Analysis
- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 18-10-2024 17:30
Behavioral tasks (task: sample, resource)
- behavioral1: 38f792a175c366b53407143da8c13ea2f1d3600b00ef8e8f6ec7e0ef79dcb6c0.exe, win7-20240903-en
- behavioral2: 38f792a175c366b53407143da8c13ea2f1d3600b00ef8e8f6ec7e0ef79dcb6c0.exe, win10-20240611-en
- behavioral3: 38f792a175c366b53407143da8c13ea2f1d3600b00ef8e8f6ec7e0ef79dcb6c0.exe, win10v2004-20241007-en
- behavioral4: 38f792a175c366b53407143da8c13ea2f1d3600b00ef8e8f6ec7e0ef79dcb6c0.exe, win11-20241007-en
- behavioral5: 3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe, win7-20240729-en
- behavioral6: 3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe, win10-20240404-en
- behavioral7: 3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe, win10v2004-20241007-en
- behavioral8: 3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe, win11-20241007-en
- behavioral9: 801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe, win7-20240903-en
- behavioral10: 801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe, win10-20240404-en
- behavioral11: 801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe, win10v2004-20241007-en
- behavioral12: 801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe, win11-20241007-en
- behavioral13: be7c6e308b1d8a20cc46232fc95f6c094717f05cadb0c7a03108d969b561f68e.exe, win7-20240903-en
- behavioral14: be7c6e308b1d8a20cc46232fc95f6c094717f05cadb0c7a03108d969b561f68e.exe, win10-20240611-en
- behavioral15: be7c6e308b1d8a20cc46232fc95f6c094717f05cadb0c7a03108d969b561f68e.exe, win10v2004-20241007-en
- behavioral16: be7c6e308b1d8a20cc46232fc95f6c094717f05cadb0c7a03108d969b561f68e.exe, win11-20241007-en
- behavioral17: ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe, win7-20240708-en
- behavioral18: ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe, win10-20240404-en
- behavioral19: ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe, win10v2004-20241007-en
- behavioral20: ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe, win11-20241007-en
General
- Target: be7c6e308b1d8a20cc46232fc95f6c094717f05cadb0c7a03108d969b561f68e.exe
- Size: 244KB
- MD5: 751df604e41a7e473fd3817b4c16d5f6
- SHA1: 30d6eacf97d1a5e6ec191f75a8eb16d9da54f218
- SHA256: be7c6e308b1d8a20cc46232fc95f6c094717f05cadb0c7a03108d969b561f68e
- SHA512: 6c546d46e6b7c0adffee2bdcf2b85b786b57fbf73c4213e39bf54e4ceaceaa5f143e0e9d57d0398464074e46c0242bd649fa80615d1dc3db32f08b061a7629d7
- SSDEEP: 6144:8+jn7PfWDycKPudCuS74kvw6Mr9zmduLb+70pKXQl29ur4cm:8+gycSzre2q+70pKXQl29ur4c
Malware Config
Signatures
- Chaos
  Ransomware family first seen in June 2021.
- Chaos Ransomware (1 IoC)
  resource: behavioral13/memory/2092-1-0x0000000000B80000-0x0000000000BC4000-memory.dmp; yara_rule: family_chaos
- Executes dropped EXE (1 IoC)
  PID 2560: PerfWaston2.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  PerfWaston2.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rnts.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Rnts.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  PerfWaston2.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 2560 PerfWaston2.exe: Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2092 (be7c6e308b1d8a20cc46232fc95f6c094717f05cadb0c7a03108d969b561f68e.exe) wrote to memory of PID 2560 (PerfWaston2.exe); 4 identical entries
Processes
- C:\Users\Admin\AppData\Local\Temp\be7c6e308b1d8a20cc46232fc95f6c094717f05cadb0c7a03108d969b561f68e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\be7c6e308b1d8a20cc46232fc95f6c094717f05cadb0c7a03108d969b561f68e.exe"
  PID: 2092
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\PerfWaston2.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\PerfWaston2.exe"
    PID: 2560
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 135KB
  MD5: 7f0b75bd98b323f54ed6b283a49b69b5
  SHA1: 9b09f703a968c5001665657557ce402c60b95e54
  SHA256: 725ff72b2dccc79b7d2b3dc0ef346d992ec46bd022eeb628318a954cc4309241
  SHA512: e2397905fa9ed4a94fa573ce1bb4b4da830b9e8461b8231a9e3d5042d41c032eb6760ea31d68bc9cb7f197d1acdf72b16e8f0338f3a504777f6a264c214ed961