Analysis

  • max time kernel
    71s
  • max time network
    64s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags
    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    25-11-2024 02:23

General

  • Target

    https://cdn.discordapp.com/attachments/1308616008101269526/1310430117843046440/Chaos_Ransomware_Builder_v4.exe?ex=674530a6&is=6743df26&hm=77c5ef4ffed41ac87fab65e00e50e68702e6fc09940f8fb8fde82c3c6fbbcc0b&

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 2 IoCs
  • Chaos family
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 32 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1308616008101269526/1310430117843046440/Chaos_Ransomware_Builder_v4.exe?ex=674530a6&is=6743df26&hm=77c5ef4ffed41ac87fab65e00e50e68702e6fc09940f8fb8fde82c3c6fbbcc0b&
    1⤵
    • Drops file in Windows directory
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4696
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffccea6cc40,0x7ffccea6cc4c,0x7ffccea6cc58
      2⤵
      PID:4704
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2064,i,12294703492472124678,5563764969246372558,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2068 /prefetch:2
      2⤵
      PID:4164
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1932,i,12294703492472124678,5563764969246372558,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2484 /prefetch:3
      2⤵
      PID:5116
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2116,i,12294703492472124678,5563764969246372558,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2424 /prefetch:8
      2⤵
      PID:4656
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,12294703492472124678,5563764969246372558,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3164 /prefetch:1
      2⤵
      PID:3928
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,12294703492472124678,5563764969246372558,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3260 /prefetch:1
      2⤵
      PID:2224
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5044,i,12294703492472124678,5563764969246372558,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5056 /prefetch:8
      2⤵
      PID:2612
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5068,i,12294703492472124678,5563764969246372558,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5092 /prefetch:8
      2⤵
      PID:2832
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5396,i,12294703492472124678,5563764969246372558,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5404 /prefetch:8
      2⤵
      PID:3184
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4472,i,12294703492472124678,5563764969246372558,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4460 /prefetch:8
      2⤵
      PID:3148
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    1⤵
    PID:4692
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
    1⤵
    PID:3320
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2392
  • C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe
    "C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe"
    1⤵
    • Executes dropped EXE
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:3772

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
    Filesize: 649B
    MD5: 44ba3b3d169df6851b017c0348ceff8f
    SHA1: 29852b73b48859c6d0a79deb8ca941868f341fd1
    SHA256: b76864f5879c72890f15cc9e6c6bd229196ba46e5319022f4cd031314e7ec23a
    SHA512: f0d28bcd7745121705b0f0e42534badbfaa88a651b320cd4795aa18224c94a3efc8e8c9f66c8878a34d07a92ab08cb1734f90265ad810e5d0179224f7ddf861c

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
    Filesize: 2KB
    MD5: 5cefa7167ca7a7729f883781d1a12a81
    SHA1: 3a7da019163a1ec9e58149d8b0b1855722cdf1ab
    SHA256: ce4cfc395a59df0b30c9b3f2998f28ee4e8e9101624cb76b180b8d9c66f0a38b
    SHA512: 0f8921760f77ed1997a1ee99810ca05cdaf95d3b186aa8f95ed31f725a5e6e645d219f04e6adefe7923709f3d90afc876fe1eb033cbc44c9ba2bc1f51d9cf84b

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
    Filesize: 1KB
    MD5: 49969da7a3f845e3426566f30e0a0fbb
    SHA1: 5c7991bf9c9935dcb7ea398be495c2c0d12bd186
    SHA256: 2e09550a44225de5c97e9d5b5cc95c19c8bff2da394d85d317e5db59724dab4a
    SHA512: dc60f723e228303e482cf21a82561946282d95c85effb7561fca32f2cebebe0fad0e8942cbd4dee91ac175db0a99911be7771693cfac01a60706f9fb4602482d

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
    Filesize: 2B
    MD5: d751713988987e9331980363e24189ce
    SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
    SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
    SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 9KB
    MD5: 8051cae0116b65ac04fa40fec1aa41c1
    SHA1: f488020e43f66b2677b3d09ca14aec914ef48600
    SHA256: e64d3a7c4de9644d0e732292d20db7bc22385ea71b458102ceb86ea8dcdd5f15
    SHA512: a4359a258065a2735349f70dc6f6735bd5420fd3d49de5bc811ad63141b06ad82b2503d5b7b0876019bacd30635aa5a7bb4d2e92ca412520a5c92c65a85ab9fd

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 9KB
    MD5: 6344ef6c626fbd7e790dee7c3a734372
    SHA1: 06de594898762aa50e19ee0cf856a6ef2348b8e9
    SHA256: 16ea5464d9eb54bed2ee617bf9a35b804bf64be2cb0b21e5a34429f5f291dd95
    SHA512: 8d6bb5fd1a8161c553a855203b2975ee0af6ac7909884395f98aa03f9ff3b94a9c97f3642a668258ea7c06edbb7d7cd4b75c7c970e6599665e31bbcd717fea61

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 9KB
    MD5: 58e1b6ce3cfb4df0ed43f8c01c471133
    SHA1: 88bc0b259f57ef4c932f9a6fe83b15734d4e8227
    SHA256: 26f3bbc1893479ca513032e724faff2904903ba4e1528c6456882dacf11c7ed5
    SHA512: ebcb2ec64596e58bf516ce2a26981fd7454e73d7820308e51bf3ca1dbec935791017e9e2d276709670acd813d6a79409f1e1db0664e3917aabdce334b9450b7e

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 9KB
    MD5: 30ea85fc636778ccfcc5fe9eedfd3b66
    SHA1: 442e203edea2425423414577e752c4abb64295a3
    SHA256: be0eb331f1b015e7e015e496a37d249d092d1c6ca8a5bea4b722e241228285b5
    SHA512: 156f3ca0e5543a78147db39b0ae475a009cf8975d1c0614255a0dd7bc2d90ca57c87af7e438d8e7e9ac0dbabb3740e8020a7cdb5fccbfd9c3dac0b8754d414e3

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 9KB
    MD5: 056b917228d63a823e829126d9af1d9e
    SHA1: 91f8b8d60c4170bb379b8ed325b9a02f56e9e20f
    SHA256: 7563c95c563adb53f5624fe559c6bbed43fcdceb7942e222828bbcf461ac8a5e
    SHA512: 828933bafab2a4b624f8e2b70a15e28ae934a2852fab69c424a092ffe147b3888517311095ae5aa6f5c2c4244dadf88e55ab1966e96e55fec7b8d1e6739537c8

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
    Filesize: 118KB
    MD5: f4166eed4ac4498db1f8f1ff2153a0ed
    SHA1: afad548db038a16029fa73f5e2d13fc88afeece0
    SHA256: 75ce915cdc4d9bdec8a89ed0bfedae51c260aacd5016b8fb776c70315a52fbc2
    SHA512: e00eb257595211919a9fe389d8dd4e120f12403ef170f03574e15e7476d8acece5d597990df3a871370314dd50488d07d328aac05020ab0340d6da3e607a33e7

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
    Filesize: 118KB
    MD5: 9644b5ef12b9d41b0778844af6e7bf30
    SHA1: 6f7c1db38c81d201dea24c9d3f8d001d6b63f2f3
    SHA256: 1e11e8f03a73772ae155435abfe1479a1ceb75115d4375165426cf4b924ee90b
    SHA512: ca35e2791d08824cb41d78e168dfdc8383c98cdd64fd8952a79a07ce4496389c3e843d8698a10f2e0234c4254f1dcacd4fd493265e0701c3996f0ca3b47ef435

  • C:\Users\Admin\Downloads\Unconfirmed 137949.crdownload
    Filesize: 550KB
    MD5: 8b855e56e41a6e10d28522a20c1e0341
    SHA1: 17ea75272cfe3749c6727388fd444d2c970f9d01
    SHA256: f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77
    SHA512: eefab442b9c1be379e00c6a7de9d6d7d327ad8fd52d62a5744e104f6caa44f7147a8e74f340870f9c017980a3d8a5a86a05f76434539c01270c442a66b2af908

  • memory/3772-56-0x00007FFCBA110000-0x00007FFCBABD2000-memory.dmp
    Filesize: 10.8MB

  • memory/3772-72-0x00007FFCBA113000-0x00007FFCBA115000-memory.dmp
    Filesize: 8KB

  • memory/3772-73-0x00007FFCBA110000-0x00007FFCBABD2000-memory.dmp
    Filesize: 10.8MB

  • memory/3772-57-0x00007FFCBA110000-0x00007FFCBABD2000-memory.dmp
    Filesize: 10.8MB

  • memory/3772-55-0x00007FFCBA110000-0x00007FFCBABD2000-memory.dmp
    Filesize: 10.8MB

  • memory/3772-54-0x00007FFCBA110000-0x00007FFCBABD2000-memory.dmp
    Filesize: 10.8MB

  • memory/3772-53-0x0000000000D00000-0x0000000000D8E000-memory.dmp
    Filesize: 568KB

  • memory/3772-52-0x00007FFCBA113000-0x00007FFCBA115000-memory.dmp
    Filesize: 8KB