chaos | 999d43ee4c9a1ec38c0b00fc38abe0b29b13cc83983c6ee895cbb2768b29022d | Triage

Analysis

max time kernel
155s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2023 08:33

Sharing

Report Analysis Logs

General

Target

37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
Size

953KB
MD5

5fc3bd9632a02f189d81f75fc3b12ebf
SHA1

6abbc78a6fb421adf80051365dbfaff0b3fb696b
SHA256

37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60
SHA512

cf0b9df6db5c85ebc85967dbfbdd99ada401f718445f69f258d9d0a9466f7b58a7bb2f1287cb5679988bd79b42807fa0e0e7fc419557f0af3fbb620b40b2c2af
SSDEEP

12288:OzEPMLC814R2hig4tHkg2W+AU+R2TjsPvEpv8LpgUO4EP3SL98l0zmWHQuTwYzz5:0ztQE1ov2AZ9HjkftWyq

Score

10^/10

chaos ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Documents\PLEASEREAD.txt

Ransom Note

WELCOME, DODO has returned AGAIN. Your files have been encrypted and you won't be able to decrypt them. You can buy decryption software from us, this software will allow you to recover all of your data and remove the ransomware from your computer. The price of the software is $15. Payment can be made in Bitcoin How do I pay, where do I get Bitcoin? Purchasing cryptocurrency varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Payment information: send $15, to one of our addresses, then send us email with payment confirmation and you'll get the decryption software in email. Email Address : dodocryptomail@proton.me BTC address: bc1qwel3y5ef4sgumcnm9njln3eupvxutymlv732gu We Promise ALl your files will be back as soon as u pay

Emails

dodocryptomail@proton.me

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 1 IoCs

Processes:

resource	yara_rule
behavioral4/memory/4136-0-0x0000000000390000-0x0000000000484000-memory.dmp	family_chaos

Renames multiple (215) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe

Drops startup file 2 IoCs

Processes:

37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PLEASEREAD.txt	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 34 IoCs

Processes:

37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2344688013-2965468717-2034126-1000\desktop.ini	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2552 NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe

pid process

4136 37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe

pid	process
4136	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
4136	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
4136	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
4136	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
4136	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
4136	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
4136	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
4136	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
4136	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
4136	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
4136	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
4136	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
4136	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
4136	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
4136	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
4136	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
4136	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
4136	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
4136	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
4136	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
4136	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
4136	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
4136	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
4136	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
4136	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe

description pid process

Token: SeDebugPrivilege 4136 37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe

description	pid	process	target process
PID 4136 wrote to memory of 2552	4136	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe	NOTEPAD.EXE
PID 4136 wrote to memory of 2552	4136	37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
"C:\Users\Admin\AppData\Local\Temp\37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4136

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\PLEASEREAD.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:2552

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\PLEASEREAD.txt
Filesize
823B

MD5
929ad339c51b2a3b1bd4b3b7acf47379

SHA1
b555580144c617a5950aa55a800b09decb5e4c80

SHA256
b94bd148bc968f4e6c70f8479a16588424d587812cd17e9b2cc4ba8766d1b5d8

SHA512
0319b0c3a4b7223a489b7883b9a6d5f6c51fc0285a96940635b0247e0162b7a6bcc48c5c91b0896e1d676b5bbeac5e8ada4eb200b847cda1a33efc31be020dda

Download Submit
C:\Users\Admin\Documents\PLEASEREAD.txt
Filesize
823B

MD5
929ad339c51b2a3b1bd4b3b7acf47379

SHA1
b555580144c617a5950aa55a800b09decb5e4c80

SHA256
b94bd148bc968f4e6c70f8479a16588424d587812cd17e9b2cc4ba8766d1b5d8

SHA512
0319b0c3a4b7223a489b7883b9a6d5f6c51fc0285a96940635b0247e0162b7a6bcc48c5c91b0896e1d676b5bbeac5e8ada4eb200b847cda1a33efc31be020dda

Download Submit
memory/4136-0-0x0000000000390000-0x0000000000484000-memory.dmp

Filesize
976KB

Download
memory/4136-1-0x00007FF875D60000-0x00007FF876821000-memory.dmp

Filesize
10.8MB

Download
memory/4136-2-0x000000001B240000-0x000000001B250000-memory.dmp

Filesize
64KB

Download
memory/4136-481-0x00007FF875D60000-0x00007FF876821000-memory.dmp

Filesize
10.8MB

Download
memory/4136-483-0x000000001B240000-0x000000001B250000-memory.dmp

Filesize
64KB

Download