chaos | 35f81c70e570891c59d7fdcef17d22d6f6df913a0e30dcb1dd6fc42a38b48475

Resubmissions

30-07-2023 23:06

230730-23w4asbf54 10

30-07-2023 20:04

230730-ytlz7abc77 10

30-07-2023 20:00

230730-yqxyaabc67 10

Analysis

max time kernel
54s
max time network
37s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
30-07-2023 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

database.tar
Size

69.7MB
MD5

ea91bffa35a90c625af0fa48b10b7efe
SHA1

d6d3818f44d82c1e3e2933aa13e87c592d4e7670
SHA256

35f81c70e570891c59d7fdcef17d22d6f6df913a0e30dcb1dd6fc42a38b48475
SHA512

a9c53f487f3552fe7749ba0a9c79cf6a8b3c06794f7862b696c6e04f164cb0630791ed772120267e5c9c0276cc0efc4b269fa4629575df544bcd4f745954a74c
SSDEEP

1572864:UvrzuXaQLrouRp2OztQNmsoF5bfq1oDRl6toF88B99ea7/KOAhi:QrzELrDhQ0soF5bm6d8A5n

Score

10^/10

chaos persistence ransomware

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 3 IoCs

resource	yara_rule
behavioral1/files/0x0003000000022613-150.dat	family_chaos
behavioral1/files/0x0003000000022613-151.dat	family_chaos
behavioral1/memory/4644-152-0x0000000000EA0000-0x0000000000F2E000-memory.dmp	family_chaos

Executes dropped EXE 4 IoCs

pid	Process
4644	Chaos Ransomware BuilderV4.exe
4236	lol.exe
1276	lol.exe
1428	RealBomb.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	lol.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*lol = "C:\\Users\\Admin\\Desktop\\lol.exe safe"	lol.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
4644	Chaos Ransomware BuilderV4.exe
4644	Chaos Ransomware BuilderV4.exe
4644	Chaos Ransomware BuilderV4.exe
4644	Chaos Ransomware BuilderV4.exe
4644	Chaos Ransomware BuilderV4.exe
4644	Chaos Ransomware BuilderV4.exe
4644	Chaos Ransomware BuilderV4.exe
4644	Chaos Ransomware BuilderV4.exe
4644	Chaos Ransomware BuilderV4.exe
4644	Chaos Ransomware BuilderV4.exe
4644	Chaos Ransomware BuilderV4.exe
4644	Chaos Ransomware BuilderV4.exe
4644	Chaos Ransomware BuilderV4.exe
4644	Chaos Ransomware BuilderV4.exe
4644	Chaos Ransomware BuilderV4.exe
4644	Chaos Ransomware BuilderV4.exe
4644	Chaos Ransomware BuilderV4.exe
4644	Chaos Ransomware BuilderV4.exe
4644	Chaos Ransomware BuilderV4.exe
4644	Chaos Ransomware BuilderV4.exe
4644	Chaos Ransomware BuilderV4.exe
4644	Chaos Ransomware BuilderV4.exe
4644	Chaos Ransomware BuilderV4.exe
4644	Chaos Ransomware BuilderV4.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
4236	lol.exe
4236	lol.exe
4236	lol.exe
4236	lol.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1276	lol.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeRestorePrivilege	1004	7zG.exe
Token: 35	1004	7zG.exe
Token: SeSecurityPrivilege	1004	7zG.exe
Token: SeSecurityPrivilege	1004	7zG.exe
Token: SeDebugPrivilege	4644	Chaos Ransomware BuilderV4.exe
Token: SeIncBasePriorityPrivilege	4236	lol.exe
Token: SeIncBasePriorityPrivilege	1276	lol.exe
Token: 33	868	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	868	AUDIODG.EXE
Token: SeDebugPrivilege	3448	taskmgr.exe
Token: SeSystemProfilePrivilege	3448	taskmgr.exe
Token: SeCreateGlobalPrivilege	3448	taskmgr.exe
Token: SeShutdownPrivilege	4236	lol.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
1004	7zG.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
468	OpenWith.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe
1276	lol.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4236 wrote to memory of 1276	4236	lol.exe	110
PID 4236 wrote to memory of 1276	4236	lol.exe	110
PID 1428 wrote to memory of 3976	1428	RealBomb.exe	114
PID 1428 wrote to memory of 3976	1428	RealBomb.exe	114

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\database.tar
1⤵
- Modifies registry class
PID:4624

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:468

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3716

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap22064:74:7zEvent21431
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1004

C:\Users\Admin\Desktop\Chaos Ransomware BuilderV4.exe
"C:\Users\Admin\Desktop\Chaos Ransomware BuilderV4.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Users\Admin\Desktop\lol.exe
"C:\Users\Admin\Desktop\lol.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4236
- C:\Users\Admin\Desktop\lol.exe
  C:\Users\Admin\Desktop\lol.exe msg
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1276
- C:\Users\Admin\Desktop\lol.exe
  C:\Users\Admin\Desktop\lol.exe lol
  2⤵
  PID:5420
- C:\Users\Admin\Desktop\lol.exe
  C:\Users\Admin\Desktop\lol.exe lol
  2⤵
  PID:5448

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514 0x41c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Users\Admin\Desktop\RealBomb.exe
"C:\Users\Admin\Desktop\RealBomb.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2EEB.tmp\2EEC.tmp\2EED.bat C:\Users\Admin\Desktop\RealBomb.exe"
  2⤵
  PID:3976

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3448

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2EEB.tmp\2EEC.tmp\2EED.bat

Filesize
1KB

MD5
5f614e851a366cef3bb3ff1f1dad288c

SHA1
d377d0053be0a7f386888c311d82f019489ca1c1

SHA256
d75111e4c4d93f8469acf4adfa5d0ae314c127f62f740450f01927de24e45642

SHA512
4a65c3c09b1ab5ddddcc97f079cdb5f60de3828ff73c9cda5895f484e5255e2c2b51d26e6b5b10ae6c73a4a77f7d94091beb88d278d9f6b7c21dceece9ffa397

Download Submit
C:\Users\Admin\Desktop\Chaos Ransomware BuilderV4.exe

Filesize
550KB

MD5
8b855e56e41a6e10d28522a20c1e0341

SHA1
17ea75272cfe3749c6727388fd444d2c970f9d01

SHA256
f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77

SHA512
eefab442b9c1be379e00c6a7de9d6d7d327ad8fd52d62a5744e104f6caa44f7147a8e74f340870f9c017980a3d8a5a86a05f76434539c01270c442a66b2af908

Download Submit
C:\Users\Admin\Desktop\Chaos Ransomware BuilderV4.exe

Filesize
550KB

MD5
8b855e56e41a6e10d28522a20c1e0341

SHA1
17ea75272cfe3749c6727388fd444d2c970f9d01

SHA256
f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77

SHA512
eefab442b9c1be379e00c6a7de9d6d7d327ad8fd52d62a5744e104f6caa44f7147a8e74f340870f9c017980a3d8a5a86a05f76434539c01270c442a66b2af908

Download Submit
C:\Users\Admin\Desktop\RealBomb.exe

Filesize
5.7MB

MD5
6dc0846ba8e5b8be7566221ed0c5f1ce

SHA1
71c31ead12e6fd46238544cf971bea8482a78f54

SHA256
a51117b4e0388c3be68689917c55563b548f1fdfef9ce212187fdd20faab7360

SHA512
801b568c6da6ce750be6ed6501afd63e95e824db7da577da7221fa42e6e33702f7a8723657be83a4516d463fe6ded3282dfa0473d137c28cb9b57ee6e8b3ad39

Download Submit
C:\Users\Admin\Desktop\RealBomb.exe

Filesize
5.7MB

MD5
6dc0846ba8e5b8be7566221ed0c5f1ce

SHA1
71c31ead12e6fd46238544cf971bea8482a78f54

SHA256
a51117b4e0388c3be68689917c55563b548f1fdfef9ce212187fdd20faab7360

SHA512
801b568c6da6ce750be6ed6501afd63e95e824db7da577da7221fa42e6e33702f7a8723657be83a4516d463fe6ded3282dfa0473d137c28cb9b57ee6e8b3ad39

Download Submit
C:\Users\Admin\Desktop\lol.exe

Filesize
1.0MB

MD5
e142b63cce234916e2256eeeeebeb49c

SHA1
7e572d2909be93852ac7a18ff5a81f57f2029dd7

SHA256
0db8bf2d0c58b383c9f90274aee85d4c4937affa0ddd2d8f4f0fcb8f060b7e4e

SHA512
a31abd812f27667916ee4a9f7332d204e9e42696a657de450be501940d43e0b822143d18f996729814a3e76910c60515f1aab7cf99d51e60f9db23dc69853f53

Download Submit
C:\Users\Admin\Desktop\lol.exe

Filesize
1.0MB

MD5
e142b63cce234916e2256eeeeebeb49c

SHA1
7e572d2909be93852ac7a18ff5a81f57f2029dd7

SHA256
0db8bf2d0c58b383c9f90274aee85d4c4937affa0ddd2d8f4f0fcb8f060b7e4e

SHA512
a31abd812f27667916ee4a9f7332d204e9e42696a657de450be501940d43e0b822143d18f996729814a3e76910c60515f1aab7cf99d51e60f9db23dc69853f53

Download Submit
C:\Users\Admin\Desktop\lol.exe

Filesize
1.0MB

MD5
e142b63cce234916e2256eeeeebeb49c

SHA1
7e572d2909be93852ac7a18ff5a81f57f2029dd7

SHA256
0db8bf2d0c58b383c9f90274aee85d4c4937affa0ddd2d8f4f0fcb8f060b7e4e

SHA512
a31abd812f27667916ee4a9f7332d204e9e42696a657de450be501940d43e0b822143d18f996729814a3e76910c60515f1aab7cf99d51e60f9db23dc69853f53

Download Submit
memory/1276-201-0x00007FF7D4830000-0x00007FF7D4997000-memory.dmp

Filesize
1.4MB

Download
memory/1276-164-0x00007FF7D4830000-0x00007FF7D4997000-memory.dmp

Filesize
1.4MB

Download
memory/3448-196-0x00000231A54F0000-0x00000231A54F1000-memory.dmp

Filesize
4KB

Download
memory/3448-199-0x00000231A54F0000-0x00000231A54F1000-memory.dmp

Filesize
4KB

Download
memory/3448-194-0x00000231A54F0000-0x00000231A54F1000-memory.dmp

Filesize
4KB

Download
memory/3448-195-0x00000231A54F0000-0x00000231A54F1000-memory.dmp

Filesize
4KB

Download
memory/3448-198-0x00000231A54F0000-0x00000231A54F1000-memory.dmp

Filesize
4KB

Download
memory/3448-200-0x00000231A54F0000-0x00000231A54F1000-memory.dmp

Filesize
4KB

Download
memory/3448-197-0x00000231A54F0000-0x00000231A54F1000-memory.dmp

Filesize
4KB

Download
memory/3448-190-0x00000231A54F0000-0x00000231A54F1000-memory.dmp

Filesize
4KB

Download
memory/3448-188-0x00000231A54F0000-0x00000231A54F1000-memory.dmp

Filesize
4KB

Download
memory/3448-189-0x00000231A54F0000-0x00000231A54F1000-memory.dmp

Filesize
4KB

Download
memory/4236-187-0x00007FF7D4830000-0x00007FF7D4997000-memory.dmp

Filesize
1.4MB

Download
memory/4236-162-0x00007FF7D4830000-0x00007FF7D4997000-memory.dmp

Filesize
1.4MB

Download
memory/4644-153-0x00007FFCEBA10000-0x00007FFCEC4D1000-memory.dmp

Filesize
10.8MB

Download
memory/4644-154-0x000000001BB70000-0x000000001BB80000-memory.dmp

Filesize
64KB

Download
memory/4644-155-0x000000001BB70000-0x000000001BB80000-memory.dmp

Filesize
64KB

Download
memory/4644-156-0x000000001BB70000-0x000000001BB80000-memory.dmp

Filesize
64KB

Download
memory/4644-157-0x00007FFCEBA10000-0x00007FFCEC4D1000-memory.dmp

Filesize
10.8MB

Download
memory/4644-159-0x00007FFCEBA10000-0x00007FFCEC4D1000-memory.dmp

Filesize
10.8MB

Download
memory/4644-152-0x0000000000EA0000-0x0000000000F2E000-memory.dmp

Filesize
568KB

Download