Analysis
max time kernel: 1793s
max time network: 1803s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-03-2024 19:18
Behavioral task: behavioral1
Sample: BloodEagle Ransomware Builder.exe
Resource: win7-20240221-en
4 signatures, 1800 seconds

Behavioral task: behavioral2
Sample: BloodEagle Ransomware Builder.exe
Resource: win10v2004-20240226-en
4 signatures, 1800 seconds
General
Target: BloodEagle Ransomware Builder.exe
Size: 683KB
MD5: bd74ac3a184b41087eaffe1c4e5575f1
SHA1: dcf0cc5cf9d633f398bda7821bb04b89ac60870d
SHA256: 87675dc68eac28c09af5658389267f7160d34865aaa4d2abaf4f127432333bcc
SHA512: bed0db9ed78e0459b151849b6c04ed626a664b6779fdce3b5ccdced5dc06c2eea208b08dc1cf153a6781587c45fba3d92a8f5a27952c58fcace27330a75d9526
SSDEEP: 3072:hL6xoPurnfsj7A0H7GMgXuD//bFLAkC3IGYWEyNakhm5Zt1HrTM/rFLjZkJ:8kj0aGMVFLQJPJUEFL2
Score: 10/10
Malware Config
Signatures
Chaos
Ransomware family first seen in June 2021.

Chaos Ransomware (1 IoC)
Processes (resource / yara_rule):
behavioral2/memory/4008-0-0x00000000001A0000-0x0000000000250000-memory.dmp / family_chaos

Suspicious behavior: EnumeratesProcesses (24 IoCs)
Processes (pid / process):
4008 / BloodEagle Ransomware Builder.exe (this entry is repeated 24 times in the report)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description / pid / process):
Token: SeDebugPrivilege / 4008 / BloodEagle Ransomware Builder.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\BloodEagle Ransomware Builder.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BloodEagle Ransomware Builder.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4148 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
  PID: 2488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5416 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
  PID: 5060