chaos | e47cf35ebb754112c2edca1645a40e0d7985db3a70c93c453c434bef93d23c73

Resubmissions

01-05-2022 18:25

220501-w2v7qaadhl 10

01-05-2022 18:22

220501-wz279adge8 10

Analysis

max time kernel
48s
max time network
45s
platform
windows7_x64
resource
win7-20220414-en
submitted
01-05-2022 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

illegal and unillegal/dead.exe
Size

985KB
MD5

37a0d42671350931168039739cd65c4f
SHA1

e372320a7d1d073a913891e20468932a86c4a086
SHA256

8864d707d5e91e1c073e5d3bd4324793202449c647b1b1936df35fd734635d4a
SHA512

2f3828bd2525dd8b6cc8daae7e2bcff2ba508c2841eaaf8a0faa359ea9e07f7387bf503c309ece096e6899627d5e9a9c90abf7d197bb8199e4db28b83d03a93c

Score

10^/10

chaos ransomware

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1460-54-0x00000000011F0000-0x00000000012EC000-memory.dmp	family_chaos
C:\Users\Admin\AppData\Roaming\chrome.exe	family_chaos
C:\Users\Admin\AppData\Roaming\chrome.exe	family_chaos
behavioral1/memory/952-58-0x0000000001180000-0x000000000127C000-memory.dmp	family_chaos

Executes dropped EXE 1 IoCs

Processes:

chrome.exe

pid process

952 chrome.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1788 952 WerFault.exe chrome.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

dead.exechrome.exe

pid process

1460 dead.exe
952 chrome.exe
952 chrome.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dead.exechrome.exe

description pid process

Token: SeDebugPrivilege 1460 dead.exe
Token: SeDebugPrivilege 952 chrome.exe

pid	process
952	chrome.exe

pid	pid_target	process	target process
1788	952	WerFault.exe	chrome.exe

pid	process
1460	dead.exe
952	chrome.exe
952	chrome.exe

description	pid	process
Token: SeDebugPrivilege	1460	dead.exe
Token: SeDebugPrivilege	952	chrome.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

dead.exechrome.exe

description	pid	process	target process
PID 1460 wrote to memory of 952	1460	dead.exe	chrome.exe
PID 1460 wrote to memory of 952	1460	dead.exe	chrome.exe
PID 1460 wrote to memory of 952	1460	dead.exe	chrome.exe
PID 952 wrote to memory of 1788	952	chrome.exe	WerFault.exe
PID 952 wrote to memory of 1788	952	chrome.exe	WerFault.exe
PID 952 wrote to memory of 1788	952	chrome.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\illegal and unillegal\dead.exe
"C:\Users\Admin\AppData\Local\Temp\illegal and unillegal\dead.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460

C:\Users\Admin\AppData\Roaming\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 952 -s 568
3⤵
- Program crash
PID:1788

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\chrome.exe
Filesize
985KB

MD5
37a0d42671350931168039739cd65c4f

SHA1
e372320a7d1d073a913891e20468932a86c4a086

SHA256
8864d707d5e91e1c073e5d3bd4324793202449c647b1b1936df35fd734635d4a

SHA512
2f3828bd2525dd8b6cc8daae7e2bcff2ba508c2841eaaf8a0faa359ea9e07f7387bf503c309ece096e6899627d5e9a9c90abf7d197bb8199e4db28b83d03a93c

Download Submit
C:\Users\Admin\AppData\Roaming\chrome.exe
Filesize
985KB

MD5
37a0d42671350931168039739cd65c4f

SHA1
e372320a7d1d073a913891e20468932a86c4a086

SHA256
8864d707d5e91e1c073e5d3bd4324793202449c647b1b1936df35fd734635d4a

SHA512
2f3828bd2525dd8b6cc8daae7e2bcff2ba508c2841eaaf8a0faa359ea9e07f7387bf503c309ece096e6899627d5e9a9c90abf7d197bb8199e4db28b83d03a93c

Download Submit
memory/952-55-0x0000000000000000-mapping.dmp

Download
memory/952-58-0x0000000001180000-0x000000000127C000-memory.dmp

Filesize
1008KB

Download
memory/1460-54-0x00000000011F0000-0x00000000012EC000-memory.dmp

Filesize
1008KB

Download
memory/1788-59-0x0000000000000000-mapping.dmp

Download