
Windows Analysis Report
a8BgfRCsUv.exe

Overview

General Information

Sample Name:a8BgfRCsUv.exe
Original Sample Name:2023-03-15_ae7795f6305ad315589ff4846ad1ef14_wannacry.exe
Analysis ID:827583
MD5:ae7795f6305ad315589ff4846ad1ef14
SHA1:71f4143d89ce0dcb5729e2a8b2cd54bc9b423e65
SHA256:074c7aa722ff77df5ed56b655cc11da0288550a7405dc439be4417c6fccf7d5f

Detection

Chaos, Conti, TrojanRansom
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected Conti ransomware
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected TrojanRansom
Antivirus / Scanner detection for submitted sample
Sigma detected: Delete shadow copy via WMIC
Antivirus detection for dropped file
Sigma detected: Drops script at startup location
Multi AV Scanner detection for dropped file
Yara detected Chaos Ransomware
Deletes the backup plan of Windows
Uses bcdedit to modify the Windows boot settings
Machine Learning detection for sample
Creates files inside the volume driver (system volume information)
Modifies existing user documents (likely ransomware behavior)
May disable shadow drive data (uses vssadmin)
Machine Learning detection for dropped file
Deletes shadow drive data (may be related to ransomware)
Found potential ransomware demand text
Drops PE files with benign system names
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Creates COM task schedule object (often to register a task for autostart)
Creates files inside the system directory
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Contains capabilities to detect virtual machines
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Enables security privileges
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • a8BgfRCsUv.exe (PID: 6136 cmdline: C:\Users\user\Desktop\a8BgfRCsUv.exe MD5: AE7795F6305AD315589FF4846AD1EF14)
    • svchost.exe (PID: 5472 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: AE7795F6305AD315589FF4846AD1EF14)
      • cmd.exe (PID: 2588 cmdline: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 1420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • vssadmin.exe (PID: 1792 cmdline: vssadmin delete shadows /all /quiet MD5: 47D51216EF45075B5F7EAA117CC70E40)
        • WMIC.exe (PID: 5432 cmdline: wmic shadowcopy delete MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
      • cmd.exe (PID: 5424 cmdline: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 3016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • bcdedit.exe (PID: 6132 cmdline: bcdedit /set {default} bootstatuspolicy ignoreallfailures MD5: 6E05CD5195FDB8B6C68FC90074817293)
        • bcdedit.exe (PID: 5296 cmdline: bcdedit /set {default} recoveryenabled no MD5: 6E05CD5195FDB8B6C68FC90074817293)
      • cmd.exe (PID: 4064 cmdline: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 3068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • wbadmin.exe (PID: 5268 cmdline: wbadmin delete catalog -quiet MD5: EE1E2C4D42579B19D765420E07589148)
  • wbuser.exe (PID: 4908 cmdline: C:\Windows\system32\wbuser.exe MD5: 6E235F75DF84C387388D23D697D6540B)
  • vdsldr.exe (PID: 1332 cmdline: C:\Windows\System32\vdsldr.exe -Embedding MD5: CD0D2028997ABCA78774E062CEC4E701)
  • vds.exe (PID: 1964 cmdline: C:\Windows\System32\vds.exe MD5: 4940B49502323905B66039D0D1AB4613)
  • OpenWith.exe (PID: 404 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: D179D03728E95E040A889F760C1FC402)
  • svchost.exe (PID: 5236 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: AE7795F6305AD315589FF4846AD1EF14)
    • cmd.exe (PID: 5592 cmdline: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 5584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • vssadmin.exe (PID: 5152 cmdline: vssadmin delete shadows /all /quiet MD5: 47D51216EF45075B5F7EAA117CC70E40)
      • WMIC.exe (PID: 5952 cmdline: wmic shadowcopy delete MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
    • cmd.exe (PID: 5276 cmdline: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 2508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • bcdedit.exe (PID: 3128 cmdline: bcdedit /set {default} bootstatuspolicy ignoreallfailures MD5: 6E05CD5195FDB8B6C68FC90074817293)
      • bcdedit.exe (PID: 3424 cmdline: bcdedit /set {default} recoveryenabled no MD5: 6E05CD5195FDB8B6C68FC90074817293)
    • cmd.exe (PID: 2852 cmdline: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 4456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • wbadmin.exe (PID: 2044 cmdline: wbadmin delete catalog -quiet MD5: EE1E2C4D42579B19D765420E07589148)
  • OpenWith.exe (PID: 3396 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: D179D03728E95E040A889F760C1FC402)
  • cleanup
Name: Chaos
Description: In-development ransomware family which was released in June 2021 by an unknown threat actor. The builder initially claimed to be a "Ryuk .Net Ransomware Builder" even though it was completely unrelated to the Ryuk malware family. Presently it appears to contain trojan-like features, but lacks features commonly found in ransomware such as data exfiltration.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.chaos

Name: Conti, Conti Lock
Description: Conti is an extremely damaging ransomware due to the speed with which it encrypts data and spreads to other systems. It was first observed in 2020 and it is thought to be led by a Russia-based cybercrime group that goes under the Wizard Spider pseudonym. In early May 2022, the US government announced a reward of up to $10 million for information on the Conti ransomware gang.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.conti
{"Ransom Note": "----> Chaos is multi language ransomware. Translate your note to any language <----\r\nAll of your files have been encrypted\r\nYour computer was infected with a ransomware virus. Your files have been encrypted and you won't \r\nbe able to decrypt them without our help.What can I do to get my files back?You can buy our special \r\ndecryption software, this software will allow you to recover all of your data and remove the\r\nransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only.\r\nHow do I pay, where do I get Bitcoin?\r\nPurchasing Bitcoin varies from country to country, you are best advised to do a quick google search\r\nyourself  to find out how to buy Bitcoin. \r\nMany of our customers have reported these sites to be fast and reliable:\r\nCoinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com\r\n\r\nPayment informationAmount: 0.1473766 BTC\r\nBitcoin Address:  bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0\r\n\r\n", "Bitcoin Wallet": "bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0"}
Source | Rule | Description | Author | Strings
a8BgfRCsUv.exe | JoeSecurity_Chaos_1 | Yara detected Chaos Ransomware | Joe Security
a8BgfRCsUv.exe | JoeSecurity_Conti_ransomware | Yara detected Conti ransomware | Joe Security
a8BgfRCsUv.exe | MALWARE_Win_Chaos | Detects Chaos ransomware | ditekSHen
      • 0x352a:$s1: <EncyptedKey>
      • 0x3546:$s1: <EncyptedKey>
      • 0x390f:$s2: <EncryptedKey>
      • 0x3cbc:$s3: C:\Users\
      • 0x3d86:$s6: (?:[13]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59})
      • 0x2802:$s7: checkSpread
      • 0x2849:$s7: checkSleep
      • 0x2887:$s7: checkAdminPrivilage
      • 0x289b:$s7: checkdeleteShadowCopies
      • 0x28b3:$s7: checkdisableRecoveryMode
      • 0x28cc:$s7: checkdeleteBackupCatalog
      • 0x2a94:$s8: deleteShadowCopies
      • 0x2aa7:$s8: disableRecoveryMode
      • 0x2abb:$s8: deleteBackupCatalog
      • 0x280e:$s9: spreadName
      • 0x282a:$s10: processName
      • 0x294f:$s11: sleepOutOfTempFolder
      • 0x2964:$s12: AlreadyRunning
      • 0x2973:$s13: random_bytes
      • 0x29d4:$s14: encryptDirectory
      • 0x2f1f:$s14: encryptDirectory
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | URL_File_Local_EXE | Detects an .url file that points to a local executable | Florian Roth (Nextron Systems)
      • 0x0:$s1: [InternetShortcut]
      • 0x14:$s2: URL=file:///C:\Users\user\AppData\Roaming\svchost.exe
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | Methodology_Suspicious_Shortcut_Local_URL | Detects local script usage for .URL persistence | @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)
      • 0x14:$file: URL=file:///
      • 0x0:$url_explicit: [InternetShortcut]
C:\Users\user\AppData\Roaming\svchost.exe | JoeSecurity_Chaos_1 | Yara detected Chaos Ransomware | Joe Security
C:\Users\user\AppData\Roaming\svchost.exe | JoeSecurity_Conti_ransomware | Yara detected Conti ransomware | Joe Security
C:\Users\user\AppData\Roaming\svchost.exe | MALWARE_Win_Chaos | Detects Chaos ransomware | ditekSHen
          • 0x352a:$s1: <EncyptedKey>
          • 0x3546:$s1: <EncyptedKey>
          • 0x390f:$s2: <EncryptedKey>
          • 0x3cbc:$s3: C:\Users\
          • 0x3d86:$s6: (?:[13]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59})
          • 0x2802:$s7: checkSpread
          • 0x2849:$s7: checkSleep
          • 0x2887:$s7: checkAdminPrivilage
          • 0x289b:$s7: checkdeleteShadowCopies
          • 0x28b3:$s7: checkdisableRecoveryMode
          • 0x28cc:$s7: checkdeleteBackupCatalog
          • 0x2a94:$s8: deleteShadowCopies
          • 0x2aa7:$s8: disableRecoveryMode
          • 0x2abb:$s8: deleteBackupCatalog
          • 0x280e:$s9: spreadName
          • 0x282a:$s10: processName
          • 0x294f:$s11: sleepOutOfTempFolder
          • 0x2964:$s12: AlreadyRunning
          • 0x2973:$s13: random_bytes
          • 0x29d4:$s14: encryptDirectory
          • 0x2f1f:$s14: encryptDirectory
Source | Rule | Description | Author | Strings
00000000.00000000.243529247.0000000000E52000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Chaos_1 | Yara detected Chaos Ransomware | Joe Security
00000000.00000000.243529247.0000000000E52000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_Chaos | Detects Chaos ransomware | ditekSHen
            • 0x332a:$s1: <EncyptedKey>
            • 0x3346:$s1: <EncyptedKey>
            • 0x370f:$s2: <EncryptedKey>
            • 0x3abc:$s3: C:\Users\
            • 0x3b86:$s6: (?:[13]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59})
            • 0x2602:$s7: checkSpread
            • 0x2649:$s7: checkSleep
            • 0x2687:$s7: checkAdminPrivilage
            • 0x269b:$s7: checkdeleteShadowCopies
            • 0x26b3:$s7: checkdisableRecoveryMode
            • 0x26cc:$s7: checkdeleteBackupCatalog
            • 0x2894:$s8: deleteShadowCopies
            • 0x28a7:$s8: disableRecoveryMode
            • 0x28bb:$s8: deleteBackupCatalog
            • 0x260e:$s9: spreadName
            • 0x262a:$s10: processName
            • 0x274f:$s11: sleepOutOfTempFolder
            • 0x2764:$s12: AlreadyRunning
            • 0x2773:$s13: random_bytes
            • 0x27d4:$s14: encryptDirectory
            • 0x2d1f:$s14: encryptDirectory
00000001.00000002.511531668.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_Chaos | Detects Chaos ransomware | ditekSHen
            • 0x1fe4:$m1: Chaos is
            • 0x343c:$m1: Chaos is
            • 0x268c:$m2: Payment informationAmount:
            • 0x3c30:$m2: Payment informationAmount:
            • 0x25f6:$m3: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com
            • 0x3b60:$m3: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com
            • 0x240e:$m4: where do I get Bitcoin
            • 0x390c:$m4: where do I get Bitcoin
0000001C.00000002.511323362.000000000302E000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_Chaos | Detects Chaos ransomware | ditekSHen
            • 0x1094:$m1: Chaos is
            • 0x24ec:$m1: Chaos is
            • 0x173c:$m2: Payment informationAmount:
            • 0x2ce0:$m2: Payment informationAmount:
            • 0x16a6:$m3: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com
            • 0x2c10:$m3: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com
            • 0x14be:$m4: where do I get Bitcoin
            • 0x29bc:$m4: where do I get Bitcoin
00000001.00000002.511531668.0000000002DFE000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_Chaos | Detects Chaos ransomware | ditekSHen
            • 0x1c274:$m1: Chaos is
            • 0x1d6cc:$m1: Chaos is
            • 0xa2ecc:$m1: Chaos is
            • 0xa4324:$m1: Chaos is
            • 0x1c91c:$m2: Payment informationAmount:
            • 0x1dec0:$m2: Payment informationAmount:
            • 0xa3574:$m2: Payment informationAmount:
            • 0xa4b18:$m2: Payment informationAmount:
            • 0x1c886:$m3: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com
            • 0x1ddf0:$m3: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com
            • 0xa34de:$m3: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com
            • 0xa4a48:$m3: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com
            • 0x1c69e:$m4: where do I get Bitcoin
            • 0x1db9c:$m4: where do I get Bitcoin
            • 0xa32f6:$m4: where do I get Bitcoin
            • 0xa47f4:$m4: where do I get Bitcoin
Source | Rule | Description | Author | Strings
0.0.a8BgfRCsUv.exe.e50000.0.unpack | Destructive_Ransomware_Gen1 | Detects destructive malware | Florian Roth (Nextron Systems)
            • 0x3bc4:$x1: /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
            • 0x3b4b:$x2: delete shadows /all /quiet
            • 0x3c90:$x3: delete catalog -quiet
0.0.a8BgfRCsUv.exe.e50000.0.unpack | JoeSecurity_Chaos_1 | Yara detected Chaos Ransomware | Joe Security
0.0.a8BgfRCsUv.exe.e50000.0.unpack | MALWARE_Win_Chaos | Detects Chaos ransomware | ditekSHen
              • 0x352a:$s1: <EncyptedKey>
              • 0x3546:$s1: <EncyptedKey>
              • 0x390f:$s2: <EncryptedKey>
              • 0x3cbc:$s3: C:\Users\
              • 0x3d86:$s6: (?:[13]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59})
              • 0x2802:$s7: checkSpread
              • 0x2849:$s7: checkSleep
              • 0x2887:$s7: checkAdminPrivilage
              • 0x289b:$s7: checkdeleteShadowCopies
              • 0x28b3:$s7: checkdisableRecoveryMode
              • 0x28cc:$s7: checkdeleteBackupCatalog
              • 0x2a94:$s8: deleteShadowCopies
              • 0x2aa7:$s8: disableRecoveryMode
              • 0x2abb:$s8: deleteBackupCatalog
              • 0x280e:$s9: spreadName
              • 0x282a:$s10: processName
              • 0x294f:$s11: sleepOutOfTempFolder
              • 0x2964:$s12: AlreadyRunning
              • 0x2973:$s13: random_bytes
              • 0x29d4:$s14: encryptDirectory
              • 0x2f1f:$s14: encryptDirectory

Operating System Destruction

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete, CommandLine: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 5472, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete, ProcessId: 2588, ProcessName: cmd.exe

Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\svchost.exe, ProcessId: 5472, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url
No Snort rule has matched


AV Detection

Source: a8BgfRCsUv.exe | ReversingLabs: Detection: 92%
Source: a8BgfRCsUv.exe | Virustotal: Detection: 81%
Source: a8BgfRCsUv.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\svchost.exe | Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Roaming\svchost.exe | ReversingLabs: Detection: 92%
Source: C:\Users\user\AppData\Roaming\svchost.exe | Virustotal: Detection: 81%
Source: a8BgfRCsUv.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\svchost.exe | Joe Sandbox ML: detected
Source: 0.0.a8BgfRCsUv.exe.e50000.0.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 0000001C.00000002.511323362.000000000302E000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Chaos {"Ransom Note": "----> Chaos is multi language ransomware. Translate your note to any language <----\r\nAll of your files have been encrypted\r\nYour computer was infected with a ransomware virus. Your files have been encrypted and you won't \r\nbe able to decrypt them without our help.What can I do to get my files back?You can buy our special \r\ndecryption software, this software will allow you to recover all of your data and remove the\r\nransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only.\r\nHow do I pay, where do I get Bitcoin?\r\nPurchasing Bitcoin varies from country to country, you are best advised to do a quick google search\r\nyourself to find out how to buy Bitcoin. \r\nMany of our customers have reported these sites to be fast and reliable:\r\nCoinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com\r\n\r\nPayment informationAmount: 0.1473766 BTC\r\nBitcoin Address: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0\r\n\r\n", "Bitcoin Wallet": "bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0"}
Source: a8BgfRCsUv.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: a8BgfRCsUv.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\BA\89\b\release\win32\Music.UI\Music.UI.pdb source: a8BgfRCsUv.exe, svchost.exe.0.dr
Source: Binary string: ifsutil.pdb source: WBuser.0.etl.19.dr
Source: Binary string: vssvc.pdb source: WBuser.0.etl.19.dr
Source: Binary string: wbadmin.pdb source: WBuser.0.etl.19.dr
Source: Binary string: .core.pdb.ico.pas source: a8BgfRCsUv.exe, svchost.exe.0.dr
Source: Binary string: wbuser.pdb source: WBuser.0.etl.19.dr
Source: Binary string: C:\BA\89\b\release\win32\Music.UI\Music.UI.pdbz source: a8BgfRCsUv.exe, svchost.exe.0.dr
Source: Binary string: uudf.pdb source: WBuser.0.etl.19.dr
Source: Binary string: vssapi.pdb source: WBuser.0.etl.19.dr
Source: Binary string: spp.pdb source: WBuser.0.etl.19.dr
Source: C:\Windows\System32\wbuser.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wbuser.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\wbuser.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\wbuser.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\wbuser.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\wbuser.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wbuser.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\wbuser.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\wbuser.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\wbuser.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\wbuser.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\wbuser.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\wbuser.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wbuser.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\System32\wbuser.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wbuser.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: a8BgfRCsUv.exe, svchost.exe.0.dr | String found in binary or memory: http://oracle.com/contracts.
Source: C:\Users\user\AppData\Roaming\svchost.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\svchost.exe | Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: a8BgfRCsUv.exe, type: SAMPLE
Source: Yara match | File source: Process Memory Space: a8BgfRCsUv.exe PID: 6136, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Source: Yara match | File source: Process Memory Space: a8BgfRCsUv.exe PID: 6136, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5472, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5236, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: a8BgfRCsUv.exe PID: 6136, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5472, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5236, type: MEMORYSTR
Source: Yara match | File source: a8BgfRCsUv.exe, type: SAMPLE
Source: Yara match | File source: 0.0.a8BgfRCsUv.exe.e50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.243529247.0000000000E52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Source: C:\Users\user\AppData\Roaming\svchost.exe | File moved: C:\Users\user\Desktop\GNLQNHOLWB\WHZAGPPPLA.mp3
Source: C:\Users\user\AppData\Roaming\svchost.exe | File deleted: C:\Users\user\Desktop\GNLQNHOLWB\WHZAGPPPLA.mp3
Source: C:\Users\user\AppData\Roaming\svchost.exe | File moved: C:\Users\user\Desktop\MIVTQDBATG.mp3
Source: C:\Users\user\AppData\Roaming\svchost.exe | File deleted: C:\Users\user\Desktop\MIVTQDBATG.mp3
Source: C:\Users\user\AppData\Roaming\svchost.exe | File moved: C:\Users\user\Desktop\BWDRWEEARI\OVWVVIANZH.jpg
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
Source: a8BgfRCsUv.exe, 00000000.00000000.243529247.0000000000E52000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: /C yvssadmin delete shadows /all /quiet & wmic shadowcopy delete
Source: a8BgfRCsUv.exe, 00000000.00000002.259028258.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: <vssadmin delete shadows /all /quiet & wmic shadowcopy delete
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
Source: svchost.exe, 00000001.00000002.511255734.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
Source: svchost.exe, 00000001.00000002.519650531.000000001B700000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies/C vssadmin delete shadows /all /quiet & wmic shadowcopy deleteD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;IU)(A;OICI;FA;;;SY)rs
Source: svchost.exe, 00000001.00000002.519650531.000000001B700000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: /C vssadmin delete shadows /all /quiet & wmic shadowcopy deleteC:\Users\user\AppData\Local\Microsoft\Windows\INetCacheche
Source: svchost.exe, 00000001.00000002.511531668.0000000002FC0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ?/C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
Source: svchost.exe, 00000001.00000002.510991542.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete/C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
Source: svchost.exe, 00000001.00000002.510991542.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete#-
Source: svchost.exe, 00000001.00000002.511531668.0000000002CAB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: <vssadmin delete shadows /all /quiet & wmic shadowcopy delete
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
Source: vssadmin.exe, 00000006.00000002.289138345.000001B747855000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vssadmindeleteshadows/all/quiet
Source: vssadmin.exe, 00000006.00000002.289044687.000001B747510000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Users\user\AppData\Roaming\C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet vssadmin delete shadows /all /quiet Winsta0\Default
Source: vssadmin.exe, 00000006.00000002.289044687.000001B747510000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vssadmin delete shadows /all /quiet
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
Source: svchost.exe, 0000001C.00000002.510792106.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: /C vssadmin delete shadows /all /quiet & wmic shadowcopy deleteLIST
Source: svchost.exe, 0000001C.00000002.510792106.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete@
Source: svchost.exe, 0000001C.00000002.511323362.0000000003029000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ?/C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
Source: svchost.exe, 0000001C.00000002.521009346.000000001D202000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: /C vssadmin delete shadows /all /quiet & wmic shadowcopy deleteC:\Users\user\AppData\Local\Microsoft\Windows\INetCookies
Source: svchost.exe, 0000001C.00000002.511323362.0000000002D11000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: <vssadmin delete shadows /all /quiet & wmic shadowcopy delete
Source: svchost.exe, 0000001C.00000002.511003672.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
Source: vssadmin.exe, 0000001F.00000002.334335372.000001C7DAFF5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vssadmindeleteshadows/all/quiet
Source: vssadmin.exe, 0000001F.00000002.334259530.000001C7DAE40000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\system32\C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet vssadmin delete shadows /all /quiet Winsta0\Defaultp$
Source: vssadmin.exe, 0000001F.00000002.334259530.000001C7DAE40000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vssadmin delete shadows /all /quiet
Source: vssadmin.exe, 0000001F.00000002.334259530.000001C7DAE40000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vssadmin delete shadows /all /quiet 4$
Source: vssadmin.exe, 0000001F.00000002.334259530.000001C7DAE6D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00005152- TID: 00003228- CMD: vssadmin delete shadows /all /quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002
Source: vssadmin.exe, 0000001F.00000002.334071343.0000007D43F3B000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00005152- TID: 00003228- CMD: vssadmin delete shadows /all /quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002
              Source: a8BgfRCsUv.exeBinary or memory string: /C yvssadmin delete shadows /all /quiet & wmic shadowcopy delete
              Source: svchost.exe.0.drBinary or memory string: /C yvssadmin delete shadows /all /quiet & wmic shadowcopy delete
              Source: a8BgfRCsUv.exe, 00000000.00000002.265402778.000000001BBE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ
              Source: a8BgfRCsUv.exe, 00000000.00000002.265402778.000000001BBE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ(
              Source: a8BgfRCsUv.exe, 00000000.00000002.265402778.000000001BBE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ?_Unlock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UAEXXZ
              Source: a8BgfRCsUv.exe, 00000000.00000002.265402778.000000001BBE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ?_Unlock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UAEXXZ*
              Source: a8BgfRCsUv.exeString found in binary or memory: ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ
              Source: a8BgfRCsUv.exeString found in binary or memory: ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ(
              Source: a8BgfRCsUv.exeString found in binary or memory: ?_Unlock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UAEXXZ
              Source: a8BgfRCsUv.exeString found in binary or memory: ?_Unlock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UAEXXZ*
              Source: svchost.exe.0.drString found in binary or memory: ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ
              Source: svchost.exe.0.drString found in binary or memory: ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ(
              Source: svchost.exe.0.drString found in binary or memory: ?_Unlock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UAEXXZ
              Source: svchost.exe.0.drString found in binary or memory: ?_Unlock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UAEXXZ*
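              The process chain recorded above (a dropped svchost.exe in AppData\Roaming spawning cmd.exe /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete, which in turn spawns vssadmin.exe and WMIC.exe) is the shadow-copy deletion step that the "Delete shadow copy via WMIC" and "May disable shadow drive data" signatures key on. The following is an added example, not part of the Joe Sandbox report or the sample: detection logic that a practitioner would run over process-creation telemetry (Sysmon Event ID 1 or Security 4688 fields), applied to constructed events modelled on that chain. It splits the cmd.exe /C line on the command separators so each chained command is checked on its own, matches vssadmin delete shadows and wmic shadowcopy delete regardless of flag order, and separately flags a parent named svchost.exe that does not live under System32 or SysWOW64. All event data, function names and the pattern set are this example's own assumptions.

```python
"""Shadow-copy deletion and masquerading-parent detection over process-creation events.

Added example, not from the Joe Sandbox report. The events below are constructed:
the first three mirror the parent/child chain the report records, the rest are
benign controls that must not fire.
"""
import re
from dataclasses import dataclass

# Constructed events: (image, command line, parent image).
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\cmd.exe",
     '"C:\\Windows\\System32\\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete',
     "C:\\Users\\user\\AppData\\Roaming\\svchost.exe"),
    ("C:\\Windows\\System32\\vssadmin.exe",
     "vssadmin delete shadows /all /quiet",
     "C:\\Windows\\System32\\cmd.exe"),
    ("C:\\Windows\\System32\\wbem\\WMIC.exe",
     "wmic shadowcopy delete",
     "C:\\Windows\\System32\\cmd.exe"),
    # Benign: listing shadows is routine admin activity.
    ("C:\\Windows\\System32\\vssadmin.exe",
     "vssadmin list shadows",
     "C:\\Windows\\System32\\cmd.exe"),
    # Benign: the real svchost.exe, started from System32 by services.exe.
    ("C:\\Windows\\System32\\svchost.exe",
     "C:\\Windows\\System32\\svchost.exe -k netsvcs",
     "C:\\Windows\\System32\\services.exe"),
]


@dataclass
class Event:
    image: str
    command_line: str
    parent_image: str


def normalize(cmdline: str) -> str:
    """Lowercase and collapse whitespace so spacing tricks do not defeat the patterns."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def split_chain(cmdline: str) -> list:
    """Split a cmd.exe line on & && | || so each chained command is inspected alone."""
    parts = re.split(r"\s*(?:&&|&|\|\||\|)\s*", cmdline)
    return [p.strip() for p in parts if p.strip()]


# Each pattern requires a path separator or space before the tool name, so it
# matches "vssadmin", "vssadmin.exe" or "...\wbem\wmic.exe" but not an
# unrelated token that merely ends in those letters.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"(?:^|[\\ ])vssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    re.compile(r"(?:^|[\\ ])wmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
]

# The legitimate svchost.exe lives only in these directories.
LEGIT_SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def masquerades_as_system_binary(image: str) -> bool:
    """True for a file named svchost.exe outside System32 / SysWOW64."""
    low = image.lower()
    name = low.rsplit("\\", 1)[-1]
    return name == "svchost.exe" and not low.startswith(LEGIT_SYSTEM_DIRS)


def detect(event: Event) -> list:
    """Return the findings for one event; an empty list means nothing fired."""
    findings = []
    for part in split_chain(normalize(event.command_line)):
        for pattern in SHADOW_DELETE_PATTERNS:
            if pattern.search(part):
                findings.append(f"shadow_copy_deletion: {part}")
                break
    if masquerades_as_system_binary(event.parent_image):
        findings.append(f"masquerading_parent: {event.parent_image}")
    return findings


def flagged_indices(events) -> list:
    """Indices of the events that produced at least one finding."""
    return [i for i, e in enumerate(events) if detect(Event(*e))]


if __name__ == "__main__":
    for i, raw in enumerate(SAMPLE_EVENTS):
        for finding in detect(Event(*raw)):
            print(f"event {i}: {finding}")
```

              The check is written against the command line a process-creation log records, which is the clean form shown in the Process created entries above; the whitespace-stripped variants such as vssadmindeleteshadows/all/quiet appear only as in-memory artifacts of vssadmin.exe and would not be what an EDR sees at process start. Event 0 produces three findings (one per chained command plus the masquerading parent), events 1 and 2 one each, and the two benign controls none.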

              System Summary

              Source: a8BgfRCsUv.exe, type: SAMPLE | Matched rule: Detects Chaos ransomware (Author: ditekSHen)
              Source: 0.0.a8BgfRCsUv.exe.e50000.0.unpack, type: UNPACKEDPE | Matched rule: Detects destructive malware (Author: Florian Roth (Nextron Systems))
              Source: 0.0.a8BgfRCsUv.exe.e50000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chaos ransomware (Author: ditekSHen)
              Source: 00000000.00000000.243529247.0000000000E52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects Chaos ransomware (Author: ditekSHen)
              Source: 00000001.00000002.511531668.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Chaos ransomware (Author: ditekSHen)
              Source: 0000001C.00000002.511323362.000000000302E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Chaos ransomware (Author: ditekSHen)
              Source: 00000001.00000002.511531668.0000000002DFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Chaos r