Overview

overview

10

Static

static

10

cartel.exe

windows7-x64

10

cartel.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    27-10-2024 17:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cartel.exe

  • Size

    854KB

  • MD5

    9e7f8bbc8b012b6a9125d72d8872c1b9

  • SHA1

    71ffa7a408554eed422aa044613f100eafc78c57

  • SHA256

    c277a8fe3f35b51cb210db9bd9d4215fb05e694cd15b46d2a0aa1f094738c163

  • SHA512

    9fff0dbbe1492adf2b1b6c3d707861ed629f1e24490abc6893559903fb019ac620142bd60de33a39f41a9d735064e1fae421defc0dc6bc7973ee28987709ba80

  • SSDEEP

    12288:b0zVvgDNMoWjTmFzAzBocaKjyWtiR1pptHxQ0z2GjShqL:o5vgHWjTwAlocaKjyyItHDzH

Score
10/10
chaosdiscoveryransomware

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos
  • Chaos Ransomware 2 IoCs
  • Chaos family
    chaos
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cartel.exe
    "C:\Users\Admin\AppData\Local\Temp\cartel.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Users\Admin\AppData\Roaming\Virus1.exe
      "C:\Users\Admin\AppData\Roaming\Virus1.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2604
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2604 -s 564
        3⤵
          PID:2212
      • C:\Users\Admin\AppData\Roaming\Bootstrapper.exe
        "C:\Users\Admin\AppData\Roaming\Bootstrapper.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2536
        • C:\Windows\system32\cmd.exe
          "cmd" /c ipconfig /all
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2964
          • C:\Windows\system32\ipconfig.exe
            ipconfig /all
            4⤵
            • Gathers network information
            PID:3012

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Bootstrapper.exe
      Filesize

      800KB

      MD5

      2a4dcf20b82896be94eb538260c5fb93

      SHA1

      21f232c2fd8132f8677e53258562ad98b455e679

      SHA256

      ebbcb489171abfcfce56554dbaeacd22a15838391cbc7c756db02995129def5a

      SHA512

      4f1164b2312fb94b7030d6eb6aa9f3502912ffa33505f156443570fc964bfd3bb21ded3cf84092054e07346d2dce83a0907ba33f4ba39ad3fe7a78e836efe288

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Virus1.exe
      Filesize

      42KB

      MD5

      9fd5152a920afc01a494f84d97af7b8c

      SHA1

      058646770a0ca82417f240a068464e712c11a1b9

      SHA256

      6f0f20da34396166df352bf301b3c59ef42b0bc67f52af3d541b0161c47ede05

      SHA512

      3bc11f2d30877590f108866186a0dbc4d36a773b036382df7b5129637e81c70f18469526ef2129a02e36179075a58f93e7e0040fd35c8c0d88511b77998d53b6

      Download Submit

    • memory/1712-0-0x00000000747C1000-0x00000000747C2000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1712-1-0x00000000747C0000-0x0000000074D6B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1712-3-0x00000000747C0000-0x0000000074D6B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1712-15-0x00000000747C0000-0x0000000074D6B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2536-17-0x0000000000D30000-0x0000000000DFE000-memory.dmp

      Filesize

      824KB

      Download

    • memory/2604-16-0x0000000000F20000-0x0000000000F30000-memory.dmp

      Filesize

      64KB

      Download