chaos | f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77

Analysis

max time kernel
94s
max time network
97s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
01/12/2024, 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Chaos Ransomware Builder v4.exe
Size

550KB
MD5

8b855e56e41a6e10d28522a20c1e0341
SHA1

17ea75272cfe3749c6727388fd444d2c970f9d01
SHA256

f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77
SHA512

eefab442b9c1be379e00c6a7de9d6d7d327ad8fd52d62a5744e104f6caa44f7147a8e74f340870f9c017980a3d8a5a86a05f76434539c01270c442a66b2af908
SSDEEP

3072:9UJAYdi2YcRVm16Pn6tpzqJG/sX9i2YcRPm16Pn6ckCjSH5EyR9aKZt18rTu+i2S:9aiWm162qJEsNiym16ryAiym168

Score

10^/10

chaos ransomware spyware stealer

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 4 IoCs

resource	yara_rule
behavioral2/memory/4820-1-0x00000000000F0000-0x000000000017E000-memory.dmp	family_chaos
behavioral2/files/0x001a00000002ab02-11.dat	family_chaos
behavioral2/files/0x001a00000002ab07-22.dat	family_chaos
behavioral2/memory/248-23-0x00000000002D0000-0x00000000002DC000-memory.dmp	family_chaos

Chaos family
chaos

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
248	123.exe
3360	svchost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 34 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2410826464-2353372766-2364966905-1000\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 57 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe110000001c31590bae18db017395d070b318db017395d070b318db0114000000	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	Chaos Ransomware Builder v4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	Chaos Ransomware Builder v4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	Chaos Ransomware Builder v4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Chaos Ransomware Builder v4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Chaos Ransomware Builder v4.exe
Key created	\Registry\User\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\NotificationData	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Chaos Ransomware Builder v4.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3140	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3360	svchost.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
4820	Chaos Ransomware Builder v4.exe
4820	Chaos Ransomware Builder v4.exe
4820	Chaos Ransomware Builder v4.exe
4820	Chaos Ransomware Builder v4.exe
4820	Chaos Ransomware Builder v4.exe
4820	Chaos Ransomware Builder v4.exe
4820	Chaos Ransomware Builder v4.exe
4820	Chaos Ransomware Builder v4.exe
4820	Chaos Ransomware Builder v4.exe
4820	Chaos Ransomware Builder v4.exe
4820	Chaos Ransomware Builder v4.exe
4820	Chaos Ransomware Builder v4.exe
4820	Chaos Ransomware Builder v4.exe
4820	Chaos Ransomware Builder v4.exe
4820	Chaos Ransomware Builder v4.exe
4820	Chaos Ransomware Builder v4.exe
4820	Chaos Ransomware Builder v4.exe
4820	Chaos Ransomware Builder v4.exe
4820	Chaos Ransomware Builder v4.exe
248	123.exe
248	123.exe
248	123.exe
248	123.exe
248	123.exe
248	123.exe
248	123.exe
248	123.exe
248	123.exe
248	123.exe
248	123.exe
248	123.exe
248	123.exe
248	123.exe
248	123.exe
248	123.exe
248	123.exe
248	123.exe
248	123.exe
3360	svchost.exe
3360	svchost.exe
3360	svchost.exe
3360	svchost.exe
3360	svchost.exe
3360	svchost.exe
3360	svchost.exe
3360	svchost.exe
3360	svchost.exe
3360	svchost.exe
3360	svchost.exe
3360	svchost.exe
3360	svchost.exe
3360	svchost.exe
3360	svchost.exe
3360	svchost.exe
3360	svchost.exe
3360	svchost.exe
3360	svchost.exe
3360	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4820	Chaos Ransomware Builder v4.exe
Token: SeDebugPrivilege	248	123.exe
Token: SeDebugPrivilege	3360	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4820	Chaos Ransomware Builder v4.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 5112	4820	Chaos Ransomware Builder v4.exe	79
PID 4820 wrote to memory of 5112	4820	Chaos Ransomware Builder v4.exe	79
PID 5112 wrote to memory of 4532	5112	csc.exe	81
PID 5112 wrote to memory of 4532	5112	csc.exe	81
PID 248 wrote to memory of 3360	248	123.exe	86
PID 248 wrote to memory of 3360	248	123.exe	86
PID 3360 wrote to memory of 3140	3360	svchost.exe	87
PID 3360 wrote to memory of 3140	3360	svchost.exe	87

C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe
"C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kuue30ar\kuue30ar.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE30D.tmp" "c:\Users\Admin\Desktop\CSC42FBFDC1A0E54EE6A19AB527708C6540.TMP"
    3⤵
    PID:4532

C:\Users\Admin\Desktop\123.exe
"C:\Users\Admin\Desktop\123.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:248
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:3140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE30D.tmp

Filesize
1KB

MD5
395b0d542c0040215770173e8673c71f

SHA1
e2c024c4c8c25711d1735f430b482a3dd5155a64

SHA256
7a83c0e8fee2b7bf40cc413609706fa381d67fedc93bc092c507d925ac4a1b07

SHA512
188c53783ddce76f1471717d2c5379647e906479bb35ebbe48c01ee79f608de34acd833ad1d6d74dc2dce4c9d593bddd8b4c86127a928ddc24741076a719218c

Download Submit
C:\Users\Admin\Desktop\123.exe

Filesize
21KB

MD5
3e08c6a6046359864f9b9ae20ecf386e

SHA1
26e4a9067c9f1fe867640b072860b7283cd32f84

SHA256
818e92554c0e817f8d31de30f81961ecf9ff23d2b8c2c5f253852f5de63a57e7

SHA512
6661d5568a22de97b2d4a26de9c8df9638b7255ea28738a0f1107d7303878c105b31ef8e1fe88dbf6c190046173e09fc750a282e31bbed668a908c4092f11eb9

Download Submit
C:\Users\Admin\Desktop\read_it.txt

Filesize
8B

MD5
489af8f31a5c7a455eb58447bc18bcfc

SHA1
c104b12924586019a69bb1b8b80bffea1a3c5e3b

SHA256
510c5962491beb1c943242159169e89fe810947affbfd61a7d9b527aa13d4292

SHA512
6976f0bdcd85cae947907a77535ca83f2d1e77db9ac46136ceb47e4cc1600e2d93725ff744a90d488e079baec2ee7f5bc1bc10ddfcbc4c3546eca2f6f8458723

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kuue30ar\kuue30ar.0.cs

Filesize
29KB

MD5
d4c0cfd2fb38ef6a48eef0eb9918ae5f

SHA1
2f7ad2c4c2668b1738dcea4fd9295c972aac164e

SHA256
07d700bb34d614fd43777ddf3f9c477781ace33785ecab06734f0f0e3e475853

SHA512
d0254957ddb252431d56a341dcf8346f48a70a33a46561c48a93d79ff233d50c7513670e885f7c14cffd5a949ab2263a90b02d870318e3c19b99afb1451e45ab

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kuue30ar\kuue30ar.cmdline

Filesize
329B

MD5
0dc99c4c47f96d8a70e01a30995c57e0

SHA1
bc5bea3445b659eb8122bb8272f88efc0a65e117

SHA256
78132aa6c7625eeb8549d85ce2936b594c81dfb1fdf17f3cbafea78cb18479d3

SHA512
89ebf1be180f80f08408c307d48bbb51193298367be85c589ac6e4adefbafdf4623017f1a8d5144a6ab1b9b2dcdb55aded0e0dd7d8398764ddc911cc8cb60269

Download Submit
\??\c:\Users\Admin\Desktop\CSC42FBFDC1A0E54EE6A19AB527708C6540.TMP

Filesize
1KB

MD5
5f836ebb68ad0971adf50d08a00fb498

SHA1
59ba6ae7f8c218bd8f340142e88d5129e52640de

SHA256
1f85819bb24593bbfcf03c85e593cc0081235562d0f761f766683659437cb763

SHA512
6c4ba6fbc594109f9286046e5deba323f8d25eb6806438e3db7a20e2adc57071c279e42b5d7b3452703bd5cfe01c20d098e66e0f6fffa414033e4be392a96c39

Download Submit
memory/248-23-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/4820-3-0x00007FF952210000-0x00007FF952CD2000-memory.dmp

Filesize
10.8MB

Download
memory/4820-6-0x00007FF952210000-0x00007FF952CD2000-memory.dmp

Filesize
10.8MB

Download
memory/4820-5-0x00007FF952213000-0x00007FF952215000-memory.dmp

Filesize
8KB

Download
memory/4820-4-0x00007FF952210000-0x00007FF952CD2000-memory.dmp

Filesize
10.8MB

Download
memory/4820-20-0x00007FF952210000-0x00007FF952CD2000-memory.dmp

Filesize
10.8MB

Download
memory/4820-0-0x00007FF952213000-0x00007FF952215000-memory.dmp

Filesize
8KB

Download
memory/4820-2-0x00007FF952210000-0x00007FF952CD2000-memory.dmp

Filesize
10.8MB

Download
memory/4820-1-0x00000000000F0000-0x000000000017E000-memory.dmp

Filesize
568KB

Download