1c5945ba631e642a275fb2b967c15a047b50640bb8d71908387d90074ef3bbdd

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-09-2024 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ChaosRansomwareBuilderVersion4-main/Src Code/CustomWindowsForm/Compiler.cs
Size

1KB
MD5

cadd44bc0d105fb158089916964fbf33
SHA1

0816331de8eb34c51e66970edf7676b04b6e8dcf
SHA256

1fbd45441ba367054398f7648bcee32910742351b37944154473733ca7925126
SHA512

d069eb00f8311982563a33e4e57b9f68ae75fb1cf4d546328e0bfedaff9b670a4fc14bafe0a731f16be123dde7fa8fdf9b20ff3325c6d1a53797925a0fe2e605

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2804	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2804	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2804	AcroRd32.exe
2804	AcroRd32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2804	2212	cmd.exe	32
PID 2212 wrote to memory of 2804	2212	cmd.exe	32
PID 2212 wrote to memory of 2804	2212	cmd.exe	32
PID 2212 wrote to memory of 2804	2212	cmd.exe	32

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ChaosRansomwareBuilderVersion4-main\Src Code\CustomWindowsForm\Compiler.cs"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ChaosRansomwareBuilderVersion4-main\Src Code\CustomWindowsForm\Compiler.cs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
3e6ad5e481717075299b064135df8d02

SHA1
4e1b36dc4f67847844aea5e8d3032ff2a6cd8171

SHA256
db2fdb9762fc9f4409756c4c10d70c7bbfe05f4092121dcf821d36649369721d

SHA512
bfe490241d0b9387368f3dc18d8348fb7fad4ea1a904d33722d19c48f4756e70c7f5b71e629f461a5a402be61bc23ae08312e9ede2b9ae3352b66bcb308e5714

Download Submit