Overview

overview

10

Static

static

10

084c57449c...0e.exe

windows7-x64

10

14b94844b9...c3.exe

windows7-x64

10

2daa514408...2e.exe

windows7-x64

10

2e6f094748...ec.exe

windows7-x64

2e96b55980...ea.exe

windows7-x64

1

34c392448f...ea.exe

windows7-x64

10

37d8add251...4c.exe

windows7-x64

10

3a72653053...59.exe

windows7-x64

10

49aca08f5b...24.exe

windows7-x64

10

4a2ad49c93...9f.exe

windows7-x64

3

5199b64b50...3c.exe

windows7-x64

55c30024ae...15.exe

windows7-x64

10

56f7b48f38...59.exe

windows7-x64

10

5a96b92938...a4.exe

windows7-x64

10

606b88fce1...c4.exe

windows7-x64

1

6bda9faf71...4b.exe

windows7-x64

10

71b46e95fb...a8.exe

windows7-x64

10

7d98972d5c...9c.exe

windows7-x64

9

87b9b910d5...cb.exe

windows7-x64

10

8958d7b8c5...e2.exe

windows7-x64

10

ab5be9e691...09.exe

windows7-x64

10

b228a698ee...c0.exe

windows7-x64

c864a70f78...1d.exe

windows7-x64

cfd5d9a4e6...f0.exe

windows7-x64

da6f543313...2e.exe

windows7-x64

6

e05323d9ca...62.exe

windows7-x64

1

e48bd2f16b...14.exe

windows7-x64

10

ecfb5c95d0...9d.exe

windows7-x64

10

f08c1c26d3...3f.exe

windows7-x64

6

f354148b5f...0f.exe

windows7-x64

6

f7caf7d69c...6a.exe

windows7-x64

10

fcb6844506...93.exe

windows7-x64

1

Analysis

  • max time kernel
    1558s
  • max time network
    1560s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    16-07-2024 08:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    49aca08f5b259860364fc224601a944aa17161bb1da688e24621038457472d24.exe

  • Size

    44KB

  • MD5

    7977bc8781a00875b4d465bc2a90d5d4

  • SHA1

    9f4b2858edcff694fee76636bf8cf33a366fc237

  • SHA256

    49aca08f5b259860364fc224601a944aa17161bb1da688e24621038457472d24

  • SHA512

    245d65b9301b759097cded2a2f078e4e41c7b68e303a71fccd465a6fa230b48e13e571c4e57e03710934a5e6b9536ed634e0edc502ba35433b02147760e5f05b

  • SSDEEP

    768:0AxEin+Z8W9KCZLhaY4m9lUOmMayPpfHlynRUhMgAA9dEmCJ:7xESW9KC1hxJ9lJPQLH

Score
10/10
chaosdefense_evasionevasionexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\لفك تشفير ملفات اضغط هنا

Family

chaos

Ransom Note
----> Chaos is multi language ransomware. Translate your note to any language <---- All of your files have been encrypted Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.What can I do to get my files back? Contact me to decrypt your files : https://t.me/+aZZ3tv3FBVM5ODk8
URLs

https://t.me/+aZZ3tv3FBVM5ODk8

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos
  • Chaos Ransomware 3 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Disables Task Manager via registry modification
    evasion
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\49aca08f5b259860364fc224601a944aa17161bb1da688e24621038457472d24.exe
    "C:\Users\Admin\AppData\Local\Temp\49aca08f5b259860364fc224601a944aa17161bb1da688e24621038457472d24.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Users\Admin\AppData\Roaming\windowsdefender.exe
      "C:\Users\Admin\AppData\Roaming\windowsdefender.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2108
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2832
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:3064
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2784
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2968
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2248
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2224
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3048
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:1728
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\لفك تشفير ملفات اضغط هنا
        3⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1712
        • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
          "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\لفك تشفير ملفات اضغط هنا"
          4⤵
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          PID:1340
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2672
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:752
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:2060
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
        PID:532
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\لفك تشفير ملفات اضغط هنا.txt
        1⤵
        • Suspicious use of FindShellTrayWindow
        PID:3068

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab
        Filesize

        1B

        MD5

        d1457b72c3fb323a2671125aef3eab5d

        SHA1

        5bab61eb53176449e25c2c82f172b82cb13ffb9d

        SHA256

        8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

        SHA512

        ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

        Download Submit

      • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\لفك تشفير ملفات اضغط هنا
        Filesize

        377B

        MD5

        3b8d73c95c31911b53b39895d1c2a588

        SHA1

        ca48d939e174ec33f27af1cb821517be10ac1b02

        SHA256

        4e258e6c04d087af311791d39279e6dc5656418e7dcdc08825a7356d0cfef5e8

        SHA512

        1ceadb0c5a49939346ebb782edb520c2e4d36c56be866495a51cedc1a02c216d9f005f430c4085855564331c715262c01a55296460f096f0927436595c879acb

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
        Filesize

        3KB

        MD5

        78018de436b0476722478edc44693d61

        SHA1

        a0cb88ce14b39210f0d9e8e86d567a614c5aaa2e

        SHA256

        372cc23e070df08c1ee2e88ea9101cd5db4db3cd94b0949c03812a278e148214

        SHA512

        650ebdb33d55f97de027c04b7a62d3b4ff7ab06fb675b1fa83c6a81323cdf1145b9a0b149dafa82564845fb0123c9908655879dc6679c26ed451ebf0701cadc8

        Download Submit

      • C:\Users\Admin\AppData\Roaming\windowsdefender.exe
        Filesize

        44KB

        MD5

        7977bc8781a00875b4d465bc2a90d5d4

        SHA1

        9f4b2858edcff694fee76636bf8cf33a366fc237

        SHA256

        49aca08f5b259860364fc224601a944aa17161bb1da688e24621038457472d24

        SHA512

        245d65b9301b759097cded2a2f078e4e41c7b68e303a71fccd465a6fa230b48e13e571c4e57e03710934a5e6b9536ed634e0edc502ba35433b02147760e5f05b

        Download Submit

      • memory/2108-7-0x00000000008F0000-0x0000000000902000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2108-8-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2108-19-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2108-1273-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2168-0-0x000007FEF5923000-0x000007FEF5924000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2168-1-0x0000000000D30000-0x0000000000D42000-memory.dmp

        Filesize

        72KB

        Download