Resubmissions

25/03/2025, 13:12 UTC

250325-qfl42aznw9 10

25/03/2025, 13:09 UTC

250325-qdtq4aznv6 10

25/03/2025, 13:05 UTC

250325-qbtcjszns3 10

25/03/2025, 13:01 UTC

250325-p9k86awxat 10

25/03/2025, 12:55 UTC

250325-p58tnawwe1 10

25/03/2025, 12:51 UTC

250325-p3txqazmt6 10

05/02/2025, 11:16 UTC

250205-ndjvsavrdm 10

16/07/2024, 08:54 UTC

240716-kt64gavakp 10

Analysis

  • max time kernel
    103s
  • max time network
    116s
  • platform
    windows10-ltsc_2021_x64
  • resource
    win10ltsc2021-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20250314-en, locale:en-us, os:windows10-ltsc_2021-x64, system
  • submitted
    25/03/2025, 13:09 UTC

General

  • Target

    e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14.exe

  • Size

    137KB

  • MD5

    9b02b542834573f9502ca83719a73a01

  • SHA1

    f3bc7cf16eec977772455f3fce87fed505fb18e3

  • SHA256

    e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14

  • SHA512

    290c7a5bfc921817d1803ddbe8dd07210301082498945bcabdb597368f92c6fc1050cefec514e6d250571cb4afd6427d8e4ab7cd15d7a46a44cb088cd4d1b031

  • SSDEEP

    3072:Eoy7AHYqr9ACDYVbu4sijUtSWnFA22WnVaxs2gzx+IjBz2:0mr9AHVycjUgWnFAGms2gzoch

Malware Config

Extracted

Path

C:\Users\Admin\Documents\andrianov.txt

Ransom Note
Your Personal Files has been Encrypted and Locked
Your documents, photos, databases and other important files have been encrypted with strongest encryption and locked with unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key.
Caution: Removing of Blackhat will not restore access to your encrypted files.
Frequently Asked Questions
What happened to my files ? understanding the issue
How can i get my files back ? the only way to restore your files
What should i do next ? Buy decryption key
Now you have the last chance to decrypt your files.
1. Buy Bitcoin (https://blockchain.info)
2. Send amount of 200 dollar to address: to 3QpLGGaeFwxtV61p1bBUpTBzPcKdtPQpNA
3. Transaction will take about 15-30 minutes to confirm.
4. When transaction is confirmed, send email to us at leonid.andrianoviaa@mail.ru
Click here to restore and recovery your files

Emails

leonid.andrianoviaa@mail.ru

Wallets

3QpLGGaeFwxtV61p1bBUpTBzPcKdtPQpNA
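The Emails and Wallets entries above are what a config extractor pulls out of the note text. The following is an added example, not part of this report and not the sandbox's own extractor: it regex-scans note text for legacy Bitcoin addresses and e-mail addresses, then validates each address candidate with the Base58Check double-SHA-256 checksum so that random Base58-looking tokens a bare regex would accept are flagged before the indicator is published. The note text is embedded as a constructed sample copied from the report; the genesis-block address used in the self-check is a well-known valid address and is the only assumption beyond the page.

```python
import hashlib
import re

# Constructed sample: the payment section of the ransom note shown above.
RANSOM_NOTE = (
    "1. Buy Bitcoin (https://blockchain.info) "
    "2. Send amount of 200 dollar to address: to 3QpLGGaeFwxtV61p1bBUpTBzPcKdtPQpNA "
    "3. Transaction will take about 15-30 minutes to confirm. "
    "4. When transaction is confirmed, send email to us at leonid.andrianoviaa@mail.ru"
)

_B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy P2PKH ('1...') and P2SH ('3...') addresses: 26-35 Base58 characters,
# not embedded in a longer alphanumeric run.
_BTC_RE = re.compile(r"(?<![A-Za-z0-9])[13][" + _B58_ALPHABET + r"]{25,34}(?![A-Za-z0-9])")
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def base58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose last 4 bytes equal the first
    4 bytes of SHA-256(SHA-256(first 21 bytes)), i.e. it is a well-formed
    Base58Check legacy Bitcoin address."""
    n = 0
    for ch in addr:
        digit = _B58_ALPHABET.find(ch)
        if digit < 0:
            return False                      # not a Base58 character
        n = n * 58 + digit
    try:
        payload = n.to_bytes(25, "big")       # version(1) + hash160(20) + checksum(4)
    except OverflowError:
        return False                          # too large to be a legacy address
    body, checksum = payload[:21], payload[21:]
    digest = hashlib.sha256(hashlib.sha256(body).digest()).digest()
    return digest[:4] == checksum


def extract_iocs(note: str) -> dict:
    """Pull wallet and e-mail IoCs out of ransom-note text. Each wallet
    candidate carries a checksum_ok flag so regex false positives can be
    discarded before the indicator is shared."""
    wallets = [
        {"address": cand, "checksum_ok": base58check_valid(cand)}
        for cand in dict.fromkeys(_BTC_RE.findall(note))   # dedupe, keep order
    ]
    emails = sorted(set(_EMAIL_RE.findall(note)))
    return {"wallets": wallets, "emails": emails}


if __name__ == "__main__":
    result = extract_iocs(RANSOM_NOTE)
    for w in result["wallets"]:
        print(w["address"], "checksum ok" if w["checksum_ok"] else "CHECKSUM FAILED")
    print(result["emails"])
```

The checksum step matters because a 26-35 character Base58 regex also matches hashes, session tokens and parts of URLs; only a candidate whose trailing four bytes match the double-SHA-256 of the version and hash160 bytes is worth publishing as a wallet indicator.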

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 2 IoCs
  • Chaos family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (182) files with added filename extension

    Consistent with ransomware encrypting files across the system and appending an extension to each renamed file.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely used as a geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and session cookies.

  • Drops desktop.ini file(s) 31 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14.exe
    "C:\Users\Admin\AppData\Local\Temp\e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4080
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4700
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4272
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:5508
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1560
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1856
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:412
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2752
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1760
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:456
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\andrianov.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:4948
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5544
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2168
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:4060
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:3960
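The three cmd.exe chains above are the standard T1490 (Inhibit System Recovery) sequence, and all three are spawned by the dropped copy at C:\Users\Admin\AppData\Roaming\svchost.exe (PID 4700). The following is an added detection example, not part of this report: it runs a small rule set over constructed process-creation events whose fields are modelled on Sysmon Event ID 1 and whose command lines are copied from the process tree, splits `cmd /C a & b` chains so each sub-command is matched on its own, and correlates hits on the parent PID so that one parent issuing several distinct recovery-inhibiting commands stands out from an administrator running `vssadmin list shadows`. The event field names, the three benign contrast events and the rule labels are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed events modelled on Sysmon Event ID 1 (ProcessCreate). The first
# eight command lines are copied from the process tree in this report; the
# last three are benign administrative commands added for contrast.
EVENTS = [
    {"pid": 4272, "ppid": 4700, "cmdline": r'"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete'},
    {"pid": 5508, "ppid": 4272, "cmdline": r"vssadmin delete shadows /all /quiet"},
    {"pid": 1560, "ppid": 4272, "cmdline": r"wmic shadowcopy delete"},
    {"pid": 1856, "ppid": 4700, "cmdline": r'"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no'},
    {"pid": 412,  "ppid": 1856, "cmdline": r"bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 2752, "ppid": 1856, "cmdline": r"bcdedit /set {default} recoveryenabled no"},
    {"pid": 1760, "ppid": 4700, "cmdline": r'"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet'},
    {"pid": 456,  "ppid": 1760, "cmdline": r"wbadmin delete catalog -quiet"},
    {"pid": 9001, "ppid": 9000, "cmdline": r"vssadmin list shadows"},      # benign (constructed)
    {"pid": 9002, "ppid": 9000, "cmdline": r"bcdedit /enum"},              # benign (constructed)
    {"pid": 9003, "ppid": 9000, "cmdline": r"wbadmin get versions"},       # benign (constructed)
]

# Each rule: (label, regex). Labels reference ATT&CK T1490, Inhibit System Recovery.
RULES = [
    ("T1490/vssadmin-delete-shadows",    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1490/wmic-shadowcopy-delete",     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("T1490/bcdedit-recoveryenabled-no", re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no\b", re.I)),
    ("T1490/bcdedit-ignoreallfailures",  re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\S+\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("T1490/wbadmin-delete-catalog",     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
]

# cmd.exe chains commands with &, &&, | and ||; split so each one is matched alone.
_CHAIN_SPLIT = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")


def split_chain(cmdline: str) -> list:
    """Break a 'cmd /C a & b' command line into its sub-commands."""
    return [p for p in _CHAIN_SPLIT.split(cmdline) if p]


def classify(cmdline: str) -> set:
    """Return the set of rule labels matched by any sub-command."""
    hits = set()
    for part in split_chain(cmdline):
        for label, rx in RULES:
            if rx.search(part):
                hits.add(label)
    return hits


def scan(events: list) -> list:
    """Per-event alerts: one entry for every event that matched a rule."""
    alerts = []
    for ev in events:
        hits = classify(ev["cmdline"])
        if hits:
            alerts.append({"pid": ev["pid"], "ppid": ev["ppid"], "techniques": sorted(hits)})
    return alerts


def techniques_by_parent(events: list) -> dict:
    """Correlate hits on the parent PID. One parent accumulating several
    distinct T1490 techniques is the ransomware pattern; an isolated hit
    may be an administrator."""
    acc = defaultdict(set)
    for ev in events:
        acc[ev["ppid"]].update(classify(ev["cmdline"]))
    return dict(acc)


def suspicious_parents(events: list, threshold: int = 2) -> list:
    """Parent PIDs whose children matched at least `threshold` distinct rules."""
    return sorted(p for p, t in techniques_by_parent(events).items() if len(t) >= threshold)


if __name__ == "__main__":
    for a in scan(EVENTS):
        print(f"pid={a['pid']} ppid={a['ppid']} {', '.join(a['techniques'])}")
    print("parents with >=2 distinct T1490 techniques:", suspicious_parents(EVENTS))
```

On the events above the parent correlation singles out PID 4700 with all five techniques, which is the dropped svchost.exe, while the constructed administrative commands under PID 9000 produce no hits at all. In production the same logic runs over Sysmon or 4688 events with command-line auditing enabled; without command-line logging the bcdedit and wbadmin rules have nothing to match.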

    Network

    Both captured flows are consistent with Windows background traffic rather than sample command-and-control: the fd.api.iris.microsoft.com request goes to Microsoft's IRIS content-delivery endpoint, and the c.pki.goog request is a certificate revocation list fetch by CryptoAPI (User-Agent Microsoft-CryptoAPI/10.0). Neither flow is tied to a PID in the process tree above, and no connection originating from the sample or its dropped copy was recorded.

    • US
      DNS
      fd.api.iris.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      fd.api.iris.microsoft.com
      IN A
      Response
      fd.api.iris.microsoft.com
      IN CNAME
      fd-api-iris.trafficmanager.net
      fd-api-iris.trafficmanager.net
      IN CNAME
      iris-de-prod-azsc-v2-neu-b.northeurope.cloudapp.azure.com
      iris-de-prod-azsc-v2-neu-b.northeurope.cloudapp.azure.com
      IN A
      20.223.36.55
    • IE
      GET
      https://fd.api.iris.microsoft.com/v4/api/selection?&asid=4E33BC6F107041A19A194C0F1D0CA75F&nct=1&placement=88000677&bcnt=30&country=US&locale=en-US&poptin=0&fmt=json&clr=cdmlite&arch=AMD64&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19044.4529&dinst=1741943549&dmret=0&drgng=244&flightbranch=&flightring=Retail&localid=w%3A92DA3E17-5F5C-828C-260F-CE10A0D75AB1&osbranch=vb_release&oslocale=en-US&osret=1&ossku=EnterpriseS&osskuid=125&prccn=2&prccs=4192&prcmf=AuthenticAMD&procm=Intel%20Core%20Processor%20%28Broadwell%29&ram=4095&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=14.7&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=922891&frdsk=20480&lo=16077&tsu=16077
      Remote address:
      20.223.36.55:443
      Request
      GET /v4/api/selection?&asid=4E33BC6F107041A19A194C0F1D0CA75F&nct=1&placement=88000677&bcnt=30&country=US&locale=en-US&poptin=0&fmt=json&clr=cdmlite&arch=AMD64&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19044.4529&dinst=1741943549&dmret=0&drgng=244&flightbranch=&flightring=Retail&localid=w%3A92DA3E17-5F5C-828C-260F-CE10A0D75AB1&osbranch=vb_release&oslocale=en-US&osret=1&ossku=EnterpriseS&osskuid=125&prccn=2&prccs=4192&prcmf=AuthenticAMD&procm=Intel%20Core%20Processor%20%28Broadwell%29&ram=4095&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=14.7&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=922891&frdsk=20480&lo=16077&tsu=16077 HTTP/2.0
      host: fd.api.iris.microsoft.com
      accept-encoding: gzip, deflate
      x-sdk-hw-token: t=<redacted>&p=
      Response
      HTTP/2.0 200
      cache-control: no-store, no-cache
      pragma: no-cache
      content-length: 131
      content-type: application/json; charset=utf-8
      expires: Mon, 01 Jan 0001 00:00:00 GMT
      server: Microsoft-IIS/10.0
      arc-rsp-dbg: [{"DcoPlusDebug":"Status: Ok"},{"OPTOUTSTATE":"256"},{"REGIONALPOLICY":"0"}]
      accept-ch: UA, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform, UA-Platform-Version
      x-aspnet-version: 4.0.30319
      x-powered-by: ASP.NET
      strict-transport-security: max-age=31536000; includeSubDomains
      date: Tue, 25 Mar 2025 13:10:11 GMT
    • US
      DNS
      c.pki.goog
      Remote address:
      8.8.8.8:53
      Request
      c.pki.goog
      IN A
      Response
      c.pki.goog
      IN CNAME
      pki-goog.l.google.com
      pki-goog.l.google.com
      IN A
      142.250.179.227
    • GB
      GET
      http://c.pki.goog/r/r1.crl
      Remote address:
      142.250.179.227:80
      Request
      GET /r/r1.crl HTTP/1.1
      Cache-Control: max-age = 3000
      Connection: Keep-Alive
      Accept: */*
      If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: c.pki.goog
      Response
      HTTP/1.1 304 Not Modified
      Date: Tue, 25 Mar 2025 12:21:32 GMT
      Expires: Tue, 25 Mar 2025 13:11:32 GMT
      Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
      Cache-Control: public, max-age=3000
      Vary: Accept-Encoding
      Age: 2949
    • 20.223.36.55:443
      https://fd.api.iris.microsoft.com/v4/api/selection?&asid=4E33BC6F107041A19A194C0F1D0CA75F&nct=1&placement=88000677&bcnt=30&country=US&locale=en-US&poptin=0&fmt=json&clr=cdmlite&arch=AMD64&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19044.4529&dinst=1741943549&dmret=0&drgng=244&flightbranch=&flightring=Retail&localid=w%3A92DA3E17-5F5C-828C-260F-CE10A0D75AB1&osbranch=vb_release&oslocale=en-US&osret=1&ossku=EnterpriseS&osskuid=125&prccn=2&prccs=4192&prcmf=AuthenticAMD&procm=Intel%20Core%20Processor%20%28Broadwell%29&ram=4095&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=14.7&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=922891&frdsk=20480&lo=16077&tsu=16077
      tls, http2
      2.9kB
      7.5kB
      18
      13

      HTTP Request

      GET https://fd.api.iris.microsoft.com/v4/api/selection?&asid=4E33BC6F107041A19A194C0F1D0CA75F&nct=1&placement=88000677&bcnt=30&country=US&locale=en-US&poptin=0&fmt=json&clr=cdmlite&arch=AMD64&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19044.4529&dinst=1741943549&dmret=0&drgng=244&flightbranch=&flightring=Retail&localid=w%3A92DA3E17-5F5C-828C-260F-CE10A0D75AB1&osbranch=vb_release&oslocale=en-US&osret=1&ossku=EnterpriseS&osskuid=125&prccn=2&prccs=4192&prcmf=AuthenticAMD&procm=Intel%20Core%20Processor%20%28Broadwell%29&ram=4095&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=14.7&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=922891&frdsk=20480&lo=16077&tsu=16077

      HTTP Response

      200
    • 142.250.179.227:80
      http://c.pki.goog/r/r1.crl
      http
      384 B
      355 B
      4
      3

      HTTP Request

      GET http://c.pki.goog/r/r1.crl

      HTTP Response

      304
    • 8.8.8.8:53
      fd.api.iris.microsoft.com
      dns
      71 B
      199 B
      1
      1

      DNS Request

      fd.api.iris.microsoft.com

      DNS Response

      20.223.36.55

    • 8.8.8.8:53
      c.pki.goog
      dns
      56 B
      107 B
      1
      1

      DNS Request

      c.pki.goog

      DNS Response

      142.250.179.227

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Roaming\svchost.exe (byte-identical copy of the submitted sample; same size and hashes as listed under General)

      Filesize

      137KB

      MD5

      9b02b542834573f9502ca83719a73a01

      SHA1

      f3bc7cf16eec977772455f3fce87fed505fb18e3

      SHA256

      e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14

      SHA512

      290c7a5bfc921817d1803ddbe8dd07210301082498945bcabdb597368f92c6fc1050cefec514e6d250571cb4afd6427d8e4ab7cd15d7a46a44cb088cd4d1b031

    • C:\Users\Admin\Documents\andrianov.txt

      Filesize

      987B

      MD5

      8d31c8f9e4bb13c044a9825aee0cdfa3

      SHA1

      6ff267b0179f7ddebe46e8ba855b5e4d176a9bbb

      SHA256

      5aca5bd47a3fd4a211121870f0124245a87528da86b07cb1a0934566ba0349bf

      SHA512

      878a8b06a392000fba503bcd16766c75c53ea033746fd74da02a5bb3a91bf3b9701fb9c89a5eafc179909727c5e16ac21b293fb5de134770bf30db8ed3ae216a

    • memory/4080-0-0x00007FF9A31D3000-0x00007FF9A31D5000-memory.dmp

      Filesize

      8KB

    • memory/4080-1-0x0000000000F10000-0x0000000000F38000-memory.dmp

      Filesize

      160KB

    • memory/4700-4-0x00007FF9A31D0000-0x00007FF9A3C92000-memory.dmp

      Filesize

      10.8MB

    • memory/4700-423-0x00007FF9A31D0000-0x00007FF9A3C92000-memory.dmp

      Filesize

      10.8MB
