Analysis
- max time kernel: 120s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 19-04-2024 20:29
Behavioral tasks
- behavioral1: Chaos_V2_FIXED.zip (resource: win7-20240221-en)
- behavioral2: Chaos_V2_FIXED.zip (resource: win10v2004-20240412-en)
- behavioral3: Chaos.exe (resource: win7-20231129-en)
- behavioral4: Chaos.exe (resource: win10v2004-20240412-en)
- behavioral5: fpsunlocker.exe (resource: win7-20240221-en)
- behavioral6: fpsunlocker.exe (resource: win10v2004-20240412-en)
- behavioral7: ps.py (resource: win7-20240220-en)
- behavioral8: ps.py (resource: win10v2004-20240412-en)
- behavioral9: pssuspend.exe (resource: win7-20240221-en)
- behavioral10: pssuspend.exe (resource: win10v2004-20240412-en)
General
- Target: ps.py
- Size: 622KB
- MD5: 3a02c5c2ce5b235f7c6026c0c85f9c3d
- SHA1: b1c745695ce203dfccc41ce95325a2f41f663d6d
- SHA256: 351628536b70b66a5b18d48710fc29c027235ae9f63015a36563a606d969c2cc
- SHA512: f4f6e06e97a609253da2efebdde26a6cd7497538e4b159f59ed8bb968a0a73dd6e9d07752cc25038506068e3038478d3a589eaec112f0ffc413588cb1188756e
- SSDEEP: 12288:GZFwpMzfJJFQrvnR0e/wFXVLNe/OajxYImvf/Opyp:N/SowFXVV/Tv2m
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Modifies registry class (9 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\py_auto_file\ | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\py_auto_file\shell\Read | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\py_auto_file\shell\Read\command | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\py_auto_file | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\py_auto_file\shell | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.py | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.py\ = "py_auto_file" | rundll32.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: AcroRd32.exe
  pid | process
  2540 | AcroRd32.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: AcroRd32.exe
  pid | process
  2540 | AcroRd32.exe
  2540 | AcroRd32.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
  description | pid | process | target process
  PID 3040 wrote to memory of 2532 | 3040 | cmd.exe | rundll32.exe
  PID 3040 wrote to memory of 2532 | 3040 | cmd.exe | rundll32.exe
  PID 3040 wrote to memory of 2532 | 3040 | cmd.exe | rundll32.exe
  PID 2532 wrote to memory of 2540 | 2532 | rundll32.exe | AcroRd32.exe
  PID 2532 wrote to memory of 2540 | 2532 | rundll32.exe | AcroRd32.exe
  PID 2532 wrote to memory of 2540 | 2532 | rundll32.exe | AcroRd32.exe
  PID 2532 wrote to memory of 2540 | 2532 | rundll32.exe | AcroRd32.exe
Processes
- [depth 1] C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\ps.py
  - Suspicious use of WriteProcessMemory
  PID: 3040
  - [depth 2] C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\ps.py
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2532
    - [depth 3] C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ps.py"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      PID: 2540
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
  Filesize: 3KB
  MD5: bc90d2a101927fb436c053d41c603f49
  SHA1: 5bca840463b4ce3a3b0b4ddb01feb6dd0742ee3f
  SHA256: 1077d6b3938e6c1cddb982d548ec272a7d44f880fb46eba441cc65b1bc9b86d5
  SHA512: 56c33102b2dc8534e32c3dbd6695ffcb3c62243e001dfa9c427bf649521879da2d9f9c78820f7d629548bc8af19823e933a5e659b4d650590e5f384d87345a8b