chaos | 02db375475c56ba5c97f602e4c2eea8cac66e08d9a31ec7efabe35210b0d0aa1

Analysis

max time kernel
91s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2022 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HEUR-Trojan-Ransom.MSIL.Agent.gen-02db375475c56ba5c97f602e4c2eea8cac66e08d9a31ec7efabe35210b0d0aa1.exe
Size

49KB
MD5

5e685c7264d47dd21ebfa36a9437d142
SHA1

0984924bd1ff568a94e16240935c03a91e7a8ddf
SHA256

02db375475c56ba5c97f602e4c2eea8cac66e08d9a31ec7efabe35210b0d0aa1
SHA512

bd7b34592aecaa4184c191159acc7724a0f393efe98673a36596ff7665e9415b49238293f187a36564287e8cfdbb7478fc1759f81a3b5d9b52c3f7e47b5cf294
SSDEEP

768:bqo2mpeWxyfr9+d4mZryx7L2ksQ1QCEez:2o2Ixyfr9+dsx32XKZz

Score

10^/10

chaos ransomware spyware stealer

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 3 IoCs

resource	yara_rule
behavioral2/memory/4596-132-0x0000000000FE0000-0x0000000000FF2000-memory.dmp	family_chaos
behavioral2/files/0x0006000000022e29-136.dat	family_chaos
behavioral2/files/0x0006000000022e29-135.dat	family_chaos

Executes dropped EXE 1 IoCs

pid	Process
856	PENTA.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\WriteRemove.raw => C:\Users\Admin\Pictures\WriteRemove.raw.PENTA	PENTA.exe
File renamed	C:\Users\Admin\Pictures\MeasureUnlock.raw => C:\Users\Admin\Pictures\MeasureUnlock.raw.PENTA	PENTA.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Agent.gen-02db375475c56ba5c97f602e4c2eea8cac66e08d9a31ec7efabe35210b0d0aa1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	PENTA.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PENTA.url	PENTA.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PENTA.url	PENTA.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PENTA_README.txt	PENTA.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mpjjoc52z.jpg"	PENTA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	PENTA.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
892	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
856	PENTA.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
4596	HEUR-Trojan-Ransom.MSIL.Agent.gen-02db375475c56ba5c97f602e4c2eea8cac66e08d9a31ec7efabe35210b0d0aa1.exe
4596	HEUR-Trojan-Ransom.MSIL.Agent.gen-02db375475c56ba5c97f602e4c2eea8cac66e08d9a31ec7efabe35210b0d0aa1.exe
4596	HEUR-Trojan-Ransom.MSIL.Agent.gen-02db375475c56ba5c97f602e4c2eea8cac66e08d9a31ec7efabe35210b0d0aa1.exe
4596	HEUR-Trojan-Ransom.MSIL.Agent.gen-02db375475c56ba5c97f602e4c2eea8cac66e08d9a31ec7efabe35210b0d0aa1.exe
4596	HEUR-Trojan-Ransom.MSIL.Agent.gen-02db375475c56ba5c97f602e4c2eea8cac66e08d9a31ec7efabe35210b0d0aa1.exe
4596	HEUR-Trojan-Ransom.MSIL.Agent.gen-02db375475c56ba5c97f602e4c2eea8cac66e08d9a31ec7efabe35210b0d0aa1.exe
4596	HEUR-Trojan-Ransom.MSIL.Agent.gen-02db375475c56ba5c97f602e4c2eea8cac66e08d9a31ec7efabe35210b0d0aa1.exe
4596	HEUR-Trojan-Ransom.MSIL.Agent.gen-02db375475c56ba5c97f602e4c2eea8cac66e08d9a31ec7efabe35210b0d0aa1.exe
4596	HEUR-Trojan-Ransom.MSIL.Agent.gen-02db375475c56ba5c97f602e4c2eea8cac66e08d9a31ec7efabe35210b0d0aa1.exe
4596	HEUR-Trojan-Ransom.MSIL.Agent.gen-02db375475c56ba5c97f602e4c2eea8cac66e08d9a31ec7efabe35210b0d0aa1.exe
4596	HEUR-Trojan-Ransom.MSIL.Agent.gen-02db375475c56ba5c97f602e4c2eea8cac66e08d9a31ec7efabe35210b0d0aa1.exe
4596	HEUR-Trojan-Ransom.MSIL.Agent.gen-02db375475c56ba5c97f602e4c2eea8cac66e08d9a31ec7efabe35210b0d0aa1.exe
4596	HEUR-Trojan-Ransom.MSIL.Agent.gen-02db375475c56ba5c97f602e4c2eea8cac66e08d9a31ec7efabe35210b0d0aa1.exe
4596	HEUR-Trojan-Ransom.MSIL.Agent.gen-02db375475c56ba5c97f602e4c2eea8cac66e08d9a31ec7efabe35210b0d0aa1.exe
4596	HEUR-Trojan-Ransom.MSIL.Agent.gen-02db375475c56ba5c97f602e4c2eea8cac66e08d9a31ec7efabe35210b0d0aa1.exe
4596	HEUR-Trojan-Ransom.MSIL.Agent.gen-02db375475c56ba5c97f602e4c2eea8cac66e08d9a31ec7efabe35210b0d0aa1.exe
4596	HEUR-Trojan-Ransom.MSIL.Agent.gen-02db375475c56ba5c97f602e4c2eea8cac66e08d9a31ec7efabe35210b0d0aa1.exe
4596	HEUR-Trojan-Ransom.MSIL.Agent.gen-02db375475c56ba5c97f602e4c2eea8cac66e08d9a31ec7efabe35210b0d0aa1.exe
4596	HEUR-Trojan-Ransom.MSIL.Agent.gen-02db375475c56ba5c97f602e4c2eea8cac66e08d9a31ec7efabe35210b0d0aa1.exe
4596	HEUR-Trojan-Ransom.MSIL.Agent.gen-02db375475c56ba5c97f602e4c2eea8cac66e08d9a31ec7efabe35210b0d0aa1.exe
4596	HEUR-Trojan-Ransom.MSIL.Agent.gen-02db375475c56ba5c97f602e4c2eea8cac66e08d9a31ec7efabe35210b0d0aa1.exe
4596	HEUR-Trojan-Ransom.MSIL.Agent.gen-02db375475c56ba5c97f602e4c2eea8cac66e08d9a31ec7efabe35210b0d0aa1.exe
4596	HEUR-Trojan-Ransom.MSIL.Agent.gen-02db375475c56ba5c97f602e4c2eea8cac66e08d9a31ec7efabe35210b0d0aa1.exe
856	PENTA.exe
856	PENTA.exe
856	PENTA.exe
856	PENTA.exe
856	PENTA.exe
856	PENTA.exe
856	PENTA.exe
856	PENTA.exe
856	PENTA.exe
856	PENTA.exe
856	PENTA.exe
856	PENTA.exe
856	PENTA.exe
856	PENTA.exe
856	PENTA.exe
856	PENTA.exe
856	PENTA.exe
856	PENTA.exe
856	PENTA.exe
856	PENTA.exe
856	PENTA.exe
856	PENTA.exe
856	PENTA.exe
856	PENTA.exe
856	PENTA.exe
856	PENTA.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4596	HEUR-Trojan-Ransom.MSIL.Agent.gen-02db375475c56ba5c97f602e4c2eea8cac66e08d9a31ec7efabe35210b0d0aa1.exe
Token: SeDebugPrivilege	856	PENTA.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 856	4596	HEUR-Trojan-Ransom.MSIL.Agent.gen-02db375475c56ba5c97f602e4c2eea8cac66e08d9a31ec7efabe35210b0d0aa1.exe	79
PID 4596 wrote to memory of 856	4596	HEUR-Trojan-Ransom.MSIL.Agent.gen-02db375475c56ba5c97f602e4c2eea8cac66e08d9a31ec7efabe35210b0d0aa1.exe	79
PID 856 wrote to memory of 892	856	PENTA.exe	84
PID 856 wrote to memory of 892	856	PENTA.exe	84

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Agent.gen-02db375475c56ba5c97f602e4c2eea8cac66e08d9a31ec7efabe35210b0d0aa1.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Agent.gen-02db375475c56ba5c97f602e4c2eea8cac66e08d9a31ec7efabe35210b0d0aa1.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Users\Admin\AppData\Roaming\PENTA.exe
  "C:\Users\Admin\AppData\Roaming\PENTA.exe"
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Checks computer location settings
  - Drops startup file
  - Sets desktop wallpaper using registry
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\PENTA_README.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\PENTA.exe

Filesize
49KB

MD5
5e685c7264d47dd21ebfa36a9437d142

SHA1
0984924bd1ff568a94e16240935c03a91e7a8ddf

SHA256
02db375475c56ba5c97f602e4c2eea8cac66e08d9a31ec7efabe35210b0d0aa1

SHA512
bd7b34592aecaa4184c191159acc7724a0f393efe98673a36596ff7665e9415b49238293f187a36564287e8cfdbb7478fc1759f81a3b5d9b52c3f7e47b5cf294

Download Submit
C:\Users\Admin\AppData\Roaming\PENTA.exe

Filesize
49KB

MD5
5e685c7264d47dd21ebfa36a9437d142

SHA1
0984924bd1ff568a94e16240935c03a91e7a8ddf

SHA256
02db375475c56ba5c97f602e4c2eea8cac66e08d9a31ec7efabe35210b0d0aa1

SHA512
bd7b34592aecaa4184c191159acc7724a0f393efe98673a36596ff7665e9415b49238293f187a36564287e8cfdbb7478fc1759f81a3b5d9b52c3f7e47b5cf294

Download Submit
C:\Users\Admin\AppData\Roaming\PENTA_README.txt

Filesize
929B

MD5
2eb269ce83ecd8571f29b9991337387a

SHA1
549c8a78cc3b44ef0f5f4b15220b3672b30632cf

SHA256
efa8c2cf45e480b9ea08f68964d49e40b33cefdb9fac2a4e73a9677de1f0725e

SHA512
ccd1025903a64e8f3e76d9c15e168d66943bc55d275ea68cef7f855ed12cf68152c6400755278cf3624e8cba0a5c721d97b9394edfd0aa146aec768c842ddaab

Download Submit
memory/856-138-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp

Filesize
10.8MB

Download
memory/856-141-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp

Filesize
10.8MB

Download
memory/4596-132-0x0000000000FE0000-0x0000000000FF2000-memory.dmp

Filesize
72KB

Download
memory/4596-133-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp

Filesize
10.8MB

Download
memory/4596-137-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp

Filesize
10.8MB

Download