chaos | a576cf0982b75dccdf9e9ab9f8070103f507147dd120e757d94659b8d94ee225

General

Target

aa.exe
Size

18KB
MD5

d812020fc265dfb10a4dee8c239e14d0
SHA1

69bf67761b8c07f0250a194e7d6ff44e74b22e02
SHA256

a576cf0982b75dccdf9e9ab9f8070103f507147dd120e757d94659b8d94ee225
SHA512

f94a9930ed34fbbdbddd5e146a88a171447d18d5c82d0e37c56f907a485a78f124a4c3c6b1ac05e52f57988527d2af6b872a12f02584b86d88e8c5ee4ae558a1
SSDEEP

384:r3MLWHn3kIASb5pl0joO7c4J/r91CzFb4ex:3n3kIP5pmBP/r9iFb4ex

Score

10^/10

chaos ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\read_it.txt

Ransom Note

All of your files have been encrypted by Pon Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.What can I do to get my files back?You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0.1473766 BTC Bitcoin Address: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 3 IoCs

resource	yara_rule
behavioral1/memory/2676-1-0x0000000001000000-0x000000000100A000-memory.dmp	family_chaos
behavioral1/files/0x00070000000120cd-5.dat	family_chaos
behavioral1/memory/2704-7-0x0000000000090000-0x000000000009A000-memory.dmp	family_chaos

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2704	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2784	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2704	svchost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2676	aa.exe
2676	aa.exe
2676	aa.exe
2704	svchost.exe
2704	svchost.exe
2704	svchost.exe
2704	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	aa.exe
Token: SeDebugPrivilege	2704	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2704	2676	aa.exe	30
PID 2676 wrote to memory of 2704	2676	aa.exe	30
PID 2676 wrote to memory of 2704	2676	aa.exe	30
PID 2704 wrote to memory of 2784	2704	svchost.exe	31
PID 2704 wrote to memory of 2784	2704	svchost.exe	31
PID 2704 wrote to memory of 2784	2704	svchost.exe	31

C:\Users\Admin\AppData\Local\Temp\aa.exe
"C:\Users\Admin\AppData\Local\Temp\aa.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\read_it.txt

Filesize
886B

MD5
8f52688568bb3eeb53664f8584fe24c9

SHA1
f634f4f94031e5c2b4d736b379cfd1a83571b496

SHA256
ea7db6da967d15ebe74bd51019979cd6ef622b25f6d3890d2e1473de6d1a345a

SHA512
fe4400159041b5eb34eb26fcf0105b38ce89370a75644541eb7929edffa126638aef24fff3ce07dd01184594c3f86604e36dba885b4a6e677431d7e7e6d4da8f

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
18KB

MD5
d812020fc265dfb10a4dee8c239e14d0

SHA1
69bf67761b8c07f0250a194e7d6ff44e74b22e02

SHA256
a576cf0982b75dccdf9e9ab9f8070103f507147dd120e757d94659b8d94ee225

SHA512
f94a9930ed34fbbdbddd5e146a88a171447d18d5c82d0e37c56f907a485a78f124a4c3c6b1ac05e52f57988527d2af6b872a12f02584b86d88e8c5ee4ae558a1

Download Submit
memory/2676-0-0x000007FEF5F63000-0x000007FEF5F64000-memory.dmp

Filesize
4KB

Download
memory/2676-1-0x0000000001000000-0x000000000100A000-memory.dmp

Filesize
40KB

Download
memory/2704-7-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/2704-9-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2704-14-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2704-15-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing