chaos | fa3f7a4c1502f499a481b56f5e7c185876626e3d00110d84e09652f98b776aff

Resubmissions

27-11-2024 13:29

241127-qrb37svpcv 10

27-11-2024 09:27

241127-le54astrfj 10

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-11-2024 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f13edd0b86c095dfb681e8bf08d7df0d53d9fb4301f2ba65ae9706a0aaeefe9f.exe
Size

188KB
MD5

d158894d0bb726520cdd6a7fce485502
SHA1

2f96ff31e88d76e28892f5e7289d7dab12355a57
SHA256

f13edd0b86c095dfb681e8bf08d7df0d53d9fb4301f2ba65ae9706a0aaeefe9f
SHA512

31c1c755e0506fccf08c07479e79fbb4b081b84684449e63d53eeaa3036edba741ce6d10f484ff82ec0dcd8a50b121b998211f3c661bc8747512a88688638350
SSDEEP

3072:sgMAkr98bY+GC+4cGRJfnAi+dZMLwjezS0OtEoifN5l:mr98MQ+4cGRJonZgwGUM

Score

10^/10

chaos defense_evasion evasion execution impact ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Ransom Note

Warlocks Dark Army Hacker Group Ransomware All of your files have been encrypted Your computer was infected with a ransomware virus. Your files have been encrypted by AES-256 Military Algorithm and you won't be able to decrypt them without our help. What can I do to get my files back? You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer. The price for the software is $200. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - https://www.coinmama.com Bitpanda - https://www.bitpanda.com Payment information. Amount: $200 worth Bitcoin Bitcoin Address: 3JMn7im6xZeLodtqqEBgTsUUvBQeUwszdb Once payment is done, Please contact @CattyLola or @WARLOCK_MAK to get your decryption software, private key and instrutions to decrypt your computer.

Wallets

3JMn7im6xZeLodtqqEBgTsUUvBQeUwszdb

URLs

https://www.coinmama.com

https://www.bitpanda.com

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 3 IoCs

Processes:

resource	yara_rule
behavioral23/memory/2196-1-0x0000000000F50000-0x0000000000F84000-memory.dmp	family_chaos
behavioral23/files/0x000c000000012268-5.dat	family_chaos
behavioral23/memory/2800-7-0x00000000011A0000-0x00000000011D4000-memory.dmp	family_chaos

Chaos family
chaos
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exe

pid	Process
2424	bcdedit.exe
844	bcdedit.exe

Renames multiple (113) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

Processes:

wbadmin.exe

pid	Process
1576	wbadmin.exe

Drops startup file 1 IoCs

Processes:

svchost.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid	Process
2800	svchost.exe

Drops desktop.ini file(s) 14 IoCs

Processes:

svchost.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

Processes:

vssadmin.exe

pid	Process
1388	vssadmin.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
2544	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

svchost.exe

pid	Process
2800	svchost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

f13edd0b86c095dfb681e8bf08d7df0d53d9fb4301f2ba65ae9706a0aaeefe9f.exesvchost.exe

pid	Process
2196	f13edd0b86c095dfb681e8bf08d7df0d53d9fb4301f2ba65ae9706a0aaeefe9f.exe
2196	f13edd0b86c095dfb681e8bf08d7df0d53d9fb4301f2ba65ae9706a0aaeefe9f.exe
2196	f13edd0b86c095dfb681e8bf08d7df0d53d9fb4301f2ba65ae9706a0aaeefe9f.exe
2800	svchost.exe
2800	svchost.exe
2800	svchost.exe
2800	svchost.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

f13edd0b86c095dfb681e8bf08d7df0d53d9fb4301f2ba65ae9706a0aaeefe9f.exesvchost.exevssvc.exeWMIC.exewbengine.exe

description	pid	Process
Token: SeDebugPrivilege	2196	f13edd0b86c095dfb681e8bf08d7df0d53d9fb4301f2ba65ae9706a0aaeefe9f.exe
Token: SeDebugPrivilege	2800	svchost.exe
Token: SeBackupPrivilege	2432	vssvc.exe
Token: SeRestorePrivilege	2432	vssvc.exe
Token: SeAuditPrivilege	2432	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1684	WMIC.exe
Token: SeSecurityPrivilege	1684	WMIC.exe
Token: SeTakeOwnershipPrivilege	1684	WMIC.exe
Token: SeLoadDriverPrivilege	1684	WMIC.exe
Token: SeSystemProfilePrivilege	1684	WMIC.exe
Token: SeSystemtimePrivilege	1684	WMIC.exe
Token: SeProfSingleProcessPrivilege	1684	WMIC.exe
Token: SeIncBasePriorityPrivilege	1684	WMIC.exe
Token: SeCreatePagefilePrivilege	1684	WMIC.exe
Token: SeBackupPrivilege	1684	WMIC.exe
Token: SeRestorePrivilege	1684	WMIC.exe
Token: SeShutdownPrivilege	1684	WMIC.exe
Token: SeDebugPrivilege	1684	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1684	WMIC.exe
Token: SeRemoteShutdownPrivilege	1684	WMIC.exe
Token: SeUndockPrivilege	1684	WMIC.exe
Token: SeManageVolumePrivilege	1684	WMIC.exe
Token: 33	1684	WMIC.exe
Token: 34	1684	WMIC.exe
Token: 35	1684	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1684	WMIC.exe
Token: SeSecurityPrivilege	1684	WMIC.exe
Token: SeTakeOwnershipPrivilege	1684	WMIC.exe
Token: SeLoadDriverPrivilege	1684	WMIC.exe
Token: SeSystemProfilePrivilege	1684	WMIC.exe
Token: SeSystemtimePrivilege	1684	WMIC.exe
Token: SeProfSingleProcessPrivilege	1684	WMIC.exe
Token: SeIncBasePriorityPrivilege	1684	WMIC.exe
Token: SeCreatePagefilePrivilege	1684	WMIC.exe
Token: SeBackupPrivilege	1684	WMIC.exe
Token: SeRestorePrivilege	1684	WMIC.exe
Token: SeShutdownPrivilege	1684	WMIC.exe
Token: SeDebugPrivilege	1684	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1684	WMIC.exe
Token: SeRemoteShutdownPrivilege	1684	WMIC.exe
Token: SeUndockPrivilege	1684	WMIC.exe
Token: SeManageVolumePrivilege	1684	WMIC.exe
Token: 33	1684	WMIC.exe
Token: 34	1684	WMIC.exe
Token: 35	1684	WMIC.exe
Token: SeBackupPrivilege	2656	wbengine.exe
Token: SeRestorePrivilege	2656	wbengine.exe
Token: SeSecurityPrivilege	2656	wbengine.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

f13edd0b86c095dfb681e8bf08d7df0d53d9fb4301f2ba65ae9706a0aaeefe9f.exesvchost.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 2196 wrote to memory of 2800	2196	f13edd0b86c095dfb681e8bf08d7df0d53d9fb4301f2ba65ae9706a0aaeefe9f.exe	30
PID 2196 wrote to memory of 2800	2196	f13edd0b86c095dfb681e8bf08d7df0d53d9fb4301f2ba65ae9706a0aaeefe9f.exe	30
PID 2196 wrote to memory of 2800	2196	f13edd0b86c095dfb681e8bf08d7df0d53d9fb4301f2ba65ae9706a0aaeefe9f.exe	30
PID 2800 wrote to memory of 2864	2800	svchost.exe	32
PID 2800 wrote to memory of 2864	2800	svchost.exe	32
PID 2800 wrote to memory of 2864	2800	svchost.exe	32
PID 2864 wrote to memory of 1388	2864	cmd.exe	34
PID 2864 wrote to memory of 1388	2864	cmd.exe	34
PID 2864 wrote to memory of 1388	2864	cmd.exe	34
PID 2864 wrote to memory of 1684	2864	cmd.exe	37
PID 2864 wrote to memory of 1684	2864	cmd.exe	37
PID 2864 wrote to memory of 1684	2864	cmd.exe	37
PID 2800 wrote to memory of 1756	2800	svchost.exe	39
PID 2800 wrote to memory of 1756	2800	svchost.exe	39
PID 2800 wrote to memory of 1756	2800	svchost.exe	39
PID 1756 wrote to memory of 2424	1756	cmd.exe	41
PID 1756 wrote to memory of 2424	1756	cmd.exe	41
PID 1756 wrote to memory of 2424	1756	cmd.exe	41
PID 1756 wrote to memory of 844	1756	cmd.exe	42
PID 1756 wrote to memory of 844	1756	cmd.exe	42
PID 1756 wrote to memory of 844	1756	cmd.exe	42
PID 2800 wrote to memory of 2676	2800	svchost.exe	43
PID 2800 wrote to memory of 2676	2800	svchost.exe	43
PID 2800 wrote to memory of 2676	2800	svchost.exe	43
PID 2676 wrote to memory of 1576	2676	cmd.exe	45
PID 2676 wrote to memory of 1576	2676	cmd.exe	45
PID 2676 wrote to memory of 1576	2676	cmd.exe	45
PID 2800 wrote to memory of 2544	2800	svchost.exe	49
PID 2800 wrote to memory of 2544	2800	svchost.exe	49
PID 2800 wrote to memory of 2544	2800	svchost.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f13edd0b86c095dfb681e8bf08d7df0d53d9fb4301f2ba65ae9706a0aaeefe9f.exe
"C:\Users\Admin\AppData\Local\Temp\f13edd0b86c095dfb681e8bf08d7df0d53d9fb4301f2ba65ae9706a0aaeefe9f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1388
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1684
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1756
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2424
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:844
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:1576
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2544

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2680

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
188KB

MD5
d158894d0bb726520cdd6a7fce485502

SHA1
2f96ff31e88d76e28892f5e7289d7dab12355a57

SHA256
f13edd0b86c095dfb681e8bf08d7df0d53d9fb4301f2ba65ae9706a0aaeefe9f

SHA512
31c1c755e0506fccf08c07479e79fbb4b081b84684449e63d53eeaa3036edba741ce6d10f484ff82ec0dcd8a50b121b998211f3c661bc8747512a88688638350

Download Submit
C:\Users\Admin\Documents\read_it.txt

Filesize
1KB

MD5
e72be71a04b94f7cf6504b3f6dcf3b10

SHA1
20f24d937ef5cddeb57e0abd2f2cab095840fe98

SHA256
38ec1adcdf0fc695fa3f120f179cb07b9da982f376bd3474f9c012cfd3d4776c

SHA512
a9da2b56ca283f5cadf13d23d643234e56dfb2d58cdf4324cbd0f56ab822e2c130448c9489bbc2d31b26c3fd3b44c6fec88cfc9f97723b817df55e9b43387aed

Download Submit
memory/2196-0-0x000007FEF6123000-0x000007FEF6124000-memory.dmp

Filesize
4KB

Download
memory/2196-1-0x0000000000F50000-0x0000000000F84000-memory.dmp

Filesize
208KB

Download
memory/2800-7-0x00000000011A0000-0x00000000011D4000-memory.dmp

Filesize
208KB

Download
memory/2800-8-0x000007FEF6120000-0x000007FEF6B0C000-memory.dmp

Filesize
9.9MB

Download
memory/2800-10-0x000007FEF6120000-0x000007FEF6B0C000-memory.dmp

Filesize
9.9MB

Download
memory/2800-254-0x000007FEF6120000-0x000007FEF6B0C000-memory.dmp

Filesize
9.9MB

Download