Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-12-2024 17:26

General

  • Target

    Yashma ransomware builder v1.2.exe

  • Size

    826KB

  • MD5

    20a7eea3f65edd41df1e3bbce7d2b674

  • SHA1

    44a9d957a24ab0e9f2066e9dfc4da8f9d46f0025

  • SHA256

    e505fe2a77857ac94c657999533631289dc76a1c62c73169232dfcd7a25990a9

  • SHA512

    bf3189616f1ed3ca3059fdbb9ea72c38a2e32804b0c5919f058d0798b928c4fd1ce3d015a4366c3f689bcfaa10d2f1fcd3a169c9e3ec6a68f4abdc47ef386fb0

  • SSDEEP

    6144:pMPUfXnG2omFLhFLuFL6FL6aGMVFLQYFWD/:pL3GcQZ

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 4 IoCs
  • Chaos family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 56 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Yashma ransomware builder v1.2.exe
    "C:\Users\Admin\AppData\Local\Temp\Yashma ransomware builder v1.2.exe"
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2140
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zcpujf1v\zcpujf1v.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3516
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8548.tmp" "c:\Users\Admin\Desktop\CSCFDE3BED6BA94E9FA16A5728E92787B1.TMP"
        3⤵
        PID:2056
  • C:\Users\Admin\Desktop\ddd.exe
    "C:\Users\Admin\Desktop\ddd.exe"
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4476
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1836
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1356
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:3692
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2320
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2328
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1684
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2036
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1748
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:4976
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:2088
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2088
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4332
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:5112
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:1484

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Yashma ransomware builder v1.2.exe.log

        Filesize

        1KB

        MD5

        baf55b95da4a601229647f25dad12878

        SHA1

        abc16954ebfd213733c4493fc1910164d825cac8

        SHA256

        ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

        SHA512

        24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ddd.exe.log

        Filesize

        660B

        MD5

        1c5e1d0ff3381486370760b0f2eb656b

        SHA1

        f9df6be8804ef611063f1ff277e323b1215372de

        SHA256

        f424c891fbc7385e9826beed2dd8755aeac5495744b5de0a1e370891a7beaf7a

        SHA512

        78f5fc40a185d04c9e4a02a3d1b10b4bd684c579a45a0d1e8f49f8dee9018ed7bc8875cbf21f98632f93ead667214a41904226ce54817b85caeeb4b0de54a743

      • C:\Users\Admin\AppData\Local\Temp\RES8548.tmp

        Filesize

        1KB

        MD5

        5bc35e963d62b79d818a5f84d7d2929b

        SHA1

        0b00e3fff8633a09f4a8b9812cb210d03b5ea2c3

        SHA256

        bce73432fb99c7bd88438bb76d6de86808994d517a7041828bc4d6607b58e0d3

        SHA512

        7ee161816abb4d68d3e01b2cafa633941d9ec07a0993292958cc368c3bece5d4feaa1a6249460883497ef121ad2e6f0d5bdedb0094c707d74ee449a8046fb35a

      • C:\Users\Admin\AppData\Local\read_it.txt

        Filesize

        545B

        MD5

        4e1993884856220831094e32752cc523

        SHA1

        b69a2d07fab91e6f0ec1215579aa94bd6c0b82e8

        SHA256

        e0c71e46f0573d3cce826cbbf67dc2552db72e8b4cd56636645ad0c5c54923f7

        SHA512

        2f5403bdd9b2fab06109cfddcc77df4be45c30f30d24879a303858eddcdb86b9de5b1f46907cdf04db577c4f35380d7003de42b93e349dfc6cd53f66a3dc4959

      • C:\Users\Admin\Desktop\EditConnect.m4v

        Filesize

        1B

        MD5

        d1457b72c3fb323a2671125aef3eab5d

        SHA1

        5bab61eb53176449e25c2c82f172b82cb13ffb9d

        SHA256

        8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

        SHA512

        ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

      • C:\Users\Admin\Desktop\ddd.exe

        Filesize

        27KB

        MD5

        1b589e227a5c30d6f9e6ce803aba84ac

        SHA1

        7db9ab3d8ae5ff0a19f5cca3490439e3f449ec64

        SHA256

        5b23d04726a81ccd751177df072f61083199a3bf17d15cfd36bb006721d13597

        SHA512

        0e1c5ab7e16f2a279dbc8da326fb63812fc22344d079172e8ba7c8b35f020eef4229c98ab70136869810901c6121d07089ce90fecf32b3bb51d9438238164fd1

      • \??\c:\Users\Admin\AppData\Local\Temp\zcpujf1v\zcpujf1v.0.cs

        Filesize

        38KB

        MD5

        700a5c3e0cb6ebb60c5914369471e8af

        SHA1

        086857866ce56529c2754704ca854377d39e26b5

        SHA256

        3b4e8b7ba9eea9495b32dd7fe2caaab1a4de794dda3df31d077ae2ac464bc65f

        SHA512

        c5215e2dd3f0784161c53a3204bbcab0695a5c85a6cbfcef9d586c3a54e986dc6d22c098638dd7ef2c24c84ef62a41d0f695af9afbd049bc1cb6ef1fc77b31d8

      • \??\c:\Users\Admin\AppData\Local\Temp\zcpujf1v\zcpujf1v.cmdline

        Filesize

        385B

        MD5

        a360340438ffaa526235014e60dd2935

        SHA1

        cf1e0f2d1f04dba0e9654be225cd27f2abf4b51c

        SHA256

        21a6947352d7c66f8e8a5f7e65b523584deac2370f60b77e8e8c09dbf6febf0f

        SHA512

        f04b1cfdfe2879b69f0c446533640819453901e4d9b7310ced0bcd1d9efa42105354e682fa270b71c5e68583284df05f4130245114cca2a8325a5205f39983c5

      • \??\c:\Users\Admin\Desktop\CSCFDE3BED6BA94E9FA16A5728E92787B1.TMP

        Filesize

        1KB

        MD5

        27ac791da1bcec6d71d0eb9c6c15e7eb

        SHA1

        a7e904c52743a9d3b8ec3b121f22832dd575fae6

        SHA256

        0b7b7fbc9541991f041d4d665ef4ae9051be1ede697fc9801ba82a425f2b7d57

        SHA512

        6ae48a7a602bc82474216e1b51c93cb868f71a7ff5c369aa154b4019935e13a87449390a0e68c9b308db32e8a6dcba1c0310889e8e4d1fe52a08c4c4f076b6cf

      • memory/2140-5-0x00007FFA81100000-0x00007FFA81BC1000-memory.dmp

        Filesize

        10.8MB

      • memory/2140-8-0x00007FFA81100000-0x00007FFA81BC1000-memory.dmp

        Filesize

        10.8MB

      • memory/2140-7-0x00007FFA81100000-0x00007FFA81BC1000-memory.dmp

        Filesize

        10.8MB

      • memory/2140-6-0x00007FFA81103000-0x00007FFA81105000-memory.dmp

        Filesize

        8KB

      • memory/2140-27-0x00007FFA81100000-0x00007FFA81BC1000-memory.dmp

        Filesize

        10.8MB

      • memory/2140-0-0x00007FFA81103000-0x00007FFA81105000-memory.dmp

        Filesize

        8KB

      • memory/2140-4-0x00007FFA81100000-0x00007FFA81BC1000-memory.dmp

        Filesize

        10.8MB

      • memory/2140-3-0x00007FFA81100000-0x00007FFA81BC1000-memory.dmp

        Filesize

        10.8MB

      • memory/2140-2-0x00007FFA81100000-0x00007FFA81BC1000-memory.dmp

        Filesize

        10.8MB

      • memory/2140-1-0x000001BA20A80000-0x000001BA20B54000-memory.dmp

        Filesize

        848KB

      • memory/4476-30-0x0000000000660000-0x000000000066E000-memory.dmp

        Filesize

        56KB