chaos | c423bd973d16de69ee63ff5321c3e2cbc5dd4fcf6c30a9e4e2fdb752449a26b9

Analysis

max time kernel
49s
max time network
16s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-07-2024 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main.exe
Size

537KB
MD5

db63c855e1a1f5ee8bbeb93a5c6a94d3
SHA1

bb88714fddab5ebf931141b831954d99b91d2394
SHA256

c423bd973d16de69ee63ff5321c3e2cbc5dd4fcf6c30a9e4e2fdb752449a26b9
SHA512

0045bcd3d07da072aae92f508a806b529e6eb2d62d9c09eef85208a3083a4d9748a9d74346561f151d0b4e6e8bfba78ff8f80ae35fc717709ff3a25ce71b3172
SSDEEP

12288:Pq4W8F32U2rKrMtiDUsZL6g+e8gk255H63:PzmVK4MULLy5B

Score

10^/10

chaos defense_evasion evasion execution impact ransomware spyware stealer

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 3 IoCs

resource	yara_rule
behavioral1/memory/2112-1-0x0000000000EA0000-0x0000000000F2C000-memory.dmp	family_chaos
behavioral1/files/0x0003000000011ba4-5.dat	family_chaos
behavioral1/memory/2644-7-0x0000000000D50000-0x0000000000DDC000-memory.dmp	family_chaos

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2640	bcdedit.exe
2892	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
688	wbadmin.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2644	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 34 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3294248377-1418901787-4083263181-1000\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uz7e2tfqu.jpg"	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2296	vssadmin.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
1352	NOTEPAD.EXE
1248	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2644	svchost.exe
1336	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2112	main.exe
2112	main.exe
2112	main.exe
2644	svchost.exe
2644	svchost.exe
2644	svchost.exe
2644	svchost.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	main.exe
Token: SeDebugPrivilege	2644	svchost.exe
Token: SeBackupPrivilege	1780	vssvc.exe
Token: SeRestorePrivilege	1780	vssvc.exe
Token: SeAuditPrivilege	1780	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2044	WMIC.exe
Token: SeSecurityPrivilege	2044	WMIC.exe
Token: SeTakeOwnershipPrivilege	2044	WMIC.exe
Token: SeLoadDriverPrivilege	2044	WMIC.exe
Token: SeSystemProfilePrivilege	2044	WMIC.exe
Token: SeSystemtimePrivilege	2044	WMIC.exe
Token: SeProfSingleProcessPrivilege	2044	WMIC.exe
Token: SeIncBasePriorityPrivilege	2044	WMIC.exe
Token: SeCreatePagefilePrivilege	2044	WMIC.exe
Token: SeBackupPrivilege	2044	WMIC.exe
Token: SeRestorePrivilege	2044	WMIC.exe
Token: SeShutdownPrivilege	2044	WMIC.exe
Token: SeDebugPrivilege	2044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2044	WMIC.exe
Token: SeRemoteShutdownPrivilege	2044	WMIC.exe
Token: SeUndockPrivilege	2044	WMIC.exe
Token: SeManageVolumePrivilege	2044	WMIC.exe
Token: 33	2044	WMIC.exe
Token: 34	2044	WMIC.exe
Token: 35	2044	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2044	WMIC.exe
Token: SeSecurityPrivilege	2044	WMIC.exe
Token: SeTakeOwnershipPrivilege	2044	WMIC.exe
Token: SeLoadDriverPrivilege	2044	WMIC.exe
Token: SeSystemProfilePrivilege	2044	WMIC.exe
Token: SeSystemtimePrivilege	2044	WMIC.exe
Token: SeProfSingleProcessPrivilege	2044	WMIC.exe
Token: SeIncBasePriorityPrivilege	2044	WMIC.exe
Token: SeCreatePagefilePrivilege	2044	WMIC.exe
Token: SeBackupPrivilege	2044	WMIC.exe
Token: SeRestorePrivilege	2044	WMIC.exe
Token: SeShutdownPrivilege	2044	WMIC.exe
Token: SeDebugPrivilege	2044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2044	WMIC.exe
Token: SeRemoteShutdownPrivilege	2044	WMIC.exe
Token: SeUndockPrivilege	2044	WMIC.exe
Token: SeManageVolumePrivilege	2044	WMIC.exe
Token: 33	2044	WMIC.exe
Token: 34	2044	WMIC.exe
Token: 35	2044	WMIC.exe
Token: SeBackupPrivilege	2196	wbengine.exe
Token: SeRestorePrivilege	2196	wbengine.exe
Token: SeSecurityPrivilege	2196	wbengine.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1336	WINWORD.EXE
1336	WINWORD.EXE

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2644	2112	main.exe	31
PID 2112 wrote to memory of 2644	2112	main.exe	31
PID 2112 wrote to memory of 2644	2112	main.exe	31
PID 2644 wrote to memory of 2216	2644	svchost.exe	32
PID 2644 wrote to memory of 2216	2644	svchost.exe	32
PID 2644 wrote to memory of 2216	2644	svchost.exe	32
PID 2216 wrote to memory of 2296	2216	cmd.exe	34
PID 2216 wrote to memory of 2296	2216	cmd.exe	34
PID 2216 wrote to memory of 2296	2216	cmd.exe	34
PID 2216 wrote to memory of 2044	2216	cmd.exe	38
PID 2216 wrote to memory of 2044	2216	cmd.exe	38
PID 2216 wrote to memory of 2044	2216	cmd.exe	38
PID 2644 wrote to memory of 2964	2644	svchost.exe	40
PID 2644 wrote to memory of 2964	2644	svchost.exe	40
PID 2644 wrote to memory of 2964	2644	svchost.exe	40
PID 2964 wrote to memory of 2640	2964	cmd.exe	42
PID 2964 wrote to memory of 2640	2964	cmd.exe	42
PID 2964 wrote to memory of 2640	2964	cmd.exe	42
PID 2964 wrote to memory of 2892	2964	cmd.exe	43
PID 2964 wrote to memory of 2892	2964	cmd.exe	43
PID 2964 wrote to memory of 2892	2964	cmd.exe	43
PID 2644 wrote to memory of 2740	2644	svchost.exe	44
PID 2644 wrote to memory of 2740	2644	svchost.exe	44
PID 2644 wrote to memory of 2740	2644	svchost.exe	44
PID 2740 wrote to memory of 688	2740	cmd.exe	46
PID 2740 wrote to memory of 688	2740	cmd.exe	46
PID 2740 wrote to memory of 688	2740	cmd.exe	46
PID 2644 wrote to memory of 1352	2644	svchost.exe	50
PID 2644 wrote to memory of 1352	2644	svchost.exe	50
PID 2644 wrote to memory of 1352	2644	svchost.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2296
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2044
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2640
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2892
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:688
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1352

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2172

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:840

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\read_it.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1248

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\LockConvertTo.docx"
1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
e270c5b726bc93d131fd877a2c525ff9

SHA1
f51a54a342c836c72542897925f3929ea41fb9d0

SHA256
f6dc3cf0966f0063e0e2bf0bd2d9c6dc520e8ee4b601316ac36a65b931e45035

SHA512
4d15bdaa78d10c6f0abc6d75e480233f37e9b4323e1cc3662cf6e485a6a515ffb4dd83596b1af4eee6f6dfde1dadb62780e36bbba0f933103134103d0a27ce29

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
537KB

MD5
db63c855e1a1f5ee8bbeb93a5c6a94d3

SHA1
bb88714fddab5ebf931141b831954d99b91d2394

SHA256
c423bd973d16de69ee63ff5321c3e2cbc5dd4fcf6c30a9e4e2fdb752449a26b9

SHA512
0045bcd3d07da072aae92f508a806b529e6eb2d62d9c09eef85208a3083a4d9748a9d74346561f151d0b4e6e8bfba78ff8f80ae35fc717709ff3a25ce71b3172

Download Submit
C:\Users\Admin\Desktop\read_it.txt

Filesize
741B

MD5
9624d8d9e455487acab423bd81962fa4

SHA1
0096b484dac2c5c6a4568b55083eb39632aee972

SHA256
a6b206d4f3694e920fb06af93c6c5a2e7f052485bec2bfa57bc238134a4353ac

SHA512
8ddb82b56c7e09ea939921f4df6c1196257356457d7fc09ca2d9035ab4c4af3a9419a41e46b22bd2e7bc3614592b59e35075679ed417280f7150809aae3cbd5e

Download Submit
memory/1336-78-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1336-112-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2112-0-0x000007FEF6193000-0x000007FEF6194000-memory.dmp

Filesize
4KB

Download
memory/2112-1-0x0000000000EA0000-0x0000000000F2C000-memory.dmp

Filesize
560KB

Download
memory/2644-8-0x000007FEF57A3000-0x000007FEF57A4000-memory.dmp

Filesize
4KB

Download
memory/2644-7-0x0000000000D50000-0x0000000000DDC000-memory.dmp

Filesize
560KB

Download
memory/2644-73-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp

Filesize
9.9MB

Download
memory/2644-74-0x000007FEF57A3000-0x000007FEF57A4000-memory.dmp

Filesize
4KB

Download
memory/2644-76-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp

Filesize
9.9MB

Download