chaos | 474d33e3c9e05aed2bc5f15207134bc72fc4aed18bd89eadbd9712b57d4f9f59

Analysis

max time kernel
224s
max time network
227s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
05-10-2024 05:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

7.2MB
MD5

8f1eaaf77aa07ceb4af188ab50db4ed3
SHA1

15148c0a2044805762d8494600386f49aec07b55
SHA256

4c595e8e612d7663804656ecfb65d3a833e585652ba8f15f486611873420e9a1
SHA512

d8ffa382cb99d3d7a1659a66fe6d586fea42aec9c21243e3d9b03928faf139809a435cb51dd0ec8ca5902b60a3effe8847637751a4075297ca189b4515e1ffcc
SSDEEP

49152:MiZLYKiEYSkVodi19NPftSFwkrJxWxhlMOkj7EqTUOgA37MJ+WftYs:

Score

10^/10

chaos defense_evasion discovery evasion execution impact ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\read_it.txt

Family

chaos

Ransom Note

----> Chaos is multi language ransomware. Translate your note to any language <---- All of your files have been encrypted Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.What can I do to get my files back?You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0.0145 BTC Bitcoin Address: 1Fv8VepbEL9tVmBAzu5zvH8JcLDopUVfoS

Wallets

1Fv8VepbEL9tVmBAzu5zvH8JcLDopUVfoS

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 2 IoCs

resource	yara_rule
behavioral2/memory/2860-1-0x00000000005F0000-0x0000000000D26000-memory.dmp	family_chaos
behavioral2/files/0x000400000002aa8d-7.dat	family_chaos

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3612	bcdedit.exe
1468	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1440	wbadmin.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
1160	svchost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 34 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-131918955-2378418313-883382443-1000\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\huga73fbv.jpg"	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1392	vssadmin.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133725804181722694"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
480	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1160	svchost.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2860	AnyDesk.exe
2860	AnyDesk.exe
2860	AnyDesk.exe
2860	AnyDesk.exe
2860	AnyDesk.exe
2860	AnyDesk.exe
2860	AnyDesk.exe
2860	AnyDesk.exe
2860	AnyDesk.exe
2860	AnyDesk.exe
2860	AnyDesk.exe
2860	AnyDesk.exe
2860	AnyDesk.exe
2860	AnyDesk.exe
2860	AnyDesk.exe
2860	AnyDesk.exe
2860	AnyDesk.exe
1160	svchost.exe
1160	svchost.exe
1160	svchost.exe
1160	svchost.exe
1160	svchost.exe
1160	svchost.exe
1160	svchost.exe
1160	svchost.exe
1160	svchost.exe
1160	svchost.exe
1160	svchost.exe
1160	svchost.exe
1160	svchost.exe
1160	svchost.exe
1160	svchost.exe
1160	svchost.exe
1160	svchost.exe
1160	svchost.exe
1776	chrome.exe
1776	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeDebugPrivilege	2860	AnyDesk.exe
Token: SeDebugPrivilege	1160	svchost.exe
Token: SeBackupPrivilege	4624	vssvc.exe
Token: SeRestorePrivilege	4624	vssvc.exe
Token: SeAuditPrivilege	4624	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2692	WMIC.exe
Token: SeSecurityPrivilege	2692	WMIC.exe
Token: SeTakeOwnershipPrivilege	2692	WMIC.exe
Token: SeLoadDriverPrivilege	2692	WMIC.exe
Token: SeSystemProfilePrivilege	2692	WMIC.exe
Token: SeSystemtimePrivilege	2692	WMIC.exe
Token: SeProfSingleProcessPrivilege	2692	WMIC.exe
Token: SeIncBasePriorityPrivilege	2692	WMIC.exe
Token: SeCreatePagefilePrivilege	2692	WMIC.exe
Token: SeBackupPrivilege	2692	WMIC.exe
Token: SeRestorePrivilege	2692	WMIC.exe
Token: SeShutdownPrivilege	2692	WMIC.exe
Token: SeDebugPrivilege	2692	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2692	WMIC.exe
Token: SeRemoteShutdownPrivilege	2692	WMIC.exe
Token: SeUndockPrivilege	2692	WMIC.exe
Token: SeManageVolumePrivilege	2692	WMIC.exe
Token: 33	2692	WMIC.exe
Token: 34	2692	WMIC.exe
Token: 35	2692	WMIC.exe
Token: 36	2692	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2692	WMIC.exe
Token: SeSecurityPrivilege	2692	WMIC.exe
Token: SeTakeOwnershipPrivilege	2692	WMIC.exe
Token: SeLoadDriverPrivilege	2692	WMIC.exe
Token: SeSystemProfilePrivilege	2692	WMIC.exe
Token: SeSystemtimePrivilege	2692	WMIC.exe
Token: SeProfSingleProcessPrivilege	2692	WMIC.exe
Token: SeIncBasePriorityPrivilege	2692	WMIC.exe
Token: SeCreatePagefilePrivilege	2692	WMIC.exe
Token: SeBackupPrivilege	2692	WMIC.exe
Token: SeRestorePrivilege	2692	WMIC.exe
Token: SeShutdownPrivilege	2692	WMIC.exe
Token: SeDebugPrivilege	2692	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2692	WMIC.exe
Token: SeRemoteShutdownPrivilege	2692	WMIC.exe
Token: SeUndockPrivilege	2692	WMIC.exe
Token: SeManageVolumePrivilege	2692	WMIC.exe
Token: 33	2692	WMIC.exe
Token: 34	2692	WMIC.exe
Token: 35	2692	WMIC.exe
Token: 36	2692	WMIC.exe
Token: SeBackupPrivilege	3716	wbengine.exe
Token: SeRestorePrivilege	3716	wbengine.exe
Token: SeSecurityPrivilege	3716	wbengine.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3304	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 1160	2860	AnyDesk.exe	78
PID 2860 wrote to memory of 1160	2860	AnyDesk.exe	78
PID 1160 wrote to memory of 388	1160	svchost.exe	79
PID 1160 wrote to memory of 388	1160	svchost.exe	79
PID 388 wrote to memory of 1392	388	cmd.exe	81
PID 388 wrote to memory of 1392	388	cmd.exe	81
PID 388 wrote to memory of 2692	388	cmd.exe	84
PID 388 wrote to memory of 2692	388	cmd.exe	84
PID 1160 wrote to memory of 1068	1160	svchost.exe	86
PID 1160 wrote to memory of 1068	1160	svchost.exe	86
PID 1068 wrote to memory of 3612	1068	cmd.exe	88
PID 1068 wrote to memory of 3612	1068	cmd.exe	88
PID 1068 wrote to memory of 1468	1068	cmd.exe	89
PID 1068 wrote to memory of 1468	1068	cmd.exe	89
PID 1160 wrote to memory of 3152	1160	svchost.exe	90
PID 1160 wrote to memory of 3152	1160	svchost.exe	90
PID 3152 wrote to memory of 1440	3152	cmd.exe	92
PID 3152 wrote to memory of 1440	3152	cmd.exe	92
PID 1160 wrote to memory of 480	1160	svchost.exe	96
PID 1160 wrote to memory of 480	1160	svchost.exe	96
PID 1776 wrote to memory of 3040	1776	chrome.exe	105
PID 1776 wrote to memory of 3040	1776	chrome.exe	105
PID 1776 wrote to memory of 2128	1776	chrome.exe	106
PID 1776 wrote to memory of 2128	1776	chrome.exe	106
PID 1776 wrote to memory of 2128	1776	chrome.exe	106
PID 1776 wrote to memory of 2128	1776	chrome.exe	106
PID 1776 wrote to memory of 2128	1776	chrome.exe	106
PID 1776 wrote to memory of 2128	1776	chrome.exe	106
PID 1776 wrote to memory of 2128	1776	chrome.exe	106
PID 1776 wrote to memory of 2128	1776	chrome.exe	106
PID 1776 wrote to memory of 2128	1776	chrome.exe	106
PID 1776 wrote to memory of 2128	1776	chrome.exe	106
PID 1776 wrote to memory of 2128	1776	chrome.exe	106
PID 1776 wrote to memory of 2128	1776	chrome.exe	106
PID 1776 wrote to memory of 2128	1776	chrome.exe	106
PID 1776 wrote to memory of 2128	1776	chrome.exe	106
PID 1776 wrote to memory of 2128	1776	chrome.exe	106
PID 1776 wrote to memory of 2128	1776	chrome.exe	106
PID 1776 wrote to memory of 2128	1776	chrome.exe	106
PID 1776 wrote to memory of 2128	1776	chrome.exe	106
PID 1776 wrote to memory of 2128	1776	chrome.exe	106
PID 1776 wrote to memory of 2128	1776	chrome.exe	106
PID 1776 wrote to memory of 2128	1776	chrome.exe	106
PID 1776 wrote to memory of 2128	1776	chrome.exe	106
PID 1776 wrote to memory of 2128	1776	chrome.exe	106
PID 1776 wrote to memory of 2128	1776	chrome.exe	106
PID 1776 wrote to memory of 2128	1776	chrome.exe	106
PID 1776 wrote to memory of 2128	1776	chrome.exe	106
PID 1776 wrote to memory of 2128	1776	chrome.exe	106
PID 1776 wrote to memory of 2128	1776	chrome.exe	106
PID 1776 wrote to memory of 2128	1776	chrome.exe	106
PID 1776 wrote to memory of 2128	1776	chrome.exe	106
PID 1776 wrote to memory of 1396	1776	chrome.exe	107
PID 1776 wrote to memory of 1396	1776	chrome.exe	107
PID 1776 wrote to memory of 2616	1776	chrome.exe	108
PID 1776 wrote to memory of 2616	1776	chrome.exe	108
PID 1776 wrote to memory of 2616	1776	chrome.exe	108
PID 1776 wrote to memory of 2616	1776	chrome.exe	108
PID 1776 wrote to memory of 2616	1776	chrome.exe	108
PID 1776 wrote to memory of 2616	1776	chrome.exe	108
PID 1776 wrote to memory of 2616	1776	chrome.exe	108
PID 1776 wrote to memory of 2616	1776	chrome.exe	108
PID 1776 wrote to memory of 2616	1776	chrome.exe	108
PID 1776 wrote to memory of 2616	1776	chrome.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:388
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1392
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2692
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1068
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:3612
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1468
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3152
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:1440
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:480

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3716

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4592

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:2308

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffedf50cc40,0x7ffedf50cc4c,0x7ffedf50cc58
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,3848948437381448742,17690152026911928480,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1972,i,3848948437381448742,17690152026911928480,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,3848948437381448742,17690152026911928480,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2244 /prefetch:8
  2⤵
  PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,3848948437381448742,17690152026911928480,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:3872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,3848948437381448742,17690152026911928480,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4488,i,3848948437381448742,17690152026911928480,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4504 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3580,i,3848948437381448742,17690152026911928480,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3108 /prefetch:8
  2⤵
  PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3528,i,3848948437381448742,17690152026911928480,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4748 /prefetch:8
  2⤵
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4744,i,3848948437381448742,17690152026911928480,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4696 /prefetch:8
  2⤵
  PID:1132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4664,i,3848948437381448742,17690152026911928480,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4660 /prefetch:8
  2⤵
  PID:3628

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2240

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
55426d2d472fe4e892e59cdf5d806731

SHA1
0ac76d077ab5c675d1a7da4c98481e424d8e4af2

SHA256
44f93babd4bb07727cdfab3ff39178c76d511fb02232b91a960a1b159125df9f

SHA512
9810aea561a1a578c1a53902268e5104910ab7869df1b0423371c9ad39c7a191e0c9369e2e5f154e3acb0352b5e7d2c74a58a0c4a532fefe2aa3c1ab30b922aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a1bce0fe403bdd0dd6ab35043a9ca885

SHA1
08341a08e6caf8b61fc17b78f9ef53a959b3ffea

SHA256
2f5b700919a6d4717be7af774e6dd0f68f9950a91191ba43aa085d90fcb69ced

SHA512
526565bca791e60b970ee3844b55e007f9599ea02ac72cc213c6f839b6850be5b36e9e48e74e60de13fcd265253562a15df11fc0a7d661c405999a34743d7e22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7ee307e42d919beb33ae6dffe2da2468

SHA1
c977826853d505fd7434e0b1a4152988e71ca9fd

SHA256
2112134d42ed0aa3be9682cfe6b3c8affd22900b1dadbde1ba019390a1ba2ca5

SHA512
ce3e54cd115b744c82f672b0155637e86c304be3a48e3ad0112129ca0854f91e98e5ec8dbcd79a5347662086fcfd28db0d042f1ea258199151357f46595032f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
9a301e40cb4199565f8100a705e1367a

SHA1
112825d8fe7ce020f3bc7726b6a541579cd5c63a

SHA256
514494d72da92a8e1b78cad7f15210d53224d38bcb359f261b256c2b3e648c47

SHA512
eb1f183e5a488e7c78e0f4d4b1ef5fa682e31315b621723b5c8e92d26f276e53be11ac1531668d46aa3f1b1a79612bd4960fbc3c02ea05cf8d9c2603a3552e90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
1e02f8be8980b59530bff45bdb15c1f1

SHA1
0b85fed0369823bbb04f4c34bd1bfd6dbdae850d

SHA256
043a1bf9c9dcccde71eab3614b5653e0c22394cdf7943cca6981ea4213aca8ba

SHA512
52dd48adaf3b8b50b97601b46e50c83639f849b0e2d3b57918e3b8f348292512d693ba6b6b588bf70ad83fc31a30ef96af40235cc6c01fd4c3f5026f6883bbf2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
214KB

MD5
ed57f45fe484d8a5c68978d6719e922a

SHA1
0f08e0434666b14439acfbe4b269de9d6cca7232

SHA256
a5a625dd781d9fad81bb524ddb32ae73898d0f76411787629f6b98fc02742990

SHA512
06456f815269639497896de9cd9cedc4c6b474efc3b18420a48f4273350690e7109b43b4e24343ad3fabd8e92b7f602da3da5752cc686f12983ec32cc0f8a02d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
fa8ad4ad5f261525740a0359b88d9104

SHA1
2c57b1dd42490380306acf7ba565a9d648d2232d

SHA256
890804111f4e2cf0f75f8c4ef7b03a0ad623156846292a202ff77241ef139a62

SHA512
d5b2e21a0a20a96ff4e0e041a7d956e1edcddbf0651fd5d4ac231b17a85055cdc0e88f9b0f81b31e0583cbfd985fc1e5644ccf51bb21194cbcf4d4be1ec618f7

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
27152171537c47796aa7194ac41383bc

SHA1
430c380ea885fce765a771cc40cbfe6358b4d04c

SHA256
28276ad4adb3f540918a28a722f10a63406037b96a14e05565e31ec90c605c22

SHA512
044ded8d45d2249f69ae617768398a33cf060618f1cb583aa9d9a34171de10bf3e23f6e49b3c0b8ca872f5ecbe98e841168fb3e94fdef2efbb299a3cbc01f616

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
7.2MB

MD5
8f1eaaf77aa07ceb4af188ab50db4ed3

SHA1
15148c0a2044805762d8494600386f49aec07b55

SHA256
4c595e8e612d7663804656ecfb65d3a833e585652ba8f15f486611873420e9a1

SHA512
d8ffa382cb99d3d7a1659a66fe6d586fea42aec9c21243e3d9b03928faf139809a435cb51dd0ec8ca5902b60a3effe8847637751a4075297ca189b4515e1ffcc

Download Submit
C:\Users\Admin\Desktop\read_it.txt

Filesize
953B

MD5
6e12ca86b9124f0bd0bde3bc0dcdd939

SHA1
b6de4262019d53990ef8159a5c191684456fa3c7

SHA256
1e701be7f8ddd4812524a5b89edd0a2e4d6c74ca9407b638d1ad8d7d5ce50b41

SHA512
2132552940f1d6b8c347eadcd92f90a5095156c7be705e454410de69743fa4f717ad58d05b689ed3ed48d5f30e4927c6305be4027bf88b42bc513ac286a836c8

Download Submit
memory/1160-69-0x00007FFEE4120000-0x00007FFEE4BE2000-memory.dmp

Filesize
10.8MB

Download
memory/1160-15-0x00007FFEE4120000-0x00007FFEE4BE2000-memory.dmp

Filesize
10.8MB

Download
memory/2860-0-0x00007FFEE4123000-0x00007FFEE4125000-memory.dmp

Filesize
8KB

Download
memory/2860-2-0x00007FFEE4123000-0x00007FFEE4125000-memory.dmp

Filesize
8KB

Download
memory/2860-1-0x00000000005F0000-0x0000000000D26000-memory.dmp

Filesize
7.2MB

Download