chaos | e47cf35ebb754112c2edca1645a40e0d7985db3a70c93c453c434bef93d23c73

Resubmissions

01-05-2022 18:25

220501-w2v7qaadhl 10

01-05-2022 18:22

220501-wz279adge8 10

Analysis

max time kernel
48s
max time network
45s
platform
windows7_x64
resource
win7-20220414-en
submitted
01-05-2022 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

illegal and unillegal/dead.exe
Size

985KB
MD5

37a0d42671350931168039739cd65c4f
SHA1

e372320a7d1d073a913891e20468932a86c4a086
SHA256

8864d707d5e91e1c073e5d3bd4324793202449c647b1b1936df35fd734635d4a
SHA512

2f3828bd2525dd8b6cc8daae7e2bcff2ba508c2841eaaf8a0faa359ea9e07f7387bf503c309ece096e6899627d5e9a9c90abf7d197bb8199e4db28b83d03a93c

Score

10^/10

chaos ransomware

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 4 IoCs

resource	yara_rule
behavioral1/memory/1460-54-0x00000000011F0000-0x00000000012EC000-memory.dmp	family_chaos
behavioral1/files/0x000a000000003c9f-56.dat	family_chaos
behavioral1/files/0x000a000000003c9f-57.dat	family_chaos
behavioral1/memory/952-58-0x0000000001180000-0x000000000127C000-memory.dmp	family_chaos

Executes dropped EXE 1 IoCs

pid	Process
952	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1788	952	WerFault.exe	28

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1460	dead.exe
952	chrome.exe
952	chrome.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1460	dead.exe
Token: SeDebugPrivilege	952	chrome.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 952	1460	dead.exe	28
PID 1460 wrote to memory of 952	1460	dead.exe	28
PID 1460 wrote to memory of 952	1460	dead.exe	28
PID 952 wrote to memory of 1788	952	chrome.exe	29
PID 952 wrote to memory of 1788	952	chrome.exe	29
PID 952 wrote to memory of 1788	952	chrome.exe	29

C:\Users\Admin\AppData\Local\Temp\illegal and unillegal\dead.exe
"C:\Users\Admin\AppData\Local\Temp\illegal and unillegal\dead.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Users\Admin\AppData\Roaming\chrome.exe
  "C:\Users\Admin\AppData\Roaming\chrome.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 952 -s 568
    3⤵
    - Program crash
    PID:1788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\chrome.exe

Filesize
985KB

MD5
37a0d42671350931168039739cd65c4f

SHA1
e372320a7d1d073a913891e20468932a86c4a086

SHA256
8864d707d5e91e1c073e5d3bd4324793202449c647b1b1936df35fd734635d4a

SHA512
2f3828bd2525dd8b6cc8daae7e2bcff2ba508c2841eaaf8a0faa359ea9e07f7387bf503c309ece096e6899627d5e9a9c90abf7d197bb8199e4db28b83d03a93c

Download Submit
C:\Users\Admin\AppData\Roaming\chrome.exe

Filesize
985KB

MD5
37a0d42671350931168039739cd65c4f

SHA1
e372320a7d1d073a913891e20468932a86c4a086

SHA256
8864d707d5e91e1c073e5d3bd4324793202449c647b1b1936df35fd734635d4a

SHA512
2f3828bd2525dd8b6cc8daae7e2bcff2ba508c2841eaaf8a0faa359ea9e07f7387bf503c309ece096e6899627d5e9a9c90abf7d197bb8199e4db28b83d03a93c

Download Submit
memory/952-58-0x0000000001180000-0x000000000127C000-memory.dmp

Filesize
1008KB

Download
memory/1460-54-0x00000000011F0000-0x00000000012EC000-memory.dmp

Filesize
1008KB

Download