Resubmissions

10-10-2021 08:37

211010-kh77dsffh5 10

10-10-2021 08:28

211010-kdbbvsfgck 10

Analysis

  • max time kernel: 126s
  • max time network: 94s
  • platform: windows7_x64
  • resource: win7v20210408
  • submitted: 10-10-2021 08:37

General

  • Target: Chaos Ransomware Builder v4.exe
  • Size: 550KB
  • MD5: 8b855e56e41a6e10d28522a20c1e0341
  • SHA1: 17ea75272cfe3749c6727388fd444d2c970f9d01
  • SHA256: f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77
  • SHA512: eefab442b9c1be379e00c6a7de9d6d7d327ad8fd52d62a5744e104f6caa44f7147a8e74f340870f9c017980a3d8a5a86a05f76434539c01270c442a66b2af908

Malware Config

Extracted

Path: C:\Users\Admin\Desktop\read_it.txt

Ransom Note

----> Chaos is multi language ransomware. Translate your note to any language <----

All of your files have been encrypted
Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.

What can I do to get my files back?
You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer. The price for the software is $1,500. Payment can be made in Bitcoin only.

How do I pay, where do I get Bitcoin?
Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable:
Coinmama - hxxps://www.coinmama.com
Bitpanda - hxxps://www.bitpanda.com

Payment information
Amount: 0.1473766 BTC
Bitcoin Address: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0

Wallets

bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0

Signatures

  • Deletes shadow copies (2 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  • Deletes backup catalog (3 TTPs, 1 IoCs)

    Uses wbadmin.exe to inhibit system recovery.

  • Executes dropped EXE (2 IoCs)
  • Modifies extensions of user files (5 IoCs)

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file (3 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) (33 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies (2 TTPs, 1 IoCs)

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class (45 IoCs)
  • Opens file in notepad (likely ransom note) (1 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (16 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (51 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoCs)
  • Suspicious use of WriteProcessMemory (36 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe
    "C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe"
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bd0mxubm\bd0mxubm.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1748
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF779.tmp" "c:\Users\Admin\Desktop\CSC23C098CE257C49CE8058BC3BF995A716.TMP"
        3⤵
        PID:1920
  • C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe
    "C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1524
  • C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe
    "C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1072
  • C:\Users\Admin\Desktop\xxxxxx.exe
    "C:\Users\Admin\Desktop\xxxxxx.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1596
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Drops startup file
      • Drops desktop.ini file(s)
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:820
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1436
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:1304
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1620
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:928
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1780
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1072
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1456
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:564
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:1736
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:932
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1748
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:108
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    PID:204

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESF779.tmp
    MD5: a663fe9db56182c7430c8628b5bb1945
    SHA1: a1eae854051249af02d251170c573f0841969a14
    SHA256: 29fbcef9167a69cf5dd98e596a01d278b5a33452c4e0fc60d69e4ece0515a64a
    SHA512: 582353bd3ad4d75abe07dc6f741099a08c3f8678abc12fb0d149a5eaf55d9389caebf91613585579b465937bdda38dcb3b1fb405322de98fe0c401fe314fb708

  • C:\Users\Admin\AppData\Roaming\read_it.txt
    MD5: 4217b8b83ce3c3f70029a056546f8fd0
    SHA1: 487cdb5733d073a0427418888e8f7070fe782a03
    SHA256: 7d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121
    SHA512: 2a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740

  • C:\Users\Admin\AppData\Roaming\svchost.exe
    MD5: bd2190e3dc9cb02bcf58245bfa3c3c8e
    SHA1: 72e12283f55b76c70cdfb9937bca77713d780869
    SHA256: e176033711533ac5e60d2c2d8582245ac3a6ec67d3094a304fc5cdeff8d69644
    SHA512: 5cf4f0da150e6e78fb7036cc14680c66196d968b8129bc3af7ed7204cdbc2bc06633dd5460c455606d712d6d9d77d163a6da034427a8cef950d9ed664da0d630

  • C:\Users\Admin\Desktop\xxxxxx.exe
    MD5: bd2190e3dc9cb02bcf58245bfa3c3c8e
    SHA1: 72e12283f55b76c70cdfb9937bca77713d780869
    SHA256: e176033711533ac5e60d2c2d8582245ac3a6ec67d3094a304fc5cdeff8d69644
    SHA512: 5cf4f0da150e6e78fb7036cc14680c66196d968b8129bc3af7ed7204cdbc2bc06633dd5460c455606d712d6d9d77d163a6da034427a8cef950d9ed664da0d630

  • \??\c:\Users\Admin\AppData\Local\Temp\bd0mxubm\bd0mxubm.0.cs
    MD5: e8f69874334114b7af075f9c839be102
    SHA1: a8711c6009831bdc1d162b1031f6470ed771188c
    SHA256: 86fa19dc720300235985a93f59acf8d883c56bd7ca8ab96a3eb49f0baf429162
    SHA512: 46cf37bd1811c77a214b5e0fe47ad7d06819f6d565b1fb6803a2544e91cc44775b18b8ce8d27e97c9154c4e33a8d4729c7e192ef2c8ea8e5b4225201ecaba76d

  • \??\c:\Users\Admin\AppData\Local\Temp\bd0mxubm\bd0mxubm.cmdline
    MD5: 12ff7a53bfc8c084646ce2f1cad107dd
    SHA1: b40c6e359bc509140c6f4c84511676d5d295ca68
    SHA256: 438d25a15467532a5aa2967547ff84dad13386a26e0824713638e37ddf2ac7c6
    SHA512: 951657c89fffd2cd13eaff893bbc62872d12bfea5837c052e54075531312752fd8d384008bd8e7e7d8b19c9040804b644e40b93d90b4c7874aacc073b0e62ee3

  • \??\c:\Users\Admin\Desktop\CSC23C098CE257C49CE8058BC3BF995A716.TMP
    MD5: cff8054328e1b62e52ea8b9bd9d88d71
    SHA1: e760ad2c1e81ab14ee2a7788bfe3cb88813a9036
    SHA256: 468ff6353da1bdbaf411df28d004fc93afeafcf95909cda5dd4513483f69b25e
    SHA512: cb9c7dc7d7be4af0ff492299151ef5c95503ad82101774adb539a7ad8837f40e8923652a66268022fca3d1cfbcc348e7a2cf5fefa76ad994aaa9c5d0fbadba33
