Analysis Overview
SHA256
b15052d17afc1a01e83cdc0624dd268838237f8cd66fa12c56706bdee8a61286
Threat Level: Known bad
The file Encrypt.exe was found to be: Known bad.
Malicious Activity Summary
Chaos family
Chaos
Chaos Ransomware
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-15 05:59
Signatures
Chaos Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Chaos family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-15 05:59
Reported
2024-09-15 05:59
Platform
win10v2004-20240802-en
Max time kernel
7s
Max time network
9s
Command Line
Signatures
Chaos
Chaos Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Encrypt.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe | N/A |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\Encrypt.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Encrypt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\Encrypt.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Encrypt.exe
"C:\Users\Admin\AppData\Local\Temp\Encrypt.exe"
C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe"
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp |
Files
memory/1852-0-0x00000000023F0000-0x00000000023F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe
| MD5 | e7d91103647b76f121b854fe806f80e2 |
| SHA1 | e6adca5f83dfb2cca099cf18d6960d422b82bb9e |
| SHA256 | 04ed744d9643830fc5f0499203a6fde506b5f2c89868695bfe179a8edb3b28c0 |
| SHA512 | 69dc672bfe3a89ebe71b8041159afab0231701ea59438feb1f000ddddf52627c1f7c6f36bd8c2f77f037dd2659e6ef8f27db283476dae228522051659f2f67b0 |
C:\ProgramData\Synaptics\Synaptics.exe
| MD5 | 8728ba233fcb020a6a2eaabb90df630c |
| SHA1 | c6dc576f2e0423e8a0f36bba51fa7c65e1e281e7 |
| SHA256 | b15052d17afc1a01e83cdc0624dd268838237f8cd66fa12c56706bdee8a61286 |
| SHA512 | 24e494c64647794fc9aa91da6975117d27984b4bb21859dbf0c60faba5b7f0ec26c26ebbe1ad57f185e1d7ecd4b797d530639d287456ac9bc2930a111fd4613a |
memory/1876-71-0x00007FFFF8B83000-0x00007FFFF8B85000-memory.dmp
memory/1876-119-0x0000000000750000-0x00000000007DC000-memory.dmp
memory/1852-130-0x0000000000400000-0x0000000000545000-memory.dmp
memory/1876-133-0x00007FFFF8B80000-0x00007FFFF9641000-memory.dmp
memory/1876-206-0x00007FFFF8B80000-0x00007FFFF9641000-memory.dmp
memory/3872-207-0x00007FF7D6E50000-0x00007FF7D6E60000-memory.dmp
memory/3872-208-0x00007FF7D6E50000-0x00007FF7D6E60000-memory.dmp
memory/3872-209-0x00007FF7D6E50000-0x00007FF7D6E60000-memory.dmp
memory/3872-211-0x00007FF7D6E50000-0x00007FF7D6E60000-memory.dmp
memory/3872-210-0x00007FF7D6E50000-0x00007FF7D6E60000-memory.dmp
memory/3872-212-0x00007FF7D44F0000-0x00007FF7D4500000-memory.dmp
memory/3872-213-0x00007FF7D44F0000-0x00007FF7D4500000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BncRRvIl.xlsm
| MD5 | e566fc53051035e1e6fd0ed1823de0f9 |
| SHA1 | 00bc96c48b98676ecd67e81a6f1d7754e4156044 |
| SHA256 | 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15 |
| SHA512 | a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04 |
C:\Users\Admin\AppData\Local\Temp\7EB75E00
| MD5 | e21ffaa95e11633919c01eccd3205e5e |
| SHA1 | c78135fded873e5573585d2634cd3f84d6560d23 |
| SHA256 | 0b7328c081e45fe16d6bc83974f680877ad0358a0fb80bfa3b0f5756a23d3250 |
| SHA512 | e0a6805e91ad349e42995c14bd98d15a1fd2db65fb123cf3afaa7b53b16d9e34b34991ce69756581f4028979ccf211ab027524757706d2a2837c97b57b0083aa |