Resubmissions
13-07-2024 09:54
240713-lxbx6swdmm 1013-07-2024 09:50
240713-lvbvdsyapd 1013-07-2024 09:46
240713-lr1dksyajd 10Analysis
-
max time kernel
1687s -
max time network
1162s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
13-07-2024 09:54
General
-
Target
27c9f44e0c5de68792b684355a68ad83eba89cbe46cc9cf3a6efeb448c9f39d6.exe
-
Size
352KB
-
MD5
b431bf2649aee55b729f1668a7bc4b12
-
SHA1
f618c191798cd8a809120bbf6b09ff79d8877138
-
SHA256
27c9f44e0c5de68792b684355a68ad83eba89cbe46cc9cf3a6efeb448c9f39d6
-
SHA512
b31ac84b8d41c4d77536763acf3daa75c437b62e792329f232892e7939b35ed8731f3aaaa3e406cf1bf6121a64c920dd03df4da07847debdd2caae3dc70ed544
-
SSDEEP
3072:L3kLEir9ihicEQ23lcjxXedA3MYRjuOGK2OIcVtkzuwOYHYHYN4YHYHYcSuCexyM:Ur9ikcL2mj4d6riOZ+qSHej/Kd+bN
Malware Config
Extracted
C:\Users\Admin\Desktop\read_it.txt
chaos
https://www.binance.com
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 2 IoCs
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 34 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 45 IoCs
-
Suspicious use of AdjustPrivilegeToken 50 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\27c9f44e0c5de68792b684355a68ad83eba89cbe46cc9cf3a6efeb448c9f39d6.exe"C:\Users\Admin\AppData\Local\Temp\27c9f44e0c5de68792b684355a68ad83eba89cbe46cc9cf3a6efeb448c9f39d6.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt3⤵
- Opens file in notepad (likely ransom note)
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
352KB
MD5b431bf2649aee55b729f1668a7bc4b12
SHA1f618c191798cd8a809120bbf6b09ff79d8877138
SHA25627c9f44e0c5de68792b684355a68ad83eba89cbe46cc9cf3a6efeb448c9f39d6
SHA512b31ac84b8d41c4d77536763acf3daa75c437b62e792329f232892e7939b35ed8731f3aaaa3e406cf1bf6121a64c920dd03df4da07847debdd2caae3dc70ed544
-
Filesize
973B
MD576988bff758f9226768719b023900431
SHA16e4644424162e07d6d81020fe7c8f850ae5c85f3
SHA256e1e6a69aff85dfa728e4ce3b9834f04ad6f393c11abeec8c9f604476f7b6c49a
SHA512268450c56d91b98e277d7bcffa66cb612f23dcbd441a59a4b1892c0929e6e756389b8a7ee9268d815c2c9b39101b27d16ddcd688308dd1b299a0f4c52b033c35
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
376KB
-
Filesize
8KB