Analysis

  • max time kernel
    130s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-11-2024 03:26

General

  • Target

    994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe

  • Size

    190KB

  • MD5

    50c8525d4becd3e68424f68eae6e6983

  • SHA1

    db8835032d0dcce4b9899671bfa4d8e3ddfc825c

  • SHA256

    994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea

  • SHA512

    db51b7735eebb57126eb5640195bf9ebe00acc8914bfd2ef31e7e18bac890da63f46a3773e449766faabb31c865ebfb3cb9473e3800b8079a8204b397ee6ba79

  • SSDEEP

    768:/KHkATXfZLdQeIOi1H88pup5n5uwESIL+aOppppOFb0xRbNqmM9dCgKcpdYRHM/W:j4Xfx+H8hpPuw2qieK9dC3cTKtswB

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 2 IoCs
  • Chaos family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 51 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe
    "C:\Users\Admin\AppData\Local\Temp\994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:704
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3468
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:316

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\svchost.exe

    Filesize

    190KB

    MD5

    50c8525d4becd3e68424f68eae6e6983

    SHA1

    db8835032d0dcce4b9899671bfa4d8e3ddfc825c

    SHA256

    994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea

    SHA512

    db51b7735eebb57126eb5640195bf9ebe00acc8914bfd2ef31e7e18bac890da63f46a3773e449766faabb31c865ebfb3cb9473e3800b8079a8204b397ee6ba79

  • C:\Users\Admin\Pictures\read_it.txt

    Filesize

    75B

    MD5

    c4c96e7d10aae1da43f42944209827cf

    SHA1

    40ce5138fd5ee79c0ffeec8eed6f8596a31625e9

    SHA256

    ce4eac3c91c6c4948e92dc1590d483db3a39ae1db1943d2fab69c1068623fd9b

    SHA512

    7ab3600a1b286ef9dee986093bf10580f789ee8f6c72d09b03d6d8eea247ea762ffe4b5445a99c052e586c7e811e72892b01db3de46d9f45a8bbd3df3f992555

  • memory/704-0-0x00007FFB39E23000-0x00007FFB39E25000-memory.dmp

    Filesize

    8KB

  • memory/704-1-0x0000000000580000-0x00000000005B6000-memory.dmp

    Filesize

    216KB

  • memory/3468-14-0x00007FFB39E20000-0x00007FFB3A8E1000-memory.dmp

    Filesize

    10.8MB

  • memory/3468-120-0x00007FFB39E20000-0x00007FFB3A8E1000-memory.dmp

    Filesize

    10.8MB