chaos | ecc6720d3a29597d8d905658694cea35cb46b9395ed80cf18155a06d48a05dab

Analysis

max time kernel
41s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 14:20

Target

f871efc0cdf5446908e436de9ed821ff0ec5e217c50c16e69e3d0e83f6257f0f.exe
Size

263KB
MD5

9d016244b7f58fa5e974ef5f6e1ae54e
SHA1

001bc943725ab768f8b8ecb2c9d3ae328f33c78b
SHA256

f871efc0cdf5446908e436de9ed821ff0ec5e217c50c16e69e3d0e83f6257f0f
SHA512

292c222ca38e12c933769e128c9682a23719204214c1aca7e585eb1ef6c8c8b2090514298df16fe8b233482d8a7dedddd402c7db1d90aae8ea67915a2ff422d7
SSDEEP

6144:iBr9fEjPswpzDFi2XFF47RpYlvP8kq/ac6:DjPskM2Xv47RGlvy/ac6

Score

10^/10

chaos ransomware

Chaos Ransomware 4 IoCs

resource	yara_rule
behavioral1/memory/1492-54-0x0000000000AB0000-0x0000000000AF8000-memory.dmp	family_chaos
behavioral1/files/0x000500000000b2d2-56.dat	family_chaos
behavioral1/files/0x000500000000b2d2-57.dat	family_chaos
behavioral1/memory/276-58-0x0000000001090000-0x00000000010D8000-memory.dmp	family_chaos

Executes dropped EXE 1 IoCs

pid	Process
276	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1544	276	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1492	f871efc0cdf5446908e436de9ed821ff0ec5e217c50c16e69e3d0e83f6257f0f.exe
276	svchost.exe
276	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1492	f871efc0cdf5446908e436de9ed821ff0ec5e217c50c16e69e3d0e83f6257f0f.exe
Token: SeDebugPrivilege	276	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 276	1492	f871efc0cdf5446908e436de9ed821ff0ec5e217c50c16e69e3d0e83f6257f0f.exe	27
PID 1492 wrote to memory of 276	1492	f871efc0cdf5446908e436de9ed821ff0ec5e217c50c16e69e3d0e83f6257f0f.exe	27
PID 1492 wrote to memory of 276	1492	f871efc0cdf5446908e436de9ed821ff0ec5e217c50c16e69e3d0e83f6257f0f.exe	27
PID 276 wrote to memory of 1544	276	svchost.exe	28
PID 276 wrote to memory of 1544	276	svchost.exe	28
PID 276 wrote to memory of 1544	276	svchost.exe	28

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
263KB

MD5
9d016244b7f58fa5e974ef5f6e1ae54e

SHA1
001bc943725ab768f8b8ecb2c9d3ae328f33c78b

SHA256
f871efc0cdf5446908e436de9ed821ff0ec5e217c50c16e69e3d0e83f6257f0f

SHA512
292c222ca38e12c933769e128c9682a23719204214c1aca7e585eb1ef6c8c8b2090514298df16fe8b233482d8a7dedddd402c7db1d90aae8ea67915a2ff422d7

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
263KB

MD5
9d016244b7f58fa5e974ef5f6e1ae54e

SHA1
001bc943725ab768f8b8ecb2c9d3ae328f33c78b

SHA256
f871efc0cdf5446908e436de9ed821ff0ec5e217c50c16e69e3d0e83f6257f0f

SHA512
292c222ca38e12c933769e128c9682a23719204214c1aca7e585eb1ef6c8c8b2090514298df16fe8b233482d8a7dedddd402c7db1d90aae8ea67915a2ff422d7

Download Submit
memory/276-58-0x0000000001090000-0x00000000010D8000-memory.dmp

Filesize
288KB

Download
memory/1492-54-0x0000000000AB0000-0x0000000000AF8000-memory.dmp

Filesize
288KB

Download