Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-11-2024 11:14

General

  • Target

    Chaos Ransomware Builder v4.exe

  • Size

    550KB

  • MD5

    8b855e56e41a6e10d28522a20c1e0341

  • SHA1

    17ea75272cfe3749c6727388fd444d2c970f9d01

  • SHA256

    f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77

  • SHA512

    eefab442b9c1be379e00c6a7de9d6d7d327ad8fd52d62a5744e104f6caa44f7147a8e74f340870f9c017980a3d8a5a86a05f76434539c01270c442a66b2af908

  • SSDEEP

    3072:9UJAYdi2YcRVm16Pn6tpzqJG/sX9i2YcRPm16Pn6ckCjSH5EyR9aKZt18rTu+i2S:9aiWm162qJEsNiym16ryAiym168

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\read_it.txt

Family

chaos

Ransom Note
----> Chaos is multi language ransomware. Translate your note to any language <----

All of your files have been encrypted
Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.

What can I do to get my files back?
You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.
The price for the software is $1,500. Payment can be made in Bitcoin only.

How do I pay, where do I get Bitcoin?
Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin.
Many of our customers have reported these sites to be fast and reliable:
Coinmama - hxxps://www.coinmama.com
Bitpanda - hxxps://www.bitpanda.com

Payment information
Amount: 0.1473766 BTC
Bitcoin Address: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 5 IoCs
  • Chaos family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 34 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 31 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe
    "C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe"
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1852
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jqglezye\jqglezye.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F6B.tmp" "c:\Users\Admin\Documents\CSC59A5452B9E0E4B1582B637EB88E4A97.TMP"
        3⤵
          PID:2568
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
        PID:2840
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        1⤵
          PID:3044
        • C:\Windows\system32\AUDIODG.EXE
          C:\Windows\system32\AUDIODG.EXE 0x4ec
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1120
        • C:\Users\Admin\Documents\saves.exe
          "C:\Users\Admin\Documents\saves.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2620
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            "C:\Users\Admin\AppData\Roaming\svchost.exe"
            2⤵
            • Drops startup file
            • Executes dropped EXE
            • Drops desktop.ini file(s)
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2892
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2656
              • C:\Windows\system32\vssadmin.exe
                vssadmin delete shadows /all /quiet
                4⤵
                • Interacts with shadow copies
                PID:1512
              • C:\Windows\System32\Wbem\WMIC.exe
                wmic shadowcopy delete
                4⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1232
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2120
              • C:\Windows\system32\bcdedit.exe
                bcdedit /set {default} bootstatuspolicy ignoreallfailures
                4⤵
                • Modifies boot configuration data using bcdedit
                PID:2300
              • C:\Windows\system32\bcdedit.exe
                bcdedit /set {default} recoveryenabled no
                4⤵
                • Modifies boot configuration data using bcdedit
                PID:376
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2968
              • C:\Windows\system32\wbadmin.exe
                wbadmin delete catalog -quiet
                4⤵
                • Deletes backup catalog
                PID:1472
            • C:\Windows\system32\NOTEPAD.EXE
              "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
              3⤵
              • Opens file in notepad (likely ransom note)
              PID:1920
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:944
        • C:\Windows\system32\wbengine.exe
          "C:\Windows\system32\wbengine.exe"
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:888
        • C:\Windows\System32\vdsldr.exe
          C:\Windows\System32\vdsldr.exe -Embedding
          1⤵
            PID:324
          • C:\Windows\System32\vds.exe
            C:\Windows\System32\vds.exe
            1⤵
              PID:2496
            • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
              "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
              1⤵
              • System Location Discovery: System Language Discovery
              • Enumerates system info in registry
              • Suspicious behavior: AddClipboardFormatListener
              • Suspicious use of SetWindowsHookEx
              PID:2720

Network

MITRE ATT&CK Enterprise v15


Downloads

            • C:\Users\Admin\AppData\Local\Temp\RES9F6B.tmp

              Filesize

              1KB

              MD5

              a3261fef97a98f26d5573cddd0b09716

              SHA1

              dd4a1fdbec600cafbeafcf8d48ebfa16821d773b

              SHA256

              e43bc3b57c380e158242653e1b4eeadceca5eff48cdcea501d4dc3775c316a74

              SHA512

              4dc2a5fc5cf7a83b3546e15412967bd48585774a26dfaa51869a8f007138b2d2adbce803fa552ebe36e774c6d0db466aa5bab602728a8e9d10590e44305af0e2

            • C:\Users\Admin\Desktop\read_it.txt

              Filesize

              964B

              MD5

              4217b8b83ce3c3f70029a056546f8fd0

              SHA1

              487cdb5733d073a0427418888e8f7070fe782a03

              SHA256

              7d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121

              SHA512

              2a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740

            • C:\Users\Admin\Documents\saves.exe

              Filesize

              23KB

              MD5

              b494f33d26d5cb94d7df3604b28c391e

              SHA1

              6d7ffaff012f0990586bc41d1c7a70a6dcba14c9

              SHA256

              23044abd2d77b2100d5570b9ab98b3d551b37ead34598b16777ac2cda5db4d89

              SHA512

              2bccebc5768d3c9e0873f1035219fb273b037c4c63b02afcd2b89de30f0224c5ce71fe130e920c2745af7ebd0b5f79fe79c05db1d2259fb7ca2a516f08dd151a

            • \??\c:\Users\Admin\AppData\Local\Temp\jqglezye\jqglezye.0.cs

              Filesize

              30KB

              MD5

              69a0c4b88273f83d39c81e19826dadb7

              SHA1

              c5845061439348ed2f87349786a82703f53d5825

              SHA256

              ece2241f4981c1c7ee48e3ed6f14ce087510000c0f4a9776e6fc0c254ec08a7a

              SHA512

              371d0917cabff198f08c60558f4d0f26e82af6849ac56e8437b511ef2c1e8447e57256307475f2d9d543f57a846f78eab7604ed9509cb6d69a2bfb244bb5c62b

            • \??\c:\Users\Admin\AppData\Local\Temp\jqglezye\jqglezye.cmdline

              Filesize

              333B

              MD5

              328ed89629e6def1937fae5fc6c6ee15

              SHA1

              86e3b07488e1db2cb6704c676591c02a141392ae

              SHA256

              817a8bcd1abfb7f0656d28926db2cd18aedc426f932cf8d392ef5a474ba6611e

              SHA512

              d6625e9912236266a932c216ee419c9604b78863a35af187acdba0190da1238726c04634c6fa7000f44fec6afba62a3e97a652895be6752b64adf26fd06b3c1d

            • \??\c:\Users\Admin\Documents\CSC59A5452B9E0E4B1582B637EB88E4A97.TMP

              Filesize

              1KB

              MD5

              c02cf2d379432ffbf7f981821d759125

              SHA1

              5c77f4e7ea93c6d8050a1aa5025857b6ea2ccdb5

              SHA256

              35bac091a04360b150cdd58d76f9dfcb541b5814f676547dfb31160d43cfefc0

              SHA512

              8313696e76becec1ff48915a3498ed01cc44bba59fd2cc05f70ad18af70d3581d91fefe4c6a3ac51458682b7782d6d116c5df9bc779f94316ad4a33032647c3a

            • memory/1852-4-0x000007FEF5B73000-0x000007FEF5B74000-memory.dmp

              Filesize

              4KB

            • memory/1852-7-0x000000001EFF0000-0x000000001F000000-memory.dmp

              Filesize

              64KB

            • memory/1852-6-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

              Filesize

              9.9MB

            • memory/1852-5-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

              Filesize

              9.9MB

            • memory/1852-0-0x000007FEF5B73000-0x000007FEF5B74000-memory.dmp

              Filesize

              4KB

            • memory/1852-3-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

              Filesize

              9.9MB

            • memory/1852-20-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

              Filesize

              9.9MB

            • memory/1852-2-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

              Filesize

              9.9MB

            • memory/1852-1-0x0000000000BF0000-0x0000000000C7E000-memory.dmp

              Filesize

              568KB

            • memory/2620-23-0x0000000001370000-0x000000000137C000-memory.dmp

              Filesize

              48KB

            • memory/2720-93-0x000000005FFF0000-0x0000000060000000-memory.dmp

              Filesize

              64KB

            • memory/2720-95-0x000000005FFF0000-0x0000000060000000-memory.dmp

              Filesize

              64KB

            • memory/2892-29-0x0000000000AC0000-0x0000000000ACC000-memory.dmp

              Filesize

              48KB