chaos | 93bc55b5b7bb7651a194acafb39e39c21798eaa0c75fd463be751d76774034e8

General

Target

954d8fcd6b74d76999f9ec033ca855ffdab6595be23039f03bc4c6017fa3932c.exe
Size

22KB
MD5

a4ac3f1674f24c6e596bf71fc47bd275
SHA1

24dbe7a81a5bda771d7557fa3f5000f4a9f27179
SHA256

954d8fcd6b74d76999f9ec033ca855ffdab6595be23039f03bc4c6017fa3932c
SHA512

d75690b60afbc2999d5f2892b6ee924b902a1497f9820393c78edd64c061908462e98593267836bdab28bb9963fc30b4e780f0c7b5853fd067765e3a6df0bdc7

Score

10^/10

chaos evasion ransomware spyware stealer

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1708-54-0x0000000000810000-0x000000000081C000-memory.dmp	family_chaos
C:\Users\Admin\AppData\Roaming\svchost.exe	family_chaos
C:\Users\Admin\AppData\Roaming\svchost.exe	family_chaos
behavioral1/memory/948-58-0x00000000009C0000-0x00000000009CC000-memory.dmp	family_chaos

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1740 bcdedit.exe
1536 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

2024 wbadmin.exe
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

948 svchost.exe

pid	process
1740	bcdedit.exe
1536	bcdedit.exe

pid	process
2024	wbadmin.exe

pid	process
948	svchost.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

svchost.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ConvertFromStop.raw => C:\Users\Admin\Pictures\ConvertFromStop.raw.fuckazov	svchost.exe
File renamed	C:\Users\Admin\Pictures\RedoProtect.tif => C:\Users\Admin\Pictures\RedoProtect.tif.fuckazov	svchost.exe
File renamed	C:\Users\Admin\Pictures\ApproveHide.tif => C:\Users\Admin\Pictures\ApproveHide.tif.fuckazov	svchost.exe

Drops startup file 3 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\stop_propaganda.txt	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 33 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

688 vssadmin.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1656 NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

svchost.exe

pid process

948 svchost.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

954d8fcd6b74d76999f9ec033ca855ffdab6595be23039f03bc4c6017fa3932c.exesvchost.exe

pid process

1708 954d8fcd6b74d76999f9ec033ca855ffdab6595be23039f03bc4c6017fa3932c.exe
948 svchost.exe
948 svchost.exe

pid	process
688	vssadmin.exe

pid	process
1656	NOTEPAD.EXE

pid	process
948	svchost.exe

pid	process
1708	954d8fcd6b74d76999f9ec033ca855ffdab6595be23039f03bc4c6017fa3932c.exe
948	svchost.exe
948	svchost.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

954d8fcd6b74d76999f9ec033ca855ffdab6595be23039f03bc4c6017fa3932c.exesvchost.exevssvc.exeWMIC.exewbengine.exe

description	pid	process
Token: SeDebugPrivilege	1708	954d8fcd6b74d76999f9ec033ca855ffdab6595be23039f03bc4c6017fa3932c.exe
Token: SeDebugPrivilege	948	svchost.exe
Token: SeBackupPrivilege	820	vssvc.exe
Token: SeRestorePrivilege	820	vssvc.exe
Token: SeAuditPrivilege	820	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1648	WMIC.exe
Token: SeSecurityPrivilege	1648	WMIC.exe
Token: SeTakeOwnershipPrivilege	1648	WMIC.exe
Token: SeLoadDriverPrivilege	1648	WMIC.exe
Token: SeSystemProfilePrivilege	1648	WMIC.exe
Token: SeSystemtimePrivilege	1648	WMIC.exe
Token: SeProfSingleProcessPrivilege	1648	WMIC.exe
Token: SeIncBasePriorityPrivilege	1648	WMIC.exe
Token: SeCreatePagefilePrivilege	1648	WMIC.exe
Token: SeBackupPrivilege	1648	WMIC.exe
Token: SeRestorePrivilege	1648	WMIC.exe
Token: SeShutdownPrivilege	1648	WMIC.exe
Token: SeDebugPrivilege	1648	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1648	WMIC.exe
Token: SeRemoteShutdownPrivilege	1648	WMIC.exe
Token: SeUndockPrivilege	1648	WMIC.exe
Token: SeManageVolumePrivilege	1648	WMIC.exe
Token: 33	1648	WMIC.exe
Token: 34	1648	WMIC.exe
Token: 35	1648	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1648	WMIC.exe
Token: SeSecurityPrivilege	1648	WMIC.exe
Token: SeTakeOwnershipPrivilege	1648	WMIC.exe
Token: SeLoadDriverPrivilege	1648	WMIC.exe
Token: SeSystemProfilePrivilege	1648	WMIC.exe
Token: SeSystemtimePrivilege	1648	WMIC.exe
Token: SeProfSingleProcessPrivilege	1648	WMIC.exe
Token: SeIncBasePriorityPrivilege	1648	WMIC.exe
Token: SeCreatePagefilePrivilege	1648	WMIC.exe
Token: SeBackupPrivilege	1648	WMIC.exe
Token: SeRestorePrivilege	1648	WMIC.exe
Token: SeShutdownPrivilege	1648	WMIC.exe
Token: SeDebugPrivilege	1648	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1648	WMIC.exe
Token: SeRemoteShutdownPrivilege	1648	WMIC.exe
Token: SeUndockPrivilege	1648	WMIC.exe
Token: SeManageVolumePrivilege	1648	WMIC.exe
Token: 33	1648	WMIC.exe
Token: 34	1648	WMIC.exe
Token: 35	1648	WMIC.exe
Token: SeBackupPrivilege	672	wbengine.exe
Token: SeRestorePrivilege	672	wbengine.exe
Token: SeSecurityPrivilege	672	wbengine.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

954d8fcd6b74d76999f9ec033ca855ffdab6595be23039f03bc4c6017fa3932c.exesvchost.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1708 wrote to memory of 948	1708	954d8fcd6b74d76999f9ec033ca855ffdab6595be23039f03bc4c6017fa3932c.exe	svchost.exe
PID 1708 wrote to memory of 948	1708	954d8fcd6b74d76999f9ec033ca855ffdab6595be23039f03bc4c6017fa3932c.exe	svchost.exe
PID 1708 wrote to memory of 948	1708	954d8fcd6b74d76999f9ec033ca855ffdab6595be23039f03bc4c6017fa3932c.exe	svchost.exe
PID 948 wrote to memory of 776	948	svchost.exe	cmd.exe
PID 948 wrote to memory of 776	948	svchost.exe	cmd.exe
PID 948 wrote to memory of 776	948	svchost.exe	cmd.exe
PID 776 wrote to memory of 688	776	cmd.exe	vssadmin.exe
PID 776 wrote to memory of 688	776	cmd.exe	vssadmin.exe
PID 776 wrote to memory of 688	776	cmd.exe	vssadmin.exe
PID 776 wrote to memory of 1648	776	cmd.exe	WMIC.exe
PID 776 wrote to memory of 1648	776	cmd.exe	WMIC.exe
PID 776 wrote to memory of 1648	776	cmd.exe	WMIC.exe
PID 948 wrote to memory of 1148	948	svchost.exe	cmd.exe
PID 948 wrote to memory of 1148	948	svchost.exe	cmd.exe
PID 948 wrote to memory of 1148	948	svchost.exe	cmd.exe
PID 1148 wrote to memory of 1740	1148	cmd.exe	bcdedit.exe
PID 1148 wrote to memory of 1740	1148	cmd.exe	bcdedit.exe
PID 1148 wrote to memory of 1740	1148	cmd.exe	bcdedit.exe
PID 1148 wrote to memory of 1536	1148	cmd.exe	bcdedit.exe
PID 1148 wrote to memory of 1536	1148	cmd.exe	bcdedit.exe
PID 1148 wrote to memory of 1536	1148	cmd.exe	bcdedit.exe
PID 948 wrote to memory of 1800	948	svchost.exe	cmd.exe
PID 948 wrote to memory of 1800	948	svchost.exe	cmd.exe
PID 948 wrote to memory of 1800	948	svchost.exe	cmd.exe
PID 1800 wrote to memory of 2024	1800	cmd.exe	wbadmin.exe
PID 1800 wrote to memory of 2024	1800	cmd.exe	wbadmin.exe
PID 1800 wrote to memory of 2024	1800	cmd.exe	wbadmin.exe
PID 948 wrote to memory of 1656	948	svchost.exe	NOTEPAD.EXE
PID 948 wrote to memory of 1656	948	svchost.exe	NOTEPAD.EXE
PID 948 wrote to memory of 1656	948	svchost.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\954d8fcd6b74d76999f9ec033ca855ffdab6595be23039f03bc4c6017fa3932c.exe
"C:\Users\Admin\AppData\Local\Temp\954d8fcd6b74d76999f9ec033ca855ffdab6595be23039f03bc4c6017fa3932c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:688

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
3⤵
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:1740

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:1536

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
4⤵
- Deletes backup catalog
PID:2024

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\stop_propaganda.txt
3⤵
- Opens file in notepad (likely ransom note)
PID:1656

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:672

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1076

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1948

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

3

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

4

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\stop_propaganda.txt
Filesize
131B

MD5
4e70e7628592c28e0a1b796e5ff7cbb6

SHA1
21412f18b74b8ce46f7e7248a575d3c530c5c1d8

SHA256
49ccdd40ebfe0b3da0ca1d2c034b7e2eecaaffe273f0fb14cf4af50af09170f7

SHA512
f4eddbf3387972ad7facc2c5d1dd973fdde36a2910387b289ee06144bda16d51b6f26b4d0d08cd14a7da5dc958c31b0eb59781c3a437f6eeeedd67eeead9e7a8

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
22KB

MD5
a4ac3f1674f24c6e596bf71fc47bd275

SHA1
24dbe7a81a5bda771d7557fa3f5000f4a9f27179

SHA256
954d8fcd6b74d76999f9ec033ca855ffdab6595be23039f03bc4c6017fa3932c

SHA512
d75690b60afbc2999d5f2892b6ee924b902a1497f9820393c78edd64c061908462e98593267836bdab28bb9963fc30b4e780f0c7b5853fd067765e3a6df0bdc7

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
22KB

MD5
a4ac3f1674f24c6e596bf71fc47bd275

SHA1
24dbe7a81a5bda771d7557fa3f5000f4a9f27179

SHA256
954d8fcd6b74d76999f9ec033ca855ffdab6595be23039f03bc4c6017fa3932c

SHA512
d75690b60afbc2999d5f2892b6ee924b902a1497f9820393c78edd64c061908462e98593267836bdab28bb9963fc30b4e780f0c7b5853fd067765e3a6df0bdc7

Download Submit
memory/688-60-0x0000000000000000-mapping.dmp

Download
memory/776-59-0x0000000000000000-mapping.dmp

Download
memory/948-55-0x0000000000000000-mapping.dmp

Download
memory/948-58-0x00000000009C0000-0x00000000009CC000-memory.dmp

Filesize
48KB

Download
memory/1148-62-0x0000000000000000-mapping.dmp

Download
memory/1536-64-0x0000000000000000-mapping.dmp

Download
memory/1648-61-0x0000000000000000-mapping.dmp

Download
memory/1656-68-0x0000000000000000-mapping.dmp

Download
memory/1708-54-0x0000000000810000-0x000000000081C000-memory.dmp

Filesize
48KB

Download
memory/1740-63-0x0000000000000000-mapping.dmp

Download
memory/1800-65-0x0000000000000000-mapping.dmp

Download
memory/2024-66-0x0000000000000000-mapping.dmp

Download
memory/2024-67-0x000007FEFBE51000-0x000007FEFBE53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads