chaos | 863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345c

Analysis

max time kernel
141s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-10-2024 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
Size

777KB
MD5

d570b2529c442ad6b2c51a727a580800
SHA1

b95185702eb795a6f1e36c1ef6e6fb55ea4b2a17
SHA256

863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345c
SHA512

954d0b529441c4654237da996a69a9e609f66a56f35bb831e356bcf1119401061d287c6e88f658668c6d7fb78db19bb7f4b267ec07231a7020d66c5dff3a5eb3
SSDEEP

12288:SMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9tnIj:SnsJ39LyjbJkQFMhmC+6GD99o

Score

10^/10

chaos defense_evasion discovery evasion execution impact macro persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Links\READ_THIS.txt

Family

chaos

Ransom Note

----> Chaos is multi language ransomware. Translate your note to any language <---- All of your files have been encrypted and stolen Your computer was infected with a ransomware virus. Your files have been encrypted and stolen and you won't be able to decrypt them without our help.What can I do to get my files back?You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $150. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0.00240923 BTC Bitcoin Address: bc1q5dct32xckc9352ze647cf8lsv0vjaldp9vpvk6

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 9 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001226d-4.dat	family_chaos
behavioral1/files/0x000700000001945c-12.dat	family_chaos
behavioral1/memory/2104-25-0x0000000000400000-0x00000000004C8000-memory.dmp	family_chaos
behavioral1/memory/2392-26-0x0000000000C40000-0x0000000000C4C000-memory.dmp	family_chaos
behavioral1/memory/2756-36-0x0000000000AD0000-0x0000000000ADC000-memory.dmp	family_chaos
behavioral1/memory/2068-79-0x00000000012B0000-0x00000000012BC000-memory.dmp	family_chaos
behavioral1/memory/2752-919-0x0000000000400000-0x00000000004C8000-memory.dmp	family_chaos
behavioral1/memory/2752-920-0x0000000000400000-0x00000000004C8000-memory.dmp	family_chaos
behavioral1/memory/2752-954-0x0000000000400000-0x00000000004C8000-memory.dmp	family_chaos

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
320	bcdedit.exe
2884	bcdedit.exe
2572	bcdedit.exe
1080	bcdedit.exe

Deletes backup catalog 3 TTPs 2 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2172	wbadmin.exe
1672	wbadmin.exe

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x000500000001a4e4-310.dat

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READ_THIS.txt	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.url	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2392	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
2752	Synaptics.exe
2756	._cache_Synaptics.exe
2068	svchost.exe

Loads dropped DLL 5 IoCs

pid	Process
2104	863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
2104	863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
2104	863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
2752	Synaptics.exe
2752	Synaptics.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
File created	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	svchost.exe
File created	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
File created	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
File created	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File created	C:\Users\Admin\Links\desktop.ini	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
File created	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2820	vssadmin.exe
2704	vssadmin.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
1652	NOTEPAD.EXE
1736	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
2728	EXCEL.EXE
2392	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
2068	svchost.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2392	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
2392	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
2392	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
2756	._cache_Synaptics.exe
2756	._cache_Synaptics.exe
2756	._cache_Synaptics.exe
2392	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
2068	svchost.exe
2068	svchost.exe
2068	svchost.exe
2068	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2392	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
Token: SeDebugPrivilege	2756	._cache_Synaptics.exe
Token: SeDebugPrivilege	2068	svchost.exe
Token: SeBackupPrivilege	2824	vssvc.exe
Token: SeRestorePrivilege	2824	vssvc.exe
Token: SeAuditPrivilege	2824	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2676	WMIC.exe
Token: SeSecurityPrivilege	2676	WMIC.exe
Token: SeTakeOwnershipPrivilege	2676	WMIC.exe
Token: SeLoadDriverPrivilege	2676	WMIC.exe
Token: SeSystemProfilePrivilege	2676	WMIC.exe
Token: SeSystemtimePrivilege	2676	WMIC.exe
Token: SeProfSingleProcessPrivilege	2676	WMIC.exe
Token: SeIncBasePriorityPrivilege	2676	WMIC.exe
Token: SeCreatePagefilePrivilege	2676	WMIC.exe
Token: SeBackupPrivilege	2676	WMIC.exe
Token: SeRestorePrivilege	2676	WMIC.exe
Token: SeShutdownPrivilege	2676	WMIC.exe
Token: SeDebugPrivilege	2676	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2676	WMIC.exe
Token: SeRemoteShutdownPrivilege	2676	WMIC.exe
Token: SeUndockPrivilege	2676	WMIC.exe
Token: SeManageVolumePrivilege	2676	WMIC.exe
Token: 33	2676	WMIC.exe
Token: 34	2676	WMIC.exe
Token: 35	2676	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2676	WMIC.exe
Token: SeSecurityPrivilege	2676	WMIC.exe
Token: SeTakeOwnershipPrivilege	2676	WMIC.exe
Token: SeLoadDriverPrivilege	2676	WMIC.exe
Token: SeSystemProfilePrivilege	2676	WMIC.exe
Token: SeSystemtimePrivilege	2676	WMIC.exe
Token: SeProfSingleProcessPrivilege	2676	WMIC.exe
Token: SeIncBasePriorityPrivilege	2676	WMIC.exe
Token: SeCreatePagefilePrivilege	2676	WMIC.exe
Token: SeBackupPrivilege	2676	WMIC.exe
Token: SeRestorePrivilege	2676	WMIC.exe
Token: SeShutdownPrivilege	2676	WMIC.exe
Token: SeDebugPrivilege	2676	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2676	WMIC.exe
Token: SeRemoteShutdownPrivilege	2676	WMIC.exe
Token: SeUndockPrivilege	2676	WMIC.exe
Token: SeManageVolumePrivilege	2676	WMIC.exe
Token: 33	2676	WMIC.exe
Token: 34	2676	WMIC.exe
Token: 35	2676	WMIC.exe
Token: SeBackupPrivilege	1812	wbengine.exe
Token: SeRestorePrivilege	1812	wbengine.exe
Token: SeSecurityPrivilege	1812	wbengine.exe
Token: SeIncreaseQuotaPrivilege	1112	WMIC.exe
Token: SeSecurityPrivilege	1112	WMIC.exe
Token: SeTakeOwnershipPrivilege	1112	WMIC.exe
Token: SeLoadDriverPrivilege	1112	WMIC.exe
Token: SeSystemProfilePrivilege	1112	WMIC.exe
Token: SeSystemtimePrivilege	1112	WMIC.exe
Token: SeProfSingleProcessPrivilege	1112	WMIC.exe
Token: SeIncBasePriorityPrivilege	1112	WMIC.exe
Token: SeCreatePagefilePrivilege	1112	WMIC.exe
Token: SeBackupPrivilege	1112	WMIC.exe
Token: SeRestorePrivilege	1112	WMIC.exe
Token: SeShutdownPrivilege	1112	WMIC.exe
Token: SeDebugPrivilege	1112	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1112	WMIC.exe
Token: SeRemoteShutdownPrivilege	1112	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2728	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2392	2104	863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe	30
PID 2104 wrote to memory of 2392	2104	863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe	30
PID 2104 wrote to memory of 2392	2104	863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe	30
PID 2104 wrote to memory of 2392	2104	863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe	30
PID 2104 wrote to memory of 2752	2104	863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe	31
PID 2104 wrote to memory of 2752	2104	863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe	31
PID 2104 wrote to memory of 2752	2104	863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe	31
PID 2104 wrote to memory of 2752	2104	863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe	31
PID 2752 wrote to memory of 2756	2752	Synaptics.exe	32
PID 2752 wrote to memory of 2756	2752	Synaptics.exe	32
PID 2752 wrote to memory of 2756	2752	Synaptics.exe	32
PID 2752 wrote to memory of 2756	2752	Synaptics.exe	32
PID 2756 wrote to memory of 2068	2756	._cache_Synaptics.exe	34
PID 2756 wrote to memory of 2068	2756	._cache_Synaptics.exe	34
PID 2756 wrote to memory of 2068	2756	._cache_Synaptics.exe	34
PID 2392 wrote to memory of 2692	2392	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe	36
PID 2392 wrote to memory of 2692	2392	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe	36
PID 2392 wrote to memory of 2692	2392	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe	36
PID 2068 wrote to memory of 2156	2068	svchost.exe	38
PID 2068 wrote to memory of 2156	2068	svchost.exe	38
PID 2068 wrote to memory of 2156	2068	svchost.exe	38
PID 2692 wrote to memory of 2820	2692	cmd.exe	40
PID 2692 wrote to memory of 2820	2692	cmd.exe	40
PID 2692 wrote to memory of 2820	2692	cmd.exe	40
PID 2156 wrote to memory of 2704	2156	cmd.exe	41
PID 2156 wrote to memory of 2704	2156	cmd.exe	41
PID 2156 wrote to memory of 2704	2156	cmd.exe	41
PID 2692 wrote to memory of 2676	2692	cmd.exe	44
PID 2692 wrote to memory of 2676	2692	cmd.exe	44
PID 2692 wrote to memory of 2676	2692	cmd.exe	44
PID 2392 wrote to memory of 484	2392	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe	46
PID 2392 wrote to memory of 484	2392	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe	46
PID 2392 wrote to memory of 484	2392	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe	46
PID 484 wrote to memory of 320	484	cmd.exe	48
PID 484 wrote to memory of 320	484	cmd.exe	48
PID 484 wrote to memory of 320	484	cmd.exe	48
PID 484 wrote to memory of 2884	484	cmd.exe	49
PID 484 wrote to memory of 2884	484	cmd.exe	49
PID 484 wrote to memory of 2884	484	cmd.exe	49
PID 2392 wrote to memory of 2996	2392	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe	50
PID 2392 wrote to memory of 2996	2392	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe	50
PID 2392 wrote to memory of 2996	2392	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe	50
PID 2996 wrote to memory of 2172	2996	cmd.exe	52
PID 2996 wrote to memory of 2172	2996	cmd.exe	52
PID 2996 wrote to memory of 2172	2996	cmd.exe	52
PID 2392 wrote to memory of 1736	2392	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe	56
PID 2392 wrote to memory of 1736	2392	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe	56
PID 2392 wrote to memory of 1736	2392	._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe	56
PID 2156 wrote to memory of 1112	2156	cmd.exe	57
PID 2156 wrote to memory of 1112	2156	cmd.exe	57
PID 2156 wrote to memory of 1112	2156	cmd.exe	57
PID 2068 wrote to memory of 1320	2068	svchost.exe	58
PID 2068 wrote to memory of 1320	2068	svchost.exe	58
PID 2068 wrote to memory of 1320	2068	svchost.exe	58
PID 1320 wrote to memory of 2572	1320	cmd.exe	60
PID 1320 wrote to memory of 2572	1320	cmd.exe	60
PID 1320 wrote to memory of 2572	1320	cmd.exe	60
PID 1320 wrote to memory of 1080	1320	cmd.exe	61
PID 1320 wrote to memory of 1080	1320	cmd.exe	61
PID 1320 wrote to memory of 1080	1320	cmd.exe	61
PID 2068 wrote to memory of 1344	2068	svchost.exe	62
PID 2068 wrote to memory of 1344	2068	svchost.exe	62
PID 2068 wrote to memory of 1344	2068	svchost.exe	62
PID 1344 wrote to memory of 1672	1344	cmd.exe	64

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
"C:\Users\Admin\AppData\Local\Temp\863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Users\Admin\AppData\Local\Temp\._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2820
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2676
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:484
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:320
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2884
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:2172
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\READ_THIS.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1736
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Drops desktop.ini file(s)
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2068
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2156
      - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        6⤵
        Interacts with shadow copies
        
        PID:2704
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1112
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1320
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2572
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled no
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1080
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1344
      - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete catalog -quiet
        6⤵
        Deletes backup catalog
        
        PID:1672
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\READ_THIS.txt
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:1652

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2728

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2900

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
777KB

MD5
d570b2529c442ad6b2c51a727a580800

SHA1
b95185702eb795a6f1e36c1ef6e6fb55ea4b2a17

SHA256
863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345c

SHA512
954d0b529441c4654237da996a69a9e609f66a56f35bb831e356bcf1119401061d287c6e88f658668c6d7fb78db19bb7f4b267ec07231a7020d66c5dff3a5eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUI2xqER.xlsm

Filesize
21KB

MD5
4acf75738e07e7d2a6cbd45d61d7b3c1

SHA1
6902a2c3d8388870c3094d7b3c9ebcd7beaf853a

SHA256
67588d51ac6f3bc9c4feccf87c6482f418638a814e0db26eac8f78aba936d433

SHA512
b1f78171e77ffdbe6ca4d90c4359257103b73440077d540434c652ef783bd1fa9d0949e3f11c4af5425ae449d2aac366f883ca2266a8dadc11f2d89544eee4f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUI2xqER.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Roaming\MeasureCopy.mht

Filesize
307KB

MD5
0c6bb715151ae8933789c2de5618a283

SHA1
d13d5096009939ead70016ecccc85481694f126e

SHA256
6a7d9b63e618da01b047854f3285db6d66f1ff8078b1e4f1a663be4363dc9eff

SHA512
f136da8e75020ae0469fcabe72d7fdbcb8d60fe62cb108cddc5d09164f0b2a57e7115814ac811d064d001e39813cfc0c2cfc421feac3cfb18678c74e0d778e65

Download Submit
C:\Users\Admin\Contacts\desktop.ini

Filesize
756B

MD5
39e5c2da75ee2700a0cfd1129e8a3cd7

SHA1
c03a64fa18e77896376d9d4dab8750bb1f2cff97

SHA256
79ad3e44ff63d37a678e7c5d87ec2101ad37708a3b0a94694c185845ffa1d233

SHA512
93da9eabb31cf09acd3006df4aed03a39d6d453f4afb9d6526374969d003893a9f09d8ed58349974a5dd6a7ec8e1d90392cb9ca3b34ad6bad75746268048712a

Download Submit
C:\Users\Admin\Downloads\ResolveInitialize.txt

Filesize
538KB

MD5
475a14f90fe9f2fde2cfd2486d872977

SHA1
530bbc7f3e90f3dfcf98dedfd9445252acf5510a

SHA256
2a7d481690c2ecf70adaf9f48f55c52ea7537fe7af49268893f82d894a40eea0

SHA512
011af1614f98f55253f6534446eb00cbe50e4ad2edd2a74f2b3c4eb05edf0ddd3dd1a8748bc696ae27f91aab3b6db7fe96e4a65fcaa43ecdda1cdf1916e8e734

Download Submit
C:\Users\Admin\Links\READ_THIS.txt

Filesize
985B

MD5
46839c94712706c9b4bea9c0b5f89693

SHA1
af8af5265aa72bd8c30c63d7999f7f52c738b9ff

SHA256
4afb727589a35a9ee9422855723f7e8a6b95a09e72d1683c57f92b3e3e0e9ca6

SHA512
afd0bae86ab302883f83f1ab0534fb6a49d45a155e7320958387dc5a2721f854c6cd34f546931ea3b8da932b8f8bb13e0869d42b41684671cd606fb4023db382

Download Submit
C:\Users\Admin\Music\RestoreLock.xltx

Filesize
532KB

MD5
ffb4acfea06df7de582fa9d3eb053d3a

SHA1
e93d01d4f567490e09a5571b75d18f59a74f0f3f

SHA256
40a965e21d95d38e302a742e6ca4a18f1b6355b8ab69f437f780d93cece45b58

SHA512
891607e05271964b5337ac364988ece3e546ffd665940bc737d24f662cbdfdf9def57a89da6927cf102b5f35e1843881e41e2701578b11b026c252ef507ca50e

Download Submit
C:\Users\Admin\Music\RestoreLock.xltx

Filesize
595KB

MD5
55ea9df5cbac11b999d988c1f0eecf6d

SHA1
db1405b22dc85639cd276c7c0183b59bccf33e6f

SHA256
3d74a13214ca5f6e644c54058b327c6d137aa8f0e6d4756104b172f4b895dc1f

SHA512
48911a52c8818ea5c2839e04a80e6902f8d9ac443baabc0de5d3bb5abb9ee115ecd5bb3c4c89e34d9a118fd5a952635bcfe3b6ee9e341f7bdc93fa109c0905c4

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1KB

MD5
0f6383d31b846445061bc7a63b189f02

SHA1
5f06b37bdbc69fd6e0620228bfaf216468984edc

SHA256
954773b81ffd098c93eb389e55051bc22339ef86afae088790c6c8ef08a6f37b

SHA512
b54b1091a96d0e866dda95ca5a1593370df9da46886e6085f143ed1690b7c1051df207709fda9da79e31109edfb0501c3eab651d018d10547d6618aee5b3ed2e

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Koala.jpg

Filesize
1016KB

MD5
74a59e8337933266b59c87a4e55ca5b8

SHA1
6f0bc0ff42dd794c1d1db2fa23a836e07dbfa1ad

SHA256
717b43443c050d7d588990b22d8b0a3d9a941194f27c2bfe5ad7ac4671ea1153

SHA512
becce7fa40af3a6a5fa985629aead7254b97292c9f0aa5d9ceed633c0d8c246e686f8d4487699bc2521074a814367dc7b600e2e478e6cdf844f19a55c08fb05c

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN.exe

Filesize
23KB

MD5
a264ca73aaced0a81a0b7fa14bc201f4

SHA1
77a1624cbc6d2d5066f7e23b42f05fd2703fb394

SHA256
5404595684deb101a7d8d6a11c104dc1401151149f69cb9a60ebb223b6f7e5b2

SHA512
d141ce0021b3352a79eb1401401f072e25fa06773ed567b9922d99967740e07a88e5d5b1daa77a61d9f8a53b51a36441c8e3c1a00a25de203ad05d82b1929ed4

Download Submit
memory/2068-79-0x00000000012B0000-0x00000000012BC000-memory.dmp

Filesize
48KB

Download
memory/2104-25-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2104-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2392-26-0x0000000000C40000-0x0000000000C4C000-memory.dmp

Filesize
48KB

Download
memory/2728-378-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2728-43-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2752-919-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2752-920-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2752-954-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2756-36-0x0000000000AD0000-0x0000000000ADC000-memory.dmp

Filesize
48KB

Download