Overview

overview

10

Static

static

10

Chaos Rans...v4.exe

windows7-x64

10

Chaos Rans...v4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-11-2024 01:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Chaos Ransomware Builder v4.exe

  • Size

    550KB

  • MD5

    8b855e56e41a6e10d28522a20c1e0341

  • SHA1

    17ea75272cfe3749c6727388fd444d2c970f9d01

  • SHA256

    f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77

  • SHA512

    eefab442b9c1be379e00c6a7de9d6d7d327ad8fd52d62a5744e104f6caa44f7147a8e74f340870f9c017980a3d8a5a86a05f76434539c01270c442a66b2af908

  • SSDEEP

    3072:9UJAYdi2YcRVm16Pn6tpzqJG/sX9i2YcRPm16Pn6ckCjSH5EyR9aKZt18rTu+i2S:9aiWm162qJEsNiym16ryAiym168

Score
10/10
chaosransomwarespywarestealer

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos
  • Chaos Ransomware 4 IoCs
  • Chaos family
    chaos
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 34 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 58 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 45 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe
    "C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe"
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1088
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dh3xhebv\dh3xhebv.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4328
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD443.tmp" "c:\Users\Admin\Downloads\CSCF39FDB26F5BD4C09A83E80E9C240FA.TMP"
        3⤵
          PID:3856
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:1628
      • C:\Users\Admin\Downloads\test.exe
        "C:\Users\Admin\Downloads\test.exe"
        1⤵
        • Checks computer location settings
        • Drops startup file
        • Executes dropped EXE
        • Drops desktop.ini file(s)
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3192
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
          2⤵
          • Opens file in notepad (likely ransom note)
          • Suspicious use of FindShellTrayWindow
          PID:1948
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\read_it.txt
        1⤵
        • Opens file in notepad (likely ransom note)
        PID:3236

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RESD443.tmp
        Filesize

        1KB

        MD5

        a54d71bda36b758371790d531e5dc3e6

        SHA1

        b05a12ef688daa01619d797f35c92bd8728b0a0b

        SHA256

        29baa43d1be22b64f7ed73776479f338079794dc79fd1f0262f6e2d505123765

        SHA512

        906e2a35f9dd1697aff8ac645daaecac8c4423c35040cb7cc8f8ec85bc973dcd6c1ea7be7b1fe9588ce8bbd77f691b992bbefeb1bba2ebad5b78abdef347a9fe

        Download Submit

      • C:\Users\Admin\Documents\read_it.txt
        Filesize

        8B

        MD5

        545bf515e72dd243fb9d0ebd736714d6

        SHA1

        b9d6cea96f73d2965be5a23bfef3a7df7d2817ba

        SHA256

        5b0926e5b01feb50b0c9ede29cdd69eb124c2f563ce20937409d34991722bfcc

        SHA512

        c469aa74bfa7bd669f09884f5b9e9f0db6e64a6705c35b1a0d4121021eb1789a3a59e0b40e59bfad5807eb14afce61c2cd54a27e32e9aa81cbacb42785ac4336

        Download Submit

      • C:\Users\Admin\Downloads\test.exe
        Filesize

        21KB

        MD5

        924b56881fef779447cedaed99ad7c5d

        SHA1

        5c1919d921310c902d6adb0596ca9d5aa9656856

        SHA256

        4c7825c290cc4df2751d1f325fabaf3db59dc8fc742de1fd01b148539787f543

        SHA512

        cf042154b0c08d54d0868c6fffdd6d4911911953b9adb5f0b8aaeaf5c119b6725167d018351f6a0fc477070f122e078a1e3330600f2be51d929cdd6a17e95f30

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\dh3xhebv\dh3xhebv.0.cs
        Filesize

        30KB

        MD5

        bd3c0e54b1908b2182e6a4ac386c3f85

        SHA1

        199c351359496aa15538a24309639194ce7669d8

        SHA256

        103ba27618f62846270f4b7c01b3568279466d9c4a55418c04e0efc32fa78b74

        SHA512

        f5aab83ca3e20223612328db442f391856fb4e69ca8703ae15cc1c833fa3da993b26fa3dbd7220cc48b667de3879626a9c5710240c144f019906551908253473

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\dh3xhebv\dh3xhebv.cmdline
        Filesize

        332B

        MD5

        c39205393bec8dd161a7ab0c01355359

        SHA1

        3bef5ea99229421d4f4bb4452d775b8fe4812fe3

        SHA256

        38494b47c258f9e3dbc0f585ec9f975256cd3ff740c08173effc8904c5f4ee4b

        SHA512

        f58768e94ee58278824bed7da9b405e099d5f203436c4a3cf279e29407bc8903d075ed32b0e1035cefe7993e28b1f25b135d8e6219f7d9e16fe5cf3e06372054

        Download Submit

      • \??\c:\Users\Admin\Downloads\CSCF39FDB26F5BD4C09A83E80E9C240FA.TMP
        Filesize

        1KB

        MD5

        4a8b69d1b2c8695736b8c2273da513dc

        SHA1

        6519bfd357318ebc69831e8c9a12626c5a34dc2e

        SHA256

        d9edfacf147f183b116c4ba680fe1087d13f04fa7dc92ca7e9bc9f2fdbca24b6

        SHA512

        e4bf306c4ff1b6be85fa7824ba7e9c50906e965553fcbcb9debd966220b0328134d99ceedc6d563296332056c243dd310e8fe36e2fee2c3864f7aa67fde225e5

        Download Submit

      • memory/1088-6-0x000000001B6C0000-0x000000001B869000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/1088-20-0x000000001B6C0000-0x000000001B869000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/1088-8-0x00007FFA5E2C0000-0x00007FFA5ED81000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1088-9-0x00007FFA5E2C0000-0x00007FFA5ED81000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1088-10-0x000000001B6C0000-0x000000001B869000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/1088-11-0x00007FFA5E2C0000-0x00007FFA5ED81000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1088-12-0x00007FFA5E2C0000-0x00007FFA5ED81000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1088-13-0x000000001B6C0000-0x000000001B869000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/1088-19-0x000000001B6C0000-0x000000001B869000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/1088-7-0x000000001B6C0000-0x000000001B869000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/1088-21-0x000000001B6C0000-0x000000001B869000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/1088-0-0x00007FFA5E2C3000-0x00007FFA5E2C5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1088-5-0x00007FFA5E2C0000-0x00007FFA5ED81000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1088-4-0x00007FFA5E2C3000-0x00007FFA5E2C5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1088-3-0x00007FFA5E2C0000-0x00007FFA5ED81000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1088-35-0x000000001B6C0000-0x000000001B869000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/1088-36-0x00007FFA5E2C0000-0x00007FFA5ED81000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1088-2-0x00007FFA5E2C0000-0x00007FFA5ED81000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1088-1-0x00000000007E0000-0x000000000086E000-memory.dmp

        Filesize

        568KB

        Download

      • memory/3192-39-0x0000000000980000-0x000000000098C000-memory.dmp

        Filesize

        48KB

        Download