Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-11-2024 16:21
Behavioral task behavioral1
- Sample: e8af6b996ef72510ec7af7342f3a046c4e6ef20fc717af3091ba03a72ffd89ee.msi
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: e8af6b996ef72510ec7af7342f3a046c4e6ef20fc717af3091ba03a72ffd89ee.msi
- Resource: win10v2004-20241007-en
General
- Target: e8af6b996ef72510ec7af7342f3a046c4e6ef20fc717af3091ba03a72ffd89ee.msi
- Size: 664KB
- MD5: 94d2ef7db81197413140692de0985b00
- SHA1: e52458822912fbd89249b9dae5b24692b8e67cca
- SHA256: e8af6b996ef72510ec7af7342f3a046c4e6ef20fc717af3091ba03a72ffd89ee
- SHA512: a9ba867949545339e56fd5355681df5dda69b3007d3b6660aa75dc6014a7425d3f000661c6e6a82c899a718eb51cf280616cc718c72d30f5bbb39313f9e9419f
- SSDEEP: 12288:qtVRQ+gjpjegDro8EdWd10DTCW1uF+Sf2ppmvrfOgR7a+9Rd:qt9cpVDhE81ckhmIvrfnUA
Malware Config
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 3 IoCs
resource | yara_rule
behavioral2/files/0x0007000000023cbf-59.dat | family_chaos
behavioral2/files/0x0007000000023cc2-66.dat | family_chaos
behavioral2/memory/4780-68-0x0000000000AF0000-0x0000000000B56000-memory.dmp | family_chaos
-
Chaos family
-
Modifies file permissions 1 TTPs 2 IoCs
pid | Process
4408 | ICACLS.EXE
2092 | ICACLS.EXE
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
-
Drops file in Windows directory 9 IoCs
description | ioc | Process
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI1170.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\e581037.msi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{A6E76D20-F7B5-44A1-8148-B4E2790F028C} | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | EXPAND.EXE
File created | C:\Windows\Installer\e581037.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\LOGS\DPX\setupact.log | EXPAND.EXE
-
Executes dropped EXE 1 IoCs
pid | Process
4780 | keygenran.exe
-
Loads dropped DLL 1 IoCs
pid | Process
3884 | MsiExec.exe
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid | Process
2508 | msiexec.exe
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ICACLS.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ICACLS.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EXPAND.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
pid | Process
3872 | msiexec.exe
3872 | msiexec.exe
4780 | keygenran.exe
4780 | keygenran.exe
4780 | keygenran.exe
4780 | keygenran.exe
4780 | keygenran.exe
4780 | keygenran.exe
4780 | keygenran.exe
4780 | keygenran.exe
4780 | keygenran.exe
4780 | keygenran.exe
4780 | keygenran.exe
4780 | keygenran.exe
4780 | keygenran.exe
4780 | keygenran.exe
4780 | keygenran.exe
4780 | keygenran.exe
4780 | keygenran.exe
4780 | keygenran.exe
4780 | keygenran.exe
4780 | keygenran.exe
4780 | keygenran.exe
4780 | keygenran.exe
4780 | keygenran.exe
4780 | keygenran.exe
4780 | keygenran.exe
4780 | keygenran.exe
-
Suspicious use of AdjustPrivilegeToken 50 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 2508 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2508 | msiexec.exe
Token: SeSecurityPrivilege | 3872 | msiexec.exe
Token: SeCreateTokenPrivilege | 2508 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2508 | msiexec.exe
Token: SeLockMemoryPrivilege | 2508 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2508 | msiexec.exe
Token: SeMachineAccountPrivilege | 2508 | msiexec.exe
Token: SeTcbPrivilege | 2508 | msiexec.exe
Token: SeSecurityPrivilege | 2508 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2508 | msiexec.exe
Token: SeLoadDriverPrivilege | 2508 | msiexec.exe
Token: SeSystemProfilePrivilege | 2508 | msiexec.exe
Token: SeSystemtimePrivilege | 2508 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2508 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2508 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2508 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2508 | msiexec.exe
Token: SeBackupPrivilege | 2508 | msiexec.exe
Token: SeRestorePrivilege | 2508 | msiexec.exe
Token: SeShutdownPrivilege | 2508 | msiexec.exe
Token: SeDebugPrivilege | 2508 | msiexec.exe
Token: SeAuditPrivilege | 2508 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2508 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2508 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2508 | msiexec.exe
Token: SeUndockPrivilege | 2508 | msiexec.exe
Token: SeSyncAgentPrivilege | 2508 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2508 | msiexec.exe
Token: SeManageVolumePrivilege | 2508 | msiexec.exe
Token: SeImpersonatePrivilege | 2508 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2508 | msiexec.exe
Token: SeBackupPrivilege | 5020 | vssvc.exe
Token: SeRestorePrivilege | 5020 | vssvc.exe
Token: SeAuditPrivilege | 5020 | vssvc.exe
Token: SeBackupPrivilege | 3872 | msiexec.exe
Token: SeRestorePrivilege | 3872 | msiexec.exe
Token: SeRestorePrivilege | 3872 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3872 | msiexec.exe
Token: SeRestorePrivilege | 3872 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3872 | msiexec.exe
Token: SeDebugPrivilege | 4780 | keygenran.exe
Token: SeBackupPrivilege | 4384 | srtasks.exe
Token: SeRestorePrivilege | 4384 | srtasks.exe
Token: SeSecurityPrivilege | 4384 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 4384 | srtasks.exe
Token: SeBackupPrivilege | 4384 | srtasks.exe
Token: SeRestorePrivilege | 4384 | srtasks.exe
Token: SeSecurityPrivilege | 4384 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 4384 | srtasks.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
2508 | msiexec.exe
2508 | msiexec.exe
-
Suspicious use of WriteProcessMemory 19 IoCs
description | pid | Process | procid_target
PID 3872 wrote to memory of 4384 | 3872 | msiexec.exe | 104
PID 3872 wrote to memory of 4384 | 3872 | msiexec.exe | 104
PID 3872 wrote to memory of 3884 | 3872 | msiexec.exe | 106
PID 3872 wrote to memory of 3884 | 3872 | msiexec.exe | 106
PID 3872 wrote to memory of 3884 | 3872 | msiexec.exe | 106
PID 3884 wrote to memory of 4408 | 3884 | MsiExec.exe | 107
PID 3884 wrote to memory of 4408 | 3884 | MsiExec.exe | 107
PID 3884 wrote to memory of 4408 | 3884 | MsiExec.exe | 107
PID 3884 wrote to memory of 1428 | 3884 | MsiExec.exe | 109
PID 3884 wrote to memory of 1428 | 3884 | MsiExec.exe | 109
PID 3884 wrote to memory of 1428 | 3884 | MsiExec.exe | 109
PID 3884 wrote to memory of 4780 | 3884 | MsiExec.exe | 112
PID 3884 wrote to memory of 4780 | 3884 | MsiExec.exe | 112
PID 3884 wrote to memory of 1464 | 3884 | MsiExec.exe | 120
PID 3884 wrote to memory of 1464 | 3884 | MsiExec.exe | 120
PID 3884 wrote to memory of 1464 | 3884 | MsiExec.exe | 120
PID 3884 wrote to memory of 2092 | 3884 | MsiExec.exe | 122
PID 3884 wrote to memory of 2092 | 3884 | MsiExec.exe | 122
PID 3884 wrote to memory of 2092 | 3884 | MsiExec.exe | 122
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe
  Command: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e8af6b996ef72510ec7af7342f3a046c4e6ef20fc717af3091ba03a72ffd89ee.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2508
- C:\Windows\system32\msiexec.exe
  Command: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3872
  - C:\Windows\system32\srtasks.exe
    Command: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken
    PID:4384
  - C:\Windows\syswow64\MsiExec.exe
    Command: C:\Windows\syswow64\MsiExec.exe -Embedding C9A9230BC22B7E59CC63DD473A6DD7A6
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3884
    - C:\Windows\SysWOW64\ICACLS.EXE
      Command: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-db9a054e-3edd-4a51-b845-94cce726106f\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
      - Modifies file permissions
      - System Location Discovery: System Language Discovery
      PID:4408
    - C:\Windows\SysWOW64\EXPAND.EXE
      Command: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      PID:1428
    - C:\Users\Admin\AppData\Local\Temp\MW-db9a054e-3edd-4a51-b845-94cce726106f\files\keygenran.exe
      Command: "C:\Users\Admin\AppData\Local\Temp\MW-db9a054e-3edd-4a51-b845-94cce726106f\files\keygenran.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:4780
    - C:\Windows\SysWOW64\cmd.exe
      Command: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-db9a054e-3edd-4a51-b845-94cce726106f\files"
      - System Location Discovery: System Language Discovery
      PID:1464
    - C:\Windows\SysWOW64\ICACLS.EXE
      Command: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-db9a054e-3edd-4a51-b845-94cce726106f\." /SETINTEGRITYLEVEL (CI)(OI)LOW
      - Modifies file permissions
      - System Location Discovery: System Language Discovery
      PID:2092
- C:\Windows\system32\vssvc.exe
  Command: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:5020
Network
MITRE ATT&CK Enterprise v15