chaos | 994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea

General

Target

994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe
Size

190KB
MD5

50c8525d4becd3e68424f68eae6e6983
SHA1

db8835032d0dcce4b9899671bfa4d8e3ddfc825c
SHA256

994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea
SHA512

db51b7735eebb57126eb5640195bf9ebe00acc8914bfd2ef31e7e18bac890da63f46a3773e449766faabb31c865ebfb3cb9473e3800b8079a8204b397ee6ba79
SSDEEP

768:/KHkATXfZLdQeIOi1H88pup5n5uwESIL+aOppppOFb0xRbNqmM9dCgKcpdYRHM/W:j4Xfx+H8hpPuw2qieK9dC3cTKtswB

Score

10^/10

chaos persistence ransomware

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1220-1-0x0000000001140000-0x0000000001176000-memory.dmp	family_chaos
behavioral1/files/0x000a00000001202c-5.dat	family_chaos
behavioral1/memory/2248-7-0x0000000000B40000-0x0000000000B76000-memory.dmp	family_chaos

Chaos family
chaos

Drops startup file 1 IoCs

Processes:

svchost.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid	Process
2248	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Store = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe

Drops desktop.ini file(s) 14 IoCs

Processes:

svchost.exe

description	ioc	Process
File created	C:\Users\Admin\Links\desktop.ini	svchost.exe
File created	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File created	C:\Users\Admin\Music\desktop.ini	svchost.exe
File created	F:\$RECYCLE.BIN\S-1-5-21-2039016743-699959520-214465309-1000\desktop.ini	svchost.exe
File created	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File created	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File created	C:\Users\Admin\Favorites\Links for United States\desktop.ini	svchost.exe
File created	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File created	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File created	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File created	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File created	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File created	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File created	C:\Users\Admin\Favorites\desktop.ini	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
1632	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

svchost.exe

pid	Process
2248	svchost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exesvchost.exe

pid	Process
1220	994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe
1220	994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe
1220	994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe
2248	svchost.exe
2248	svchost.exe
2248	svchost.exe
2248	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exesvchost.exe

description	pid	Process
Token: SeDebugPrivilege	1220	994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe
Token: SeDebugPrivilege	2248	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exesvchost.exe

description	pid	Process	procid_target
PID 1220 wrote to memory of 2248	1220	994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe	30
PID 1220 wrote to memory of 2248	1220	994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe	30
PID 1220 wrote to memory of 2248	1220	994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe	30
PID 2248 wrote to memory of 1632	2248	svchost.exe	31
PID 2248 wrote to memory of 1632	2248	svchost.exe	31
PID 2248 wrote to memory of 1632	2248	svchost.exe	31

C:\Users\Admin\AppData\Local\Temp\994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe
"C:\Users\Admin\AppData\Local\Temp\994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
190KB

MD5
50c8525d4becd3e68424f68eae6e6983

SHA1
db8835032d0dcce4b9899671bfa4d8e3ddfc825c

SHA256
994ab65cf9072f47b962e271c7b5990a5552ca15de1d35b4f2c21b4c698de2ea

SHA512
db51b7735eebb57126eb5640195bf9ebe00acc8914bfd2ef31e7e18bac890da63f46a3773e449766faabb31c865ebfb3cb9473e3800b8079a8204b397ee6ba79

Download Submit
C:\Users\Admin\Downloads\read_it.txt

Filesize
75B

MD5
c4c96e7d10aae1da43f42944209827cf

SHA1
40ce5138fd5ee79c0ffeec8eed6f8596a31625e9

SHA256
ce4eac3c91c6c4948e92dc1590d483db3a39ae1db1943d2fab69c1068623fd9b

SHA512
7ab3600a1b286ef9dee986093bf10580f789ee8f6c72d09b03d6d8eea247ea762ffe4b5445a99c052e586c7e811e72892b01db3de46d9f45a8bbd3df3f992555

Download Submit
memory/1220-0-0x000007FEF5AB3000-0x000007FEF5AB4000-memory.dmp

Filesize
4KB

Download
memory/1220-1-0x0000000001140000-0x0000000001176000-memory.dmp

Filesize
216KB

Download
memory/2248-7-0x0000000000B40000-0x0000000000B76000-memory.dmp

Filesize
216KB

Download
memory/2248-9-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/2248-109-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/2248-111-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads