Resubmissions

09-08-2024 10:31

240809-mkfahatbrb 10

09-08-2024 01:01

240809-bdhaqsxdqf 10

09-08-2024 00:36

240809-ax6l1axbjf 10

Analysis

  • max time kernel
    105s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-08-2024 00:36

General

  • Target

    FridayBoycrazyV2.exe

  • Size

    280KB

  • MD5

    41e34a8240026b4e9cd8d81a73ee8b2c

  • SHA1

    3876b12e152dd552a7059538242b6f87a23e60f5

  • SHA256

    0ef2768bdfaa0b953a5c498f18bbf2df5dce249eaf2044474c476c4367c535b5

  • SHA512

    a7d610ee4f116121757f47193bf092b639cf2d439dcfa364ea800c28c0f21996fd8baa31c9abe68d2c18cc8f334c57f9d71c4e444a04a27d3b9cab90eecbba73

  • SSDEEP

    6144:1r93iyJ7/+WZT1kRnSeXSX9MNzxiMwP2OswK:iyJ7/+Wd1kRnFX4mNzxyeOswK

Malware Config

Extracted

Path

C:\Users\Admin\Documents\Warning.txt

Ransom Note
Your files has been encrypted By FridayBoycrazy and you won't be able to decrypt them without our help What can I do to get my files back You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer The price for the software is $100 Dollars can be made in Venmo Or Robux only Please Contact Us At Gmail: [email protected] Discord Username: fridayboycrazy Payment information Venmo Amount: $100 Robux Payment Information: 10,000 Paid Ransom: https://www.roblox.com/game-pass/887175972 Paid Ransom: https://venmo.com/u/gratefulcode
URLs

https://www.roblox.com/game-pass/887175972

https://venmo.com/u/gratefulcode

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 2 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 34 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\FridayBoycrazyV2.exe
    "C:\Users\Admin\AppData\Local\Temp\FridayBoycrazyV2.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1584
    • C:\Users\Admin\AppData\Roaming\FridayBoycrazy.exe
      "C:\Users\Admin\AppData\Roaming\FridayBoycrazy.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3280
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4060
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:3536
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4036
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1100
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:5076
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:3492
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1852
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:4304
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Warning.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        • Suspicious use of FindShellTrayWindow
        PID:4864
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1324
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1460
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:3212
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:4184
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault872d1b49h334ch400dh876eh10472a701102
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff9d15946f8,0x7ff9d1594708,0x7ff9d1594718
      2⤵
      PID:3816
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,8061071898754405986,9746501078015858838,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
      2⤵
      PID:1876
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1972,8061071898754405986,9746501078015858838,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3780
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1972,8061071898754405986,9746501078015858838,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
      2⤵
      PID:1332
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3612
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4992
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault3ea3b72bh8940h490cha4ach84018b93ea90
    1⤵
    PID:2940
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9d15946f8,0x7ff9d1594708,0x7ff9d1594718
      2⤵
      PID:2232
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,17525940462081175634,9685453890417262639,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
      2⤵
      PID:4120
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,17525940462081175634,9685453890417262639,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3408
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,17525940462081175634,9685453890417262639,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2580 /prefetch:8
      2⤵
      PID:4880
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
    1⤵
    • System Location Discovery: System Language Discovery
    PID:3208
  • C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Options_RunDLL 0
    1⤵
    PID:1300
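
The three cmd.exe chains spawned by FridayBoycrazy.exe above (vssadmin/wmic shadow-copy deletion, bcdedit recovery tampering, wbadmin catalog deletion) are the Inhibit System Recovery pattern, MITRE ATT&CK T1490. The Python below is an added detection example written for this page; it is not part of the sandbox report or of the sample. It replays constructed process-creation events modelled on the tree: PIDs, image paths and command lines are copied from the tree, parent PIDs are inferred from its nesting, and one benign `vssadmin list shadows` event (PID 7000) is invented as a negative control. Command lines are matched on their arguments, and every hit is attributed to its root ancestor so the three separate chains collapse into one alert on the original FridayBoycrazyV2.exe process rather than eight alerts on cmd.exe and its children. The rule and category names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed process-creation events (pid, ppid, image, command line) modelled on
# the process tree in this report.  PIDs, images and command lines are copied from
# the tree; parent PIDs are inferred from its nesting.  PID 7000 is an invented
# benign event that must NOT alert.
EVENTS: List[Tuple[int, int, str, str]] = [
    (1584, 0, r"C:\Users\Admin\AppData\Local\Temp\FridayBoycrazyV2.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\FridayBoycrazyV2.exe"'),
    (3280, 1584, r"C:\Users\Admin\AppData\Roaming\FridayBoycrazy.exe",
     r'"C:\Users\Admin\AppData\Roaming\FridayBoycrazy.exe"'),
    (4060, 3280, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete'),
    (3536, 4060, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    (4036, 4060, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    (1100, 3280, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no'),
    (5076, 1100, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    (3492, 1100, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    (1852, 3280, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet'),
    (4304, 1852, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    (4864, 3280, r"C:\Windows\system32\NOTEPAD.EXE",
     r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Warning.txt'),
    (7000, 0, r"C:\Windows\system32\vssadmin.exe", "vssadmin list shadows"),  # benign, constructed
]

# Argument-level patterns for the three recovery-inhibiting actions in the tree.
# Matching arguments rather than image names keeps "vssadmin list shadows" and
# routine bcdedit use out of the alert.  Rule and category names are ours.
RULES: Dict[str, Tuple[str, re.Pattern]] = {
    "vssadmin_delete_shadows": ("shadow_copies", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    "wmic_shadowcopy_delete": ("shadow_copies", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    "bcdedit_ignore_failures": ("boot_config", re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
    "bcdedit_recovery_off": ("boot_config", re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    "wbadmin_delete_catalog": ("backup_catalog", re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
}


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


def build_procs(events) -> Dict[int, Proc]:
    return {pid: Proc(pid, ppid, image, cmd) for pid, ppid, image, cmd in events}


def root_of(procs: Dict[int, Proc], pid: int) -> int:
    """Follow ppid links to the top-most ancestor we hold an event for.
    The visited set guards against PID reuse turning the chain into a cycle."""
    seen = set()
    while pid not in seen and procs[pid].ppid in procs:
        seen.add(pid)
        pid = procs[pid].ppid
    return pid


def match_rules(cmdline: str) -> Set[str]:
    return {name for name, (_, rx) in RULES.items() if rx.search(cmdline)}


def detect(events) -> Dict[int, dict]:
    """Group every recovery-inhibiting hit under its root ancestor.
    Returns {root_pid: {"image", "rules", "pids", "categories"}}."""
    procs = build_procs(events)
    findings: Dict[int, dict] = {}
    for p in procs.values():
        hits = match_rules(p.cmdline)
        if not hits:
            continue
        root = root_of(procs, p.pid)
        f = findings.setdefault(root, {"image": procs[root].image, "rules": set(),
                                       "pids": set(), "categories": set()})
        f["rules"] |= hits
        f["pids"].add(p.pid)
        f["categories"] |= {RULES[h][0] for h in hits}
    return findings


def severity(finding: dict) -> str:
    """All three recovery mechanisms attacked from one process tree is the full
    ransomware pattern; a single one on its own could be an admin script."""
    n = len(finding["categories"])
    return "critical" if n >= 3 else "high" if n == 2 else "medium"


if __name__ == "__main__":
    for root, f in detect(EVENTS).items():
        print(f"[{severity(f)}] T1490 Inhibit System Recovery, root pid {root} {f['image']}")
        print("  rules      :", ", ".join(sorted(f["rules"])))
        print("  child pids :", ", ".join(map(str, sorted(f["pids"]))))
```

Run stand-alone it prints a single critical finding rooted at PID 1584 (FridayBoycrazyV2.exe) covering all five rules and the eight cmd.exe/vssadmin/WMIC/bcdedit/wbadmin processes, and nothing for the benign `vssadmin list shadows` event. Attributing to the root ancestor is what makes the alert actionable: the process to kill and the binary to pull for analysis is the dropped FridayBoycrazy.exe and its parent, not cmd.exe.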

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 2783c40400a8912a79cfd383da731086
    SHA1: 001a131fe399c30973089e18358818090ca81789
    SHA256: 331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5
    SHA512: b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: ff63763eedb406987ced076e36ec9acf
    SHA1: 16365aa97cd1a115412f8ae436d5d4e9be5f7b5d
    SHA256: 8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c
    SHA512: ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 57baf3b5fe9445297a419c036d00595d
    SHA1: c5ac0bbf3b036a4a41626a7906a9e0ad27300b61
    SHA256: 37656691af81a1a6e1e5a828ac755beb107ee62e900500cc8777a57fbe9f2abc
    SHA512: 7ec555f1bdf46f0438bb857680216e4844e33d2a3f0ba46d74762c5d28f54f96891ef96ed95518fdf9f3baef2bc775d0a9e1f499b5580ead5ddb156c7a83d7b1

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
    Filesize: 347B
    MD5: 869170d667301f3a90acba4be546f0c4
    SHA1: b6598b172df93d5141ac41a6e7bd596ec0c83870
    SHA256: 69a478ea26bf5b0ddf0ebd68c6e6f0c03f75e79a336ed7a6df93e9b252570447
    SHA512: 41a4908cd715cfa5e239afe488929fedf2f3b66cd19f640a8b84f27a7618c6ab1f62204097b0c6388dacfb7d9cad7490c3bdea0ca4be6495e32897d9941c3945

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
    Filesize: 323B
    MD5: 601605ebf16029e6e33c1ae922ca2862
    SHA1: 6bbd11749f2945a3495096d048e9ef5c63a1957a
    SHA256: a827c43c43daa4da3844006d49084611d0a36ce93ded896b025abc168cdac0e2
    SHA512: 5e96aa781ada53668c65496b7d632ce06ee063899a7ef9e5c391b6b07e4e6e4c08535bff7342289e0314c56e75f66294ca7f7ec1b69a1666e39259f2ac6c4137

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
    Filesize: 11B
    MD5: 838a7b32aefb618130392bc7d006aa2e
    SHA1: 5159e0f18c9e68f0e75e2239875aa994847b8290
    SHA256: ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
    SHA512: 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 8KB
    MD5: 05b1851c76513ba720608940aadbda77
    SHA1: e79c8a5af680984be3914745d7548a74d8aa5c69
    SHA256: 998975bbf1482ed6793fbe2720e7441a5314446ba2fceaf2ee5d613ac26ff617
    SHA512: ba7476ae40322be3fcfb08b8b08f9426944a79e91c078fdaad282ae4838e9d1ac2407d0547c0f65aaa42546113efd3cd889d5f16b18846ce6ab4fa02e2e02266

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
    Filesize: 264KB
    MD5: f50f89a0a91564d0b8a211f8921aa7de
    SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
    SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
    SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

  • C:\Users\Admin\AppData\Roaming\FridayBoycrazy.exe
    Filesize: 280KB
    MD5: 41e34a8240026b4e9cd8d81a73ee8b2c
    SHA1: 3876b12e152dd552a7059538242b6f87a23e60f5
    SHA256: 0ef2768bdfaa0b953a5c498f18bbf2df5dce249eaf2044474c476c4367c535b5
    SHA512: a7d610ee4f116121757f47193bf092b639cf2d439dcfa364ea800c28c0f21996fd8baa31c9abe68d2c18cc8f334c57f9d71c4e444a04a27d3b9cab90eecbba73

  • C:\Users\Admin\Documents\Warning.txt
    Filesize: 642B
    MD5: 072e26ca8a9c9502061d1c3d9e3bbeaa
    SHA1: fe55bffddd0d415c293e8e926d302e3586212322
    SHA256: f7b22500b7a82a9446b635353aceecbdc205c9208eeb72c2e2c1b6d0a9a1bd62
    SHA512: 2bc83902a56df2a3178c3b59ad8014a08b282e60289123a10d9a4d643a604876e008e782a6c861bfd211580a5fdbb1bcf748c3197210d71dc18d8949c62d4610

  • memory/1584-0-0x00007FF9D8953000-0x00007FF9D8955000-memory.dmp
    Filesize: 8KB

  • memory/1584-1-0x00000000004B0000-0x00000000004FC000-memory.dmp
    Filesize: 304KB

  • memory/3280-503-0x00007FF9D8950000-0x00007FF9D9411000-memory.dmp
    Filesize: 10.8MB

  • memory/3280-502-0x00007FF9D8950000-0x00007FF9D9411000-memory.dmp
    Filesize: 10.8MB

  • memory/3280-22-0x00007FF9D8950000-0x00007FF9D9411000-memory.dmp
    Filesize: 10.8MB

  • memory/3280-14-0x00007FF9D8950000-0x00007FF9D9411000-memory.dmp
    Filesize: 10.8MB