Overview

overview

10

Static

static

10

020db58e3c...4c.exe

windows10-2004-x64

10

06cbef0e90...f8.exe

windows10-2004-x64

9

083c5b43df...fb.exe

windows10-2004-x64

10

15cb04fa5c...4f.exe

windows10-2004-x64

9

22a1f50db9...85.exe

windows10-2004-x64

9

24cb5e44b6...8d.exe

windows10-2004-x64

10

27c9f44e0c...d6.exe

windows10-2004-x64

10

2c2aa8458f...3d.exe

windows10-2004-x64

7

2e9e18954a...d1.exe

windows10-2004-x64

10

2ebb2a34dd...c6.exe

windows10-2004-x64

10

2fff52aa0c...21.exe

windows10-2004-x64

10

37ca1cfa1f...60.exe

windows10-2004-x64

10

38cd67a044...4c.exe

windows10-2004-x64

9

3d4f84e20d...96.exe

windows10-2004-x64

49cff73125...4b.exe

windows10-2004-x64

10

4c0153b979...a5.exe

windows10-2004-x64

10

4ded976d2e...5a.exe

windows10-2004-x64

10

4ee95ee627...68.exe

windows10-2004-x64

10

5b439daac4...d7.exe

windows10-2004-x64

10

67df6d4554...78.exe

windows10-2004-x64

3

6b3bf710cf...2e.exe

windows10-2004-x64

7

6df64a0a92...fe.exe

windows10-2004-x64

10

75b45fea60...34.exe

windows10-2004-x64

10

82e6b71b99...5a.exe

windows10-2004-x64

10

8a6aa9e5d5...47.exe

windows10-2004-x64

8bcfb60733...fd.exe

windows10-2004-x64

10

8bf1319fd0...6c.exe

windows10-2004-x64

10

8d76a9a577...20.exe

windows10-2004-x64

10

8dd283ca01...4c.exe

windows10-2004-x64

10

8edaee2550...e7.exe

windows10-2004-x64

10

9bff71afad...75.exe

windows10-2004-x64

10

9d7fb7050c...20.exe

windows10-2004-x64

10

Resubmissions

13-07-2024 09:54

240713-lxbx6swdmm 10

13-07-2024 09:50

240713-lvbvdsyapd 10

13-07-2024 09:46

240713-lr1dksyajd 10

Analysis

  • max time kernel
    1370s
  • max time network
    1162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-07-2024 09:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2e9e18954a73762ae06eaa6fa85c4dbdabf607fee4ec2ed016a689c7173dbfd1.exe

  • Size

    283KB

  • MD5

    f5a0c315b535c5a65bbbad8352592221

  • SHA1

    97e4cff4bece35cbcea863045025645f931fce14

  • SHA256

    2e9e18954a73762ae06eaa6fa85c4dbdabf607fee4ec2ed016a689c7173dbfd1

  • SHA512

    58560e1f409fb5cbd70517594d47d2e6145b17d3e64170ef6c1ae583cdf59fe670c2f1c468733ecca0a99c8ec893426a6ca9a8263be12a8845e87af3be50d335

  • SSDEEP

    3072:4W2W9AU+AUae0RgBhr2TLJY74vSePjxi4vLE3YKFcLhNLUt/sVZuQ5kROFz8C9uk:4jW9/+AGBOLS4cvIpNYqa6kIFzn9/x

Score
10/10
chaospersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\3D Objects\read_it.txt

Ransom Note
-‐--‐ ◇ ATTENTION BRUH ◇ ----- YOUR ALL FILES HAVE BEEN ENCRYPTED ! IT'S A RANSOMWARE ATTACK , ALL YOUR FILES DOCUMENTS PDF VEDIOS IMAGE'S EXE FILES TXT FILES ALL ARE ENCRYPTED. WHAT YOU DO FOR DECRYPT FILES ? = JUST COME IN TELEGRAM AND PAY 150$ FOR YOUR DECRYPTOR AND GET BACK YOUR FILES NORMAL. PAYMENT METHODS :- BTC , ETH , LTC TELEGRAM LINK :- https://t.me/+CaD1Kgd5Hj9mM2E9 COME FIRST HAPPY JOURNEY........
URLs

https://t.me/+CaD1Kgd5Hj9mM2E9

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos
  • Chaos Ransomware 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e9e18954a73762ae06eaa6fa85c4dbdabf607fee4ec2ed016a689c7173dbfd1.exe
    "C:\Users\Admin\AppData\Local\Temp\2e9e18954a73762ae06eaa6fa85c4dbdabf607fee4ec2ed016a689c7173dbfd1.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3620
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5060
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:2560

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\3D Objects\read_it.txt
    Filesize

    449B

    MD5

    3e892097785178c6b685b4f8d425c71a

    SHA1

    e8edaf757b2078f40fa7597f51b1aedded9016ba

    SHA256

    5383a8da410d702429721bb7fdfa0521faaafac21e08834390da7fec4bb65217

    SHA512

    88e0340dfc5980ebb3219d58f261363c7866d06f8fdf7f85f4fa08303079073510b18b2f562a0deccd7e173788c1984d05c041ae6639e8bb68473677f9a375f5

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2e9e18954a73762ae06eaa6fa85c4dbdabf607fee4ec2ed016a689c7173dbfd1.exe.log
    Filesize

    226B

    MD5

    28d7fcc2b910da5e67ebb99451a5f598

    SHA1

    a5bf77a53eda1208f4f37d09d82da0b9915a6747

    SHA256

    2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c

    SHA512

    2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

    Download Submit

  • C:\Users\Admin\AppData\Roaming\LockUnpublish.asp
    Filesize

    1B

    MD5

    d1457b72c3fb323a2671125aef3eab5d

    SHA1

    5bab61eb53176449e25c2c82f172b82cb13ffb9d

    SHA256

    8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

    SHA512

    ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\svchost.exe
    Filesize

    283KB

    MD5

    f5a0c315b535c5a65bbbad8352592221

    SHA1

    97e4cff4bece35cbcea863045025645f931fce14

    SHA256

    2e9e18954a73762ae06eaa6fa85c4dbdabf607fee4ec2ed016a689c7173dbfd1

    SHA512

    58560e1f409fb5cbd70517594d47d2e6145b17d3e64170ef6c1ae583cdf59fe670c2f1c468733ecca0a99c8ec893426a6ca9a8263be12a8845e87af3be50d335

    Download Submit

  • memory/3620-0-0x0000000000B40000-0x0000000000B8C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3620-1-0x00007FFF5BCD3000-0x00007FFF5BCD5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/5060-14-0x00007FFF5BCD0000-0x00007FFF5C791000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5060-1152-0x00007FFF5BCD0000-0x00007FFF5C791000-memory.dmp

    Filesize

    10.8MB

    Download