Extracted

• • Target

    RansomewareBuilder.exe

  • Size

    5.4MB

  • MD5

    e326e0bb654c0c28d1683c3f740e9a9d

  • SHA1

    9c1cbd909ab5897532c11be445cf8384f71ee9b7

  • SHA256

    aad594c4d58ad64350c4e9b4314dcf7fa5b8bb70eb41b0d20f6a0c49a058086c

  • SHA512

    86c01e92a90ee6573e2f0e384191f0b4ee56ddb92ad9bd8023cbf86a4566d999d56e186eacdfc0ce6f0bb3c4960def13beacb067444a1a229ad7d58d81ba5f91

  • SSDEEP

    49152:NuKIx29kk3sN2rEt/U964aKjSEvoYY+A2N:

  Score

  10^/10

  chaosdefense_evasionevasionexecutionimpactpersistenceransomwarespywarestealer

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos

  • Chaos Ransomware

  • Chaos family

    chaos

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Renames multiple (198) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Deletes backup catalog

    Uses wbadmin.exe to inhibit system recovery.

    ransomware

  • Disables Task Manager via registry modification

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Sets desktop wallpaper using registry

    ransomware
  behavioral1behavioral2