Analysis

  • max time kernel
    123s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-07-2024 18:49

General

  • Target

    rizzler.exe

  • Size

    348KB

  • MD5

    fc031cdd7fe84e5221305c87e6375e13

  • SHA1

    57f0e3cd6bf5dc09fbaacd0d9fcb7bf35af8eed7

  • SHA256

    1e93d49cb048b0bf26ddd4cf728fc9e7900b33222de596140cac44dc41bc14f4

  • SHA512

    67f4094e826d990e26de3e0770ad7eb87046dc6fefdc1278ebe0995b5e33282dc05b025f9b49aafedcaca491f563f48963be559456c1fe1b6e401250e8659546

  • SSDEEP

    6144:Ic9HqFqv+GIIIIIIIhIIIIIIIIIIIIIIIU:7qkQ

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 2 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (206) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 64 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 41 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\rizzler.exe
    "C:\Users\Admin\AppData\Local\Temp\rizzler.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:944
    • C:\Users\Admin\AppData\Roaming\rizz.exe
      "C:\Users\Admin\AppData\Roaming\rizz.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1016
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2868
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2328
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:720
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3136
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:3520
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:3632
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2480
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:4264
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\README.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:3108
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4888
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:660
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:4864
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:228

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rizzler.exe.log

      Filesize

      226B

      MD5

      28d7fcc2b910da5e67ebb99451a5f598

      SHA1

      a5bf77a53eda1208f4f37d09d82da0b9915a6747

      SHA256

      2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c

      SHA512

      2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

    • C:\Users\Admin\AppData\Local\README.txt

      Filesize

      86B

      MD5

      112b5f9570b63d4b6dd4fd5e592f20af

      SHA1

      bcb355601f10844d84c6ea910ff1d8b983d43041

      SHA256

      37dee262da5bb8982909a2d9a13804d14e0477edc90363221603d4ca152218c9

      SHA512

      83619661aa20224c847330e3e79c74ae1554692054c7189efdff1d1c89e86b6f85f6927fde0db628bd4727e5ae44e80caf1d370f9923a4e822463fcf426f5f65

    • C:\Users\Admin\AppData\Roaming\MountShow.wav

      Filesize

      1B

      MD5

      d1457b72c3fb323a2671125aef3eab5d

      SHA1

      5bab61eb53176449e25c2c82f172b82cb13ffb9d

      SHA256

      8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

      SHA512

      ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

    • C:\Users\Admin\AppData\Roaming\rizz.exe

      Filesize

      348KB

      MD5

      fc031cdd7fe84e5221305c87e6375e13

      SHA1

      57f0e3cd6bf5dc09fbaacd0d9fcb7bf35af8eed7

      SHA256

      1e93d49cb048b0bf26ddd4cf728fc9e7900b33222de596140cac44dc41bc14f4

      SHA512

      67f4094e826d990e26de3e0770ad7eb87046dc6fefdc1278ebe0995b5e33282dc05b025f9b49aafedcaca491f563f48963be559456c1fe1b6e401250e8659546

    • memory/944-0-0x00000000000B0000-0x000000000010E000-memory.dmp

      Filesize

      376KB

    • memory/944-1-0x00007FFFD4733000-0x00007FFFD4735000-memory.dmp

      Filesize

      8KB

    • memory/1016-14-0x00007FFFD4730000-0x00007FFFD51F1000-memory.dmp

      Filesize

      10.8MB

    • memory/1016-52-0x00007FFFD4730000-0x00007FFFD51F1000-memory.dmp

      Filesize

      10.8MB

    • memory/1016-1283-0x00007FFFD4730000-0x00007FFFD51F1000-memory.dmp

      Filesize

      10.8MB