chaos | f3bfcddc0c2f5a2842ee4cf114783a3ab3c44cde03892ed71b31ec2564cd2041

Analysis

max time kernel
137s
max time network
140s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
08-08-2024 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FridayBoycrazy123.exe
Size

279KB
MD5

8f34508c833a7f2d6bd306fbe5e90086
SHA1

d04dd0fca1c332112fa8261f55638e268ba941a9
SHA256

f3bfcddc0c2f5a2842ee4cf114783a3ab3c44cde03892ed71b31ec2564cd2041
SHA512

056b1ee68c9f9de9f5ec92d8a20fb01ba66d2cf2a61523ff492f6489c142dbcb81828f8b938a3f6dfb2dd2cc9b1ad245c495070b3a2250f410b81ca4381fb372
SSDEEP

6144:iFr9SiyJ7/+WZT1kRnSeXSX9MNzxiMwP2OswI:CyJ7/+Wd1kRnFX4mNzxyeOswI

Score

10^/10

chaos defense_evasion discovery evasion execution impact ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\Warning.txt

Ransom Note

Your files has been encrypted By FridayBoycrazy and you won't be able to decrypt them without our help What can I do to get my files back You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer The price for the software is $100 Dollars can be made in Venmo Or Robux only Please Contact Us At Gmail: [email protected] Discord Username: fridayboycrazy Payment information Venmo Amount: $100 Robux Payment Information: 10,000 Paid Ransom: https://www.roblox.com/game-pass/887175972 Paid Ransom: https://venmo.com/u/gratefulcode

Emails

[email protected]

URLs

https://www.roblox.com/game-pass/887175972

https://venmo.com/u/gratefulcode

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 2 IoCs

resource	yara_rule
behavioral1/memory/3264-1-0x00000000005A0000-0x00000000005EC000-memory.dmp	family_chaos
behavioral1/files/0x000300000002aa63-6.dat	family_chaos

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
4136	bcdedit.exe
2064	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4052	wbadmin.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Warning.txt	FridayBoycrazy.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FridayBoycrazy.url	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	FridayBoycrazy.exe

Executes dropped EXE 1 IoCs

pid	Process
3788	FridayBoycrazy.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 34 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Music\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	FridayBoycrazy.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1287768749-810021449-2672985988-1000\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	FridayBoycrazy.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dkhnbvw4e.jpg"	FridayBoycrazy.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
3332	vssadmin.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133675734551494707"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "253"	LogonUI.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings	FridayBoycrazy.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
1204	NOTEPAD.EXE
5568	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3788	FridayBoycrazy.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
3264	FridayBoycrazy123.exe
3264	FridayBoycrazy123.exe
3264	FridayBoycrazy123.exe
3264	FridayBoycrazy123.exe
3264	FridayBoycrazy123.exe
3264	FridayBoycrazy123.exe
3264	FridayBoycrazy123.exe
3264	FridayBoycrazy123.exe
3264	FridayBoycrazy123.exe
3264	FridayBoycrazy123.exe
3264	FridayBoycrazy123.exe
3264	FridayBoycrazy123.exe
3264	FridayBoycrazy123.exe
3264	FridayBoycrazy123.exe
3264	FridayBoycrazy123.exe
3264	FridayBoycrazy123.exe
3264	FridayBoycrazy123.exe
3264	FridayBoycrazy123.exe
3264	FridayBoycrazy123.exe
3788	FridayBoycrazy.exe
3788	FridayBoycrazy.exe
3788	FridayBoycrazy.exe
3788	FridayBoycrazy.exe
3788	FridayBoycrazy.exe
3788	FridayBoycrazy.exe
3788	FridayBoycrazy.exe
3788	FridayBoycrazy.exe
3788	FridayBoycrazy.exe
3788	FridayBoycrazy.exe
3788	FridayBoycrazy.exe
3788	FridayBoycrazy.exe
3788	FridayBoycrazy.exe
3788	FridayBoycrazy.exe
3788	FridayBoycrazy.exe
3788	FridayBoycrazy.exe
3788	FridayBoycrazy.exe
3788	FridayBoycrazy.exe
3788	FridayBoycrazy.exe
3788	FridayBoycrazy.exe
1772	chrome.exe
1772	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5432	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3264	FridayBoycrazy123.exe
Token: SeDebugPrivilege	3788	FridayBoycrazy.exe
Token: SeBackupPrivilege	1492	vssvc.exe
Token: SeRestorePrivilege	1492	vssvc.exe
Token: SeAuditPrivilege	1492	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3540	WMIC.exe
Token: SeSecurityPrivilege	3540	WMIC.exe
Token: SeTakeOwnershipPrivilege	3540	WMIC.exe
Token: SeLoadDriverPrivilege	3540	WMIC.exe
Token: SeSystemProfilePrivilege	3540	WMIC.exe
Token: SeSystemtimePrivilege	3540	WMIC.exe
Token: SeProfSingleProcessPrivilege	3540	WMIC.exe
Token: SeIncBasePriorityPrivilege	3540	WMIC.exe
Token: SeCreatePagefilePrivilege	3540	WMIC.exe
Token: SeBackupPrivilege	3540	WMIC.exe
Token: SeRestorePrivilege	3540	WMIC.exe
Token: SeShutdownPrivilege	3540	WMIC.exe
Token: SeDebugPrivilege	3540	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3540	WMIC.exe
Token: SeRemoteShutdownPrivilege	3540	WMIC.exe
Token: SeUndockPrivilege	3540	WMIC.exe
Token: SeManageVolumePrivilege	3540	WMIC.exe
Token: 33	3540	WMIC.exe
Token: 34	3540	WMIC.exe
Token: 35	3540	WMIC.exe
Token: 36	3540	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3540	WMIC.exe
Token: SeSecurityPrivilege	3540	WMIC.exe
Token: SeTakeOwnershipPrivilege	3540	WMIC.exe
Token: SeLoadDriverPrivilege	3540	WMIC.exe
Token: SeSystemProfilePrivilege	3540	WMIC.exe
Token: SeSystemtimePrivilege	3540	WMIC.exe
Token: SeProfSingleProcessPrivilege	3540	WMIC.exe
Token: SeIncBasePriorityPrivilege	3540	WMIC.exe
Token: SeCreatePagefilePrivilege	3540	WMIC.exe
Token: SeBackupPrivilege	3540	WMIC.exe
Token: SeRestorePrivilege	3540	WMIC.exe
Token: SeShutdownPrivilege	3540	WMIC.exe
Token: SeDebugPrivilege	3540	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3540	WMIC.exe
Token: SeRemoteShutdownPrivilege	3540	WMIC.exe
Token: SeUndockPrivilege	3540	WMIC.exe
Token: SeManageVolumePrivilege	3540	WMIC.exe
Token: 33	3540	WMIC.exe
Token: 34	3540	WMIC.exe
Token: 35	3540	WMIC.exe
Token: 36	3540	WMIC.exe
Token: SeBackupPrivilege	4860	wbengine.exe
Token: SeRestorePrivilege	4860	wbengine.exe
Token: SeSecurityPrivilege	4860	wbengine.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
832	MiniSearchHost.exe
5432	OpenWith.exe
5432	OpenWith.exe
5432	OpenWith.exe
5432	OpenWith.exe
5432	OpenWith.exe
5432	OpenWith.exe
5432	OpenWith.exe
2432	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3264 wrote to memory of 3788	3264	FridayBoycrazy123.exe	88
PID 3264 wrote to memory of 3788	3264	FridayBoycrazy123.exe	88
PID 3788 wrote to memory of 3168	3788	FridayBoycrazy.exe	89
PID 3788 wrote to memory of 3168	3788	FridayBoycrazy.exe	89
PID 3168 wrote to memory of 3332	3168	cmd.exe	91
PID 3168 wrote to memory of 3332	3168	cmd.exe	91
PID 3168 wrote to memory of 3540	3168	cmd.exe	94
PID 3168 wrote to memory of 3540	3168	cmd.exe	94
PID 3788 wrote to memory of 4788	3788	FridayBoycrazy.exe	96
PID 3788 wrote to memory of 4788	3788	FridayBoycrazy.exe	96
PID 4788 wrote to memory of 4136	4788	cmd.exe	98
PID 4788 wrote to memory of 4136	4788	cmd.exe	98
PID 4788 wrote to memory of 2064	4788	cmd.exe	99
PID 4788 wrote to memory of 2064	4788	cmd.exe	99
PID 3788 wrote to memory of 1584	3788	FridayBoycrazy.exe	100
PID 3788 wrote to memory of 1584	3788	FridayBoycrazy.exe	100
PID 1584 wrote to memory of 4052	1584	cmd.exe	102
PID 1584 wrote to memory of 4052	1584	cmd.exe	102
PID 3788 wrote to memory of 1204	3788	FridayBoycrazy.exe	107
PID 3788 wrote to memory of 1204	3788	FridayBoycrazy.exe	107
PID 1772 wrote to memory of 1044	1772	chrome.exe	112
PID 1772 wrote to memory of 1044	1772	chrome.exe	112
PID 1772 wrote to memory of 1112	1772	chrome.exe	113
PID 1772 wrote to memory of 1112	1772	chrome.exe	113
PID 1772 wrote to memory of 1112	1772	chrome.exe	113
PID 1772 wrote to memory of 1112	1772	chrome.exe	113
PID 1772 wrote to memory of 1112	1772	chrome.exe	113
PID 1772 wrote to memory of 1112	1772	chrome.exe	113
PID 1772 wrote to memory of 1112	1772	chrome.exe	113
PID 1772 wrote to memory of 1112	1772	chrome.exe	113
PID 1772 wrote to memory of 1112	1772	chrome.exe	113
PID 1772 wrote to memory of 1112	1772	chrome.exe	113
PID 1772 wrote to memory of 1112	1772	chrome.exe	113
PID 1772 wrote to memory of 1112	1772	chrome.exe	113
PID 1772 wrote to memory of 1112	1772	chrome.exe	113
PID 1772 wrote to memory of 1112	1772	chrome.exe	113
PID 1772 wrote to memory of 1112	1772	chrome.exe	113
PID 1772 wrote to memory of 1112	1772	chrome.exe	113
PID 1772 wrote to memory of 1112	1772	chrome.exe	113
PID 1772 wrote to memory of 1112	1772	chrome.exe	113
PID 1772 wrote to memory of 1112	1772	chrome.exe	113
PID 1772 wrote to memory of 1112	1772	chrome.exe	113
PID 1772 wrote to memory of 1112	1772	chrome.exe	113
PID 1772 wrote to memory of 1112	1772	chrome.exe	113
PID 1772 wrote to memory of 1112	1772	chrome.exe	113
PID 1772 wrote to memory of 1112	1772	chrome.exe	113
PID 1772 wrote to memory of 1112	1772	chrome.exe	113
PID 1772 wrote to memory of 1112	1772	chrome.exe	113
PID 1772 wrote to memory of 1112	1772	chrome.exe	113
PID 1772 wrote to memory of 1112	1772	chrome.exe	113
PID 1772 wrote to memory of 1112	1772	chrome.exe	113
PID 1772 wrote to memory of 1112	1772	chrome.exe	113
PID 1772 wrote to memory of 4928	1772	chrome.exe	114
PID 1772 wrote to memory of 4928	1772	chrome.exe	114
PID 1772 wrote to memory of 4988	1772	chrome.exe	115
PID 1772 wrote to memory of 4988	1772	chrome.exe	115
PID 1772 wrote to memory of 4988	1772	chrome.exe	115
PID 1772 wrote to memory of 4988	1772	chrome.exe	115
PID 1772 wrote to memory of 4988	1772	chrome.exe	115
PID 1772 wrote to memory of 4988	1772	chrome.exe	115
PID 1772 wrote to memory of 4988	1772	chrome.exe	115
PID 1772 wrote to memory of 4988	1772	chrome.exe	115
PID 1772 wrote to memory of 4988	1772	chrome.exe	115
PID 1772 wrote to memory of 4988	1772	chrome.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\FridayBoycrazy123.exe
"C:\Users\Admin\AppData\Local\Temp\FridayBoycrazy123.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Users\Admin\AppData\Roaming\FridayBoycrazy.exe
  "C:\Users\Admin\AppData\Roaming\FridayBoycrazy.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3788
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3168
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:3332
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3540
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4788
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:4136
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2064
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:4052
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Warning.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1204

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4840

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:5108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd8c8cc40,0x7ffcd8c8cc4c,0x7ffcd8c8cc58
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,2351804468392713987,1811780068859991501,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1888 /prefetch:2
  2⤵
  PID:1112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1792,i,2351804468392713987,1811780068859991501,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2072 /prefetch:3
  2⤵
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2176,i,2351804468392713987,1811780068859991501,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2204 /prefetch:8
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,2351804468392713987,1811780068859991501,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,2351804468392713987,1811780068859991501,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:3480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3528,i,2351804468392713987,1811780068859991501,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4368 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4744,i,2351804468392713987,1811780068859991501,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  PID:1232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4856,i,2351804468392713987,1811780068859991501,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  PID:3040

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1868

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:832

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6132

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5432

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Warning.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:5568

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3943055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1dbcd09f4ed19537221da2315221aa20

SHA1
f0b5e0bdae2f6c16defee0149d642de7a106aa6f

SHA256
5e156e37504a0946cf0d3eaddb17c6f6af9a0c5dbee6cf062b56dd029c3c2262

SHA512
17d855fe156ddcb9b175079932e1315b57faa33f4b1fbb3de278d3ac06ce2ce24c8ffe0da5a343077325528b2f2456f6cee3ea826aca0c968d5f43b9994ace06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
57b635704ac2ceb014b22a25c817eebc

SHA1
1726acb8ba1bc5e817d6af80dd73a68a2fd04fb3

SHA256
7d185f55200a61968c437ba5c6503f124eb9f6ba552a130405f9c8de3b33ac36

SHA512
ec5bde5bd0a8f43e100a327742efc0017e0615a5bcf5090254eb6bcf0c09bb937511133c39166d34ebf7d7e23299da5b8e90fced977c2a26f023d12c35d51a59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
5710f09478ccd44ce7b6e0c610e86783

SHA1
5a37f6095d4827c37be057cd178284596e637695

SHA256
e4a1e0655b72c4307b27d7ae88f9dc3069bcb0bfe10490a7b4ae4f822f7798f9

SHA512
f8df20be6a748913eb285d02693542f0427c79ac166d50d989f913a3b2fa1299658b5eb5c0ac6290d2e16081c391a9717f61b7ff71b1e97f0802f530f272fc3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
eaaf31fa1ee6cf0bf2b6baaf07460c54

SHA1
b6a9b613b80ba533c5199be7868cc7c6f2b02c45

SHA256
732d83164962e3b8013ecd0200084009c6f2c193dd55269f83ded0e3bd58b93b

SHA512
1b4b31babbf4d96b2762c2be0de1b6d98bd48da583bfb13970f39c43db0c90f082db49cb6b7ad7b0db080f9b3aa6031a1b5b950bd93c8a66a6865b3aa9839f92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
193KB

MD5
b469ea3f1c511e57853411eb444a2261

SHA1
508e062159f4df7be96ebc708bdb1e24eb1295e5

SHA256
8788020721d0ce33526ee8632b4129eb52361fb8350e1b2bce78ac117fb753e0

SHA512
a9defb16c552167731532cef9b8e73defa133ac5480ba6f2888f3e9b55a43da32da69e90912da7e544ca10844e7740df088b54a8716a437d06d025a30adc7fe6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
193KB

MD5
4233c0e5267538ce75a0d13b274e0a3f

SHA1
e5a07533c16607724ae80e66963a1376e4035fbe

SHA256
bd04cdc53763f20182002eaf88f4506b0e6c96f79c7e6c46ae42e7fdac68076e

SHA512
221e731b1f94d84c318b5680347f72449e0f754abe124d3dd16243ff048f5f6736802e0627e022ecb6c3c17a57a5a81ecfe5b8217331293be664053d1fe658e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
a73ea6e1db27acedbe4055c448f82ef7

SHA1
01769a266d26c4b4b374099606e86b8874ddd55f

SHA256
c3059c62596021e555ec7901361fcde75078ad931bcac6027539930bef8b77d9

SHA512
f9cfe99077e40ac3ff11ab39020d6e159ec06cf50f9b1d156858198d48851d29de8882a18609a17dd30ddea421c6c415683b8d7b14fa30a51ddd1cd76032deb4

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
c08cda8b30daf0f971ed3fca378d480d

SHA1
8c0a3593ff62ec10f1c6e88d448eb8e23aaf7662

SHA256
1af0cf8b1e5f3299794832e511471afa6fcd4a10987464a7c043285cd49f0c58

SHA512
3cae2439b79bc45a0e233e9178224eba4164e535f7b94dbc02d703db37513c73c4ea6cb94cd2f37b2c5e3c37f807555c51bb7902679db2538c3f16a9db1114a2

Download Submit
C:\Users\Admin\AppData\Roaming\FridayBoycrazy.exe

Filesize
279KB

MD5
8f34508c833a7f2d6bd306fbe5e90086

SHA1
d04dd0fca1c332112fa8261f55638e268ba941a9

SHA256
f3bfcddc0c2f5a2842ee4cf114783a3ab3c44cde03892ed71b31ec2564cd2041

SHA512
056b1ee68c9f9de9f5ec92d8a20fb01ba66d2cf2a61523ff492f6489c142dbcb81828f8b938a3f6dfb2dd2cc9b1ad245c495070b3a2250f410b81ca4381fb372

Download Submit
C:\Users\Admin\Desktop\Warning.txt

Filesize
642B

MD5
072e26ca8a9c9502061d1c3d9e3bbeaa

SHA1
fe55bffddd0d415c293e8e926d302e3586212322

SHA256
f7b22500b7a82a9446b635353aceecbdc205c9208eeb72c2e2c1b6d0a9a1bd62

SHA512
2bc83902a56df2a3178c3b59ad8014a08b282e60289123a10d9a4d643a604876e008e782a6c861bfd211580a5fdbb1bcf748c3197210d71dc18d8949c62d4610

Download Submit
memory/3264-0-0x00007FFCDE753000-0x00007FFCDE755000-memory.dmp

Filesize
8KB

Download
memory/3264-1-0x00000000005A0000-0x00000000005EC000-memory.dmp

Filesize
304KB

Download
memory/3788-122-0x00007FFCDE750000-0x00007FFCDF212000-memory.dmp

Filesize
10.8MB

Download
memory/3788-14-0x00007FFCDE750000-0x00007FFCDF212000-memory.dmp

Filesize
10.8MB

Download
memory/3788-71-0x00007FFCDE750000-0x00007FFCDF212000-memory.dmp

Filesize
10.8MB

Download
memory/3788-216-0x00007FFCDE750000-0x00007FFCDF212000-memory.dmp

Filesize
10.8MB

Download
memory/3788-231-0x00007FFCDE750000-0x00007FFCDF212000-memory.dmp

Filesize
10.8MB

Download