chaos | ca69a391adb4ff9a5a8ea9eb892cc610d88ecea1b495dfa4caf727c60dc8262c

Analysis

max time kernel
119s
max time network
129s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca69a391adb4ff9a5a8ea9eb892cc610d88ecea1b495dfa4caf727c60dc8262c.exe
Size

18.5MB
MD5

59e4c8cd9cd8b169a7f7a1dfc6c5bffc
SHA1

a6465ab1188bbcfe23c3c81ed4c023235855f05a
SHA256

ca69a391adb4ff9a5a8ea9eb892cc610d88ecea1b495dfa4caf727c60dc8262c
SHA512

67851f5d64a23291a2b158b589dfc4901da5b7b657a6c381293b3b16d0f65b30f3795e1493d898c924b136b9906a2952887908f1d9c1daf17cded640dffde8ba
SSDEEP

393216:xLzGo9tdxASne3v0i6E9+3rE0PmtF0CwJcYHJPDl+XFJ1a3MObmrrCq21t1:MFSe/eE9+40PjN6Ypx+Xs3MOQ

Score

10^/10

chaos defense_evasion discovery evasion execution impact persistence pyinstaller ransomware spyware stealer

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015d9a-14.dat	family_chaos
behavioral1/memory/2284-62-0x0000000000C90000-0x0000000000DF0000-memory.dmp	family_chaos
behavioral1/memory/796-168-0x0000000000D60000-0x0000000000EC0000-memory.dmp	family_chaos

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1528	bcdedit.exe
1888	bcdedit.exe

Renames multiple (176) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
684	wbadmin.exe

Disables Task Manager via registry modification
evasion

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Console Window Host.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt	Console Window Host.exe

Executes dropped EXE 4 IoCs

pid	Process
1724	Mai.exe
2284	Main.exe
1796	Mai.exe
796	Console Window Host.exe

Loads dropped DLL 11 IoCs

pid	Process
2896	ca69a391adb4ff9a5a8ea9eb892cc610d88ecea1b495dfa4caf727c60dc8262c.exe
2896	ca69a391adb4ff9a5a8ea9eb892cc610d88ecea1b495dfa4caf727c60dc8262c.exe
1724	Mai.exe
1796	Mai.exe
1796	Mai.exe
1796	Mai.exe
1796	Mai.exe
1796	Mai.exe
1796	Mai.exe
1796	Mai.exe
1196	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateTask = "C:\\Users\\Admin\\AppData\\Roaming\\Console Window Host.exe"	Console Window Host.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8O71085\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Public\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\3W44XPEP\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6GFIGH6G\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\L7XNHY48\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	Console Window Host.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\GY8QW6M2\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\GKATPXW1\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\75GKCLJR\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GUJ7UW2N\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	Console Window Host.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Console Window Host.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\st90dkpk9.jpg"	Console Window Host.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000700000001211a-5.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca69a391adb4ff9a5a8ea9eb892cc610d88ecea1b495dfa4caf727c60dc8262c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
576	vssadmin.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1692	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2284	Main.exe
796	Console Window Host.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3012	powershell.exe
2284	Main.exe
2284	Main.exe
2284	Main.exe
796	Console Window Host.exe
796	Console Window Host.exe
796	Console Window Host.exe
796	Console Window Host.exe
796	Console Window Host.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	2284	Main.exe
Token: SeDebugPrivilege	796	Console Window Host.exe
Token: SeBackupPrivilege	1076	vssvc.exe
Token: SeRestorePrivilege	1076	vssvc.exe
Token: SeAuditPrivilege	1076	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2140	WMIC.exe
Token: SeSecurityPrivilege	2140	WMIC.exe
Token: SeTakeOwnershipPrivilege	2140	WMIC.exe
Token: SeLoadDriverPrivilege	2140	WMIC.exe
Token: SeSystemProfilePrivilege	2140	WMIC.exe
Token: SeSystemtimePrivilege	2140	WMIC.exe
Token: SeProfSingleProcessPrivilege	2140	WMIC.exe
Token: SeIncBasePriorityPrivilege	2140	WMIC.exe
Token: SeCreatePagefilePrivilege	2140	WMIC.exe
Token: SeBackupPrivilege	2140	WMIC.exe
Token: SeRestorePrivilege	2140	WMIC.exe
Token: SeShutdownPrivilege	2140	WMIC.exe
Token: SeDebugPrivilege	2140	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2140	WMIC.exe
Token: SeRemoteShutdownPrivilege	2140	WMIC.exe
Token: SeUndockPrivilege	2140	WMIC.exe
Token: SeManageVolumePrivilege	2140	WMIC.exe
Token: 33	2140	WMIC.exe
Token: 34	2140	WMIC.exe
Token: 35	2140	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2140	WMIC.exe
Token: SeSecurityPrivilege	2140	WMIC.exe
Token: SeTakeOwnershipPrivilege	2140	WMIC.exe
Token: SeLoadDriverPrivilege	2140	WMIC.exe
Token: SeSystemProfilePrivilege	2140	WMIC.exe
Token: SeSystemtimePrivilege	2140	WMIC.exe
Token: SeProfSingleProcessPrivilege	2140	WMIC.exe
Token: SeIncBasePriorityPrivilege	2140	WMIC.exe
Token: SeCreatePagefilePrivilege	2140	WMIC.exe
Token: SeBackupPrivilege	2140	WMIC.exe
Token: SeRestorePrivilege	2140	WMIC.exe
Token: SeShutdownPrivilege	2140	WMIC.exe
Token: SeDebugPrivilege	2140	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2140	WMIC.exe
Token: SeRemoteShutdownPrivilege	2140	WMIC.exe
Token: SeUndockPrivilege	2140	WMIC.exe
Token: SeManageVolumePrivilege	2140	WMIC.exe
Token: 33	2140	WMIC.exe
Token: 34	2140	WMIC.exe
Token: 35	2140	WMIC.exe
Token: SeBackupPrivilege	1380	wbengine.exe
Token: SeRestorePrivilege	1380	wbengine.exe
Token: SeSecurityPrivilege	1380	wbengine.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 3012	2896	ca69a391adb4ff9a5a8ea9eb892cc610d88ecea1b495dfa4caf727c60dc8262c.exe	28
PID 2896 wrote to memory of 3012	2896	ca69a391adb4ff9a5a8ea9eb892cc610d88ecea1b495dfa4caf727c60dc8262c.exe	28
PID 2896 wrote to memory of 3012	2896	ca69a391adb4ff9a5a8ea9eb892cc610d88ecea1b495dfa4caf727c60dc8262c.exe	28
PID 2896 wrote to memory of 3012	2896	ca69a391adb4ff9a5a8ea9eb892cc610d88ecea1b495dfa4caf727c60dc8262c.exe	28
PID 2896 wrote to memory of 1724	2896	ca69a391adb4ff9a5a8ea9eb892cc610d88ecea1b495dfa4caf727c60dc8262c.exe	30
PID 2896 wrote to memory of 1724	2896	ca69a391adb4ff9a5a8ea9eb892cc610d88ecea1b495dfa4caf727c60dc8262c.exe	30
PID 2896 wrote to memory of 1724	2896	ca69a391adb4ff9a5a8ea9eb892cc610d88ecea1b495dfa4caf727c60dc8262c.exe	30
PID 2896 wrote to memory of 1724	2896	ca69a391adb4ff9a5a8ea9eb892cc610d88ecea1b495dfa4caf727c60dc8262c.exe	30
PID 2896 wrote to memory of 2284	2896	ca69a391adb4ff9a5a8ea9eb892cc610d88ecea1b495dfa4caf727c60dc8262c.exe	31
PID 2896 wrote to memory of 2284	2896	ca69a391adb4ff9a5a8ea9eb892cc610d88ecea1b495dfa4caf727c60dc8262c.exe	31
PID 2896 wrote to memory of 2284	2896	ca69a391adb4ff9a5a8ea9eb892cc610d88ecea1b495dfa4caf727c60dc8262c.exe	31
PID 2896 wrote to memory of 2284	2896	ca69a391adb4ff9a5a8ea9eb892cc610d88ecea1b495dfa4caf727c60dc8262c.exe	31
PID 1724 wrote to memory of 1796	1724	Mai.exe	32
PID 1724 wrote to memory of 1796	1724	Mai.exe	32
PID 1724 wrote to memory of 1796	1724	Mai.exe	32
PID 2284 wrote to memory of 796	2284	Main.exe	33
PID 2284 wrote to memory of 796	2284	Main.exe	33
PID 2284 wrote to memory of 796	2284	Main.exe	33
PID 796 wrote to memory of 1316	796	Console Window Host.exe	34
PID 796 wrote to memory of 1316	796	Console Window Host.exe	34
PID 796 wrote to memory of 1316	796	Console Window Host.exe	34
PID 1316 wrote to memory of 576	1316	cmd.exe	36
PID 1316 wrote to memory of 576	1316	cmd.exe	36
PID 1316 wrote to memory of 576	1316	cmd.exe	36
PID 1316 wrote to memory of 2140	1316	cmd.exe	39
PID 1316 wrote to memory of 2140	1316	cmd.exe	39
PID 1316 wrote to memory of 2140	1316	cmd.exe	39
PID 796 wrote to memory of 1476	796	Console Window Host.exe	41
PID 796 wrote to memory of 1476	796	Console Window Host.exe	41
PID 796 wrote to memory of 1476	796	Console Window Host.exe	41
PID 1476 wrote to memory of 1528	1476	cmd.exe	43
PID 1476 wrote to memory of 1528	1476	cmd.exe	43
PID 1476 wrote to memory of 1528	1476	cmd.exe	43
PID 1476 wrote to memory of 1888	1476	cmd.exe	44
PID 1476 wrote to memory of 1888	1476	cmd.exe	44
PID 1476 wrote to memory of 1888	1476	cmd.exe	44
PID 796 wrote to memory of 2340	796	Console Window Host.exe	45
PID 796 wrote to memory of 2340	796	Console Window Host.exe	45
PID 796 wrote to memory of 2340	796	Console Window Host.exe	45
PID 2340 wrote to memory of 684	2340	cmd.exe	47
PID 2340 wrote to memory of 684	2340	cmd.exe	47
PID 2340 wrote to memory of 684	2340	cmd.exe	47
PID 796 wrote to memory of 1692	796	Console Window Host.exe	54
PID 796 wrote to memory of 1692	796	Console Window Host.exe	54
PID 796 wrote to memory of 1692	796	Console Window Host.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ca69a391adb4ff9a5a8ea9eb892cc610d88ecea1b495dfa4caf727c60dc8262c.exe
"C:\Users\Admin\AppData\Local\Temp\ca69a391adb4ff9a5a8ea9eb892cc610d88ecea1b495dfa4caf727c60dc8262c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAcgB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHEAZQBoACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAdQBqACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3012
- C:\Users\Admin\AppData\Local\Temp\Mai.exe
  "C:\Users\Admin\AppData\Local\Temp\Mai.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Users\Admin\AppData\Local\Temp\Mai.exe
    "C:\Users\Admin\AppData\Local\Temp\Mai.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1796
- C:\Users\Admin\AppData\Local\Temp\Main.exe
  "C:\Users\Admin\AppData\Local\Temp\Main.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Users\Admin\AppData\Roaming\Console Window Host.exe
    "C:\Users\Admin\AppData\Roaming\Console Window Host.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:796
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1316
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:576
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1476
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1528
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled no
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1888
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2340
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete catalog -quiet
        5⤵
        Deletes backup catalog
        
        PID:684
  - - C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
      4⤵
      Opens file in notepad (likely ransom note)
      PID:1692

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2204

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Updater6\read_it.txt

Filesize
468B

MD5
b121e0a004dfdb88f8a4510c80b7f83f

SHA1
18093168d152dcaa106e6f530b823775ff387a07

SHA256
d4c7ad2283dfdbbebc7facff67c9d562088798349c47e0f6b768cc3a60e13155

SHA512
fb64344240974918cfc7c78f4d228616b2c338982d474b6d6da43daf04d616ce3b936e5b444d7ec1d0f1e790cc299a3da93cb8077f37481289de2f17ba638456

Download Submit
C:\Users\Admin\AppData\Local\Temp\Main.exe

Filesize
1.3MB

MD5
f55de5b6c0d9f50f0c60f756f7fe95d8

SHA1
560065e8fbc3eb7743c74d3300d73db16141fd1f

SHA256
8ae1d9e815abc504d01b48ecf21e4133b34b4b3e4a0e93804f44f8a9b328bd5d

SHA512
33c156038453ebd119236141236fd91e826871cd9c683d8de1b632dd78fee2e429bb922925540d387393aebbb24724d56ce37d62c0688a85d442f088fc288d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17242\api-ms-win-core-file-l1-2-0.dll

Filesize
12KB

MD5
49e3260ae3f973608f4d4701eb97eb95

SHA1
097e7d56c3514a3c7dc17a9c54a8782c6d6c0a27

SHA256
476fbad616e20312efc943927ade1a830438a6bebb1dd1f83d2370e5343ea7af

SHA512
df22cf16490faa0dc809129ca32eaf1a16ec665f9c5411503ce0153270de038e5d3be1e0e49879a67043a688f6c42bdb5a9a6b3cea43bf533eba087e999be653

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17242\api-ms-win-core-file-l2-1-0.dll

Filesize
12KB

MD5
7f14fd0436c066a8b40e66386ceb55d0

SHA1
288c020fb12a4d8c65ed22a364b5eb8f4126a958

SHA256
c78eab8e057bddd55f998e72d8fdf5b53d9e9c8f67c8b404258e198eb2cdcf24

SHA512
d04adc52ee0ceed4131eb1d133bfe9a66cbc0f88900270b596116064480afe6ae6ca42feb0eaed54cb141987f2d7716bb2dae947a025014d05d7aa0b0821dc50

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17242\api-ms-win-core-localization-l1-2-0.dll

Filesize
15KB

MD5
71457fd15de9e0b3ad83b4656cad2870

SHA1
c9c2caf4f9e87d32a93a52508561b4595617f09f

SHA256
db970725b36cc78ef2e756ff4b42db7b5b771bfd9d106486322cf037115bd911

SHA512
a10fcf1d7637effff0ae3e3b4291d54cc7444d985491e82b3f4e559fbb0dbb3b6231a8c689ff240a5036a7acae47421cda58aaa6938374d4b84893cce0077bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17242\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
13KB

MD5
e93816c04327730d41224e7a1ba6dc51

SHA1
3f83b9fc6291146e58afce5b5447cd6d2f32f749

SHA256
ca06ccf12927ca52d8827b3a36b23b6389c4c6d4706345e2d70b895b79ff2ec8

SHA512
beaab5a12bfc4498cdf67d8b560ef0b0e2451c5f4634b6c5780a857666fd14f8a379f42e38be1beefa1c3578b2df913d901b271719ac6794bfaab0731bb77bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17242\api-ms-win-core-timezone-l1-1-0.dll

Filesize
13KB

MD5
acf40d5e6799231cf7e4026bad0c50a0

SHA1
8f0395b7e7d2aac02130f47b23b50d1eab87466b

SHA256
64b5b95fe56b6df4c2d47d771bec32bd89267605df736e08c1249b802d6d48d1

SHA512
f66a61e89231b6dc95b26d97f5647da42400bc809f70789b9afc00a42b94ea3487913860b69a1b0ee59ed5eb62c3a0cade9e21f95da35fdd42d8ce51c5507632

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17242\base_library.zip

Filesize
1.4MB

MD5
611f3f285525f3c3354fd199140283a2

SHA1
8a0cf2dd234b0551e193c43f085115d5f0139620

SHA256
fe8ddb060df80f828b35d3ecae62a73d3105b493818385485f9428d7c6aad8e9

SHA512
bcb0d0c9816a266ac77e65476c18d3334f81114f1716c102a31d66a0098c483c6ecb712eb0967b920f15254ef6954e936a9d6d0ad33e7810fab6d06790ffba76

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17242\cryptography-42.0.0.dist-info\top_level.txt

Filesize
13B

MD5
e7274bd06ff93210298e7117d11ea631

SHA1
7132c9ec1fd99924d658cc672f3afe98afefab8a

SHA256
28d693f929f62b8bb135a11b7ba9987439f7a960cc969e32f8cb567c1ef79c97

SHA512
aa6021c4e60a6382630bebc1e16944f9b312359d645fc61219e9a3f19d876fd600e07dca6932dcd7a1e15bfdeac7dbdceb9fffcd5ca0e5377b82268ed19de225

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17242\importlib_metadata-7.0.1.dist-info\top_level.txt

Filesize
19B

MD5
a24465f7850ba59507bf86d89165525c

SHA1
4e61f9264de74783b5924249bcfe1b06f178b9ad

SHA256
08eddf0fdcb29403625e4acca38a872d5fe6a972f6b02e4914a82dd725804fe0

SHA512
ecf1f6b777970f5257bddd353305447083008cebd8e5a27c3d1da9c7bdc3f9bf3abd6881265906d6d5e11992653185c04a522f4db5655ff75eedb766f93d5d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17242\python311.dll

Filesize
5.5MB

MD5
58e01abc9c9b5c885635180ed104fe95

SHA1
1c2f7216b125539d63bd111a7aba615c69deb8ba

SHA256
de1b95d2e951fc048c84684bc7df4346138910544ee335b61fc8e65f360c3837

SHA512
cd32c77191309d99aeed47699501b357b35669123f0dd70ed97c3791a009d1855ab27162db24a4bd9e719b68ee3b0539ee6db88e71abb9a2d4d629f87bc2c081

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17242\ucrtbase.dll

Filesize
994KB

MD5
8e7680a8d07c3c4159241d31caaf369c

SHA1
62fe2d4ae788ee3d19e041d81696555a6262f575

SHA256
36cc22d92a60e57dee394f56a9d1ed1655ee9db89d2244a959005116a4184d80

SHA512
9509f5b07588a08a490f4c3cb859bbfe670052c1c83f92b9c3356afa664cb500364e09f9dafac7d387332cc52d9bb7bb84ceb1493f72d4d17ef08b9ee3cb4174

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17242\wheel-0.42.0.dist-info\LICENSE.txt

Filesize
1KB

MD5
7ffb0db04527cfe380e4f2726bd05ebf

SHA1
5b39c45a91a556e5f1599604f1799e4027fa0e60

SHA256
30c23618679108f3e8ea1d2a658c7ca417bdfc891c98ef1a89fa4ff0c9828654

SHA512
205f284f3a7e8e696c70ed7b856ee98c1671c68893f0952eec40915a383bc452b99899bdc401f9fe161a1bf9b6e2cea3bcd90615eee9173301657a2ce4bafe14

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17242\wheel-0.42.0.dist-info\entry_points.txt

Filesize
104B

MD5
6180e17c30bae5b30db371793fce0085

SHA1
e3a12c421562a77d90a13d8539a3a0f4d3228359

SHA256
ad363505b90f1e1906326e10dc5d29233241cd6da4331a06d68ae27dfbc6740d

SHA512
69eae7b1e181d7ba1d3e2864d31e1320625a375e76d3b2fbf8856b3b6515936ace3138d4d442cabde7576fcfbcbb0deed054d90b95cfa1c99829db12a9031e26

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk

Filesize
1B

MD5
d1457b72c3fb323a2671125aef3eab5d

SHA1
5bab61eb53176449e25c2c82f172b82cb13ffb9d

SHA256
8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

SHA512
ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

Download Submit
\Users\Admin\AppData\Local\Temp\Mai.exe

Filesize
17.1MB

MD5
14f564392eec0b9eda9530411159057c

SHA1
ab49b66dff54e32df235b11b8d84934c2b455523

SHA256
50c043f374e51b8220fc411e24cc2c40c1aa59e1f19ebdc1170883c74c7ddf83

SHA512
7d27ca263069f92b4b8bd38545eee7fb260338ab246dff94a606ba301f1fb7588a649926b1082b290d2d642cd8e94fc3491ac2abff6aafc5173a9a025daca65b

Download Submit
memory/796-168-0x0000000000D60000-0x0000000000EC0000-memory.dmp

Filesize
1.4MB

Download
memory/2284-62-0x0000000000C90000-0x0000000000DF0000-memory.dmp

Filesize
1.4MB

Download
memory/3012-4-0x0000000002630000-0x0000000002670000-memory.dmp

Filesize
256KB

Download