Overview

overview

10

Static

static

10

020db58e3c...4c.exe

windows10-2004-x64

10

06cbef0e90...f8.exe

windows10-2004-x64

9

083c5b43df...fb.exe

windows10-2004-x64

10

15cb04fa5c...4f.exe

windows10-2004-x64

9

22a1f50db9...85.exe

windows10-2004-x64

9

24cb5e44b6...8d.exe

windows10-2004-x64

10

27c9f44e0c...d6.exe

windows10-2004-x64

10

2c2aa8458f...3d.exe

windows10-2004-x64

7

2e9e18954a...d1.exe

windows10-2004-x64

10

2ebb2a34dd...c6.exe

windows10-2004-x64

10

2fff52aa0c...21.exe

windows10-2004-x64

10

37ca1cfa1f...60.exe

windows10-2004-x64

10

38cd67a044...4c.exe

windows10-2004-x64

9

3d4f84e20d...96.exe

windows10-2004-x64

49cff73125...4b.exe

windows10-2004-x64

10

4c0153b979...a5.exe

windows10-2004-x64

10

4ded976d2e...5a.exe

windows10-2004-x64

10

4ee95ee627...68.exe

windows10-2004-x64

10

5b439daac4...d7.exe

windows10-2004-x64

10

67df6d4554...78.exe

windows10-2004-x64

3

6b3bf710cf...2e.exe

windows10-2004-x64

7

6df64a0a92...fe.exe

windows10-2004-x64

10

75b45fea60...34.exe

windows10-2004-x64

10

82e6b71b99...5a.exe

windows10-2004-x64

10

8a6aa9e5d5...47.exe

windows10-2004-x64

8bcfb60733...fd.exe

windows10-2004-x64

10

8bf1319fd0...6c.exe

windows10-2004-x64

10

8d76a9a577...20.exe

windows10-2004-x64

10

8dd283ca01...4c.exe

windows10-2004-x64

10

8edaee2550...e7.exe

windows10-2004-x64

10

9bff71afad...75.exe

windows10-2004-x64

10

9d7fb7050c...20.exe

windows10-2004-x64

10

Resubmissions

13/07/2024, 09:54 UTC

240713-lxbx6swdmm 10

13/07/2024, 09:50 UTC

240713-lvbvdsyapd 10

13/07/2024, 09:46 UTC

240713-lr1dksyajd 10

Analysis

  • max time kernel
    1356s
  • max time network
    1137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/07/2024, 09:54 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    24cb5e44b68c9dd2a115de3415ee96e78d2180dfd287133c54dfa29c90c1088d.exe

  • Size

    88KB

  • MD5

    e60df2922d5ceb45856f405e41a9d6cc

  • SHA1

    2e438348f4ec2fbd82ce944ad3697d58771ac170

  • SHA256

    24cb5e44b68c9dd2a115de3415ee96e78d2180dfd287133c54dfa29c90c1088d

  • SHA512

    21eac0c509698b0b257e0f8b304204b0f29bbca8f0fafbb33aee5d93af727859ec6e2977c45c658248858cbe362ee5438c37bf566c269e4b708a89f22c87cca3

  • SSDEEP

    768:/qo23p8xAcr9G5eH2SU2Ip4jBqltCF0AxEjenoB69+Fx:yo2iAcr9GYH2SFHBWAxEjc+

Score
10/10
chaosdefense_evasionevasionexecutionimpactransomwarespywarestealer

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos
  • Chaos Ransomware 2 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Renames multiple (231) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 34 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\24cb5e44b68c9dd2a115de3415ee96e78d2180dfd287133c54dfa29c90c1088d.exe
    "C:\Users\Admin\AppData\Local\Temp\24cb5e44b68c9dd2a115de3415ee96e78d2180dfd287133c54dfa29c90c1088d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4372
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3460
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2304
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4764
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2692
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:4456
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1632
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4828
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:2404
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\readme.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:3544
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4000
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2708
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:1664
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:376

    Network

    • flag-us
      DNS
      23.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      23.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      73.144.22.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      73.144.22.2.in-addr.arpa
      IN PTR
      Response
      73.144.22.2.in-addr.arpa
      IN PTR
      a2-22-144-73deploystaticakamaitechnologiescom
    • flag-us
      DNS
      26.35.223.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      26.35.223.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      86.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      86.23.85.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      56.126.166.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      56.126.166.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.214.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.214.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      16.173.189.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      16.173.189.20.in-addr.arpa
      IN PTR
      Response
    No results found
    • 8.8.8.8:53
      23.159.190.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      23.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      73.144.22.2.in-addr.arpa
      dns
      70 B
       133 B
       1
      1

      DNS Request

      73.144.22.2.in-addr.arpa

    • 8.8.8.8:53
      26.35.223.20.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      26.35.223.20.in-addr.arpa

    • 8.8.8.8:53
      86.23.85.13.in-addr.arpa
      dns
      70 B
       144 B
       1
      1

      DNS Request

      86.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      56.126.166.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      56.126.166.20.in-addr.arpa

    • 8.8.8.8:53
      172.214.232.199.in-addr.arpa
      dns
      74 B
       128 B
       1
      1

      DNS Request

      172.214.232.199.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
       128 B
       1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      16.173.189.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      16.173.189.20.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\svchost.exe
      Filesize

      88KB

      MD5

      e60df2922d5ceb45856f405e41a9d6cc

      SHA1

      2e438348f4ec2fbd82ce944ad3697d58771ac170

      SHA256

      24cb5e44b68c9dd2a115de3415ee96e78d2180dfd287133c54dfa29c90c1088d

      SHA512

      21eac0c509698b0b257e0f8b304204b0f29bbca8f0fafbb33aee5d93af727859ec6e2977c45c658248858cbe362ee5438c37bf566c269e4b708a89f22c87cca3

      Download Submit

    • C:\Users\Admin\Documents\readme.txt
      Filesize

      383B

      MD5

      83ed0a180949592c8f79f789175ea653

      SHA1

      19871ab2de4d5f8e0864c7b76ea0fdff036d9e45

      SHA256

      2a01b766122215da2478d0d8eb3cf23b19d111cbd49454794effabd1f20f47ca

      SHA512

      7c0c772951faebcd16b13247fbd7e4cbf2bfc28a63e579e2ea07f9a0c3dcc33adb927e0bc613f8a3bf5e02940a34c6ed2f525d85e33d6be231437d89a051233b

      Download Submit

    • memory/840-0-0x00007FFB1DD13000-0x00007FFB1DD15000-memory.dmp

      Filesize

      8KB

      Download

    • memory/840-1-0x0000000000AE0000-0x0000000000AFC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/4372-14-0x00007FFB1DD10000-0x00007FFB1E7D1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4372-532-0x00007FFB1DD10000-0x00007FFB1E7D1000-memory.dmp

      Filesize

      10.8MB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.