Resubmissions

07-11-2024 02:24

241107-cvwp5atepk 10

06-11-2024 12:51

241106-p3t8gszhkf 10

Analysis

  • max time kernel
    116s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    07-11-2024 02:24

Errors

Reason
Machine shutdown

General

  • Target

    wt.exe

  • Size

    23KB

  • MD5

    9cbcaed1a71dca5fa2fcb5fe41e0d083

  • SHA1

    699923b980e8b8677ab29137dec889cb4c7a87da

  • SHA256

    4a99edc4912bb72864cf424c67b500187079ffb5bee14d6851800ebff9a56808

  • SHA512

    bab13f8992a4c692412e0e15567693df36d02e6bf986bbadf9c4ff5b285b57853c6a9eafc3250cd1bdf33977428ddfa6c783080d1430e5593a181add28f19f2f

  • SSDEEP

    384:I3Mg/bqo2f+B3kXSP1/pYVvobPJ/r91C9zBq92BewD9:2qo2gtxpjh/r9uzs9WewD9

Malware Config

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Family

chaos

Ransom Note (translated from Korean)
----> Chaos is multi language ransomware. Translate your note to any language <----
All your files have been encrypted
Your computer has been infected with a ransomware virus. Your files have been encrypted whether you wanted it or not. You can decrypt your files even without our help.
What do I have to do to get my files back?:
You can purchase a decryption program. With the decryption program you can recover all your data.
The price of the file decryption software is $1,500.
Payment is only possible in Bitcoin.
How do I pay, where do I send the Bitcoin?
Buying Bitcoin differs from country to country, so it is best to do a quick Google search to find out how to buy Bitcoin.
Many customers have reported these sites to be fast and reliable:
Coinmama - hxxps://www.coinmama.com
Bitpanda - hxxps://www.bitpanda.com
Bitcoin to send: 0.1473766 BTC
Bitcoin address: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 2 IoCs
  • Chaos family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 34 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\wt.exe
    "C:\Users\Admin\AppData\Local\Temp\wt.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2304
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5076
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:1968
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops startup file
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3408
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3897855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2932
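The file-system side of the process tree above (wt.exe copying itself to %APPDATA%\svchost.exe, an svchost.url shortcut in the per-user Startup folder, read_it.txt notes, and files renamed with an appended extension such as desktop.ini.zjcu) is enough to hunt for on a mounted image or a copied user profile. The script below is an added example, not part of the sandbox report or of the Chaos code. It uses the SHA-256 from this report; the four-letter appended-extension pattern is an assumption generalised from the single renamed file listed, the .url contents and the fixture files are constructed stand-ins, and the %APPDATA% check on the shortcut target is a heuristic, not something the report states about this sample.

```python
"""Offline hunt for the Chaos artifacts listed in this report: dropped copy of
the sample, Startup-folder .url pointing into %APPDATA%, read_it.txt notes and
files renamed with an appended random extension.  Added example, not from the
report or the malware.  Usage: python chaos_hunt.py <root>  (no argument runs
the constructed fixture)."""
import hashlib
import os
import re
import sys
import tempfile

# SHA-256 of wt.exe / %APPDATA%\svchost.exe, copied from the report.
REPORT_SHA256 = {"4a99edc4912bb72864cf424c67b500187079ffb5bee14d6851800ebff9a56808"}
NOTE_NAME = "read_it.txt"
# Trailing components of the per-user Startup folder (standard Windows path).
STARTUP_TAIL = ("microsoft", "windows", "start menu", "programs", "startup")
# desktop.ini.zjcu -> <name>.<real ext>.<four lowercase letters>.  ASSUMPTION
# generalised from the one renamed file in the report; it also matches names
# like report.txt.docx, so treat hits as leads to review, not verdicts.
APPENDED_EXT = re.compile(r"^(?P<orig>.+\.[A-Za-z0-9]{1,5})\.(?P<ext>[a-z]{4})$")


def sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def url_target(path):
    """Return the URL= value of an Internet Shortcut (.url) file, or None."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as f:
            for line in f:
                if line.lower().startswith("url="):
                    return line[4:].strip()
    except OSError:
        pass
    return None


def in_startup(dirpath):
    parts = [p.lower() for p in re.split(r"[\\/]+", dirpath) if p]
    return tuple(parts[-5:]) == STARTUP_TAIL


def scan(root, known_sha256=REPORT_SHA256):
    """Walk root; return (indicator, path, detail) tuples for every hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full, lower = os.path.join(dirpath, name), name.lower()
            if lower == NOTE_NAME:
                hits.append(("ransom_note", full, ""))
            if lower.endswith(".url") and in_startup(dirpath):
                target = url_target(full) or ""
                if "appdata" in target.lower():  # autostart pointing into %APPDATA%
                    hits.append(("startup_url", full, target))
            m = APPENDED_EXT.match(name)
            if m:
                hits.append(("appended_ext", full, m.group("ext")))
            if lower.endswith(".exe"):
                digest = sha256_of(full)
                if digest in known_sha256:
                    hits.append(("known_sample", full, digest))
    return hits


def build_fixture(base):
    """CONSTRUCTED profile mirroring the report's paths; file contents are
    stand-ins, the real sample is not reproduced here."""
    roaming = os.path.join(base, "Users", "Admin", "AppData", "Roaming")
    startup = os.path.join(roaming, "Microsoft", "Windows", "Start Menu", "Programs", "Startup")
    docs = os.path.join(base, "Users", "Admin", "Documents")
    os.makedirs(startup)
    os.makedirs(docs)
    files = {
        os.path.join(roaming, "svchost.exe"): b"MZ stand-in for the dropped copy",
        os.path.join(startup, "svchost.url"):
            b"[InternetShortcut]\r\nURL=file:///C:/Users/Admin/AppData/Roaming/svchost.exe\r\n",
        os.path.join(startup, "desktop.ini.zjcu"): b"\x00" * 64,
        os.path.join(docs, "read_it.txt"): b"All your files have been encrypted\r\n",
        os.path.join(docs, "notes.txt"): b"benign, must not be flagged\r\n",
    }
    for path, data in files.items():
        with open(path, "wb") as f:
            f.write(data)
    return files


def run_demo():
    """Scan the fixture; returns {indicator: file name} for every hit."""
    with tempfile.TemporaryDirectory() as tmp:
        files = build_fixture(tmp)
        exe = next(p for p in files if p.endswith("svchost.exe"))
        hits = scan(tmp, REPORT_SHA256 | {sha256_of(exe)})
        return {kind: os.path.basename(path) for kind, path, _d in hits}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for kind, path, detail in scan(sys.argv[1]):
            print(f"{kind:13} {path} {detail}")
    else:
        print(sorted(run_demo()))  # ['appended_ext', 'known_sample', 'ransom_note', 'startup_url']
```

Hashing is only done for .exe files so the walk stays cheap on a full profile; the hash set covers just this submission, so a recompiled build will only surface through the behavioural indicators (the Startup .url, the note and the renamed files), which is the point of pairing them.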

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.zjcu

    Filesize

    436B

    MD5

    484ef3bdcae52b5ab0327bd0f57dbab7

    SHA1

    6147ea7a42b06c3b8ee7f238becc1f9fdfef6b5d

    SHA256

    fd1db4015947d805a65c4451328dda0dd910b74ecc58e66725bbbd2c08e82daa

    SHA512

    ab1c49488f1219e88b4f4eb306e152778cadce3867bd732fc11a0271082fb4ed7d0594de35b7d913a9fe1197c4887754e4543043fba0553c3fe448c0894911b5

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url

    Filesize

    142B

    MD5

    1a09a38485cbf1d59c29d8e3213e1ab9

    SHA1

    9cbe6ebd07b13a0d4b2565dc15a273629aa97251

    SHA256

    0a3bdc40dc0d243784bc5fa887b79110350b3d3200684f3ba99880fcea40e3b8

    SHA512

    a33c228196a4b3f14e40ac6ccb6c43002de28063594c472db852bedac20a6725f4e7601b9f32516e2c6bea35f83746973b3f1d200d9e5d668bda7553b62ac616

  • C:\Users\Admin\AppData\Roaming\svchost.exe

    Filesize

    23KB

    MD5

    9cbcaed1a71dca5fa2fcb5fe41e0d083

    SHA1

    699923b980e8b8677ab29137dec889cb4c7a87da

    SHA256

    4a99edc4912bb72864cf424c67b500187079ffb5bee14d6851800ebff9a56808

    SHA512

    bab13f8992a4c692412e0e15567693df36d02e6bf986bbadf9c4ff5b285b57853c6a9eafc3250cd1bdf33977428ddfa6c783080d1430e5593a181add28f19f2f

  • C:\Users\Admin\Documents\read_it.txt

    Filesize

    1KB

    MD5

    691dabf88ce8bf585b6554d8f0ff880e

    SHA1

    543414f88078a7a5520593e24119253f2b7fc95c

    SHA256

    c58ae5db59068e59c319fd721a3d0d9174fdca70ad1e37859970dfabc0de49b2

    SHA512

    0017de1d0780f6f33d8ea630ef2ca1bdc6b8836cea78647cd640f0e0dbc84108cae2e2b46ea03c14fe0bec48010fc1b437c1019f99d63ad60dc99108dfe58f8f

  • memory/2304-0-0x00007FF98BBA3000-0x00007FF98BBA5000-memory.dmp

    Filesize

    8KB

  • memory/2304-1-0x00000000004A0000-0x00000000004AC000-memory.dmp

    Filesize

    48KB

  • memory/3408-481-0x0000029E49610000-0x0000029E49611000-memory.dmp

    Filesize

    4KB

  • memory/3408-480-0x0000029E49610000-0x0000029E49611000-memory.dmp

    Filesize

    4KB

  • memory/3408-479-0x0000029E49610000-0x0000029E49611000-memory.dmp

    Filesize

    4KB

  • memory/3408-491-0x0000029E49610000-0x0000029E49611000-memory.dmp

    Filesize

    4KB

  • memory/3408-490-0x0000029E49610000-0x0000029E49611000-memory.dmp

    Filesize

    4KB

  • memory/3408-489-0x0000029E49610000-0x0000029E49611000-memory.dmp

    Filesize

    4KB

  • memory/3408-488-0x0000029E49610000-0x0000029E49611000-memory.dmp

    Filesize

    4KB

  • memory/3408-487-0x0000029E49610000-0x0000029E49611000-memory.dmp

    Filesize

    4KB

  • memory/3408-486-0x0000029E49610000-0x0000029E49611000-memory.dmp

    Filesize

    4KB

  • memory/3408-485-0x0000029E49610000-0x0000029E49611000-memory.dmp

    Filesize

    4KB

  • memory/5076-478-0x00007FF98BBA0000-0x00007FF98C661000-memory.dmp

    Filesize

    10.8MB

  • memory/5076-14-0x00007FF98BBA0000-0x00007FF98C661000-memory.dmp

    Filesize

    10.8MB

  • memory/5076-495-0x00007FF98BBA0000-0x00007FF98C661000-memory.dmp

    Filesize

    10.8MB