Analysis
-
max time kernel
116s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
07-11-2024 02:24
Behavioral task
behavioral1
Sample
wt.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
wt.exe
Resource
win10v2004-20241007-en
Errors
General
-
Target
wt.exe
-
Size
23KB
-
MD5
9cbcaed1a71dca5fa2fcb5fe41e0d083
-
SHA1
699923b980e8b8677ab29137dec889cb4c7a87da
-
SHA256
4a99edc4912bb72864cf424c67b500187079ffb5bee14d6851800ebff9a56808
-
SHA512
bab13f8992a4c692412e0e15567693df36d02e6bf986bbadf9c4ff5b285b57853c6a9eafc3250cd1bdf33977428ddfa6c783080d1430e5593a181add28f19f2f
-
SSDEEP
384:I3Mg/bqo2f+B3kXSP1/pYVvobPJ/r91C9zBq92BewD9:2qo2gtxpjh/r9uzs9WewD9
Malware Config
Extracted
C:\Users\Admin\Documents\read_it.txt
chaos
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 2 IoCs
resource yara_rule behavioral2/memory/2304-1-0x00000000004A0000-0x00000000004AC000-memory.dmp family_chaos behavioral2/files/0x000400000001e0c9-6.dat family_chaos -
Chaos family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation wt.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation svchost.exe -
Drops startup file 6 IoCs
description ioc Process File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\read_it.txt taskmgr.exe File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\svchost.url taskmgr.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt svchost.exe File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\desktop.ini.zjcu taskmgr.exe -
Executes dropped EXE 1 IoCs
pid Process 5076 svchost.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 34 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Searches\desktop.ini svchost.exe File opened for modification C:\Users\Public\Documents\desktop.ini svchost.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2878641211-696417878-3864914810-1000\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini svchost.exe File opened for modification C:\Users\Public\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini svchost.exe File opened for modification C:\Users\Public\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Public\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Public\Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "206" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings svchost.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 1968 NOTEPAD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 5076 svchost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2304 wt.exe 2304 wt.exe 2304 wt.exe 2304 wt.exe 2304 wt.exe 2304 wt.exe 2304 wt.exe 2304 wt.exe 2304 wt.exe 2304 wt.exe 2304 wt.exe 2304 wt.exe 2304 wt.exe 2304 wt.exe 2304 wt.exe 2304 wt.exe 2304 wt.exe 2304 wt.exe 2304 wt.exe 2304 wt.exe 2304 wt.exe 2304 wt.exe 2304 wt.exe 2304 wt.exe 2304 wt.exe 5076 svchost.exe 5076 svchost.exe 5076 svchost.exe 5076 svchost.exe 5076 svchost.exe 5076 svchost.exe 5076 svchost.exe 5076 svchost.exe 5076 svchost.exe 5076 svchost.exe 5076 svchost.exe 5076 svchost.exe 5076 svchost.exe 5076 svchost.exe 5076 svchost.exe 5076 svchost.exe 5076 svchost.exe 5076 svchost.exe 5076 svchost.exe 5076 svchost.exe 5076 svchost.exe 5076 svchost.exe 5076 svchost.exe 5076 svchost.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process Token: SeDebugPrivilege 2304 wt.exe Token: SeDebugPrivilege 5076 svchost.exe Token: SeDebugPrivilege 3408 taskmgr.exe Token: SeSystemProfilePrivilege 3408 taskmgr.exe Token: SeCreateGlobalPrivilege 3408 taskmgr.exe Token: SeSecurityPrivilege 3408 taskmgr.exe Token: SeTakeOwnershipPrivilege 3408 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe 3408 taskmgr.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2932 LogonUI.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2304 wrote to memory of 5076 2304 wt.exe 89 PID 2304 wrote to memory of 5076 2304 wt.exe 89 PID 5076 wrote to memory of 1968 5076 svchost.exe 95 PID 5076 wrote to memory of 1968 5076 svchost.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\wt.exe"C:\Users\Admin\AppData\Local\Temp\wt.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt3⤵
- Opens file in notepad (likely ransom note)
PID:1968
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops startup file
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3408
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3897855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2932
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
436B
MD5484ef3bdcae52b5ab0327bd0f57dbab7
SHA16147ea7a42b06c3b8ee7f238becc1f9fdfef6b5d
SHA256fd1db4015947d805a65c4451328dda0dd910b74ecc58e66725bbbd2c08e82daa
SHA512ab1c49488f1219e88b4f4eb306e152778cadce3867bd732fc11a0271082fb4ed7d0594de35b7d913a9fe1197c4887754e4543043fba0553c3fe448c0894911b5
-
Filesize
142B
MD51a09a38485cbf1d59c29d8e3213e1ab9
SHA19cbe6ebd07b13a0d4b2565dc15a273629aa97251
SHA2560a3bdc40dc0d243784bc5fa887b79110350b3d3200684f3ba99880fcea40e3b8
SHA512a33c228196a4b3f14e40ac6ccb6c43002de28063594c472db852bedac20a6725f4e7601b9f32516e2c6bea35f83746973b3f1d200d9e5d668bda7553b62ac616
-
Filesize
23KB
MD59cbcaed1a71dca5fa2fcb5fe41e0d083
SHA1699923b980e8b8677ab29137dec889cb4c7a87da
SHA2564a99edc4912bb72864cf424c67b500187079ffb5bee14d6851800ebff9a56808
SHA512bab13f8992a4c692412e0e15567693df36d02e6bf986bbadf9c4ff5b285b57853c6a9eafc3250cd1bdf33977428ddfa6c783080d1430e5593a181add28f19f2f
-
Filesize
1KB
MD5691dabf88ce8bf585b6554d8f0ff880e
SHA1543414f88078a7a5520593e24119253f2b7fc95c
SHA256c58ae5db59068e59c319fd721a3d0d9174fdca70ad1e37859970dfabc0de49b2
SHA5120017de1d0780f6f33d8ea630ef2ca1bdc6b8836cea78647cd640f0e0dbc84108cae2e2b46ea03c14fe0bec48010fc1b437c1019f99d63ad60dc99108dfe58f8f