chaos | 3730e9cba4a93bc985ef7cd2368ccbf5eccd4724f514b38b20e320e5553dd08d

Analysis

max time kernel
1436s
max time network
1437s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
16-07-2024 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14.exe
Size

137KB
MD5

9b02b542834573f9502ca83719a73a01
SHA1

f3bc7cf16eec977772455f3fce87fed505fb18e3
SHA256

e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14
SHA512

290c7a5bfc921817d1803ddbe8dd07210301082498945bcabdb597368f92c6fc1050cefec514e6d250571cb4afd6427d8e4ab7cd15d7a46a44cb088cd4d1b031
SSDEEP

3072:Eoy7AHYqr9ACDYVbu4sijUtSWnFA22WnVaxs2gzx+IjBz2:0mr9AHVycjUgWnFAGms2gzoch

Score

10^/10

chaos defense_evasion evasion execution impact ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Documents\andrianov.txt

Ransom Note

Your Personal Files has been Encrypted and Locked Your documents, photos, databases and other important files have been encrypted with strongest encryption and locked with unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. Caution: Removing of Blackhat will not restore access to your encrypted files. Frequently Asked Questions What happened to my files ? understanding the issue How can i get my files back ? the only way to restore your files What should i do next ? Buy decryption key Now you have the last chance to decrypt your files. 1. Buy Bitcoin (https://blockchain.info) 2. Send amount of 200 dollar to address: to 3QpLGGaeFwxtV61p1bBUpTBzPcKdtPQpNA 3. Transaction will take about 15-30 minutes to confirm. 4. When transaction is confirmed, send email to us at [email protected] Click here to restore and recovery your files

Emails

[email protected]

Wallets

3QpLGGaeFwxtV61p1bBUpTBzPcKdtPQpNA

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 3 IoCs

Processes:

resource	yara_rule
behavioral27/memory/2836-1-0x00000000001C0000-0x00000000001E8000-memory.dmp	family_chaos
C:\Users\Admin\AppData\Roaming\svchost.exe	family_chaos
behavioral27/memory/2660-7-0x00000000003D0000-0x00000000003F8000-memory.dmp	family_chaos

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

3060 bcdedit.exe
2016 bcdedit.exe
Renames multiple (239) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

2300 wbadmin.exe

pid	process
3060	bcdedit.exe
2016	bcdedit.exe

pid	process
2300	wbadmin.exe

Drops startup file 3 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\andrianov.txt	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

2660 svchost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2660	svchost.exe

Drops desktop.ini file(s) 34 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3294248377-1418901787-4083263181-1000\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b36da31oo.jpg"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

2196 vssadmin.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1636 NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

svchost.exe

pid process

2660 svchost.exe

pid	process
2196	vssadmin.exe

pid	process
1636	NOTEPAD.EXE

pid	process
2660	svchost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14.exesvchost.exe

pid	process
2836	e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14.exe
2836	e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14.exe
2836	e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14.exesvchost.exevssvc.exeWMIC.exewbengine.exe

description	pid	process
Token: SeDebugPrivilege	2836	e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14.exe
Token: SeDebugPrivilege	2660	svchost.exe
Token: SeBackupPrivilege	2188	vssvc.exe
Token: SeRestorePrivilege	2188	vssvc.exe
Token: SeAuditPrivilege	2188	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1464	WMIC.exe
Token: SeSecurityPrivilege	1464	WMIC.exe
Token: SeTakeOwnershipPrivilege	1464	WMIC.exe
Token: SeLoadDriverPrivilege	1464	WMIC.exe
Token: SeSystemProfilePrivilege	1464	WMIC.exe
Token: SeSystemtimePrivilege	1464	WMIC.exe
Token: SeProfSingleProcessPrivilege	1464	WMIC.exe
Token: SeIncBasePriorityPrivilege	1464	WMIC.exe
Token: SeCreatePagefilePrivilege	1464	WMIC.exe
Token: SeBackupPrivilege	1464	WMIC.exe
Token: SeRestorePrivilege	1464	WMIC.exe
Token: SeShutdownPrivilege	1464	WMIC.exe
Token: SeDebugPrivilege	1464	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1464	WMIC.exe
Token: SeRemoteShutdownPrivilege	1464	WMIC.exe
Token: SeUndockPrivilege	1464	WMIC.exe
Token: SeManageVolumePrivilege	1464	WMIC.exe
Token: 33	1464	WMIC.exe
Token: 34	1464	WMIC.exe
Token: 35	1464	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1464	WMIC.exe
Token: SeSecurityPrivilege	1464	WMIC.exe
Token: SeTakeOwnershipPrivilege	1464	WMIC.exe
Token: SeLoadDriverPrivilege	1464	WMIC.exe
Token: SeSystemProfilePrivilege	1464	WMIC.exe
Token: SeSystemtimePrivilege	1464	WMIC.exe
Token: SeProfSingleProcessPrivilege	1464	WMIC.exe
Token: SeIncBasePriorityPrivilege	1464	WMIC.exe
Token: SeCreatePagefilePrivilege	1464	WMIC.exe
Token: SeBackupPrivilege	1464	WMIC.exe
Token: SeRestorePrivilege	1464	WMIC.exe
Token: SeShutdownPrivilege	1464	WMIC.exe
Token: SeDebugPrivilege	1464	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1464	WMIC.exe
Token: SeRemoteShutdownPrivilege	1464	WMIC.exe
Token: SeUndockPrivilege	1464	WMIC.exe
Token: SeManageVolumePrivilege	1464	WMIC.exe
Token: 33	1464	WMIC.exe
Token: 34	1464	WMIC.exe
Token: 35	1464	WMIC.exe
Token: SeBackupPrivilege	2504	wbengine.exe
Token: SeRestorePrivilege	2504	wbengine.exe
Token: SeSecurityPrivilege	2504	wbengine.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14.exesvchost.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2836 wrote to memory of 2660	2836	e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14.exe	svchost.exe
PID 2836 wrote to memory of 2660	2836	e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14.exe	svchost.exe
PID 2836 wrote to memory of 2660	2836	e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14.exe	svchost.exe
PID 2660 wrote to memory of 2124	2660	svchost.exe	cmd.exe
PID 2660 wrote to memory of 2124	2660	svchost.exe	cmd.exe
PID 2660 wrote to memory of 2124	2660	svchost.exe	cmd.exe
PID 2124 wrote to memory of 2196	2124	cmd.exe	vssadmin.exe
PID 2124 wrote to memory of 2196	2124	cmd.exe	vssadmin.exe
PID 2124 wrote to memory of 2196	2124	cmd.exe	vssadmin.exe
PID 2124 wrote to memory of 1464	2124	cmd.exe	WMIC.exe
PID 2124 wrote to memory of 1464	2124	cmd.exe	WMIC.exe
PID 2124 wrote to memory of 1464	2124	cmd.exe	WMIC.exe
PID 2660 wrote to memory of 1048	2660	svchost.exe	cmd.exe
PID 2660 wrote to memory of 1048	2660	svchost.exe	cmd.exe
PID 2660 wrote to memory of 1048	2660	svchost.exe	cmd.exe
PID 1048 wrote to memory of 3060	1048	cmd.exe	bcdedit.exe
PID 1048 wrote to memory of 3060	1048	cmd.exe	bcdedit.exe
PID 1048 wrote to memory of 3060	1048	cmd.exe	bcdedit.exe
PID 1048 wrote to memory of 2016	1048	cmd.exe	bcdedit.exe
PID 1048 wrote to memory of 2016	1048	cmd.exe	bcdedit.exe
PID 1048 wrote to memory of 2016	1048	cmd.exe	bcdedit.exe
PID 2660 wrote to memory of 2476	2660	svchost.exe	cmd.exe
PID 2660 wrote to memory of 2476	2660	svchost.exe	cmd.exe
PID 2660 wrote to memory of 2476	2660	svchost.exe	cmd.exe
PID 2476 wrote to memory of 2300	2476	cmd.exe	wbadmin.exe
PID 2476 wrote to memory of 2300	2476	cmd.exe	wbadmin.exe
PID 2476 wrote to memory of 2300	2476	cmd.exe	wbadmin.exe
PID 2660 wrote to memory of 1636	2660	svchost.exe	NOTEPAD.EXE
PID 2660 wrote to memory of 1636	2660	svchost.exe	NOTEPAD.EXE
PID 2660 wrote to memory of 1636	2660	svchost.exe	NOTEPAD.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14.exe
"C:\Users\Admin\AppData\Local\Temp\e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:2196

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
3⤵
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:3060

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:2016

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
4⤵
- Deletes backup catalog
PID:2300

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\andrianov.txt
3⤵
- Opens file in notepad (likely ransom note)
PID:1636

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2316

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:280

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Windows Management Instrumentation

T1047

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Direct Volume Access

T1006

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
137KB

MD5
9b02b542834573f9502ca83719a73a01

SHA1
f3bc7cf16eec977772455f3fce87fed505fb18e3

SHA256
e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14

SHA512
290c7a5bfc921817d1803ddbe8dd07210301082498945bcabdb597368f92c6fc1050cefec514e6d250571cb4afd6427d8e4ab7cd15d7a46a44cb088cd4d1b031

Download Submit
C:\Users\Admin\Documents\andrianov.txt
Filesize
987B

MD5
8d31c8f9e4bb13c044a9825aee0cdfa3

SHA1
6ff267b0179f7ddebe46e8ba855b5e4d176a9bbb

SHA256
5aca5bd47a3fd4a211121870f0124245a87528da86b07cb1a0934566ba0349bf

SHA512
878a8b06a392000fba503bcd16766c75c53ea033746fd74da02a5bb3a91bf3b9701fb9c89a5eafc179909727c5e16ac21b293fb5de134770bf30db8ed3ae216a

Download Submit
memory/2660-7-0x00000000003D0000-0x00000000003F8000-memory.dmp

Filesize
160KB

Download
memory/2660-9-0x000007FEF6650000-0x000007FEF703C000-memory.dmp

Filesize
9.9MB

Download
memory/2660-10-0x000007FEF6650000-0x000007FEF703C000-memory.dmp

Filesize
9.9MB

Download
memory/2660-543-0x000007FEF6650000-0x000007FEF703C000-memory.dmp

Filesize
9.9MB

Download
memory/2836-0-0x000007FEF6653000-0x000007FEF6654000-memory.dmp

Filesize
4KB

Download
memory/2836-1-0x00000000001C0000-0x00000000001E8000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads