Analysis
-
max time kernel
121s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
13-07-2024 09:29
General
-
Target
0f18f6547a1c8e86963a9e9f9dd9e6e42bd506de21c034ec884c3b55a789ac57.exe
-
Size
23KB
-
MD5
4cc6ec4d961a14c4fc4b45dfe939ca00
-
SHA1
7a115dcc3ca91877b70de091b122259503d7109f
-
SHA256
0f18f6547a1c8e86963a9e9f9dd9e6e42bd506de21c034ec884c3b55a789ac57
-
SHA512
9bcdb453be961b88ae3a85a9d68e8f2e8ea6394e27641a46f4a28c9b56133cf97f5cf74699feab475563f5e9617120dffa944c8d3554d06749071e104cd237fd
-
SSDEEP
384:m3Mg/bqo2uda2duoiXslkpaDKB+98SJer91CCob5LeU:Uqo2ka2kAkpaDuNGer9pobJeU
Malware Config
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 3 IoCs
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
-
Drops startup file 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 34 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0f18f6547a1c8e86963a9e9f9dd9e6e42bd506de21c034ec884c3b55a789ac57.exe"C:\Users\Admin\AppData\Local\Temp\0f18f6547a1c8e86963a9e9f9dd9e6e42bd506de21c034ec884c3b55a789ac57.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Garsomware.exe"C:\Users\Admin\AppData\Roaming\Garsomware.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Garsomware.txt3⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Garsomware.exeFilesize
23KB
MD54cc6ec4d961a14c4fc4b45dfe939ca00
SHA17a115dcc3ca91877b70de091b122259503d7109f
SHA2560f18f6547a1c8e86963a9e9f9dd9e6e42bd506de21c034ec884c3b55a789ac57
SHA5129bcdb453be961b88ae3a85a9d68e8f2e8ea6394e27641a46f4a28c9b56133cf97f5cf74699feab475563f5e9617120dffa944c8d3554d06749071e104cd237fd
-
C:\Users\Admin\Documents\Garsomware.txtFilesize
772B
MD599af09472bd282b52375d6975efbd348
SHA1aad9c614d344e764c12b1fb23c183f54be45961e
SHA256c5850864ce7ea579386398d350e762a8b7a7d11d964d38cbe6c54adc6844989b
SHA512c036a9058080deb37346fb1dd4634a140744d561226e0cf7b026ec95ae2ea135e04c0a6e6d439e237eaa1ce32576940f4452139476649a706e2d9039b4380548
-
memory/2720-7-0x00000000003C0000-0x00000000003CC000-memory.dmpFilesize
48KB
-
memory/2720-19-0x000007FEF5A60000-0x000007FEF644C000-memory.dmpFilesize
9.9MB
-
memory/2720-28-0x000007FEF5A60000-0x000007FEF644C000-memory.dmpFilesize
9.9MB
-
memory/2720-496-0x000007FEF5A60000-0x000007FEF644C000-memory.dmpFilesize
9.9MB
-
memory/2752-0-0x000007FEF5A63000-0x000007FEF5A64000-memory.dmpFilesize
4KB
-
memory/2752-1-0x0000000001000000-0x000000000100C000-memory.dmpFilesize
48KB