Malware Analysis Report

2025-06-16 06:23

Sample ID 230916-yphf7sdb4w
Target 0.bin
SHA256 37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60
Tags
chaos ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60

Threat Level: Known bad

The file 0.bin was found to be: Known bad.

Malicious Activity Summary

chaos ransomware spyware stealer

Chaos family

Chaos

Chaos Ransomware

Renames multiple (203) files with added filename extension

Renames multiple (184) files with added filename extension

Reads user/profile data of web browsers

Drops startup file

Checks computer location settings

Drops desktop.ini file(s)

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Opens file in notepad (likely ransom note)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-16 19:57

Signatures

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Chaos family

chaos

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-16 19:57

Reported

2023-09-16 20:00

Platform

win7-20230831-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Renames multiple (184) files with added filename extension

ransomware

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PLEASEREAD.txt C:\Users\Admin\AppData\Local\Temp\0.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3750544865-3773649541-1858556521-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A

Enumerates physical storage devices

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1712 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\0.exe C:\Windows\system32\NOTEPAD.EXE
PID 1712 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\0.exe C:\Windows\system32\NOTEPAD.EXE
PID 1712 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\0.exe C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\0.exe

"C:\Users\Admin\AppData\Local\Temp\0.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\PLEASEREAD.txt

Network

N/A

Files

memory/1712-0-0x00000000013B0000-0x00000000014A4000-memory.dmp

memory/1712-1-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

memory/1712-2-0x000000001AE80000-0x000000001AF00000-memory.dmp

C:\Users\Admin\Documents\PLEASEREAD.txt

MD5 929ad339c51b2a3b1bd4b3b7acf47379
SHA1 b555580144c617a5950aa55a800b09decb5e4c80
SHA256 b94bd148bc968f4e6c70f8479a16588424d587812cd17e9b2cc4ba8766d1b5d8
SHA512 0319b0c3a4b7223a489b7883b9a6d5f6c51fc0285a96940635b0247e0162b7a6bcc48c5c91b0896e1d676b5bbeac5e8ada4eb200b847cda1a33efc31be020dda

C:\Users\Admin\AppData\Roaming\PLEASEREAD.txt

MD5 929ad339c51b2a3b1bd4b3b7acf47379
SHA1 b555580144c617a5950aa55a800b09decb5e4c80
SHA256 b94bd148bc968f4e6c70f8479a16588424d587812cd17e9b2cc4ba8766d1b5d8
SHA512 0319b0c3a4b7223a489b7883b9a6d5f6c51fc0285a96940635b0247e0162b7a6bcc48c5c91b0896e1d676b5bbeac5e8ada4eb200b847cda1a33efc31be020dda

memory/1712-422-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

memory/1712-423-0x000000001AE80000-0x000000001AF00000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-16 19:57

Reported

2023-09-16 20:00

Platform

win10v2004-20230915-en

Max time kernel

140s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (203) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PLEASEREAD.txt C:\Users\Admin\AppData\Local\Temp\0.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1574508946-349927670-1185736483-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\0.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4444 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\0.exe C:\Windows\system32\NOTEPAD.EXE
PID 4444 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\0.exe C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\0.exe

"C:\Users\Admin\AppData\Local\Temp\0.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\PLEASEREAD.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 72.239.69.13.in-addr.arpa udp

Files

memory/4444-0-0x0000000000610000-0x0000000000704000-memory.dmp

memory/4444-1-0x00007FF921F80000-0x00007FF922A41000-memory.dmp

memory/4444-2-0x000000001B560000-0x000000001B570000-memory.dmp

C:\Users\Admin\Documents\PLEASEREAD.txt

MD5 929ad339c51b2a3b1bd4b3b7acf47379
SHA1 b555580144c617a5950aa55a800b09decb5e4c80
SHA256 b94bd148bc968f4e6c70f8479a16588424d587812cd17e9b2cc4ba8766d1b5d8
SHA512 0319b0c3a4b7223a489b7883b9a6d5f6c51fc0285a96940635b0247e0162b7a6bcc48c5c91b0896e1d676b5bbeac5e8ada4eb200b847cda1a33efc31be020dda

memory/4444-294-0x00007FF921F80000-0x00007FF922A41000-memory.dmp

memory/4444-459-0x000000001B560000-0x000000001B570000-memory.dmp

C:\Users\Admin\AppData\Roaming\PLEASEREAD.txt

MD5 929ad339c51b2a3b1bd4b3b7acf47379
SHA1 b555580144c617a5950aa55a800b09decb5e4c80
SHA256 b94bd148bc968f4e6c70f8479a16588424d587812cd17e9b2cc4ba8766d1b5d8
SHA512 0319b0c3a4b7223a489b7883b9a6d5f6c51fc0285a96940635b0247e0162b7a6bcc48c5c91b0896e1d676b5bbeac5e8ada4eb200b847cda1a33efc31be020dda