Analysis
- max time kernel: 135s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-11-2024 16:25
Behavioral task behavioral1
- Sample: 994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: 994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe
- Resource: win10v2004-20241007-en
General
- Target: 994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe
- Size: 190KB
- MD5: 50c8525d4becd3e68424f68eae6e6983
- SHA1: db8835032d0dcce4b9899671bfa4d8e3ddfc825c
- SHA256: 994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea
- SHA512: db51b7735eebb57126eb5640195bf9ebe00acc8914bfd2ef31e7e18bac890da63f46a3773e449766faabb31c865ebfb3cb9473e3800b8079a8204b397ee6ba79
- SSDEEP: 768:/KHkATXfZLdQeIOi1H88pup5n5uwESIL+aOppppOFb0xRbNqmM9dCgKcpdYRHM/W:j4Xfx+H8hpPuw2qieK9dC3cTKtswB
Malware Config
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 2 IoCs
resource | yara_rule
behavioral2/memory/2356-1-0x0000000000590000-0x00000000005C6000-memory.dmp | family_chaos
behavioral2/files/0x000d000000023b48-6.dat | family_chaos
-
Chaos family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | 994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | svchost.exe
-
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | svchost.exe
-
Executes dropped EXE 1 IoCs
pid | Process
2172 | svchost.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Store = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | svchost.exe
-
Drops desktop.ini file(s) 16 IoCs
description | ioc | Process
File created | F:\$RECYCLE.BIN\S-1-5-21-1045960512-3948844814-3059691613-1000\desktop.ini | svchost.exe
File created | C:\Users\Admin\Desktop\desktop.ini | svchost.exe
File created | C:\Users\Admin\Links\desktop.ini | svchost.exe
File created | C:\Users\Admin\Music\desktop.ini | svchost.exe
File created | C:\Users\Admin\Saved Games\desktop.ini | svchost.exe
File created | C:\Users\Admin\Favorites\desktop.ini | svchost.exe
File created | C:\Users\Admin\Favorites\Links\desktop.ini | svchost.exe
File created | C:\Users\Admin\Contacts\desktop.ini | svchost.exe
File created | C:\Users\Admin\Downloads\desktop.ini | svchost.exe
File created | C:\Users\Admin\Documents\desktop.ini | svchost.exe
File created | C:\Users\Admin\Pictures\desktop.ini | svchost.exe
File created | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | svchost.exe
File created | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | svchost.exe
File created | C:\Users\Admin\OneDrive\desktop.ini | svchost.exe
File created | C:\Users\Admin\Searches\desktop.ini | svchost.exe
File created | C:\Users\Admin\Videos\desktop.ini | svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | svchost.exe
-
Opens file in notepad (likely ransom note) 1 IoCs
pid | Process
1896 | NOTEPAD.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2172 | svchost.exe
-
Suspicious behavior: EnumeratesProcesses 50 IoCs
pid | Process
2356 | 994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe (26 identical entries)
2172 | svchost.exe (24 identical entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2356 | 994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe
Token: SeDebugPrivilege | 2172 | svchost.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 2356 wrote to memory of 2172 | 2356 | 994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe | 92
PID 2356 wrote to memory of 2172 | 2356 | 994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe | 92
PID 2172 wrote to memory of 1896 | 2172 | svchost.exe | 95
PID 2172 wrote to memory of 1896 | 2172 | svchost.exe | 95
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe"
   - Checks computer location settings
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 2356
   2. C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Checks computer location settings
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Modifies registry class
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2172
      3. C:\Windows\system32\NOTEPAD.EXE
         Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
         - Opens file in notepad (likely ransom note)
         PID: 1896
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 190KB
MD5: 50c8525d4becd3e68424f68eae6e6983
SHA1: db8835032d0dcce4b9899671bfa4d8e3ddfc825c
SHA256: 994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea
SHA512: db51b7735eebb57126eb5640195bf9ebe00acc8914bfd2ef31e7e18bac890da63f46a3773e449766faabb31c865ebfb3cb9473e3800b8079a8204b397ee6ba79
-
Filesize: 75B
MD5: c4c96e7d10aae1da43f42944209827cf
SHA1: 40ce5138fd5ee79c0ffeec8eed6f8596a31625e9
SHA256: ce4eac3c91c6c4948e92dc1590d483db3a39ae1db1943d2fab69c1068623fd9b
SHA512: 7ab3600a1b286ef9dee986093bf10580f789ee8f6c72d09b03d6d8eea247ea762ffe4b5445a99c052e586c7e811e72892b01db3de46d9f45a8bbd3df3f992555