chaos | ca452d795d8a7055e429e57205ff2b3a2083d28fe97dbb1ba591a3178df3a1a4

General

Target

e654d76dadfd3cefd9052a116afd0e00.exe
Size

1.1MB
MD5

e654d76dadfd3cefd9052a116afd0e00
SHA1

0774c3f2cdf2ef9760d1cacaeb9464e6f59cf745
SHA256

ca452d795d8a7055e429e57205ff2b3a2083d28fe97dbb1ba591a3178df3a1a4
SHA512

5c85e2aea0db6a2fb9e1ad9960f5c42cb7db62d0089c635ae71e1d029dab83b96116770e054e8633ebeb1e0144120f937e4381b1fa1c04fe8a045aff38cfbf47
SSDEEP

12288:+kN2/snXKG+LtGEUSVH+9drewoSVKxXtP2qdhGAqU1HkYXUHtv7E3vyepAyvuUY0:+kN2/sjDzAPvhuv4Tgqea0nRhO

Score

10^/10

chaos satana evasion ransomware spyware stealer

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1816-54-0x0000000000EB0000-0x0000000000FDC000-memory.dmp	family_chaos
C:\Users\Admin\AppData\Roaming\svchost.exe	family_chaos
C:\Users\Admin\AppData\Roaming\svchost.exe	family_chaos
behavioral1/memory/892-58-0x0000000001090000-0x00000000011BC000-memory.dmp	family_chaos

Satana
Ransomware family which also encrypts the system's Master Boot Record (MBR).
ransomware satana
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

544 bcdedit.exe
1456 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1700 wbadmin.exe
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

892 svchost.exe

pid	process
544	bcdedit.exe
1456	bcdedit.exe

pid	process
1700	wbadmin.exe

pid	process
892	svchost.exe

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

svchost.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ConvertUninstall.tif => C:\Users\Admin\Pictures\ConvertUninstall.tif.SEX3	svchost.exe
File renamed	C:\Users\Admin\Pictures\LimitDismount.raw => C:\Users\Admin\Pictures\LimitDismount.raw.SEX3	svchost.exe
File renamed	C:\Users\Admin\Pictures\MountDisable.raw => C:\Users\Admin\Pictures\MountDisable.raw.SEX3	svchost.exe
File renamed	C:\Users\Admin\Pictures\ResetSearch.tif => C:\Users\Admin\Pictures\ResetSearch.tif.SEX3	svchost.exe
File renamed	C:\Users\Admin\Pictures\UpdateLimit.tif => C:\Users\Admin\Pictures\UpdateLimit.tif.SEX3	svchost.exe

Drops startup file 3 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!satana!.txt	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 33 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1u53gb033.jpg"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

632 vssadmin.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

svchost.exe

pid process

892 svchost.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

e654d76dadfd3cefd9052a116afd0e00.exesvchost.exe

pid process

1816 e654d76dadfd3cefd9052a116afd0e00.exe
892 svchost.exe
892 svchost.exe

pid	process
632	vssadmin.exe

pid	process
892	svchost.exe

pid	process
1816	e654d76dadfd3cefd9052a116afd0e00.exe
892	svchost.exe
892	svchost.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

e654d76dadfd3cefd9052a116afd0e00.exesvchost.exevssvc.exeWMIC.exewbengine.exe

description	pid	process
Token: SeDebugPrivilege	1816	e654d76dadfd3cefd9052a116afd0e00.exe
Token: SeDebugPrivilege	892	svchost.exe
Token: SeBackupPrivilege	424	vssvc.exe
Token: SeRestorePrivilege	424	vssvc.exe
Token: SeAuditPrivilege	424	vssvc.exe
Token: SeIncreaseQuotaPrivilege	964	WMIC.exe
Token: SeSecurityPrivilege	964	WMIC.exe
Token: SeTakeOwnershipPrivilege	964	WMIC.exe
Token: SeLoadDriverPrivilege	964	WMIC.exe
Token: SeSystemProfilePrivilege	964	WMIC.exe
Token: SeSystemtimePrivilege	964	WMIC.exe
Token: SeProfSingleProcessPrivilege	964	WMIC.exe
Token: SeIncBasePriorityPrivilege	964	WMIC.exe
Token: SeCreatePagefilePrivilege	964	WMIC.exe
Token: SeBackupPrivilege	964	WMIC.exe
Token: SeRestorePrivilege	964	WMIC.exe
Token: SeShutdownPrivilege	964	WMIC.exe
Token: SeDebugPrivilege	964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	964	WMIC.exe
Token: SeRemoteShutdownPrivilege	964	WMIC.exe
Token: SeUndockPrivilege	964	WMIC.exe
Token: SeManageVolumePrivilege	964	WMIC.exe
Token: 33	964	WMIC.exe
Token: 34	964	WMIC.exe
Token: 35	964	WMIC.exe
Token: SeIncreaseQuotaPrivilege	964	WMIC.exe
Token: SeSecurityPrivilege	964	WMIC.exe
Token: SeTakeOwnershipPrivilege	964	WMIC.exe
Token: SeLoadDriverPrivilege	964	WMIC.exe
Token: SeSystemProfilePrivilege	964	WMIC.exe
Token: SeSystemtimePrivilege	964	WMIC.exe
Token: SeProfSingleProcessPrivilege	964	WMIC.exe
Token: SeIncBasePriorityPrivilege	964	WMIC.exe
Token: SeCreatePagefilePrivilege	964	WMIC.exe
Token: SeBackupPrivilege	964	WMIC.exe
Token: SeRestorePrivilege	964	WMIC.exe
Token: SeShutdownPrivilege	964	WMIC.exe
Token: SeDebugPrivilege	964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	964	WMIC.exe
Token: SeRemoteShutdownPrivilege	964	WMIC.exe
Token: SeUndockPrivilege	964	WMIC.exe
Token: SeManageVolumePrivilege	964	WMIC.exe
Token: 33	964	WMIC.exe
Token: 34	964	WMIC.exe
Token: 35	964	WMIC.exe
Token: SeBackupPrivilege	796	wbengine.exe
Token: SeRestorePrivilege	796	wbengine.exe
Token: SeSecurityPrivilege	796	wbengine.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

e654d76dadfd3cefd9052a116afd0e00.exesvchost.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1816 wrote to memory of 892	1816	e654d76dadfd3cefd9052a116afd0e00.exe	svchost.exe
PID 1816 wrote to memory of 892	1816	e654d76dadfd3cefd9052a116afd0e00.exe	svchost.exe
PID 1816 wrote to memory of 892	1816	e654d76dadfd3cefd9052a116afd0e00.exe	svchost.exe
PID 892 wrote to memory of 588	892	svchost.exe	cmd.exe
PID 892 wrote to memory of 588	892	svchost.exe	cmd.exe
PID 892 wrote to memory of 588	892	svchost.exe	cmd.exe
PID 588 wrote to memory of 632	588	cmd.exe	vssadmin.exe
PID 588 wrote to memory of 632	588	cmd.exe	vssadmin.exe
PID 588 wrote to memory of 632	588	cmd.exe	vssadmin.exe
PID 588 wrote to memory of 964	588	cmd.exe	WMIC.exe
PID 588 wrote to memory of 964	588	cmd.exe	WMIC.exe
PID 588 wrote to memory of 964	588	cmd.exe	WMIC.exe
PID 892 wrote to memory of 1572	892	svchost.exe	cmd.exe
PID 892 wrote to memory of 1572	892	svchost.exe	cmd.exe
PID 892 wrote to memory of 1572	892	svchost.exe	cmd.exe
PID 1572 wrote to memory of 1456	1572	cmd.exe	bcdedit.exe
PID 1572 wrote to memory of 1456	1572	cmd.exe	bcdedit.exe
PID 1572 wrote to memory of 1456	1572	cmd.exe	bcdedit.exe
PID 1572 wrote to memory of 544	1572	cmd.exe	bcdedit.exe
PID 1572 wrote to memory of 544	1572	cmd.exe	bcdedit.exe
PID 1572 wrote to memory of 544	1572	cmd.exe	bcdedit.exe
PID 892 wrote to memory of 1120	892	svchost.exe	cmd.exe
PID 892 wrote to memory of 1120	892	svchost.exe	cmd.exe
PID 892 wrote to memory of 1120	892	svchost.exe	cmd.exe
PID 1120 wrote to memory of 1700	1120	cmd.exe	wbadmin.exe
PID 1120 wrote to memory of 1700	1120	cmd.exe	wbadmin.exe
PID 1120 wrote to memory of 1700	1120	cmd.exe	wbadmin.exe
PID 892 wrote to memory of 324	892	svchost.exe	NOTEPAD.EXE
PID 892 wrote to memory of 324	892	svchost.exe	NOTEPAD.EXE
PID 892 wrote to memory of 324	892	svchost.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\e654d76dadfd3cefd9052a116afd0e00.exe
"C:\Users\Admin\AppData\Local\Temp\e654d76dadfd3cefd9052a116afd0e00.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Drops startup file
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:588
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:632
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:964
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1120
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1572
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\!satana!.txt
    3⤵
    PID:324

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:424

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Deletes backup catalog
PID:1700

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:796

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Modifies boot configuration data using bcdedit
PID:544

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1896

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Modifies boot configuration data using bcdedit
PID:1456

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Inhibit System Recovery

4

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\!satana!.txt

Filesize
485B

MD5
4a69a5b8e518e19e288f56e02e85ff06

SHA1
7e468e1a3239a9f943e2f4286afb7df61d6a8567

SHA256
e9a25108a7253da4b02a86cdff843fc991566e53c05889bcfd0ddd006669de08

SHA512
87afc6879173b6012fb4c456c255ccb0cbede4e4942d5c48b4e998cb58df8c69b00d6e626bb5d6df51a479135f7aee6b0cd1a2b13d67741cdcc413b0c3a155db

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
1.1MB

MD5
e654d76dadfd3cefd9052a116afd0e00

SHA1
0774c3f2cdf2ef9760d1cacaeb9464e6f59cf745

SHA256
ca452d795d8a7055e429e57205ff2b3a2083d28fe97dbb1ba591a3178df3a1a4

SHA512
5c85e2aea0db6a2fb9e1ad9960f5c42cb7db62d0089c635ae71e1d029dab83b96116770e054e8633ebeb1e0144120f937e4381b1fa1c04fe8a045aff38cfbf47

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
1.1MB

MD5
e654d76dadfd3cefd9052a116afd0e00

SHA1
0774c3f2cdf2ef9760d1cacaeb9464e6f59cf745

SHA256
ca452d795d8a7055e429e57205ff2b3a2083d28fe97dbb1ba591a3178df3a1a4

SHA512
5c85e2aea0db6a2fb9e1ad9960f5c42cb7db62d0089c635ae71e1d029dab83b96116770e054e8633ebeb1e0144120f937e4381b1fa1c04fe8a045aff38cfbf47

Download Submit
memory/324-68-0x0000000000000000-mapping.dmp

Download
memory/544-64-0x0000000000000000-mapping.dmp

Download
memory/588-59-0x0000000000000000-mapping.dmp

Download
memory/632-60-0x0000000000000000-mapping.dmp

Download
memory/892-55-0x0000000000000000-mapping.dmp

Download
memory/892-58-0x0000000001090000-0x00000000011BC000-memory.dmp

Filesize
1.2MB

Download
memory/964-61-0x0000000000000000-mapping.dmp

Download
memory/1120-65-0x0000000000000000-mapping.dmp

Download
memory/1456-63-0x0000000000000000-mapping.dmp

Download
memory/1572-62-0x0000000000000000-mapping.dmp

Download
memory/1700-66-0x0000000000000000-mapping.dmp

Download
memory/1700-67-0x000007FEFC001000-0x000007FEFC003000-memory.dmp

Filesize
8KB

Download
memory/1816-54-0x0000000000EB0000-0x0000000000FDC000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads