Analysis Overview
SHA256
b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956
Threat Level: Known bad
The file b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe was found to be: Known bad.
Malicious Activity Summary
Chaos Ransomware
Chaos
Chaos family
Renames multiple (185) files with added filename extension
Checks computer location settings
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Drops desktop.ini file(s)
Sets desktop wallpaper using registry
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Opens file in notepad (likely ransom note)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-18 08:20
Signatures
Chaos Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Chaos family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-18 08:20
Reported
2023-09-18 08:23
Platform
win10v2004-20230915-en
Max time kernel
128s
Max time network
132s
Command Line
Signatures
Chaos
Chaos Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Renames multiple (185) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3027552071-446050021-1254071215-1000\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\n0zskuzcs.jpg" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 232 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe | C:\Users\Admin\AppData\Roaming\svchost.exe |
| PID 232 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe | C:\Users\Admin\AppData\Roaming\svchost.exe |
| PID 2956 wrote to memory of 5020 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 2956 wrote to memory of 5020 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe
"C:\Users\Admin\AppData\Local\Temp\b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.21.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp |
Files
memory/232-0-0x00000000000D0000-0x00000000000E6000-memory.dmp
memory/232-1-0x00007FFE77790000-0x00007FFE78251000-memory.dmp
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 9eb958c38bd3d39c55b009f9a200f42f |
| SHA1 | b5ab794dd5821d08f7ecd860ba7975a6644dd46d |
| SHA256 | b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956 |
| SHA512 | f7146fa64c8fe89eb4afb29af0b85e1693a03aeb38ae2948b8c047b4f1dd84817954563b6bd5ead4c4461242e1275c47ef4b41cf33fe9e3899dfe3952bc46954 |
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 9eb958c38bd3d39c55b009f9a200f42f |
| SHA1 | b5ab794dd5821d08f7ecd860ba7975a6644dd46d |
| SHA256 | b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956 |
| SHA512 | f7146fa64c8fe89eb4afb29af0b85e1693a03aeb38ae2948b8c047b4f1dd84817954563b6bd5ead4c4461242e1275c47ef4b41cf33fe9e3899dfe3952bc46954 |
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 9eb958c38bd3d39c55b009f9a200f42f |
| SHA1 | b5ab794dd5821d08f7ecd860ba7975a6644dd46d |
| SHA256 | b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956 |
| SHA512 | f7146fa64c8fe89eb4afb29af0b85e1693a03aeb38ae2948b8c047b4f1dd84817954563b6bd5ead4c4461242e1275c47ef4b41cf33fe9e3899dfe3952bc46954 |
memory/2956-14-0x00007FFE77790000-0x00007FFE78251000-memory.dmp
memory/232-15-0x00007FFE77790000-0x00007FFE78251000-memory.dmp
C:\Users\Admin\Documents\read_it.txt
| MD5 | 5585e6fc24994e065c4adbac963fc340 |
| SHA1 | 3f9cbd088444f7d79c794259ea569a72c94976d8 |
| SHA256 | eb2bffbb68a9e7b325e1e9313902b4b7d7af2df7732e843ab3786afc819c4095 |
| SHA512 | 82ebe4aecf5f6fb902befc31edb814f0f5cb3ce76b8458a5f13f0412619b093d21b6911d0a08c28273e18afbb3b6dea9b8823d22a1aa5250b627b7ba463a27bb |
C:\Users\Admin\AppData\Roaming\read_it.txt
| MD5 | 5585e6fc24994e065c4adbac963fc340 |
| SHA1 | 3f9cbd088444f7d79c794259ea569a72c94976d8 |
| SHA256 | eb2bffbb68a9e7b325e1e9313902b4b7d7af2df7732e843ab3786afc819c4095 |
| SHA512 | 82ebe4aecf5f6fb902befc31edb814f0f5cb3ce76b8458a5f13f0412619b093d21b6911d0a08c28273e18afbb3b6dea9b8823d22a1aa5250b627b7ba463a27bb |
memory/2956-439-0x00007FFE77790000-0x00007FFE78251000-memory.dmp