Overview
overview
10Static
static
100811cf7c27...de.exe
windows7-x64
90dd0b31f05...24.exe
windows7-x64
71ad888606f...e0.exe
windows7-x64
31c77a07e45...95.exe
windows7-x64
1023f1c183af...bc.exe
windows7-x64
1038e891599d...90.exe
windows7-x64
103a13e092e9...db.exe
windows7-x64
43b9dabd99d...82.exe
windows7-x64
358fe9776f3...06.exe
windows7-x64
105ab93bd422...11.exe
windows7-x64
36b06c25fc6...43.exe
windows7-x64
106cc8001c9b...07.exe
windows7-x64
173ca5dd6d4...3f.exe
windows7-x64
107b931d48ea...f0.exe
windows7-x64
107d6892645b...0f.exe
windows7-x64
109036aeb570...7e.exe
windows7-x64
39b6289a8bf...2b.exe
windows7-x64
8acf2b76704...a7.exe
windows7-x64
3af2f191f8d...53.exe
windows7-x64
10cc7045d9fe...ab.dll
windows7-x64
10d1a6bd542d...a8.exe
windows7-x64
10efe947e0a8...69.exe
windows7-x64
10f13edd0b86...9f.exe
windows7-x64
10Analysis
-
max time kernel
718s -
max time network
725s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
27-11-2024 09:27
Behavioral task
behavioral1
Sample
0811cf7c2702af79720305f03bb4945d63bd4052d4d6df4aa4cf8e6418e5d9de.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
0dd0b31f05bd8036791494372275f393714ac18bae0f8d26a808387a0fcfe224.exe
Resource
win7-20240729-en
Behavioral task
behavioral3
Sample
1ad888606f448d0d04c37ba11348b4c7d06f22b1cb3e8c217a21a5674bf29ce0.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
1c77a07e45b4f3e7f2b756c76df58a9d0f78785aa0f9e154074503398203c695.exe
Resource
win7-20240708-en
Behavioral task
behavioral5
Sample
23f1c183af6a0322746465beeb83e79c30ba8f497cd52d60e2ed544bb7b39ebc.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
38e891599dad5b84356bad13b154ef7e26bb07aa651809a00369e52a54adc890.exe
Resource
win7-20240903-en
Behavioral task
behavioral7
Sample
3a13e092e9c857702ad930dbd32ff7e4819151b0eab88be26d0229d95a74b6db.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
3b9dabd99dc58a5242616cb6d1d876bca3046119a9b150c7d7868bf02202ea82.exe
Resource
win7-20240903-en
Behavioral task
behavioral9
Sample
58fe9776f33628fd965d1bcc442ec8dc5bfae0c648dcaec400f6090633484806.exe
Resource
win7-20241023-en
Behavioral task
behavioral10
Sample
5ab93bd4225586706037be1870f84d4bd124b38df01f78de5648e3e0f30b8911.exe
Resource
win7-20240903-en
Behavioral task
behavioral11
Sample
6b06c25fc6181adf110e8109550698897836b5c429fe9b013b2e51a3abc05343.exe
Resource
win7-20241010-en
Behavioral task
behavioral12
Sample
6cc8001c9b61f55dc390743a9a6adfe2de01efd983f68599b288d39d3bfb7207.exe
Resource
win7-20240903-en
Behavioral task
behavioral13
Sample
73ca5dd6d49b4c296ee1304aaac2e5fde01156800b538354fd27366df5b9323f.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
7b931d48eafa703a99ca7f104daf9a7343b6f1161d49073b86f5a4700864d3f0.exe
Resource
win7-20240903-en
Behavioral task
behavioral15
Sample
7d6892645bc5ba581b2fff986b3e9371dd7298bab6aac890c99f80c8b1d78f0f.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
9036aeb570b22497c0f937e7edcef624800426011f0193a2b78c7f124e3a4c7e.exe
Resource
win7-20240903-en
Behavioral task
behavioral17
Sample
9b6289a8bf3eab91297cc6d01215b06f4d979a81656eb80bc0ae6d3b7e8b112b.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
acf2b767040e546b689b4f1724569fd9992189ba2035654cfbf866b933e5b1a7.exe
Resource
win7-20240708-en
Behavioral task
behavioral19
Sample
af2f191f8d2199d74867e9b1b9071e677c91b24d529d17b83ff04d0f03098a53.exe
Resource
win7-20241010-en
Behavioral task
behavioral20
Sample
cc7045d9fe77c4aa4cb646d01fb4700008a34f58f49358d0b0b0997d21016aab.dll
Resource
win7-20241023-en
Behavioral task
behavioral21
Sample
d1a6bd542d3570297f37ef478a638a2c7e04645cfb66fef1abe8210aa41c48a8.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
efe947e0a8842997d152af946ef0293a972cc11662f3c62a8461bc4a07427669.exe
Resource
win7-20240729-en
Behavioral task
behavioral23
Sample
f13edd0b86c095dfb681e8bf08d7df0d53d9fb4301f2ba65ae9706a0aaeefe9f.exe
Resource
win7-20241010-en
General
-
Target
f13edd0b86c095dfb681e8bf08d7df0d53d9fb4301f2ba65ae9706a0aaeefe9f.exe
-
Size
188KB
-
MD5
d158894d0bb726520cdd6a7fce485502
-
SHA1
2f96ff31e88d76e28892f5e7289d7dab12355a57
-
SHA256
f13edd0b86c095dfb681e8bf08d7df0d53d9fb4301f2ba65ae9706a0aaeefe9f
-
SHA512
31c1c755e0506fccf08c07479e79fbb4b081b84684449e63d53eeaa3036edba741ce6d10f484ff82ec0dcd8a50b121b998211f3c661bc8747512a88688638350
-
SSDEEP
3072:sgMAkr98bY+GC+4cGRJfnAi+dZMLwjezS0OtEoifN5l:mr98MQ+4cGRJonZgwGUM
Malware Config
Extracted
C:\Users\Admin\Documents\read_it.txt
3JMn7im6xZeLodtqqEBgTsUUvBQeUwszdb
https://www.coinmama.com
https://www.bitpanda.com
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 3 IoCs
resource yara_rule behavioral23/memory/2240-1-0x00000000009A0000-0x00000000009D4000-memory.dmp family_chaos behavioral23/files/0x0027000000016d2c-5.dat family_chaos behavioral23/memory/2276-7-0x00000000001E0000-0x0000000000214000-memory.dmp family_chaos -
Chaos family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 1144 bcdedit.exe 2324 bcdedit.exe -
Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
pid Process 2208 wbadmin.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url svchost.exe -
Executes dropped EXE 1 IoCs
pid Process 2276 svchost.exe -
Drops desktop.ini file(s) 14 IoCs
description ioc Process File opened for modification C:\Users\Admin\Saved Games\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Searches\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini svchost.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Music\desktop.ini svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 584 vssadmin.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 2984 NOTEPAD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2276 svchost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 2240 f13edd0b86c095dfb681e8bf08d7df0d53d9fb4301f2ba65ae9706a0aaeefe9f.exe 2240 f13edd0b86c095dfb681e8bf08d7df0d53d9fb4301f2ba65ae9706a0aaeefe9f.exe 2240 f13edd0b86c095dfb681e8bf08d7df0d53d9fb4301f2ba65ae9706a0aaeefe9f.exe 2276 svchost.exe 2276 svchost.exe 2276 svchost.exe 2276 svchost.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
description pid Process Token: SeDebugPrivilege 2240 f13edd0b86c095dfb681e8bf08d7df0d53d9fb4301f2ba65ae9706a0aaeefe9f.exe Token: SeDebugPrivilege 2276 svchost.exe Token: SeBackupPrivilege 2228 vssvc.exe Token: SeRestorePrivilege 2228 vssvc.exe Token: SeAuditPrivilege 2228 vssvc.exe Token: SeIncreaseQuotaPrivilege 952 WMIC.exe Token: SeSecurityPrivilege 952 WMIC.exe Token: SeTakeOwnershipPrivilege 952 WMIC.exe Token: SeLoadDriverPrivilege 952 WMIC.exe Token: SeSystemProfilePrivilege 952 WMIC.exe Token: SeSystemtimePrivilege 952 WMIC.exe Token: SeProfSingleProcessPrivilege 952 WMIC.exe Token: SeIncBasePriorityPrivilege 952 WMIC.exe Token: SeCreatePagefilePrivilege 952 WMIC.exe Token: SeBackupPrivilege 952 WMIC.exe Token: SeRestorePrivilege 952 WMIC.exe Token: SeShutdownPrivilege 952 WMIC.exe Token: SeDebugPrivilege 952 WMIC.exe Token: SeSystemEnvironmentPrivilege 952 WMIC.exe Token: SeRemoteShutdownPrivilege 952 WMIC.exe Token: SeUndockPrivilege 952 WMIC.exe Token: SeManageVolumePrivilege 952 WMIC.exe Token: 33 952 WMIC.exe Token: 34 952 WMIC.exe Token: 35 952 WMIC.exe Token: SeIncreaseQuotaPrivilege 952 WMIC.exe Token: SeSecurityPrivilege 952 WMIC.exe Token: SeTakeOwnershipPrivilege 952 WMIC.exe Token: SeLoadDriverPrivilege 952 WMIC.exe Token: SeSystemProfilePrivilege 952 WMIC.exe Token: SeSystemtimePrivilege 952 WMIC.exe Token: SeProfSingleProcessPrivilege 952 WMIC.exe Token: SeIncBasePriorityPrivilege 952 WMIC.exe Token: SeCreatePagefilePrivilege 952 WMIC.exe Token: SeBackupPrivilege 952 WMIC.exe Token: SeRestorePrivilege 952 WMIC.exe Token: SeShutdownPrivilege 952 WMIC.exe Token: SeDebugPrivilege 952 WMIC.exe Token: SeSystemEnvironmentPrivilege 952 WMIC.exe Token: SeRemoteShutdownPrivilege 952 WMIC.exe Token: SeUndockPrivilege 952 WMIC.exe Token: SeManageVolumePrivilege 952 WMIC.exe Token: 33 952 WMIC.exe Token: 34 952 WMIC.exe Token: 35 952 WMIC.exe Token: SeBackupPrivilege 2572 wbengine.exe Token: SeRestorePrivilege 2572 wbengine.exe Token: SeSecurityPrivilege 2572 wbengine.exe -
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target PID 2240 wrote to memory of 2276 2240 f13edd0b86c095dfb681e8bf08d7df0d53d9fb4301f2ba65ae9706a0aaeefe9f.exe 30 PID 2240 wrote to memory of 2276 2240 f13edd0b86c095dfb681e8bf08d7df0d53d9fb4301f2ba65ae9706a0aaeefe9f.exe 30 PID 2240 wrote to memory of 2276 2240 f13edd0b86c095dfb681e8bf08d7df0d53d9fb4301f2ba65ae9706a0aaeefe9f.exe 30 PID 2276 wrote to memory of 1064 2276 svchost.exe 32 PID 2276 wrote to memory of 1064 2276 svchost.exe 32 PID 2276 wrote to memory of 1064 2276 svchost.exe 32 PID 1064 wrote to memory of 584 1064 cmd.exe 34 PID 1064 wrote to memory of 584 1064 cmd.exe 34 PID 1064 wrote to memory of 584 1064 cmd.exe 34 PID 1064 wrote to memory of 952 1064 cmd.exe 37 PID 1064 wrote to memory of 952 1064 cmd.exe 37 PID 1064 wrote to memory of 952 1064 cmd.exe 37 PID 2276 wrote to memory of 2824 2276 svchost.exe 39 PID 2276 wrote to memory of 2824 2276 svchost.exe 39 PID 2276 wrote to memory of 2824 2276 svchost.exe 39 PID 2824 wrote to memory of 1144 2824 cmd.exe 41 PID 2824 wrote to memory of 1144 2824 cmd.exe 41 PID 2824 wrote to memory of 1144 2824 cmd.exe 41 PID 2824 wrote to memory of 2324 2824 cmd.exe 42 PID 2824 wrote to memory of 2324 2824 cmd.exe 42 PID 2824 wrote to memory of 2324 2824 cmd.exe 42 PID 2276 wrote to memory of 2128 2276 svchost.exe 43 PID 2276 wrote to memory of 2128 2276 svchost.exe 43 PID 2276 wrote to memory of 2128 2276 svchost.exe 43 PID 2128 wrote to memory of 2208 2128 cmd.exe 45 PID 2128 wrote to memory of 2208 2128 cmd.exe 45 PID 2128 wrote to memory of 2208 2128 cmd.exe 45 PID 2276 wrote to memory of 2984 2276 svchost.exe 49 PID 2276 wrote to memory of 2984 2276 svchost.exe 49 PID 2276 wrote to memory of 2984 2276 svchost.exe 49 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\f13edd0b86c095dfb681e8bf08d7df0d53d9fb4301f2ba65ae9706a0aaeefe9f.exe"C:\Users\Admin\AppData\Local\Temp\f13edd0b86c095dfb681e8bf08d7df0d53d9fb4301f2ba65ae9706a0aaeefe9f.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:584
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:952
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no3⤵
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
PID:1144
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
PID:2324
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
PID:2208
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt3⤵
- Opens file in notepad (likely ransom note)
PID:2984
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2228
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2572
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:1588
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:2212
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
188KB
MD5d158894d0bb726520cdd6a7fce485502
SHA12f96ff31e88d76e28892f5e7289d7dab12355a57
SHA256f13edd0b86c095dfb681e8bf08d7df0d53d9fb4301f2ba65ae9706a0aaeefe9f
SHA51231c1c755e0506fccf08c07479e79fbb4b081b84684449e63d53eeaa3036edba741ce6d10f484ff82ec0dcd8a50b121b998211f3c661bc8747512a88688638350
-
Filesize
1KB
MD5e72be71a04b94f7cf6504b3f6dcf3b10
SHA120f24d937ef5cddeb57e0abd2f2cab095840fe98
SHA25638ec1adcdf0fc695fa3f120f179cb07b9da982f376bd3474f9c012cfd3d4776c
SHA512a9da2b56ca283f5cadf13d23d643234e56dfb2d58cdf4324cbd0f56ab822e2c130448c9489bbc2d31b26c3fd3b44c6fec88cfc9f97723b817df55e9b43387aed