Analysis
max time kernel: 94s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-11-2024 19:52
Behavioral task behavioral1
Sample: e8af6b996ef72510ec7af7342f3a046c4e6ef20fc717af3091ba03a72ffd89eeN.msi
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: e8af6b996ef72510ec7af7342f3a046c4e6ef20fc717af3091ba03a72ffd89eeN.msi
Resource: win10v2004-20241007-en
All signatures, YARA matches and the process tree below are taken from behavioral2 (the Windows 10 run); no results for the Windows 7 task are included in this capture.
General
Target: e8af6b996ef72510ec7af7342f3a046c4e6ef20fc717af3091ba03a72ffd89eeN.msi
Size: 664KB
MD5: 94d2ef7db81197413140692de0985b00
SHA1: e52458822912fbd89249b9dae5b24692b8e67cca
SHA256: e8af6b996ef72510ec7af7342f3a046c4e6ef20fc717af3091ba03a72ffd89ee
SHA512: a9ba867949545339e56fd5355681df5dda69b3007d3b6660aa75dc6014a7425d3f000661c6e6a82c899a718eb51cf280616cc718c72d30f5bbb39313f9e9419f
SSDEEP: 12288:qtVRQ+gjpjegDro8EdWd10DTCW1uF+Sf2ppmvrfOgR7a+9Rd:qt9cpVDhE81ckhmIvrfnUA
Malware Config
Signatures

Chaos
Ransomware family first seen in June 2021.

Chaos Ransomware 3 IoCs
resource -> yara_rule
behavioral2/files/0x0007000000023c9e-59.dat -> family_chaos
behavioral2/files/0x0007000000023ca1-66.dat -> family_chaos
behavioral2/memory/4636-68-0x00000000008E0000-0x0000000000946000-memory.dmp -> family_chaos
The memory match is in PID 4636, which the process tree identifies as the dropped keygenran.exe; the two file matches are the on-disk dropped files. Together they tie the family attribution to the payload the MSI unpacks rather than to the installer itself.

Chaos family
Modifies file permissions 1 TTPs 2 IoCs
pid -> Process
4320 -> ICACLS.EXE
4868 -> ICACLS.EXE
Both are the /SETINTEGRITYLEVEL calls on the MW-769347d8-... temp directory shown in the process tree (HIGH before unpacking, LOW after cleanup).
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by msiexec.exe, each drive twice (46 events): \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
C:, D: and F: do not appear in the list. Only the two installer processes (PIDs 2572 and 780 in the process tree) carry this signature; the dropped keygenran.exe does not. For an MSI package this drive probing is expected from the Windows Installer itself and is not, on its own, evidence of the ransomware payload.
Drops file in Windows directory 9 IoCs
description -> ioc -> Process
File created -> C:\Windows\Installer\inprogressinstallinfo.ipi -> msiexec.exe
File opened for modification -> C:\Windows\Installer\e57b98c.msi -> msiexec.exe
File opened for modification -> C:\Windows\Installer\ -> msiexec.exe
File created -> C:\Windows\Installer\SourceHash{A6E76D20-F7B5-44A1-8148-B4E2790F028C} -> msiexec.exe
File opened for modification -> C:\Windows\Installer\MSIBA38.tmp -> msiexec.exe
File opened for modification -> C:\Windows\LOGS\DPX\setupact.log -> EXPAND.EXE
File opened for modification -> C:\Windows\LOGS\DPX\setuperr.log -> EXPAND.EXE
File created -> C:\Windows\Installer\e57b98c.msi -> msiexec.exe
File opened for modification -> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log -> msiexec.exe
These are standard Windows Installer artifacts: e57b98c.msi is the cached copy of the package, and the GUID in the SourceHash file name is the package's ProductCode, which is a useful pivot for hunting other builds of the same installer.
Executes dropped EXE 1 IoCs
pid -> Process
4636 -> keygenran.exe

Loads dropped DLL 1 IoCs
pid -> Process
2544 -> MsiExec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid -> Process
2572 -> msiexec.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description -> ioc -> Process
Key opened -> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -> MsiExec.exe
Key opened -> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -> ICACLS.EXE
Key opened -> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -> EXPAND.EXE
Key opened -> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -> cmd.exe
Key opened -> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -> ICACLS.EXE
All five hits come from built-in Windows binaries spawned by the installer, not from keygenran.exe; reading NLS\Language is routine locale initialisation and this signature is low fidelity here.
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description -> ioc -> Process
Key opened -> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters -> vssvc.exe
Key queried -> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters -> vssvc.exe
Key created -> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr -> vssvc.exe
Set value (data) -> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value not preserved in this capture) -> vssvc.exe
Set value (data) -> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 -> vssvc.exe
Every hit belongs to vssvc.exe (PID 4632) writing partition and snapshot caches under Partmgr, which is what the Volume Shadow Copy service does while srtasks.exe creates the installer's restore point. Nothing here shows the sample itself reading SCSI keys, so the sandbox-evasion reading of this signature does not apply to this trace.
Suspicious behavior: EnumeratesProcesses 28 IoCs
pid -> Process
780 -> msiexec.exe (2 events)
4636 -> keygenran.exe (26 events)
Suspicious use of AdjustPrivilegeToken 50 IoCs
PID 2572 msiexec.exe (31 events): SeShutdownPrivilege (x2), SeIncreaseQuotaPrivilege (x2), SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
PID 780 msiexec.exe (7 events): SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege (x3), SeTakeOwnershipPrivilege (x2)
PID 4632 vssvc.exe (3 events): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
PID 4636 keygenran.exe (1 event): SeDebugPrivilege
PID 2460 srtasks.exe (8 events): SeBackupPrivilege (x2), SeRestorePrivilege (x2), SeSecurityPrivilege (x2), SeTakeOwnershipPrivilege (x2)
The only privilege adjustment attributable to the dropped payload is keygenran.exe enabling SeDebugPrivilege; the remaining 49 events come from the Windows Installer, the restore-point task and the VSS service, which adjust these privileges on every install.
Suspicious use of FindShellTrayWindow 2 IoCs
pid -> Process
2572 -> msiexec.exe (2 events)

Suspicious use of WriteProcessMemory 19 IoCs
pid -> Process -> procid_target (event count)
780 msiexec.exe wrote to memory of 2460 (srtasks.exe), target 102 (2 events)
780 msiexec.exe wrote to memory of 2544 (MsiExec.exe), target 104 (3 events)
2544 MsiExec.exe wrote to memory of 4320 (ICACLS.EXE), target 105 (3 events)
2544 MsiExec.exe wrote to memory of 4596 (EXPAND.EXE), target 107 (3 events)
2544 MsiExec.exe wrote to memory of 4636 (keygenran.exe), target 110 (2 events)
2544 MsiExec.exe wrote to memory of 400 (cmd.exe), target 115 (3 events)
2544 MsiExec.exe wrote to memory of 4868 (ICACLS.EXE), target 117 (3 events)
Each write is from a parent into a child it has just created (the same parent/child pairs as the process tree), so this is process-creation noise rather than injection into an unrelated process.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
In this trace the VSS activity belongs to the installer's restore point (srtasks.exe ExecuteScopeRestorePoint, PID 2460, together with vssvc.exe, PID 4632). No shadow copy deletion by keygenran.exe is recorded in this capture, so do not read this signature as the ransomware destroying backups.
Processes

C:\Windows\system32\msiexec.exe (PID 2572)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e8af6b996ef72510ec7af7342f3a046c4e6ef20fc717af3091ba03a72ffd89eeN.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 780)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\srtasks.exe (PID 2460, child of 780)
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\syswow64\MsiExec.exe (PID 2544, child of 780)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 5F38653C06F4E14CB23056C806CF894A
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\ICACLS.EXE (PID 4320, child of 2544)
          Command line: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-769347d8-0712-4164-94e2-2c6716a89106\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
          - Modifies file permissions
          - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\EXPAND.EXE (PID 4596, child of 2544)
          Command line: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery

        C:\Users\Admin\AppData\Local\Temp\MW-769347d8-0712-4164-94e2-2c6716a89106\files\keygenran.exe (PID 4636, child of 2544)
          Command line: "C:\Users\Admin\AppData\Local\Temp\MW-769347d8-0712-4164-94e2-2c6716a89106\files\keygenran.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\cmd.exe (PID 400, child of 2544)
          Command line: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-769347d8-0712-4164-94e2-2c6716a89106\files"
          - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\ICACLS.EXE (PID 4868, child of 2544)
          Command line: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-769347d8-0712-4164-94e2-2c6716a89106\." /SETINTEGRITYLEVEL (CI)(OI)LOW
          - Modifies file permissions
          - System Location Discovery: System Language Discovery

C:\Windows\system32\vssvc.exe (PID 4632)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: the user-side msiexec /I (PID 2572) hands the package to the Windows Installer service instance (msiexec /V, PID 780), which creates a restore point (srtasks.exe, vssvc.exe) and starts a 32-bit custom-action host (MsiExec.exe -Embedding, PID 2544). That host raises the integrity level of the MW-769347d8-... temp directory, expands files.cab into files\, runs keygenran.exe (PID 4636, the process whose memory matched family_chaos), deletes the files\ directory with rd /s /q and drops the directory's integrity level back to LOW. The cleanup step removes the payload from disk, so the hashes listed under Downloads are what remains for pivoting. The detectable event is a 32-bit MsiExec.exe -Embedding host launching an executable from a freshly unpacked directory under %TEMP%, not any of the installer's own drive, privilege or VSS activity.
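The chain above can be turned into a detection. The following is an added example, not part of this report and not any vendor's code: it rebuilds the process tree from Sysmon-style process-creation events constructed from the report's PIDs, images and command lines, then flags children of an MSI custom-action host (MsiExec.exe -Embedding) that either run an executable from an MW-<GUID>\files\ directory under %TEMP% or change integrity levels there. The parent PIDs 700 and 1234 and the field names are assumptions; the report does not list the parents of the two msiexec instances.

```python
# Added example (not from the sandbox report): reconstruct the process tree
# from process-creation events and flag the chain this report shows.
# Assumptions: Sysmon-like fields (pid, ppid, image, cmdline); parent PIDs
# 700 and 1234 stand in for services.exe and explorer.exe, which the report
# does not list.
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (the fields Sysmon Event ID 1 carries)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree (PIDs and command lines are the report's).
MSI = r"C:\Users\Admin\AppData\Local\Temp\e8af6b996ef72510ec7af7342f3a046c4e6ef20fc717af3091ba03a72ffd89eeN.msi"
TMP = r"C:\Users\Admin\AppData\Local\Temp\MW-769347d8-0712-4164-94e2-2c6716a89106"
EVENTS = [
    ProcEvent(2572, 1234, r"C:\Windows\system32\msiexec.exe", f"msiexec.exe /I {MSI}"),
    ProcEvent(780, 700, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(2460, 780, r"C:\Windows\system32\srtasks.exe",
              r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2"),
    ProcEvent(2544, 780, r"C:\Windows\syswow64\MsiExec.exe",
              r"C:\Windows\syswow64\MsiExec.exe -Embedding 5F38653C06F4E14CB23056C806CF894A"),
    ProcEvent(4320, 2544, r"C:\Windows\SysWOW64\ICACLS.EXE",
              f'"C:\\Windows\\system32\\ICACLS.EXE" "{TMP}\\." /SETINTEGRITYLEVEL (CI)(OI)HIGH'),
    ProcEvent(4596, 2544, r"C:\Windows\SysWOW64\EXPAND.EXE",
              r'"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files'),
    ProcEvent(4636, 2544, f"{TMP}\\files\\keygenran.exe", f'"{TMP}\\files\\keygenran.exe"'),
    ProcEvent(400, 2544, r"C:\Windows\SysWOW64\cmd.exe",
              f'C:\\Windows\\system32\\cmd.exe /c rd /s /q "{TMP}\\files"'),
    ProcEvent(4868, 2544, r"C:\Windows\SysWOW64\ICACLS.EXE",
              f'"C:\\Windows\\system32\\ICACLS.EXE" "{TMP}\\." /SETINTEGRITYLEVEL (CI)(OI)LOW'),
    ProcEvent(4632, 700, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
]

# Executable launched from the wrapper's unpack directory (matched case-insensitively).
DROPPED_EXE = r"*\appdata\local\temp\mw-*\files\*.exe"


def _name(path: str) -> str:
    """Image file name without its directory (original case kept for display)."""
    return path.rsplit("\\", 1)[-1]


def ancestry(pid: int, by_pid: dict) -> list:
    """Parent chain for pid as 'image(pid)' strings, root first. Stops at the
    first parent that is not in the event set (services.exe in this data)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        chain.append(f"{_name(ev.image)}({ev.pid})")
        pid = ev.ppid
    chain.reverse()
    return chain


def detect(events) -> list:
    """One alert dict per child of an MSI custom-action host that either runs an
    executable from the MW-* unpack directory or changes integrity levels on it."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        # The custom-action host is msiexec.exe started with -Embedding (PID 2544
        # here). The service instance (/V) and the user's /I instance never match,
        # so their normal children (srtasks.exe) do not alert.
        host = _name(parent.image).lower() == "msiexec.exe" and "-embedding" in parent.cmdline.lower()
        if not host:
            continue
        image, cmd = e.image.lower(), e.cmdline.lower()
        if fnmatch.fnmatchcase(image, DROPPED_EXE):
            rule = "msi_custom_action_runs_dropped_exe"
        elif _name(image) == "icacls.exe" and "/setintegritylevel" in cmd and r"\temp\mw-" in cmd:
            rule = "msi_custom_action_icacls_on_temp_dir"
        else:
            continue
        alerts.append({"rule": rule, "pid": e.pid, "image": e.image,
                       "chain": " > ".join(ancestry(e.pid, by_pid))})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a['rule']:40} {a['chain']}")
```

On this data the detector returns three alerts: the ICACLS calls (PIDs 4320 and 4868) and keygenran.exe (PID 4636) with the chain msiexec.exe(780) > MsiExec.exe(2544) > keygenran.exe(4636). The ICACLS rule alone is low fidelity, since integrity-level changes on a temp directory are part of unpacking; treat the dropped-executable rule as the alert and the ICACLS hits as supporting context from the same parent.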
Network
MITRE ATT&CK Enterprise v15
Downloads
(dropped files; the first six entries carry no path in this capture)

Filesize: 388KB
MD5: 03fe272172afe473673575357d0e8cc8
SHA1: c65ecd5f16f526782921ecb71643d51ef7304b81
SHA256: 80f11d6eb95e168459f46201e3aca4fee23bdeb2f7bb5ee710a7d4003f4517e1
SHA512: b75b2f82454e3efd106616afa72eefddf00eb85aa3cb209774c1482432d92b65ce19a8bce403b2c5692df6a5fdf48e11cadb693656fc8012551caa2e4df3473a

Filesize: 388KB
MD5: d313cf4e6bf5e9dcb2ed3e722984bc8e
SHA1: 21a28a94e0de60603ad1664a843717a8aeba30c9
SHA256: 739e1ab9e63ec4da436b2861c3c23111a823676896b6f2f40cf0051bf5c0e951
SHA512: 2a0d479f8b299370bb67ce34f4dfb58b52c70e7edcfa1f9cb6c40a6162455b77aad70bfd1f619dda327d969852eb1c20c7768f1c4247450740c203521f37ff34

Filesize: 1KB
MD5: acef2cbd72bc707595b05e0a6ae802a7
SHA1: 90e5c09045551f6bfe3f008046c8a5e594c906d4
SHA256: 3b633b8c4699ffc1056524c2fc409c6018ee1b0f10723e980268e08e5e897d65
SHA512: c5af52de7390c6cfd8e36aea678498ec275a39bdc453dbb2aeb696f01fe76cce3c6d3b0844ac5f101d020b3e5a6039a8bd48711fe13de787289e5e918718afe3

Filesize: 1KB
MD5: f8aa8a71f3db163e09c26b01bda44ccc
SHA1: 950ddae325ea656ced43c07ddeaa4cf4425858ec
SHA256: 92fc4e62d5e759325afeb8c66c1baeff151e6d9ffc8d82230caf671d307bea43
SHA512: 62b550293f8a0e3e7c8a3776c7cdda1f8d72f5a7c23c2008468b729701f8b08ea006e9e92afd663dada24caecd1d9e569dd835ff2670808efcca5e20d97f2abe

Filesize: 208KB
MD5: 0c8921bbcc37c6efd34faf44cf3b0cb5
SHA1: dcfa71246157edcd09eecaf9d4c5e360b24b3e49
SHA256: fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1
SHA512: ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

Filesize: 24.1MB
MD5: c6235d9067f052db586f2a91f14e6f6d
SHA1: 24411448c68e7029c77f549ce24b362a7a15364d
SHA256: 04ef3aae0c89beee49096cfc8ecac0335ad05bb5d0e57f3c1e17b82000b5305d
SHA512: e03878d14c718a105b3b65dd19a2d0847c0bec7e71610a459c4e6793b0a0d0cab4e54f39675f7765ea0b4d8d59179d468e856fd7a439745ecf640b8d2a18df3c

\??\Volume{48d314f9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{2c84b3fe-5519-42e9-aa12-062a04110819}_OnDiskSnapshotProp
Filesize: 6KB
MD5: 16c752f0454873ebc27afa3ce24470da
SHA1: 0c9b06387b0fd851888b27823af8c0ba2d7145c5
SHA256: 0502cd24394d3e9cadcd71ff115c5cd1e3ccdb9d60bdb573762cc7a5a3e39cc2
SHA512: a3f65b23fc506a1ad6738658d1eb732d6745717f8577148c1154b17cdd148015341762a06e3c9bf27a179471a0f731a164d353cc189ba49cfe4ec85a9a99a9c1
(the last entry is the restore-point metadata written under System Volume Information during the installer's snapshot, not a file dropped by the sample)