exe"
1⤵
PID:1604

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x548
1⤵
PID:1428

C:\Windows\system32\SnippingTool.exe
"C:\Windows\system32\SnippingTool.exe"
1⤵
PID:2076
- C:\Windows\SYSTEM32\WISPTIS.EXE
  "C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch;
  2⤵
  PID:1508

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2564

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
c8d0f45689eb4b37f8b0bf8a15431930

SHA1
1687699aa1844960c6eecb7fe9e35536724a487a

SHA256
c0700730aecdf828f24b5265cfc9368e8370f2c464587c287a6dc359f9483ed9

SHA512
5d9b6aebea1ecafb9b285b44309b2ed7037717c8a259902b769895452e60f1dc04bc2074a7fd20015c8846041f12f494d5b576a49e75bd2e2552451158802eec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
86c20ea79a5c7a8ee46d959c28d9feb2

SHA1
6e4362b8c46b433855e70e9dd4ea61bac9d98d68

SHA256
6af99c5ab1ff380d73429ad82a525198c0139f33013760295b0e6f9549a0af76

SHA512
5be3a2429b8c08a24ebeff7e838ccc323d81adf51908961be690ea1bfc84165b94a4dbe3890dd59d18c3b8f3e0fba9686c86858067129be7f2b839da932efdfc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
037c16f9017cc36ed5b9fbf7e2890156

SHA1
4492d7352b354b0600e7b907a4a41551837b49e4

SHA256
3c4ff202dde81f55cac668e442eb723d1f75488f48e8ca339dc6df3197dbe881

SHA512
022a1e84efafc61b1645baa799ffcbfdeb27b6ee731200a403476d82bb6ac941b7359e24bd0426e0b6620d3a1149b173cd4fd3a48c336b7375c0a68ea975ef17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
15d83d239d0b8dad10e49c09a837bd3f

SHA1
97e5b39c97dd4695bf6cfff4f35509831d84978d

SHA256
6e7033f4286314217f5f2c53a27945a39204847598d302be9a4c44081b646ccb

SHA512
8faf8664f4e718a93df5802cc4899916d949ad388cfbc3cfbcab279a0fb57360be840562e99be49f705ff9d4d2412a7710351c7236420fd9e2da1a96a2186957

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\9e0dc893-cc83-43fc-9525-fb7c9a3345f0.tmp

Filesize
6KB

MD5
f1b84f1c69aad663f47cd0c863ac03c4

SHA1
5c897fcf14f2a555d39d732c02c49c75fbaa2b7f

SHA256
28ee1ec5853f60cdeba4bf10e671ef84bb54f738ca6cc384bef3d57d90cf49bb

SHA512
b035d64761df74e918075bb70e4fbaaec2dd1b9b350e54d269a3bd8011455abf50bec6714893b3434814596bceade9047bcd6413cdcd194aa020cc3ab3062e01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
24866c0714e25b8f3569ad974f55f13e

SHA1
6a74a1dd22cde332c54de9f36877bf1d5687ad90

SHA256
0c85eed3339a012fb122647f444ae97b6a3d8cbed93461c90ba5acee28481d57

SHA512
e5faa83864bf32482906ea0bd14e0490ee1abe88d8dc1d2120244cf2db88cbea6da2e44da8086bec500d9c3b7d43b62fd24b06c278e53d72e14ded8cf05f67fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
526B

MD5
9d45d9b4c75991eaf24c4751baea5576

SHA1
bdc0188380d7d1811039c5af30ce62c228a900cf

SHA256
73b519aaa50f1de1a2d20a401db11fd9f283d7eab79a092d5e3127bf23d206f3

SHA512
f61fb7214d7c2919cbbd6b2e72f76ffed1da9b59174f14324bab2a042851c4c369b8a158956d446293c0603e39e872ce09011ff3c3c12ba188b1b3b87f6113d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
526B

MD5
5d46af086c3914a103c6e83e76bbe1a3

SHA1
7e4e58124c1bd2ca2f78372fab7af4ea709d7200

SHA256
c3a8e06e5bd31b2227c268736e79e5ff333ee8bd7aa1b64978328bfd5dfda03a

SHA512
e7ce72cf4c760619d498fa9b34e9a7190f2c108f2fdd65cc0e1c14423f38b4b178ab8433868ffd6fdc98c54f06571d1e64fdf5ea48523ce8d5fe7ea131c02bf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8dbb7cd097a8f79d2890b6135f1c2b5c

SHA1
bfeee2597e48abde6463bf23b9237dd9e198c89b

SHA256
d1fde457e34751f3fc3efbf2d293eab4639cdb061f2fcc930bffb51033956d8d

SHA512
b913841b0ace618f82871907cd051638eed0bea5feeb2b743f267c596d1e0bd18c5f38e962d3e610f91d5fa78058aae0b60159f2d0473ebc8bf47853fb2d131c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
196c18346a1a5a9e329549bd461b0406

SHA1
e954db077b9100c17eb498cc6955e8a27d7c9323

SHA256
3bf8ad9f17fdd7cb63fc3c73519d8402839d6e04052aff0e687df0b5d86e701e

SHA512
f5c64f67f43ad7fdf7cb629435e5905cdc339484804d64c2681ec24e488945d4be441b66e7254bd0bacb2cb5e750e3a83a4bdc5d2220d4a332f9ef512e6ec6b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
7ea502f34b57825106e1ddb20bde53f8

SHA1
63406fbc84f6c76640857bc8b3209b7a7975d0bd

SHA256
161dbdf49009388f98af357b47747a852f55af6fda2546cc595d39bed7d1f90c

SHA512
5d66318c9d9667d9987e7812f51fc932ca14db2b5c2fc5c9c93a3f508c334324ddf89f06755a013ac8ecc795f478a357cfb3cd72a429358eb76040a960c87a7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c852739e1427cde7a9a12c317a727dba

SHA1
c44c22ac537f04e6db837443a93374964cb809c4

SHA256
375ff49870fdf885807cb139adec16ae2d7f545e3f582ce9bffc6897d0fe7d15

SHA512
b984270a55c8852898412a1da231c8158172fb40ba2d4cb16c276c8946ab9e0507077305d6e2537e96386d3de749ac75013545d7de8eb61a04dcfbf0796979fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
305KB

MD5
b64b0418f43ac54689b513d162585c5f

SHA1
ec21233e5680d6ea9e5e9e22aebebe37694b4786

SHA256
e70d0dcad9d2f640caa74ba2b73368c8a0fb934a0f6d7b22c2026e6098413b9e

SHA512
52ca206dfce91287b48a069b10d1388f5395d036e9454b176c67e296da79b81152f4d147a1244c007877b97237a50d6cabcfb2b6c9bacadd1f6861ac0db2284b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
305KB

MD5
d869b3e5411d0cd0cb25c7a14f4f8c87

SHA1
fcd34b7decacc8411be75aedfa0301e1e00c5990

SHA256
032dd006cbf7f5fe5f7f8588fac2c39ff140826cafe8e32451a8c2349bc18cdd

SHA512
0e16cc1f7e38512a8e9e2962b2a1935b4329df07f7900ba3bef75c0a6d9d9fee624c3accba005bcef4c42fb8a3201e0e8fdf4b84fa9416702c1b8d053fcd15a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
75KB

MD5
9c0f4fd8e648da60adc52112953af5c1

SHA1
5ca33a59d13a7d18a6ce45909a9c6247a44b3a86

SHA256
a2176fdc73aabad1a727ac28551d7f6d39bbfc958f8ececcfdde352b785a8f6b

SHA512
17045c65aa41c9f83fafa3dff5d15048426d7d1043ae12e4b98cea9576fe0436b15bff51cfd950f815112c5f04b1fe3533af9f8e38c40d5498048d2fc2135259

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDB9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDCB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Documents\read_it.txt

Filesize
300B

MD5
b82fa86880debe41392d18b4dd41621a

SHA1
421bd2faec03d7b3f770b093cafbf312f35d3905

SHA256
3e64fbd082f64b545bc146bd6352e722312928774ee6313de956a0e48b06ed5c

SHA512
7abbe18cdabf6103e419a53cb24d45006b6f33267cc4a9c5b90d3b1390d34263758751b1cf4df4f7ee6c846c2590ea815fe089f853538511a8ad06f3d13cbf7e

Download Submit
C:\Users\Admin\Downloads\WareY666.exe

Filesize
95KB

MD5
d44d6282848f874a0ebd46f60d285870

SHA1
028b8bff4165fe717ba96c748955f77d294039aa

SHA256
e401968fc258152cf64bd3d66842eb76037905cdb3e82ef09f06cc06f8995d12

SHA512
a1fb1c0dbde4c4cfbdecf039c71af903297b7d2eb178c89c677c4742129b053d13e8f8708e78e06b2b5de41928a174917f01a089ef61b54e0338804b2a903e8b

Download Submit
memory/1428-427-0x0000000000880000-0x000000000089E000-memory.dmp

Filesize
120KB

Download
memory/1428-426-0x000007FEF3FC3000-0x000007FEF3FC4000-memory.dmp

Filesize
4KB

Download
memory/1604-940-0x000000001E160000-0x000000001E768000-memory.dmp

Filesize
6.0MB

Download
memory/1604-943-0x000000001F020000-0x000000001F0D8000-memory.dmp

Filesize
736KB

Download
memory/1604-942-0x000000001CD20000-0x000000001CDBE000-memory.dmp

Filesize
632KB

Download
memory/1604-941-0x000000001E770000-0x000000001E8F4000-memory.dmp

Filesize
1.5MB

Download
memory/1604-955-0x000000001D110000-0x000000001D147000-memory.dmp

Filesize
220KB

Download
memory/1604-956-0x000000001B9E0000-0x000000001B9EA000-memory.dmp

Filesize
40KB

Download
memory/2032-433-0x0000000000A60000-0x0000000000A7E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads