Malware Analysis Report

2025-06-16 06:23

Sample ID 230918-j8l66sga4w
Target b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe
SHA256 b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956
Tags
chaos ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956

Threat Level: Known bad

The file b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe was found to be: Known bad.

Malicious Activity Summary

chaos ransomware spyware stealer

Chaos Ransomware

Chaos

Chaos family

Renames multiple (185) files with added filename extension

Checks computer location settings

Drops startup file

Reads user/profile data of web browsers

Executes dropped EXE

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Opens file in notepad (likely ransom note)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-18 08:20

Signatures

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Chaos family

chaos

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-18 08:20

Reported

2023-09-18 08:23

Platform

win10v2004-20230915-en

Max time kernel

128s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Renames multiple (185) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3027552071-446050021-1254071215-1000\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\n0zskuzcs.jpg" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe

"C:\Users\Admin\AppData\Local\Temp\b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 254.21.238.8.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

memory/232-0-0x00000000000D0000-0x00000000000E6000-memory.dmp

memory/232-1-0x00007FFE77790000-0x00007FFE78251000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 9eb958c38bd3d39c55b009f9a200f42f
SHA1 b5ab794dd5821d08f7ecd860ba7975a6644dd46d
SHA256 b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956
SHA512 f7146fa64c8fe89eb4afb29af0b85e1693a03aeb38ae2948b8c047b4f1dd84817954563b6bd5ead4c4461242e1275c47ef4b41cf33fe9e3899dfe3952bc46954

memory/2956-14-0x00007FFE77790000-0x00007FFE78251000-memory.dmp

memory/232-15-0x00007FFE77790000-0x00007FFE78251000-memory.dmp

C:\Users\Admin\Documents\read_it.txt

MD5 5585e6fc24994e065c4adbac963fc340
SHA1 3f9cbd088444f7d79c794259ea569a72c94976d8
SHA256 eb2bffbb68a9e7b325e1e9313902b4b7d7af2df7732e843ab3786afc819c4095
SHA512 82ebe4aecf5f6fb902befc31edb814f0f5cb3ce76b8458a5f13f0412619b093d21b6911d0a08c28273e18afbb3b6dea9b8823d22a1aa5250b627b7ba463a27bb

C:\Users\Admin\AppData\Roaming\read_it.txt

MD5 5585e6fc24994e065c4adbac963fc340
SHA1 3f9cbd088444f7d79c794259ea569a72c94976d8
SHA256 eb2bffbb68a9e7b325e1e9313902b4b7d7af2df7732e843ab3786afc819c4095
SHA512 82ebe4aecf5f6fb902befc31edb814f0f5cb3ce76b8458a5f13f0412619b093d21b6911d0a08c28273e18afbb3b6dea9b8823d22a1aa5250b627b7ba463a27bb

memory/2956-439-0x00007FFE77790000-0x00007FFE78251000-memory.dmp