chaos | bbb5c6b4f85c81a323d11d34629776e99ca40e983c5ce0d0a3d540addb1c2fe3

Analysis

max time kernel
94s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

source/Cov29Cry/Chaos Ransomware Builder v4.exe
Size

550KB
MD5

8b855e56e41a6e10d28522a20c1e0341
SHA1

17ea75272cfe3749c6727388fd444d2c970f9d01
SHA256

f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77
SHA512

eefab442b9c1be379e00c6a7de9d6d7d327ad8fd52d62a5744e104f6caa44f7147a8e74f340870f9c017980a3d8a5a86a05f76434539c01270c442a66b2af908
SSDEEP

3072:9UJAYdi2YcRVm16Pn6tpzqJG/sX9i2YcRPm16Pn6ckCjSH5EyR9aKZt18rTu+i2S:9aiWm162qJEsNiym16ryAiym168

Score

10^/10

chaos ransomware

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 3 IoCs

resource	yara_rule
behavioral10/memory/2072-1-0x0000000000420000-0x00000000004AE000-memory.dmp	family_chaos
behavioral10/files/0x0008000000023cbc-12.dat	family_chaos
behavioral10/files/0x0008000000023cc3-20.dat	family_chaos

Chaos family
chaos
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	Chaos Ransomware Builder v4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Chaos Ransomware Builder v4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	Chaos Ransomware Builder v4.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2072	Chaos Ransomware Builder v4.exe
2072	Chaos Ransomware Builder v4.exe
2072	Chaos Ransomware Builder v4.exe
2072	Chaos Ransomware Builder v4.exe
2072	Chaos Ransomware Builder v4.exe
2072	Chaos Ransomware Builder v4.exe
2072	Chaos Ransomware Builder v4.exe
2072	Chaos Ransomware Builder v4.exe
2072	Chaos Ransomware Builder v4.exe
2072	Chaos Ransomware Builder v4.exe
2072	Chaos Ransomware Builder v4.exe
2072	Chaos Ransomware Builder v4.exe
2072	Chaos Ransomware Builder v4.exe
2072	Chaos Ransomware Builder v4.exe
2072	Chaos Ransomware Builder v4.exe
2072	Chaos Ransomware Builder v4.exe
2072	Chaos Ransomware Builder v4.exe
2072	Chaos Ransomware Builder v4.exe
2072	Chaos Ransomware Builder v4.exe
2072	Chaos Ransomware Builder v4.exe
2072	Chaos Ransomware Builder v4.exe
2072	Chaos Ransomware Builder v4.exe
2072	Chaos Ransomware Builder v4.exe
2072	Chaos Ransomware Builder v4.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2072	Chaos Ransomware Builder v4.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2072	Chaos Ransomware Builder v4.exe
2072	Chaos Ransomware Builder v4.exe
2072	Chaos Ransomware Builder v4.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 4368	2072	Chaos Ransomware Builder v4.exe	105
PID 2072 wrote to memory of 4368	2072	Chaos Ransomware Builder v4.exe	105
PID 4368 wrote to memory of 1888	4368	csc.exe	107
PID 4368 wrote to memory of 1888	4368	csc.exe	107

C:\Users\Admin\AppData\Local\Temp\source\Cov29Cry\Chaos Ransomware Builder v4.exe
"C:\Users\Admin\AppData\Local\Temp\source\Cov29Cry\Chaos Ransomware Builder v4.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\04rcsqzz\04rcsqzz.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4368
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES437C.tmp" "c:\Users\Admin\Documents\CSC93A311291E59481E8DB74CFFCB47FE1B.TMP"
    3⤵
    PID:1888

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES437C.tmp

Filesize
1KB

MD5
14f560fb22fc1cdbe2b2e75df1d1af45

SHA1
85a1317443ad483b885e1e39e16d513679b0c37c

SHA256
5d27657df9cac5533a2629af7e1a012f136a1a34ddd2c253dd53cd65b388d95a

SHA512
a839618076c990ab59d0c748a647fc5484708a3674fad72923661545046c2501c614f473bccea8dafb80e276def31533ca92a57d453b416d9bfa0a430eeee950

Download Submit
C:\Users\Admin\Documents\cookedo.exe

Filesize
23KB

MD5
adc3f720b1cdfa580737c30c62e969b7

SHA1
5f1939cdbf541ea47098b5aa4bdaa544a85a0882

SHA256
f66b46db3ee41726d7063a3a7af0fae48fab4660c99ae53843974805a34511b9

SHA512
671ffe99d1dc4af7660be37ea37aeeff0c12d3a8ca1224cab83a5d8eb18aadba926ad11bcd1dce879d302556d62a657d69cfa87f76af74bff73668d756d4d31e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\04rcsqzz\04rcsqzz.0.cs

Filesize
30KB

MD5
76e03563ee3ab915bce443d213332ee7

SHA1
145d7da3c060b50eec81085a8fd05fcc3d849e78

SHA256
4c83fba26f2af551ca9044aca13e24ee109228b0c06563ebe75e36a0d294c607

SHA512
d40bb7d1d1427557198332d7ccd82182179a5cf2d61d0674f16d1b80104d6a1b111473f32965bbdb48f9e98ac386be5bf0bff7a0f80121bed58e6a482731bc1f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\04rcsqzz\04rcsqzz.cmdline

Filesize
335B

MD5
d86930023c4e92da95e3c64ee41472e8

SHA1
ab3fe48a0679ba7fb3ba3620ed85cfc70128482d

SHA256
b5635c4585b856650cfefaf3527aba3cf617a3869936c6ff9e2299c2af5fd60c

SHA512
6a1252cf0c75c742f64c4ebae765ba3ecd1d549d59b944258f4e70a392325c3f8d62d6bfdb54a584868ae9dd6b27bedfe55804bd41f554fbdcc46b3ce3d3c1d8

Download Submit
\??\c:\Users\Admin\Documents\CSC93A311291E59481E8DB74CFFCB47FE1B.TMP

Filesize
1KB

MD5
59297da0bd053e52e03c23724898ad9c

SHA1
566a2377811a4d34766c53fe1e71d6ed8bc2e16e

SHA256
1333be3f6e313464b8a6daf26043c16cca4027a750fb4a73216bc64704a36fa3

SHA512
ef06014d92729f1df7dddeb03fd2871207ae0643643ec5173701266b21151ba403c0c02cd343e5619dc3267753434fd90c5c6ad9d2a191da29d59e87d0b83523

Download Submit
memory/2072-3-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

Filesize
10.8MB

Download
memory/2072-6-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

Filesize
10.8MB

Download
memory/2072-7-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

Filesize
10.8MB

Download
memory/2072-5-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

Filesize
10.8MB

Download
memory/2072-4-0x00007FF8E8383000-0x00007FF8E8385000-memory.dmp

Filesize
8KB

Download
memory/2072-0-0x00007FF8E8383000-0x00007FF8E8385000-memory.dmp

Filesize
8KB

Download
memory/2072-2-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

Filesize
10.8MB

Download
memory/2072-1-0x0000000000420000-0x00000000004AE000-memory.dmp

Filesize
568KB

Download
memory/2072-23-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

Filesize
10.8MB

Download