Windows Analysis Report
a8BgfRCsUv.exe
Overview
General Information
Detection: Chaos, Conti, TrojanRansom
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Yara detected Conti ransomware
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected TrojanRansom
Antivirus / Scanner detection for submitted sample
Sigma detected: Delete shadow copy via WMIC
Antivirus detection for dropped file
Sigma detected: Drops script at startup location
Multi AV Scanner detection for dropped file
Yara detected Chaos Ransomware
Deletes the backup plan of Windows
Uses bcdedit to modify the Windows boot settings
Machine Learning detection for sample
Creates files inside the volume driver (system volume information)
Modifies existing user documents (likely ransomware behavior)
May disable shadow drive data (uses vssadmin)
Machine Learning detection for dropped file
Deletes shadow drive data (may be related to ransomware)
Found potential ransomware demand text
Drops PE files with benign system names
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Creates COM task schedule object (often to register a task for autostart)
Creates files inside the system directory
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Contains capabilities to detect virtual machines
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Enables security privileges
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- a8BgfRCsUv.exe (PID: 6136, cmdline: C:\Users\user\Desktop\a8BgfRCsUv.exe, MD5: AE7795F6305AD315589FF4846AD1EF14)
  - svchost.exe (PID: 5472, cmdline: "C:\Users\user\AppData\Roaming\svchost.exe", MD5: AE7795F6305AD315589FF4846AD1EF14)
    - cmd.exe (PID: 2588, cmdline: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete, MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      - conhost.exe (PID: 1420, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      - vssadmin.exe (PID: 1792, cmdline: vssadmin delete shadows /all /quiet, MD5: 47D51216EF45075B5F7EAA117CC70E40)
      - WMIC.exe (PID: 5432, cmdline: wmic shadowcopy delete, MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
    - cmd.exe (PID: 5424, cmdline: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no, MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      - conhost.exe (PID: 3016, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      - bcdedit.exe (PID: 6132, cmdline: bcdedit /set {default} bootstatuspolicy ignoreallfailures, MD5: 6E05CD5195FDB8B6C68FC90074817293)
      - bcdedit.exe (PID: 5296, cmdline: bcdedit /set {default} recoveryenabled no, MD5: 6E05CD5195FDB8B6C68FC90074817293)
    - cmd.exe (PID: 4064, cmdline: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet, MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      - conhost.exe (PID: 3068, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      - wbadmin.exe (PID: 5268, cmdline: wbadmin delete catalog -quiet, MD5: EE1E2C4D42579B19D765420E07589148)
- wbuser.exe (PID: 4908, cmdline: C:\Windows\system32\wbuser.exe, MD5: 6E235F75DF84C387388D23D697D6540B)
- vdsldr.exe (PID: 1332, cmdline: C:\Windows\System32\vdsldr.exe -Embedding, MD5: CD0D2028997ABCA78774E062CEC4E701)
- vds.exe (PID: 1964, cmdline: C:\Windows\System32\vds.exe, MD5: 4940B49502323905B66039D0D1AB4613)
- OpenWith.exe (PID: 404, cmdline: C:\Windows\system32\OpenWith.exe -Embedding, MD5: D179D03728E95E040A889F760C1FC402)
- svchost.exe (PID: 5236, cmdline: "C:\Users\user\AppData\Roaming\svchost.exe", MD5: AE7795F6305AD315589FF4846AD1EF14)
  - cmd.exe (PID: 5592, cmdline: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete, MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    - conhost.exe (PID: 5584, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    - vssadmin.exe (PID: 5152, cmdline: vssadmin delete shadows /all /quiet, MD5: 47D51216EF45075B5F7EAA117CC70E40)
    - WMIC.exe (PID: 5952, cmdline: wmic shadowcopy delete, MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
  - cmd.exe (PID: 5276, cmdline: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no, MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    - conhost.exe (PID: 2508, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    - bcdedit.exe (PID: 3128, cmdline: bcdedit /set {default} bootstatuspolicy ignoreallfailures, MD5: 6E05CD5195FDB8B6C68FC90074817293)
    - bcdedit.exe (PID: 3424, cmdline: bcdedit /set {default} recoveryenabled no, MD5: 6E05CD5195FDB8B6C68FC90074817293)
  - cmd.exe (PID: 2852, cmdline: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet, MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    - conhost.exe (PID: 4456, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    - wbadmin.exe (PID: 2044, cmdline: wbadmin delete catalog -quiet, MD5: EE1E2C4D42579B19D765420E07589148)
- OpenWith.exe (PID: 3396, cmdline: C:\Windows\system32\OpenWith.exe -Embedding, MD5: D179D03728E95E040A889F760C1FC402)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Chaos | In-development ransomware family which was released in June 2021 by an unknown threat actor. The builder initially claimed to be a "Ryuk .Net Ransomware Builder" even though it was completely unrelated to the Ryuk malware family. Presently it appears to contain trojan-like features, but lacks features commonly found in ransomware such as data exfiltration. | No Attribution | | |
Conti, Conti Lock | Conti is an extremely damaging ransomware due to the speed with which it encrypts data and spreads to other systems. It was first observed in 2020 and it is thought to be led by a Russia-based cybercrime group that goes under the Wizard Spider pseudonym. In early May 2022, the US government announced a reward of up to $10 million for information on the Conti ransomware gang. | No Attribution | | |
{"Ransom Note": "----> Chaos is multi language ransomware. Translate your note to any language <----\r\nAll of your files have been encrypted\r\nYour computer was infected with a ransomware virus. Your files have been encrypted and you won't \r\nbe able to decrypt them without our help.What can I do to get my files back?You can buy our special \r\ndecryption software, this software will allow you to recover all of your data and remove the\r\nransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only.\r\nHow do I pay, where do I get Bitcoin?\r\nPurchasing Bitcoin varies from country to country, you are best advised to do a quick google search\r\nyourself to find out how to buy Bitcoin. \r\nMany of our customers have reported these sites to be fast and reliable:\r\nCoinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com\r\n\r\nPayment informationAmount: 0.1473766 BTC\r\nBitcoin Address: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0\r\n\r\n", "Bitcoin Wallet": "bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0"}
Rule | Description | Author |
---|---|---|
JoeSecurity_Chaos_1 | Yara detected Chaos Ransomware | Joe Security |
JoeSecurity_Conti_ransomware | Yara detected Conti ransomware | Joe Security |
MALWARE_Win_Chaos | Detects Chaos ransomware | ditekSHen |
Rule | Description | Author |
---|---|---|
URL_File_Local_EXE | Detects an .url file that points to a local executable | Florian Roth (Nextron Systems) |
Methodology_Suspicious_Shortcut_Local_URL | Detects local script usage for .URL persistence | @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson) |
JoeSecurity_Chaos_1 | Yara detected Chaos Ransomware | Joe Security |
JoeSecurity_Conti_ransomware | Yara detected Conti ransomware | Joe Security |
MALWARE_Win_Chaos | Detects Chaos ransomware | ditekSHen |
Rule | Description | Author |
---|---|---|
JoeSecurity_Chaos_1 | Yara detected Chaos Ransomware | Joe Security |
MALWARE_Win_Chaos | Detects Chaos ransomware | ditekSHen |
MALWARE_Win_Chaos | Detects Chaos ransomware | ditekSHen |
MALWARE_Win_Chaos | Detects Chaos ransomware | ditekSHen |
MALWARE_Win_Chaos | Detects Chaos ransomware | ditekSHen |
(5 of 11 entries shown)
Rule | Description | Author |
---|---|---|
Destructive_Ransomware_Gen1 | Detects destructive malware | Florian Roth (Nextron Systems) |
JoeSecurity_Chaos_1 | Yara detected Chaos Ransomware | Joe Security |
MALWARE_Win_Chaos | Detects Chaos ransomware | ditekSHen |
Operating System Destruction (author: Joe Security; matched source not preserved)
Data Obfuscation (author: Joe Security; matched source not preserved)
No Snort rule has matched
AV Detection
Source: ReversingLabs (2 rows), Virustotal (2 rows, with perma links), Avira (3 rows), Joe Sandbox ML (2 rows); detection names not preserved.

Further evidence rows whose section headings are not preserved: Malware Configuration Extractor (1), Static PE information (2), Binary string (10), Key opened (16), String found in binary or memory (1), Window created (2); matched values not preserved.
Spam, unwanted Advertisements and Ransom Demands
Source: File source (13 rows; matched files not preserved).

Further evidence rows whose section headings are not preserved: File moved (3), File deleted (2), Process created (16), Binary or memory string (26), String found in binary or memory (12); matched values not preserved.
System Summary
Source: Matched rule (7 rows; rule names not preserved).