chaos | b15052d17afc1a01e83cdc0624dd268838237f8cd66fa12c56706bdee8a61286

Analysis

max time kernel
141s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-09-2024 11:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
Size

1.2MB
MD5

8728ba233fcb020a6a2eaabb90df630c
SHA1

c6dc576f2e0423e8a0f36bba51fa7c65e1e281e7
SHA256

b15052d17afc1a01e83cdc0624dd268838237f8cd66fa12c56706bdee8a61286
SHA512

24e494c64647794fc9aa91da6975117d27984b4bb21859dbf0c60faba5b7f0ec26c26ebbe1ad57f185e1d7ecd4b797d530639d287456ac9bc2930a111fd4613a
SSDEEP

24576:GnsJ39LyjbJkQFMhmC+6GD9gbU4+Il2L1ywD:GnsHyjtk2MYC5GD+P6

Score

10^/10

chaos defense_evasion discovery evasion execution impact macro persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\read_it.txt

Ransom Note

Don't worry, you can return all your files! All your files like documents, photos, databases and other important are encrypted What guarantees do we give to you? You can send 3 of your encrypted files and we decrypt it for free. You must follow these steps To decrypt your files : 1) Write on our Number :+66 970417453 ( In case of no answer in 24 hours check your spam folder or write us to this e-mail: [email protected]) 2) Obtain Bitcoin (You have to pay for decryption in Bitcoins. After payment we will send you the tool that will decrypt all your files.)

Emails

[email protected]

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 9 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012250-6.dat	family_chaos
behavioral1/files/0x0008000000016d30-12.dat	family_chaos
behavioral1/memory/2756-25-0x0000000000400000-0x0000000000545000-memory.dmp	family_chaos
behavioral1/memory/2680-28-0x0000000000BD0000-0x0000000000C5C000-memory.dmp	family_chaos
behavioral1/memory/2624-36-0x0000000000B70000-0x0000000000BFC000-memory.dmp	family_chaos
behavioral1/memory/1968-79-0x0000000000B60000-0x0000000000BEC000-memory.dmp	family_chaos
behavioral1/memory/2732-1379-0x0000000000400000-0x0000000000545000-memory.dmp	family_chaos
behavioral1/memory/2732-1380-0x0000000000400000-0x0000000000545000-memory.dmp	family_chaos
behavioral1/memory/2732-1415-0x0000000000400000-0x0000000000545000-memory.dmp	family_chaos

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2988	bcdedit.exe
1564	bcdedit.exe
1236	bcdedit.exe
2820	bcdedit.exe

Deletes backup catalog 3 TTPs 2 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2644	wbadmin.exe
2020	wbadmin.exe

Disables Task Manager via registry modification
evasion

Suspicious Office macro 4 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x0009000000016dc1-80.dat
behavioral1/files/0x00060000000055e4-93.dat
behavioral1/files/0x0005000000005872-126.dat
behavioral1/files/0x0004000000005ac4-139.dat

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2680	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
2732	Synaptics.exe
2624	._cache_Synaptics.exe
1968	svchost.exe

Loads dropped DLL 5 IoCs

pid	Process
2756	2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
2756	2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
2756	2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
2732	Synaptics.exe
2732	Synaptics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateTask = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateTask = "C:\\Users\\Admin\\AppData\\Local\\Temp\\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe"	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\desktop.ini	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4DY23DRT\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CUMHXU73\desktop.ini	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0plh5ibj2.jpg"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kkjxu3n8z.jpg"	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
968	vssadmin.exe
2908	vssadmin.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
908	NOTEPAD.EXE
1464	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
2388	EXCEL.EXE
2624	._cache_Synaptics.exe
2680	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
1968	svchost.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2624	._cache_Synaptics.exe
2680	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
2680	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
2680	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
2624	._cache_Synaptics.exe
2624	._cache_Synaptics.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2624	._cache_Synaptics.exe
Token: SeDebugPrivilege	2680	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
Token: SeBackupPrivilege	1796	vssvc.exe
Token: SeRestorePrivilege	1796	vssvc.exe
Token: SeAuditPrivilege	1796	vssvc.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeIncreaseQuotaPrivilege	1636	WMIC.exe
Token: SeSecurityPrivilege	1636	WMIC.exe
Token: SeTakeOwnershipPrivilege	1636	WMIC.exe
Token: SeLoadDriverPrivilege	1636	WMIC.exe
Token: SeSystemProfilePrivilege	1636	WMIC.exe
Token: SeSystemtimePrivilege	1636	WMIC.exe
Token: SeProfSingleProcessPrivilege	1636	WMIC.exe
Token: SeIncBasePriorityPrivilege	1636	WMIC.exe
Token: SeCreatePagefilePrivilege	1636	WMIC.exe
Token: SeBackupPrivilege	1636	WMIC.exe
Token: SeRestorePrivilege	1636	WMIC.exe
Token: SeShutdownPrivilege	1636	WMIC.exe
Token: SeDebugPrivilege	1636	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1636	WMIC.exe
Token: SeRemoteShutdownPrivilege	1636	WMIC.exe
Token: SeUndockPrivilege	1636	WMIC.exe
Token: SeManageVolumePrivilege	1636	WMIC.exe
Token: 33	1636	WMIC.exe
Token: 34	1636	WMIC.exe
Token: 35	1636	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1636	WMIC.exe
Token: SeSecurityPrivilege	1636	WMIC.exe
Token: SeTakeOwnershipPrivilege	1636	WMIC.exe
Token: SeLoadDriverPrivilege	1636	WMIC.exe
Token: SeSystemProfilePrivilege	1636	WMIC.exe
Token: SeSystemtimePrivilege	1636	WMIC.exe
Token: SeProfSingleProcessPrivilege	1636	WMIC.exe
Token: SeIncBasePriorityPrivilege	1636	WMIC.exe
Token: SeCreatePagefilePrivilege	1636	WMIC.exe
Token: SeBackupPrivilege	1636	WMIC.exe
Token: SeRestorePrivilege	1636	WMIC.exe
Token: SeShutdownPrivilege	1636	WMIC.exe
Token: SeDebugPrivilege	1636	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1636	WMIC.exe
Token: SeRemoteShutdownPrivilege	1636	WMIC.exe
Token: SeUndockPrivilege	1636	WMIC.exe
Token: SeManageVolumePrivilege	1636	WMIC.exe
Token: 33	1636	WMIC.exe
Token: 34	1636	WMIC.exe
Token: 35	1636	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2508	WMIC.exe
Token: SeSecurityPrivilege	2508	WMIC.exe
Token: SeTakeOwnershipPrivilege	2508	WMIC.exe
Token: SeLoadDriverPrivilege	2508	WMIC.exe
Token: SeSystemProfilePrivilege	2508	WMIC.exe
Token: SeSystemtimePrivilege	2508	WMIC.exe
Token: SeProfSingleProcessPrivilege	2508	WMIC.exe
Token: SeIncBasePriorityPrivilege	2508	WMIC.exe
Token: SeCreatePagefilePrivilege	2508	WMIC.exe
Token: SeBackupPrivilege	2508	WMIC.exe
Token: SeRestorePrivilege	2508	WMIC.exe
Token: SeShutdownPrivilege	2508	WMIC.exe
Token: SeDebugPrivilege	2508	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2508	WMIC.exe
Token: SeRemoteShutdownPrivilege	2508	WMIC.exe
Token: SeUndockPrivilege	2508	WMIC.exe
Token: SeManageVolumePrivilege	2508	WMIC.exe
Token: 33	2508	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2388	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2680	2756	2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe	30
PID 2756 wrote to memory of 2680	2756	2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe	30
PID 2756 wrote to memory of 2680	2756	2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe	30
PID 2756 wrote to memory of 2680	2756	2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe	30
PID 2756 wrote to memory of 2732	2756	2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe	31
PID 2756 wrote to memory of 2732	2756	2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe	31
PID 2756 wrote to memory of 2732	2756	2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe	31
PID 2756 wrote to memory of 2732	2756	2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe	31
PID 2732 wrote to memory of 2624	2732	Synaptics.exe	32
PID 2732 wrote to memory of 2624	2732	Synaptics.exe	32
PID 2732 wrote to memory of 2624	2732	Synaptics.exe	32
PID 2732 wrote to memory of 2624	2732	Synaptics.exe	32
PID 2680 wrote to memory of 2800	2680	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe	34
PID 2680 wrote to memory of 2800	2680	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe	34
PID 2680 wrote to memory of 2800	2680	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe	34
PID 2800 wrote to memory of 2908	2800	cmd.exe	36
PID 2800 wrote to memory of 2908	2800	cmd.exe	36
PID 2800 wrote to memory of 2908	2800	cmd.exe	36
PID 2624 wrote to memory of 1968	2624	._cache_Synaptics.exe	39
PID 2624 wrote to memory of 1968	2624	._cache_Synaptics.exe	39
PID 2624 wrote to memory of 1968	2624	._cache_Synaptics.exe	39
PID 1968 wrote to memory of 1940	1968	svchost.exe	40
PID 1968 wrote to memory of 1940	1968	svchost.exe	40
PID 1968 wrote to memory of 1940	1968	svchost.exe	40
PID 1940 wrote to memory of 968	1940	cmd.exe	42
PID 1940 wrote to memory of 968	1940	cmd.exe	42
PID 1940 wrote to memory of 968	1940	cmd.exe	42
PID 2800 wrote to memory of 1636	2800	cmd.exe	43
PID 2800 wrote to memory of 1636	2800	cmd.exe	43
PID 2800 wrote to memory of 1636	2800	cmd.exe	43
PID 2680 wrote to memory of 1512	2680	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe	45
PID 2680 wrote to memory of 1512	2680	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe	45
PID 2680 wrote to memory of 1512	2680	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe	45
PID 1512 wrote to memory of 2988	1512	cmd.exe	47
PID 1512 wrote to memory of 2988	1512	cmd.exe	47
PID 1512 wrote to memory of 2988	1512	cmd.exe	47
PID 1512 wrote to memory of 1564	1512	cmd.exe	48
PID 1512 wrote to memory of 1564	1512	cmd.exe	48
PID 1512 wrote to memory of 1564	1512	cmd.exe	48
PID 2680 wrote to memory of 2456	2680	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe	49
PID 2680 wrote to memory of 2456	2680	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe	49
PID 2680 wrote to memory of 2456	2680	._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe	49
PID 2456 wrote to memory of 2644	2456	cmd.exe	51
PID 2456 wrote to memory of 2644	2456	cmd.exe	51
PID 2456 wrote to memory of 2644	2456	cmd.exe	51
PID 1940 wrote to memory of 2508	1940	cmd.exe	52
PID 1940 wrote to memory of 2508	1940	cmd.exe	52
PID 1940 wrote to memory of 2508	1940	cmd.exe	52
PID 1968 wrote to memory of 2716	1968	svchost.exe	55
PID 1968 wrote to memory of 2716	1968	svchost.exe	55
PID 1968 wrote to memory of 2716	1968	svchost.exe	55
PID 2716 wrote to memory of 1236	2716	cmd.exe	58
PID 2716 wrote to memory of 1236	2716	cmd.exe	58
PID 2716 wrote to memory of 1236	2716	cmd.exe	58
PID 2716 wrote to memory of 2820	2716	cmd.exe	59
PID 2716 wrote to memory of 2820	2716	cmd.exe	59
PID 2716 wrote to memory of 2820	2716	cmd.exe	59
PID 1968 wrote to memory of 2812	1968	svchost.exe	60
PID 1968 wrote to memory of 2812	1968	svchost.exe	60
PID 1968 wrote to memory of 2812	1968	svchost.exe	60
PID 2812 wrote to memory of 2020	2812	cmd.exe	62
PID 2812 wrote to memory of 2020	2812	cmd.exe	62
PID 2812 wrote to memory of 2020	2812	cmd.exe	62
PID 1968 wrote to memory of 1464	1968	svchost.exe	64

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2908
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1636
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2988
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1564
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:2644
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:908
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops desktop.ini file(s)
      Sets desktop wallpaper using registry
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1968
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1940
      - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        6⤵
        Interacts with shadow copies
        
        PID:968
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2716
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1236
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled no
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2820
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2812
      - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete catalog -quiet
        6⤵
        Deletes backup catalog
        
        PID:2020
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:1464

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2388

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:2780

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2744

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.2MB

MD5
8728ba233fcb020a6a2eaabb90df630c

SHA1
c6dc576f2e0423e8a0f36bba51fa7c65e1e281e7

SHA256
b15052d17afc1a01e83cdc0624dd268838237f8cd66fa12c56706bdee8a61286

SHA512
24e494c64647794fc9aa91da6975117d27984b4bb21859dbf0c60faba5b7f0ec26c26ebbe1ad57f185e1d7ecd4b797d530639d287456ac9bc2930a111fd4613a

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe

Filesize
533KB

MD5
e7d91103647b76f121b854fe806f80e2

SHA1
e6adca5f83dfb2cca099cf18d6960d422b82bb9e

SHA256
04ed744d9643830fc5f0499203a6fde506b5f2c89868695bfe179a8edb3b28c0

SHA512
69dc672bfe3a89ebe71b8041159afab0231701ea59438feb1f000ddddf52627c1f7c6f36bd8c2f77f037dd2659e6ef8f27db283476dae228522051659f2f67b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\VuK48T7f.xlsm

Filesize
26KB

MD5
a9532f5d0d062e72684fb9514b9e05c7

SHA1
70966e0b4a4776e42713081c902f9e234a518333

SHA256
d68756198adabae1ae7997538f533e4dfd77b76581bb0e7f890cfd5aaa8b59e8

SHA512
c6aebeb990f31f865acda024384941485fadcd4b7cc6fbffcf6ede90c41e7e6aab868d6ba7310b3be525b7f12a5d01168e88ce14d69e4e467eb74bf04f2a598c

Download Submit
C:\Users\Admin\AppData\Local\Temp\VuK48T7f.xlsm

Filesize
23KB

MD5
a7e9b45377d45b264b48ed341bead67d

SHA1
c18577bf2ef8d17c112730552972ee1bfbfa40b5

SHA256
b62834cc22c6a8a4bfd6494a8713c0c3a1ff4ea5f1827b9b27c043cd1a462fc4

SHA512
a5b00649727d34ec932076742a62931fe50b2f4939ed63f28abd126f9fec1aa5bf0b0ce5dd4d83437f32f59ac1d0b76d8c5ab4340550d754088beafdd9d2247a

Download Submit
C:\Users\Admin\AppData\Local\Temp\VuK48T7f.xlsm

Filesize
22KB

MD5
409cd2af4eabe981a17beec9595fcee2

SHA1
f4f27852322c788aba8a14d856c7256e0dd3ab37

SHA256
21f802148e5065379d37caa3603e0e5cc5e8852110c78a2bd8857a952efa61a6

SHA512
c1da61f896fcfb99e930fb15a7cb00fc3bfc75d07e62d22d1c300a9c92e555a0ce9e1e399b6ef5c455b00165837e3bb10bf0b7e02ab7dc3ccaf46a8388b0bf6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VuK48T7f.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\VuK48T7f.xlsm

Filesize
20KB

MD5
a8280db3a4e3639c37acbdf1401214c2

SHA1
f35738d2914b1b3c30238d32782f9461ff0c223f

SHA256
00daff2a509963b8901029f73229e9e3cc6edfc0c70f2c3b178b175ace861728

SHA512
e984c9f560759cca21fc0616f03efcd5688105686dedbdc8eba79740fdceb46fb8beb791b3bcce24f36387aaa7424933c4d9612e119586d0fcfbb40136b296af

Download Submit
C:\Users\Admin\AppData\Local\Temp\VuK48T7f.xlsm

Filesize
25KB

MD5
d9bdefeb3d6882ae88133589c8190e49

SHA1
86ea2b2964bfe4902573d0b2e6d0f7d30978bd6d

SHA256
e47d401b28d64865676c51d875fae12290edeae694667291efdd663d00652e2c

SHA512
deec9be7ec8338e25da444b2bf3e5c9ad85d68e7c9281af7a1b61a28c057a0ebbfe7788dd53a8f7504680c839b78cc59d956b12e2780994eb2db27e68f1d97e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\VuK48T7f.xlsm

Filesize
26KB

MD5
c308feaffdbda1f86e01dc6bf3275ae1

SHA1
b2831a1b3e3c9e0bc1deb806b3ea79a1f4fd7b05

SHA256
f2ebd490150d0435fcec2df65db36437d4fe79f55248e41e84e2c63d739f4a4f

SHA512
6aacaf22f5e8b7076ddc4b8d49ade264d4d284d22399c298ce9840f7f874422f3c4085898082fd25fa1a7c2a276196abcb41ea4e0f059ea47bde7735eee19066

Download Submit
C:\Users\Admin\AppData\Roaming\ConvertSplit.mpg.zcso

Filesize
8B

MD5
0ee0646c1c77d8131cc8f4ee65c7673b

SHA1
dd5783bcf1e9002bc00ad5b83a95ed6e4ebb4ad5

SHA256
66840dda154e8a113c31dd0ad32f7f3a366a80e8136979d8f5a101d3d29d6f72

SHA512
1818cc2acd207880a07afc360fd0da87e51ccf17e7c604c4eb16be5788322724c298e1fcc66eb293926993141ef0863c09eda383188cf5df49b910aacac17ec5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite.d8ah

Filesize
48KB

MD5
1fdfbf46e7f37b90383e0b92a302a34f

SHA1
fdaf14775437f4aada02c3a09af796e810deb667

SHA256
ad45cb8cfdc8f5d4dc946c381988b37fbd30b3ebe587c8faf7de866d172cc812

SHA512
4283fbcf4b55f3f2dc6a12c37da44cf5d5338a74c886e8a7c8337d091921591691993d9e4855b0c49c4d1fb2bd6d8a72331205cace04d3a634ef2ec14a1f48d1

Download Submit
C:\Users\Admin\Desktop\~$ConvertFromExpand.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\read_it.txt

Filesize
582B

MD5
76e381f78e94c35d358a4fc048d3aa37

SHA1
361d4153f76f32d36c1edd3da27e59f41f7e2d0f

SHA256
db317b799b14715d1b26661dd60570faa3b5c377656d490cd2697f78271c413f

SHA512
ef1d2bd09d8e34eb6260d11a3ac821cdd1b6aa1dba0c8616cbed1d233979d39ceb00c369ccabb6630324ef0027a83b6b61729b2ed66d55bf249387782a1fe4e3

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Command Prompt.lnk

Filesize
1B

MD5
d1457b72c3fb323a2671125aef3eab5d

SHA1
5bab61eb53176449e25c2c82f172b82cb13ffb9d

SHA256
8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

SHA512
ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

Download Submit
memory/1968-79-0x0000000000B60000-0x0000000000BEC000-memory.dmp

Filesize
560KB

Download
memory/2388-37-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2388-143-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2624-36-0x0000000000B70000-0x0000000000BFC000-memory.dmp

Filesize
560KB

Download
memory/2680-28-0x0000000000BD0000-0x0000000000C5C000-memory.dmp

Filesize
560KB

Download
memory/2732-1379-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/2732-1380-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/2732-1415-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/2756-0-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2756-25-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download