chaos | f4967fd913dc43ba20eeda786ce3da4119df5d86b4536c3b68f44c2ed09e42bf

General

Target

koala.exe
Size

16KB
MD5

607bf2b302c3941815dc159e356f06fd
SHA1

3d86bfc813a47dbede8f9420de418b2143e791e4
SHA256

f4967fd913dc43ba20eeda786ce3da4119df5d86b4536c3b68f44c2ed09e42bf
SHA512

1317171b290e0e0fc667d9b4210a34744e0b21416c56a7e56bc747851c6f1db375eb014b752ef304cd6527c5b288e49840ccf663b4a6e607afd1717653b095ea
SSDEEP

192:fXiJtJHunl2t90RGfWYQy3G8dcInaoVE66XwsXglbr5i7amDC/sBHvWjJ1T5Fx/X:fCul2tpOfGG2vn+wH87Tc8HuLTUX

Score

10^/10

chaos persistence ransomware

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 3 IoCs

resource	yara_rule
behavioral1/memory/2992-1-0x0000000000960000-0x000000000096A000-memory.dmp	family_chaos
behavioral1/files/0x000b000000014e5a-5.dat	family_chaos
behavioral1/memory/3040-7-0x0000000000C10000-0x0000000000C1A000-memory.dmp	family_chaos

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
3040	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Store = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe

Drops desktop.ini file(s) 14 IoCs

description	ioc	Process
File created	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File created	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File created	C:\Users\Admin\Music\desktop.ini	svchost.exe
File created	F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini	svchost.exe
File created	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File created	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File created	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File created	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File created	C:\Users\Admin\Favorites\Links for United States\desktop.ini	svchost.exe
File created	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File created	C:\Users\Admin\Links\desktop.ini	svchost.exe
File created	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File created	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File created	C:\Users\Admin\Favorites\desktop.ini	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1464	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3040	svchost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2992	koala.exe
2992	koala.exe
3040	svchost.exe
3040	svchost.exe
3040	svchost.exe
3040	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2992	koala.exe
Token: SeDebugPrivilege	3040	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1464	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 3040	2992	koala.exe	28
PID 2992 wrote to memory of 3040	2992	koala.exe	28
PID 2992 wrote to memory of 3040	2992	koala.exe	28
PID 3040 wrote to memory of 1464	3040	svchost.exe	29
PID 3040 wrote to memory of 1464	3040	svchost.exe	29
PID 3040 wrote to memory of 1464	3040	svchost.exe	29

C:\Users\Admin\AppData\Local\Temp\koala.exe
"C:\Users\Admin\AppData\Local\Temp\koala.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    - Suspicious use of FindShellTrayWindow
    PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
16KB

MD5
607bf2b302c3941815dc159e356f06fd

SHA1
3d86bfc813a47dbede8f9420de418b2143e791e4

SHA256
f4967fd913dc43ba20eeda786ce3da4119df5d86b4536c3b68f44c2ed09e42bf

SHA512
1317171b290e0e0fc667d9b4210a34744e0b21416c56a7e56bc747851c6f1db375eb014b752ef304cd6527c5b288e49840ccf663b4a6e607afd1717653b095ea

Download Submit
C:\Users\Admin\Downloads\read_it.txt

Filesize
1KB

MD5
adc425a1c306a33d9d727120895abf29

SHA1
0613ad669cae1af9b90cb463d19eee9d7757c4e3

SHA256
5162a83bf8f5d56067cb93d6e35eed14bf10703e485a261cd7cca400ca88d31a

SHA512
ec2630f84c648a8bed9c69c928fbca2e187292e0e25a7507ada3e1f36a2403d7243c7b166b8a2f7b19ba877835a8a762c54d63940a03dce0597a1c159890be55

Download Submit
memory/2992-0-0x000007FEF5DD3000-0x000007FEF5DD4000-memory.dmp

Filesize
4KB

Download
memory/2992-1-0x0000000000960000-0x000000000096A000-memory.dmp

Filesize
40KB

Download
memory/3040-7-0x0000000000C10000-0x0000000000C1A000-memory.dmp

Filesize
40KB

Download
memory/3040-8-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/3040-119-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/3040-121-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/3040-122-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads