chaos | f4967fd913dc43ba20eeda786ce3da4119df5d86b4536c3b68f44c2ed09e42bf

General

Target

koala.exe
Size

16KB
MD5

607bf2b302c3941815dc159e356f06fd
SHA1

3d86bfc813a47dbede8f9420de418b2143e791e4
SHA256

f4967fd913dc43ba20eeda786ce3da4119df5d86b4536c3b68f44c2ed09e42bf
SHA512

1317171b290e0e0fc667d9b4210a34744e0b21416c56a7e56bc747851c6f1db375eb014b752ef304cd6527c5b288e49840ccf663b4a6e607afd1717653b095ea
SSDEEP

192:fXiJtJHunl2t90RGfWYQy3G8dcInaoVE66XwsXglbr5i7amDC/sBHvWjJ1T5Fx/X:fCul2tpOfGG2vn+wH87Tc8HuLTUX

Score

10^/10

chaos persistence ransomware

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 2 IoCs

resource	yara_rule
behavioral2/memory/4428-0-0x00000000005F0000-0x00000000005FA000-memory.dmp	family_chaos
behavioral2/files/0x0008000000023440-6.dat	family_chaos

Renames multiple (62) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	koala.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	svchost.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2716	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Store = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe

Drops desktop.ini file(s) 16 IoCs

description	ioc	Process
File created	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File created	C:\Users\Admin\Music\desktop.ini	svchost.exe
File created	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File created	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File created	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File created	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	svchost.exe
File created	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	svchost.exe
File created	C:\Users\Admin\OneDrive\desktop.ini	svchost.exe
File created	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File created	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File created	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File created	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File created	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File created	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File created	C:\Users\Admin\Links\desktop.ini	svchost.exe
File created	F:\$RECYCLE.BIN\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	svchost.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3108	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2716	svchost.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
4428	koala.exe
4428	koala.exe
4428	koala.exe
4428	koala.exe
4428	koala.exe
4428	koala.exe
4428	koala.exe
4428	koala.exe
4428	koala.exe
4428	koala.exe
4428	koala.exe
4428	koala.exe
4428	koala.exe
4428	koala.exe
4428	koala.exe
4428	koala.exe
4428	koala.exe
4428	koala.exe
4428	koala.exe
4428	koala.exe
4428	koala.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4428	koala.exe
Token: SeDebugPrivilege	2716	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4428 wrote to memory of 2716	4428	koala.exe	81
PID 4428 wrote to memory of 2716	4428	koala.exe	81
PID 2716 wrote to memory of 3108	2716	svchost.exe	82
PID 2716 wrote to memory of 3108	2716	svchost.exe	82

C:\Users\Admin\AppData\Local\Temp\koala.exe
"C:\Users\Admin\AppData\Local\Temp\koala.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:3108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
16KB

MD5
607bf2b302c3941815dc159e356f06fd

SHA1
3d86bfc813a47dbede8f9420de418b2143e791e4

SHA256
f4967fd913dc43ba20eeda786ce3da4119df5d86b4536c3b68f44c2ed09e42bf

SHA512
1317171b290e0e0fc667d9b4210a34744e0b21416c56a7e56bc747851c6f1db375eb014b752ef304cd6527c5b288e49840ccf663b4a6e607afd1717653b095ea

Download Submit
C:\Users\Admin\Pictures\read_it.txt

Filesize
1KB

MD5
adc425a1c306a33d9d727120895abf29

SHA1
0613ad669cae1af9b90cb463d19eee9d7757c4e3

SHA256
5162a83bf8f5d56067cb93d6e35eed14bf10703e485a261cd7cca400ca88d31a

SHA512
ec2630f84c648a8bed9c69c928fbca2e187292e0e25a7507ada3e1f36a2403d7243c7b166b8a2f7b19ba877835a8a762c54d63940a03dce0597a1c159890be55

Download Submit
memory/2716-14-0x00007FFF4ABA0000-0x00007FFF4B661000-memory.dmp

Filesize
10.8MB

Download
memory/2716-150-0x00007FFF4ABA0000-0x00007FFF4B661000-memory.dmp

Filesize
10.8MB

Download
memory/4428-0-0x00000000005F0000-0x00000000005FA000-memory.dmp

Filesize
40KB

Download
memory/4428-1-0x00007FFF4ABA3000-0x00007FFF4ABA5000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads