Overview

overview

10

Static

static

10

438764714b...6d.exe

windows7-x64

10

438764714b...6d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-08-2024 00:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    438764714bb650393cdeba7bfa9e0ba039cd566fc35e4565dc2855d1e086f16d.exe

  • Size

    32KB

  • MD5

    aec65cd697c52926d76f888c0f1958b2

  • SHA1

    603b2537703cfc6c4addf8ef1480ce33601f6117

  • SHA256

    438764714bb650393cdeba7bfa9e0ba039cd566fc35e4565dc2855d1e086f16d

  • SHA512

    c1a5d23b5cd9b378a6031c6ca1bfe65da424bb60c9e404401ca139eee1a3e6f78fc1bae1f38e493ccd3fcaa7b905b6caab2a36d19648acf76e63874df48278a4

  • SSDEEP

    384:h3MLWHn3kI9a0JI8ITMpypoGroX3Jxr91CppZkM5hEM5eF:hn3kItJInTMpxMs5xr9OpZkM5hE2eF

Score
10/10
chaosdefense_evasionevasionexecutionimpactransomwarespywarestealer

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos
  • Chaos Ransomware 2 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 34 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\438764714bb650393cdeba7bfa9e0ba039cd566fc35e4565dc2855d1e086f16d.exe
    "C:\Users\Admin\AppData\Local\Temp\438764714bb650393cdeba7bfa9e0ba039cd566fc35e4565dc2855d1e086f16d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3360
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5076
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2992
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2148
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2388
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2072
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2940
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3696
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:2232
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:4880
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2644
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4464
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:4176
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:3892

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\svchost.exe
      Filesize

      32KB

      MD5

      aec65cd697c52926d76f888c0f1958b2

      SHA1

      603b2537703cfc6c4addf8ef1480ce33601f6117

      SHA256

      438764714bb650393cdeba7bfa9e0ba039cd566fc35e4565dc2855d1e086f16d

      SHA512

      c1a5d23b5cd9b378a6031c6ca1bfe65da424bb60c9e404401ca139eee1a3e6f78fc1bae1f38e493ccd3fcaa7b905b6caab2a36d19648acf76e63874df48278a4

      Download Submit

    • C:\Users\Admin\Desktop\read_it.txt
      Filesize

      6KB

      MD5

      fd2a0bdc9a576617d725d35784a6a824

      SHA1

      d08aed0fe2d1ace2a1bb466fb90826fc1e8d8e3b

      SHA256

      22ae9851e674f1b329ce25601e242406886c9000f51823ecddea9ec1b9276918

      SHA512

      20ebf1c2e225644b6a9577c9a07bb8e06edaf93729f8bc472b004b79a6b19f5c5d45b6f4f3a36d86a9354bf360b27ed118cba76596dcbe915c8ba28897ac6e77

      Download Submit

    • memory/2976-0-0x0000000000D80000-0x0000000000D8E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2976-1-0x00007FF973F33000-0x00007FF973F35000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3360-14-0x00007FF973F30000-0x00007FF9749F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3360-69-0x00007FF973F30000-0x00007FF9749F1000-memory.dmp

      Filesize

      10.8MB

      Download