Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/04/2025, 17:17

General

  • Target

    ggks8BOYJvu5Z0t.exe

  • Size

    1.3MB

  • MD5

    411906e2a8126c0d101eb899e68f6bb7

  • SHA1

    d97132652d249a0c2a32ccaf3a5e0e1f8a97df37

  • SHA256

    668fc09af59e50f9df62732d13f4d3e163d92f2589d5d2028d9fbd654544b095

  • SHA512

    b4aa133296ce31e068daa75d0bd2b966bdfd843eea79b7f643203757e5d3aba5130fce5be94e8bb740a42d2638cb068217ed95568aef58f7ed59635502f52a41

  • SSDEEP

    24576:7fM5LqgwlU6N3Og9tMm50m6+KvoaN6Fq63/3yao+DnlijaHto/d1WRKQXCQrQeDf:rM5vwC6RrMm50m6+Kwo3PHk9o

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 1 IoCs
  • Chaos family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 9 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ggks8BOYJvu5Z0t.exe
    "C:\Users\Admin\AppData\Local\Temp\ggks8BOYJvu5Z0t.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Users\Admin\AppData\Local\Temp\ggks8BOYJvu5Z0t.exe
      "C:\Users\Admin\AppData\Local\Temp\ggks8BOYJvu5Z0t.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:100
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2704
        • C:\Users\Admin\AppData\Roaming\svchost.exe
          "C:\Users\Admin\AppData\Roaming\svchost.exe"
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops desktop.ini file(s)
          • Sets desktop wallpaper using registry
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4328
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:6012
            • C:\Windows\SysWOW64\Wbem\WMIC.exe
              wmic shadowcopy delete
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:3764
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2252
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4848
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:4164
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\ggks8BOYJvu5Z0t.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3556
    • C:\ProgramData\ggks8BOYJvu5Z0t.exe
      C:\ProgramData\ggks8BOYJvu5Z0t.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:60
      • C:\ProgramData\ggks8BOYJvu5Z0t.exe
        "C:\ProgramData\ggks8BOYJvu5Z0t.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4628
        • C:\Users\Admin\AppData\Roaming\svchost.exe
          "C:\Users\Admin\AppData\Roaming\svchost.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3176
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            "C:\Users\Admin\AppData\Roaming\svchost.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: AddClipboardFormatListener
            PID:3520
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5884
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      C:\Users\Admin\AppData\Roaming\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4604
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        PID:1916
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:604

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\read_it.txt

    Filesize

    181B

    MD5

    efd43c043bb8f5068b27444a6fb6f7a8

    SHA1

    902fc0f412e62dceeef016677895e62689a40534

    SHA256

    6a594fcec979c30b5a9ef3870a005ea4c81eb5559342071ebcdf9e8af9a3c720

    SHA512

    57cfee2b39bc5da85d3d276c9746dd6255fa34aff8e2cf891a90edf95d8122b1fc2b50697378f1ca79b411b69d26ddd0a4af26379b93c7a9b0017f328579db87

  • C:\Users\Admin\2012_x86_0_vcRuntimeMinimum_x86.log

    Filesize

    1B

    MD5

    d1457b72c3fb323a2671125aef3eab5d

    SHA1

    5bab61eb53176449e25c2c82f172b82cb13ffb9d

    SHA256

    8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

    SHA512

    ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ggks8BOYJvu5Z0t.exe.log

    Filesize

    425B

    MD5

    4eaca4566b22b01cd3bc115b9b0b2196

    SHA1

    e743e0792c19f71740416e7b3c061d9f1336bf94

    SHA256

    34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

    SHA512

    bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

  • C:\Users\Admin\AppData\Local\Temp\ggks8BOYJvu5Z0t.exe

    Filesize

    1.3MB

    MD5

    411906e2a8126c0d101eb899e68f6bb7

    SHA1

    d97132652d249a0c2a32ccaf3a5e0e1f8a97df37

    SHA256

    668fc09af59e50f9df62732d13f4d3e163d92f2589d5d2028d9fbd654544b095

    SHA512

    b4aa133296ce31e068daa75d0bd2b966bdfd843eea79b7f643203757e5d3aba5130fce5be94e8bb740a42d2638cb068217ed95568aef58f7ed59635502f52a41

  • memory/60-19-0x0000000074790000-0x0000000074F40000-memory.dmp

    Filesize

    7.7MB

  • memory/60-34-0x0000000074790000-0x0000000074F40000-memory.dmp

    Filesize

    7.7MB

  • memory/100-13-0x0000000074790000-0x0000000074F40000-memory.dmp

    Filesize

    7.7MB

  • memory/100-11-0x0000000004C80000-0x0000000004D12000-memory.dmp

    Filesize

    584KB

  • memory/100-16-0x0000000074790000-0x0000000074F40000-memory.dmp

    Filesize

    7.7MB

  • memory/100-10-0x0000000005230000-0x00000000057D4000-memory.dmp

    Filesize

    5.6MB

  • memory/100-20-0x00000000051E0000-0x00000000051EA000-memory.dmp

    Filesize

    40KB

  • memory/100-31-0x0000000074790000-0x0000000074F40000-memory.dmp

    Filesize

    7.7MB

  • memory/100-8-0x0000000000710000-0x0000000000788000-memory.dmp

    Filesize

    480KB

  • memory/1380-0-0x000000007479E000-0x000000007479F000-memory.dmp

    Filesize

    4KB

  • memory/1380-12-0x0000000074790000-0x0000000074F40000-memory.dmp

    Filesize

    7.7MB

  • memory/1380-9-0x0000000074790000-0x0000000074F40000-memory.dmp

    Filesize

    7.7MB

  • memory/1380-2-0x000000007479E000-0x000000007479F000-memory.dmp

    Filesize

    4KB

  • memory/1380-1-0x0000000000A30000-0x0000000000B82000-memory.dmp

    Filesize

    1.3MB

  • memory/4328-41-0x0000000007330000-0x0000000007352000-memory.dmp

    Filesize

    136KB