Analysis
Max time kernel: 130s
Max time network: 140s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 03-11-2024 03:26
Behavioral task behavioral1
  Sample: 994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe
  Resource: win7-20241010-en
Behavioral task behavioral2
  Sample: 994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe
  Resource: win10v2004-20241007-en
General
Target: 994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe
Size: 190KB
MD5: 50c8525d4becd3e68424f68eae6e6983
SHA1: db8835032d0dcce4b9899671bfa4d8e3ddfc825c
SHA256: 994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea
SHA512: db51b7735eebb57126eb5640195bf9ebe00acc8914bfd2ef31e7e18bac890da63f46a3773e449766faabb31c865ebfb3cb9473e3800b8079a8204b397ee6ba79
SSDEEP: 768:/KHkATXfZLdQeIOi1H88pup5n5uwESIL+aOppppOFb0xRbNqmM9dCgKcpdYRHM/W:j4Xfx+H8hpPuw2qieK9dC3cTKtswB
Malware Config
Signatures
Chaos
Ransomware family first seen in June 2021.

Chaos Ransomware 2 IoCs
  resource: behavioral2/memory/704-1-0x0000000000580000-0x00000000005B6000-memory.dmp  yara_rule: family_chaos
  resource: behavioral2/files/0x0003000000022af2-6.dat  yara_rule: family_chaos

Chaos family

Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe, svchost.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation  (994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation  (svchost.exe)

Drops startup file 1 IoCs
Processes: svchost.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url  (svchost.exe)

Executes dropped EXE 1 IoCs
Processes: svchost.exe
  PID 3468  svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs
Processes: svchost.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Store = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"  (svchost.exe)

Drops desktop.ini file(s) 16 IoCs
Processes: svchost.exe
  File created: C:\Users\Admin\Pictures\Camera Roll\desktop.ini  (svchost.exe)
  File created: C:\Users\Admin\Saved Games\desktop.ini  (svchost.exe)
  File created: C:\Users\Admin\Favorites\Links\desktop.ini  (svchost.exe)
  File created: C:\Users\Admin\Searches\desktop.ini  (svchost.exe)
  File created: C:\Users\Admin\Downloads\desktop.ini  (svchost.exe)
  File created: C:\Users\Admin\Desktop\desktop.ini  (svchost.exe)
  File created: C:\Users\Admin\Contacts\desktop.ini  (svchost.exe)
  File created: C:\Users\Admin\Pictures\desktop.ini  (svchost.exe)
  File created: C:\Users\Admin\Music\desktop.ini  (svchost.exe)
  File created: C:\Users\Admin\OneDrive\desktop.ini  (svchost.exe)
  File created: F:\$RECYCLE.BIN\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini  (svchost.exe)
  File created: C:\Users\Admin\Documents\desktop.ini  (svchost.exe)
  File created: C:\Users\Admin\Pictures\Saved Pictures\desktop.ini  (svchost.exe)
  File created: C:\Users\Admin\Favorites\desktop.ini  (svchost.exe)
  File created: C:\Users\Admin\Videos\desktop.ini  (svchost.exe)
  File created: C:\Users\Admin\Links\desktop.ini  (svchost.exe)

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies registry class 1 IoCs
Processes: svchost.exe
  Key created: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings  (svchost.exe)

Opens file in notepad (likely ransom note) 1 IoCs
Processes: NOTEPAD.EXE
  PID 316  NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: svchost.exe
  PID 3468  svchost.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs
Processes: 994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe, svchost.exe
  PID 704   994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe  (repeated process-enumeration events)
  PID 3468  svchost.exe  (repeated process-enumeration events)
  The 51 events are all repeated enumeration calls by these two PIDs; the report lists each one with the same PID and image name.

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: 994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe, svchost.exe
  Token: SeDebugPrivilege  PID 704   994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe
  Token: SeDebugPrivilege  PID 3468  svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs
Processes: 994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe, svchost.exe
  PID 704 wrote to memory of 3468   (994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe, procid_target 87)
  PID 704 wrote to memory of 3468   (994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe, procid_target 87)
  PID 3468 wrote to memory of 316   (svchost.exe, procid_target 92)
  PID 3468 wrote to memory of 316   (svchost.exe, procid_target 92)
Processes
C:\Users\Admin\AppData\Local\Temp\994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe"
  PID: 704
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child: C:\Users\Admin\AppData\Roaming\svchost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
    PID: 3468
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Child: C:\Windows\system32\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
      PID: 316
      - Opens file in notepad (likely ransom note)
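The process tree above is the whole infection chain on one host: the dropper copies itself to %APPDATA%\Roaming\svchost.exe, registers that copy under the Run key as "Microsoft Store" and via a Startup-folder svchost.url, writes desktop.ini into each user folder it touches, and opens read_it.txt in Notepad. Note that the payload only borrows the name svchost.exe; the genuine Service Host runs from C:\Windows\System32 and is never started from a user-writable path, so an svchost.exe under %APPDATA% is suspect before any hash is checked. The PowerShell triage script below is an added example, not part of the sandbox report or of the sample, that looks for these artifacts on a live Windows host. The value name, paths, shortcut name, note name and SHA-256 come from the report; the seven-day window for desktop.ini creation, the function name and the parameter names are assumptions of this example. The Geo\Nation registry read leaves no persistent artifact and is not checked.

```powershell
# Added host-triage script (not part of the sandbox report). It checks the
# current user's profile and HKCU hive for the artifacts the report attributes
# to this Chaos sample. Run it as the user being triaged, since every indicator
# lives under HKCU or %APPDATA%. The -Since window is this example's choice.

$KnownSha256 = '994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea'

function Test-ChaosIndicators {
    param(
        [string]$AppData = $env:APPDATA,
        [string]$Profile = $env:USERPROFILE,
        [datetime]$Since = (Get-Date).AddDays(-7)   # assumed lookback for desktop.ini drops
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Run-key persistence. The report shows value name "Microsoft Store"
    #    pointing at a user-writable svchost.exe; flag any Run entry whose
    #    command refers to AppData\Roaming\svchost.exe, whatever its name.
    $runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata
            if ("$($p.Value)" -match '(?i)\\AppData\\Roaming\\svchost\.exe') {
                $findings.Add("Run key '$($p.Name)' -> $($p.Value)")
            }
        }
    }

    # 2. Startup-folder shortcut dropped by the payload.
    $startupUrl = Join-Path $AppData 'Microsoft\Windows\Start Menu\Programs\Startup\svchost.url'
    if (Test-Path -LiteralPath $startupUrl) {
        $findings.Add("Startup shortcut present: $startupUrl")
    }

    # 3. Dropped copy of the sample under %APPDATA%, confirmed by SHA-256.
    #    A mismatching hash still matters: a rebuilt Chaos binary lands in the
    #    same place, and no legitimate svchost.exe lives here.
    $dropped = Join-Path $AppData 'svchost.exe'
    if (Test-Path -LiteralPath $dropped) {
        $hash = (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash
        if ($hash -ieq $KnownSha256) {
            $findings.Add("$dropped matches the report's SHA-256")
        } else {
            $findings.Add("$dropped present with unlisted SHA-256 $hash")
        }
    }

    # 4. Ransom note opened by NOTEPAD.EXE in the report.
    $note = Join-Path $AppData 'read_it.txt'
    if (Test-Path -LiteralPath $note) {
        $findings.Add("Ransom note present: $note")
    }

    # 5. desktop.ini files created recently anywhere under the profile. The
    #    sample writes one per folder it touches; legitimate ones are usually old.
    Get-ChildItem -LiteralPath $Profile -Filter 'desktop.ini' -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Since } |
        ForEach-Object { $findings.Add("Recent desktop.ini: $($_.FullName)") }

    return $findings
}

$hits = @(Test-ChaosIndicators)
if ($hits.Count -eq 0) {
    Write-Output 'No indicators from this report found for the current user.'
} else {
    $hits | ForEach-Object { Write-Output "[!] $_" }
}
```

The script reports findings rather than remediating, so it can be run read-only during scoping; removing the Run value and the svchost.url shortcut only stops the persistence, and any encrypted data has to be handled from backups.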
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 190KB
  MD5: 50c8525d4becd3e68424f68eae6e6983
  SHA1: db8835032d0dcce4b9899671bfa4d8e3ddfc825c
  SHA256: 994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea
  SHA512: db51b7735eebb57126eb5640195bf9ebe00acc8914bfd2ef31e7e18bac890da63f46a3773e449766faabb31c865ebfb3cb9473e3800b8079a8204b397ee6ba79

Filesize: 75B
  MD5: c4c96e7d10aae1da43f42944209827cf
  SHA1: 40ce5138fd5ee79c0ffeec8eed6f8596a31625e9
  SHA256: ce4eac3c91c6c4948e92dc1590d483db3a39ae1db1943d2fab69c1068623fd9b
  SHA512: 7ab3600a1b286ef9dee986093bf10580f789ee8f6c72d09b03d6d8eea247ea762ffe4b5445a99c052e586c7e811e72892b01db3de46d9f45a8bbd3df3f992555