Analysis
max time kernel: 67s
max time network: 11s
platform: windows11-21h2_x64
resource: win11-20240730-en
resource tags: arch:x64, arch:x86, image:win11-20240730-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 31/07/2024, 08:31
Behavioral task: behavioral1
Sample: Chaos Ransomware Builder v4.exe
Resource: win11-20240730-en
General
Target: Chaos Ransomware Builder v4.exe
Size: 550KB
MD5: 8b855e56e41a6e10d28522a20c1e0341
SHA1: 17ea75272cfe3749c6727388fd444d2c970f9d01
SHA256: f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77
SHA512: eefab442b9c1be379e00c6a7de9d6d7d327ad8fd52d62a5744e104f6caa44f7147a8e74f340870f9c017980a3d8a5a86a05f76434539c01270c442a66b2af908
SSDEEP: 3072:9UJAYdi2YcRVm16Pn6tpzqJG/sX9i2YcRPm16Pn6ckCjSH5EyR9aKZt18rTu+i2S:9aiWm162qJEsNiym16ryAiym168
Malware Config
Extracted from C:\Users\Admin\Desktop\read_it.txt
Family: chaos
Signatures

Chaos
Ransomware family first seen in June 2021.

Chaos Ransomware 4 IoCs
resource | yara_rule
behavioral1/memory/1104-1-0x00000000000D0000-0x000000000015E000-memory.dmp | family_chaos
behavioral1/files/0x000400000002aacf-11.dat | family_chaos
behavioral1/files/0x000100000002aadf-21.dat | family_chaos
behavioral1/memory/2124-22-0x0000000000A00000-0x0000000000A0C000-memory.dmp | family_chaos

Drops startup file 3 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | svchost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt | svchost.exe

Executes dropped EXE 2 IoCs
pid | Process
2124 | st.exe
3532 | svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Drops desktop.ini file(s) 34 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies registry class 59 IoCs
Opens file in notepad (likely ransom note) 1 IoCs
pid | Process
572 | NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
3532 | svchost.exe
5036 | vlc.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs
pid | Process
1104 | Chaos Ransomware Builder v4.exe (19 entries)
2124 | st.exe (19 entries)
3532 | svchost.exe (20 entries)

Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
1104 | Chaos Ransomware Builder v4.exe
5036 | vlc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1104 | Chaos Ransomware Builder v4.exe
Token: SeDebugPrivilege | 2124 | st.exe
Token: SeDebugPrivilege | 3532 | svchost.exe

Suspicious use of FindShellTrayWindow 3 IoCs
pid | Process
5036 | vlc.exe
5036 | vlc.exe
5036 | vlc.exe

Suspicious use of SendNotifyMessage 2 IoCs
pid | Process
5036 | vlc.exe
5036 | vlc.exe

Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
1104 | Chaos Ransomware Builder v4.exe
1104 | Chaos Ransomware Builder v4.exe
1104 | Chaos Ransomware Builder v4.exe
5036 | vlc.exe

Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 1104 wrote to memory of 3956 | 1104 | Chaos Ransomware Builder v4.exe | 81
PID 1104 wrote to memory of 3956 | 1104 | Chaos Ransomware Builder v4.exe | 81
PID 3956 wrote to memory of 3464 | 3956 | csc.exe | 83
PID 3956 wrote to memory of 3464 | 3956 | csc.exe | 83
PID 2124 wrote to memory of 3532 | 2124 | st.exe | 89
PID 2124 wrote to memory of 3532 | 2124 | st.exe | 89
PID 3532 wrote to memory of 572 | 3532 | svchost.exe | 90
PID 3532 wrote to memory of 572 | 3532 | svchost.exe | 90
Processes

C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe (PID 1104)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe"
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 3956)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vh0kpfl5\vh0kpfl5.cmdline"
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 3464)
      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES606.tmp" "c:\Users\Admin\Downloads\CSCAA154D0B3E27476CA1561C87A48E64C6.TMP"

C:\Windows\System32\rundll32.exe (PID 2892)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\st.exe (PID 2124)
  Command line: "C:\Users\Admin\Downloads\st.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\svchost.exe (PID 3532)
    Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
    - Drops startup file
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\NOTEPAD.EXE (PID 572)
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
      - Opens file in notepad (likely ransom note)

C:\Program Files\VideoLAN\VLC\vlc.exe (PID 5036)
  Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads