Resubmissions

07-11-2024 02:24

241107-cvwp5atepk 10

06-11-2024 12:51

241106-p3t8gszhkf 10

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07-11-2024 02:24

General

  • Target

    wt.exe

  • Size

    23KB

  • MD5

    9cbcaed1a71dca5fa2fcb5fe41e0d083

  • SHA1

    699923b980e8b8677ab29137dec889cb4c7a87da

  • SHA256

    4a99edc4912bb72864cf424c67b500187079ffb5bee14d6851800ebff9a56808

  • SHA512

    bab13f8992a4c692412e0e15567693df36d02e6bf986bbadf9c4ff5b285b57853c6a9eafc3250cd1bdf33977428ddfa6c783080d1430e5593a181add28f19f2f

  • SSDEEP

    384:I3Mg/bqo2f+B3kXSP1/pYVvobPJ/r91C9zBq92BewD9:2qo2gtxpjh/r9uzs9WewD9

Malware Config

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Family

chaos

Ransom Note
----> Chaos is multi language ransomware. Translate your note to any language <---- 당신의 모든 파일이 암호화되었습니다 당신의 컴퓨터가 랜섬웨어 바이러스에 감염되었습니다. 당신이 원하지 않든 파일이 암호화 되었습니다. 당신은 당신의 파일들을 저희의 도움 없이도 해독할 수 있습니다. 파일을 되찾으려면 어떻게 해야 하나요?: 복호화 프로그램을 구매할 수 있습니다 복호화 프로그램을 사용하면 모든 데이터를 복구할 수 있습니다. 파일 복호화 소프트웨어의 가격은 $1,500입니다. 결제는 비트코인으로만 가능합니다. 결제는 어떻게 하나요, 비트코인은 어디서 보내나요? 비트코인 구매는 국가마다 다르므로 빨리 구글 검색을 하는 것이 가장 좋습니다 비트코인 구매 방법을 알아보세요. 많은 고객이 이러한 사이트가 빠르고 안정적이라고 보고했습니다: 코인마마 - hxxps://www.coinmama.com 비트판다 - hxxps://www.bitpanda.com 보낼 비트코인: 0.1473766 BTC 비트코인 주소: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 3 IoCs
  • Chaos family
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 34 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\wt.exe
    "C:\Users\Admin\AppData\Local\Temp\wt.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2848
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:2172
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1196

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\svchost.exe

    Filesize

    23KB

    MD5

    9cbcaed1a71dca5fa2fcb5fe41e0d083

    SHA1

    699923b980e8b8677ab29137dec889cb4c7a87da

    SHA256

    4a99edc4912bb72864cf424c67b500187079ffb5bee14d6851800ebff9a56808

    SHA512

    bab13f8992a4c692412e0e15567693df36d02e6bf986bbadf9c4ff5b285b57853c6a9eafc3250cd1bdf33977428ddfa6c783080d1430e5593a181add28f19f2f

  • C:\Users\Admin\Documents\read_it.txt

    Filesize

    1KB

    MD5

    691dabf88ce8bf585b6554d8f0ff880e

    SHA1

    543414f88078a7a5520593e24119253f2b7fc95c

    SHA256

    c58ae5db59068e59c319fd721a3d0d9174fdca70ad1e37859970dfabc0de49b2

    SHA512

    0017de1d0780f6f33d8ea630ef2ca1bdc6b8836cea78647cd640f0e0dbc84108cae2e2b46ea03c14fe0bec48010fc1b437c1019f99d63ad60dc99108dfe58f8f

  • memory/1196-436-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

  • memory/1196-437-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

  • memory/1196-438-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

  • memory/1196-439-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

  • memory/2820-0-0x000007FEF5433000-0x000007FEF5434000-memory.dmp

    Filesize

    4KB

  • memory/2820-1-0x0000000000300000-0x000000000030C000-memory.dmp

    Filesize

    48KB

  • memory/2848-7-0x0000000000B60000-0x0000000000B6C000-memory.dmp

    Filesize

    48KB

  • memory/2848-9-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

    Filesize

    9.9MB

  • memory/2848-13-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

    Filesize

    9.9MB

  • memory/2848-435-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

    Filesize

    9.9MB