chaos | 68ec37ccb2e6682f6f444b13b9d6f0098ef45774dcf856328d7c9af440891679

Resubmissions

31/03/2024, 14:56

240331-sa6ycsdg9y 10

27/03/2024, 12:31

240327-pp4vrsfc3z 10

Analysis

max time kernel
148s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2024, 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1ac6283bd50e46c49ea0cfae49e4a8f.exe
Size

40KB
MD5

e1ac6283bd50e46c49ea0cfae49e4a8f
SHA1

e0f4c6caf5e8b119a1b302591a39511872eb11cd
SHA256

68ec37ccb2e6682f6f444b13b9d6f0098ef45774dcf856328d7c9af440891679
SHA512

ca612f7b82e178feddaa14cdde0a1e25a65e5d1c0868ff39bb4db3447cba909ffa5bb813b8bf5ab038d33d45a7ea95de200cfd59d5cae890507aba8cc7556223
SSDEEP

768:UzctJwrPdpe9rrG5XdO1AF97rds0/poHWFC6JORwxIpizMAO2:actJgPW9rrGNdO1AjvWqS246WNizg2

Score

10^/10

chaos ransomware

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 1 IoCs

resource	yara_rule
behavioral2/memory/3092-11-0x0000000000400000-0x000000000040C000-memory.dmp	family_chaos

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1396 set thread context of 3092	1396	e1ac6283bd50e46c49ea0cfae49e4a8f.exe	103

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3092	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
3092	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
3092	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
3092	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
3092	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
3092	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
3092	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
3092	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
3092	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
3092	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
3092	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
3092	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
3092	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
3092	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
3092	e1ac6283bd50e46c49ea0cfae49e4a8f.exe
3092	e1ac6283bd50e46c49ea0cfae49e4a8f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3092	e1ac6283bd50e46c49ea0cfae49e4a8f.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 3092	1396	e1ac6283bd50e46c49ea0cfae49e4a8f.exe	103
PID 1396 wrote to memory of 3092	1396	e1ac6283bd50e46c49ea0cfae49e4a8f.exe	103
PID 1396 wrote to memory of 3092	1396	e1ac6283bd50e46c49ea0cfae49e4a8f.exe	103
PID 1396 wrote to memory of 3092	1396	e1ac6283bd50e46c49ea0cfae49e4a8f.exe	103
PID 1396 wrote to memory of 3092	1396	e1ac6283bd50e46c49ea0cfae49e4a8f.exe	103
PID 1396 wrote to memory of 3092	1396	e1ac6283bd50e46c49ea0cfae49e4a8f.exe	103
PID 1396 wrote to memory of 3092	1396	e1ac6283bd50e46c49ea0cfae49e4a8f.exe	103
PID 1396 wrote to memory of 3092	1396	e1ac6283bd50e46c49ea0cfae49e4a8f.exe	103

C:\Users\Admin\AppData\Local\Temp\e1ac6283bd50e46c49ea0cfae49e4a8f.exe
"C:\Users\Admin\AppData\Local\Temp\e1ac6283bd50e46c49ea0cfae49e4a8f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Users\Admin\AppData\Local\Temp\e1ac6283bd50e46c49ea0cfae49e4a8f.exe
  "C:\Users\Admin\AppData\Local\Temp\e1ac6283bd50e46c49ea0cfae49e4a8f.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3684 --field-trial-handle=2244,i,11986678581565715302,451159359636456336,262144 --variations-seed-version /prefetch:8
1⤵
PID:3224

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e1ac6283bd50e46c49ea0cfae49e4a8f.exe.log

Filesize
1KB

MD5
b5291f3dcf2c13784e09a057f2e43d13

SHA1
fbb72f4b04269e0d35b1d9c29d02d63dbc7ad07e

SHA256
ad995b51344d71019f96fc3a424de00256065daad8595ff599f6849c87ae75ce

SHA512
11c89caac425bccaa24e2bb24c6f2b4e6d6863278bf8a5304a42bb44475b08ca586e09143e7d5b14db7f1cd9adacd5358769e0d999dc348073431031067bd4d4

Download Submit
memory/1396-4-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/1396-8-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/1396-3-0x0000000004E90000-0x0000000004F22000-memory.dmp

Filesize
584KB

Download
memory/1396-0-0x0000000000410000-0x0000000000420000-memory.dmp

Filesize
64KB

Download
memory/1396-5-0x0000000004E20000-0x0000000004E2A000-memory.dmp

Filesize
40KB

Download
memory/1396-6-0x0000000005120000-0x0000000005196000-memory.dmp

Filesize
472KB

Download
memory/1396-2-0x00000000053A0000-0x0000000005944000-memory.dmp

Filesize
5.6MB

Download
memory/1396-15-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/1396-7-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/1396-10-0x00000000050A0000-0x00000000050BE000-memory.dmp

Filesize
120KB

Download
memory/1396-9-0x0000000004E10000-0x0000000004E1E000-memory.dmp

Filesize
56KB

Download
memory/1396-1-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/3092-14-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/3092-11-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3092-16-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download