1c5945ba631e642a275fb2b967c15a047b50640bb8d71908387d90074ef3bbdd

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26-09-2024 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ChaosRansomwareBuilderVersion4-main/Src Code/CustomWindowsForm/BlackForm.resources
Size

116KB
MD5

df38993dea2e1a76a0be3c541db54a72
SHA1

563c9e87762a27c9f794bcbf2bf00aab10e33b06
SHA256

5a2ddd4b8d32f88a17c771e5ed1f1e4f90175fc3711ff7b026dc2e328ef0e2b4
SHA512

a9f09c93a86ee919a1efe4c8ed1019a9b86b76492eba7555f411011635f774b1ecea9eb60323e026b0a85371fc5382c7ae425048c99756aa505f662adb52d79d
SSDEEP

768:3GLYL6fkEP2nPHLM9KKuRYxSR8xobxlyKzWI6ck6HvgC+I1+pLqe:3Ik6sq2njM9qRYxSKGxly16Pn6RT

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2600	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2600	AcroRd32.exe
2600	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2684	2480	cmd.exe	31
PID 2480 wrote to memory of 2684	2480	cmd.exe	31
PID 2480 wrote to memory of 2684	2480	cmd.exe	31
PID 2684 wrote to memory of 2600	2684	rundll32.exe	32
PID 2684 wrote to memory of 2600	2684	rundll32.exe	32
PID 2684 wrote to memory of 2600	2684	rundll32.exe	32
PID 2684 wrote to memory of 2600	2684	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ChaosRansomwareBuilderVersion4-main\Src Code\CustomWindowsForm\BlackForm.resources"
1⤵
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\ChaosRansomwareBuilderVersion4-main\Src Code\CustomWindowsForm\BlackForm.resources
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ChaosRansomwareBuilderVersion4-main\Src Code\CustomWindowsForm\BlackForm.resources"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
5f5592a370be2de786e37d73e2883d59

SHA1
a4d03144fa4fbc6df720f147e10eb0daf3ab2852

SHA256
22f23f082ad0a892abe98fe312cc130d4d462a26781d7051b3a38666c0ec916d

SHA512
f08b282f92ea17b77b7256a4bfc9c224c4e7b770494e1dfa1df62cb9b6e5bbd12d78ad381c4423fc0b6f2d4f31ad169e7c3a65d335fccd4feef1eaeddea2cecc

Download Submit