Resubmissions

27-11-2024 13:29

241127-qrb37svpcv 10

27-11-2024 09:27

241127-le54astrfj 10

Analysis

  • max time kernel
    718s
  • max time network
    725s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    27-11-2024 09:27

General

  • Target

    f13edd0b86c095dfb681e8bf08d7df0d53d9fb4301f2ba65ae9706a0aaeefe9f.exe

  • Size

    188KB

  • MD5

    d158894d0bb726520cdd6a7fce485502

  • SHA1

    2f96ff31e88d76e28892f5e7289d7dab12355a57

  • SHA256

    f13edd0b86c095dfb681e8bf08d7df0d53d9fb4301f2ba65ae9706a0aaeefe9f

  • SHA512

    31c1c755e0506fccf08c07479e79fbb4b081b84684449e63d53eeaa3036edba741ce6d10f484ff82ec0dcd8a50b121b998211f3c661bc8747512a88688638350

  • SSDEEP

    3072:sgMAkr98bY+GC+4cGRJfnAi+dZMLwjezS0OtEoifN5l:mr98MQ+4cGRJonZgwGUM

Malware Config

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Ransom Note
Warlocks Dark Army Hacker Group Ransomware All of your files have been encrypted Your computer was infected with a ransomware virus. Your files have been encrypted by AES-256 Military Algorithm and you won't be able to decrypt them without our help. What can I do to get my files back? You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer. The price for the software is $200. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - https://www.coinmama.com Bitpanda - https://www.bitpanda.com Payment information. Amount: $200 worth Bitcoin Bitcoin Address: 3JMn7im6xZeLodtqqEBgTsUUvBQeUwszdb Once payment is done, Please contact @CattyLola or @WARLOCK_MAK to get your decryption software, private key and instrutions to decrypt your computer.
Wallets

3JMn7im6xZeLodtqqEBgTsUUvBQeUwszdb

URLs

https://www.coinmama.com

https://www.bitpanda.com

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 3 IoCs
  • Chaos family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\f13edd0b86c095dfb681e8bf08d7df0d53d9fb4301f2ba65ae9706a0aaeefe9f.exe
    "C:\Users\Admin\AppData\Local\Temp\f13edd0b86c095dfb681e8bf08d7df0d53d9fb4301f2ba65ae9706a0aaeefe9f.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2276
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1064
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:584
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:952
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2824
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1144
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2324
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2128
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:2208
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:2984
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2228
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2572
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:1588
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
        PID:2212

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\svchost.exe

        Filesize

        188KB

        MD5

        d158894d0bb726520cdd6a7fce485502

        SHA1

        2f96ff31e88d76e28892f5e7289d7dab12355a57

        SHA256

        f13edd0b86c095dfb681e8bf08d7df0d53d9fb4301f2ba65ae9706a0aaeefe9f

        SHA512

        31c1c755e0506fccf08c07479e79fbb4b081b84684449e63d53eeaa3036edba741ce6d10f484ff82ec0dcd8a50b121b998211f3c661bc8747512a88688638350

      • C:\Users\Admin\Documents\read_it.txt

        Filesize

        1KB

        MD5

        e72be71a04b94f7cf6504b3f6dcf3b10

        SHA1

        20f24d937ef5cddeb57e0abd2f2cab095840fe98

        SHA256

        38ec1adcdf0fc695fa3f120f179cb07b9da982f376bd3474f9c012cfd3d4776c

        SHA512

        a9da2b56ca283f5cadf13d23d643234e56dfb2d58cdf4324cbd0f56ab822e2c130448c9489bbc2d31b26c3fd3b44c6fec88cfc9f97723b817df55e9b43387aed

      • memory/2240-0-0x000007FEF6423000-0x000007FEF6424000-memory.dmp

        Filesize

        4KB

      • memory/2240-1-0x00000000009A0000-0x00000000009D4000-memory.dmp

        Filesize

        208KB

      • memory/2276-7-0x00000000001E0000-0x0000000000214000-memory.dmp

        Filesize

        208KB

      • memory/2276-9-0x000007FEF6420000-0x000007FEF6E0C000-memory.dmp

        Filesize

        9.9MB

      • memory/2276-13-0x000007FEF6420000-0x000007FEF6E0C000-memory.dmp

        Filesize

        9.9MB

      • memory/2276-207-0x000007FEF6420000-0x000007FEF6E0C000-memory.dmp

        Filesize

        9.9MB