Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
325s -
max time network
326s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250128-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
02/02/2025, 13:31
Behavioral task
behavioral1
Sample
Chaos Ransomware Builder v4.exe
Resource
win10ltsc2021-20250128-en
General
-
Target
Chaos Ransomware Builder v4.exe
-
Size
550KB
-
MD5
8b855e56e41a6e10d28522a20c1e0341
-
SHA1
17ea75272cfe3749c6727388fd444d2c970f9d01
-
SHA256
f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77
-
SHA512
eefab442b9c1be379e00c6a7de9d6d7d327ad8fd52d62a5744e104f6caa44f7147a8e74f340870f9c017980a3d8a5a86a05f76434539c01270c442a66b2af908
-
SSDEEP
3072:9UJAYdi2YcRVm16Pn6tpzqJG/sX9i2YcRPm16Pn6ckCjSH5EyR9aKZt18rTu+i2S:9aiWm162qJEsNiym16ryAiym168
Malware Config
Extracted
C:\Users\Admin\Documents\read_it.txt
chaos
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 4 IoCs
resource yara_rule behavioral1/memory/2276-1-0x0000000000800000-0x000000000088E000-memory.dmp family_chaos behavioral1/files/0x0007000000027e04-26.dat family_chaos behavioral1/files/0x0007000000027e0a-35.dat family_chaos behavioral1/memory/1308-37-0x0000000000BF0000-0x0000000000BFC000-memory.dmp family_chaos -
Chaos family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 988 bcdedit.exe 1492 bcdedit.exe -
Renames multiple (239) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
pid Process 4780 wbadmin.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000\Control Panel\International\Geo\Nation o.exe Key value queried \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000\Control Panel\International\Geo\Nation svchost.exe -
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt svchost.exe -
Executes dropped EXE 2 IoCs
pid Process 1308 o.exe 4380 svchost.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 31 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini svchost.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini svchost.exe File opened for modification C:\Users\Public\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Searches\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\Links\desktop.ini svchost.exe File opened for modification C:\Users\Public\Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini svchost.exe File opened for modification C:\Users\Public\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini svchost.exe File opened for modification C:\Users\Public\Desktop\desktop.ini svchost.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2839013668-2276131261-2828740280-1000\desktop.ini svchost.exe File opened for modification C:\Users\Public\Documents\desktop.ini svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName vds.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 4704 vssadmin.exe -
Modifies registry class 57 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" Chaos Ransomware Builder v4.exe Set value (data) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff Chaos Ransomware Builder v4.exe Set value (int) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2" Chaos Ransomware Builder v4.exe Set value (data) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e8005398e082303024b98265d99428e115f0000 Chaos Ransomware Builder v4.exe Key created \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell Chaos Ransomware Builder v4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Chaos Ransomware Builder v4.exe Set value (str) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}" Chaos Ransomware Builder v4.exe Key created \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} Chaos Ransomware Builder v4.exe Set value (str) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Downloads" Chaos Ransomware Builder v4.exe Set value (data) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 Chaos Ransomware Builder v4.exe Set value (int) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" Chaos Ransomware Builder v4.exe Key created \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell Chaos Ransomware Builder v4.exe Set value (data) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff Chaos Ransomware Builder v4.exe Set value (int) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" Chaos Ransomware Builder v4.exe Set value (int) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" Chaos Ransomware Builder v4.exe Set value (int) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" Chaos Ransomware Builder v4.exe Key created \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 Chaos Ransomware Builder v4.exe Key created \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell Chaos Ransomware Builder v4.exe Set value (str) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents" Chaos Ransomware Builder v4.exe Set value (int) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" Chaos Ransomware Builder v4.exe Key created \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg Chaos Ransomware Builder v4.exe Set value (data) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff Chaos Ransomware Builder v4.exe Set value (data) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff Chaos Ransomware Builder v4.exe Set value (int) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" Chaos Ransomware Builder v4.exe Set value (int) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" Chaos Ransomware Builder v4.exe Set value (int) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" Chaos Ransomware Builder v4.exe Set value (int) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" Chaos Ransomware Builder v4.exe Set value (str) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" Chaos Ransomware Builder v4.exe Set value (data) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff Chaos Ransomware Builder v4.exe Set value (data) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 Chaos Ransomware Builder v4.exe Set value (data) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e80922b16d365937a46956b92703aca08af0000 Chaos Ransomware Builder v4.exe Key created \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 Chaos Ransomware Builder v4.exe Set value (data) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 Chaos Ransomware Builder v4.exe Set value (data) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 Chaos Ransomware Builder v4.exe Key created \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 Chaos Ransomware Builder v4.exe Set value (int) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" Chaos Ransomware Builder v4.exe Set value (int) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" Chaos Ransomware Builder v4.exe Set value (data) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 Chaos Ransomware Builder v4.exe Set value (int) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "3" Chaos Ransomware Builder v4.exe Key created \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} Chaos Ransomware Builder v4.exe Set value (data) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff Chaos Ransomware Builder v4.exe Set value (data) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 Chaos Ransomware Builder v4.exe Set value (int) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" Chaos Ransomware Builder v4.exe Set value (str) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" Chaos Ransomware Builder v4.exe Set value (data) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 Chaos Ransomware Builder v4.exe Key created \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU Chaos Ransomware Builder v4.exe Key created \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 Chaos Ransomware Builder v4.exe Set value (int) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" Chaos Ransomware Builder v4.exe Key created \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 Chaos Ransomware Builder v4.exe Set value (data) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff Chaos Ransomware Builder v4.exe Set value (int) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257" Chaos Ransomware Builder v4.exe Key created \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings svchost.exe Key created \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings Chaos Ransomware Builder v4.exe Key created \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags Chaos Ransomware Builder v4.exe Set value (data) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff Chaos Ransomware Builder v4.exe Key created \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg Chaos Ransomware Builder v4.exe Set value (int) \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" Chaos Ransomware Builder v4.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 1416 NOTEPAD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4380 svchost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2276 Chaos Ransomware Builder v4.exe 2276 Chaos Ransomware Builder v4.exe 2276 Chaos Ransomware Builder v4.exe 2276 Chaos Ransomware Builder v4.exe 2276 Chaos Ransomware Builder v4.exe 2276 Chaos Ransomware Builder v4.exe 2276 Chaos Ransomware Builder v4.exe 2276 Chaos Ransomware Builder v4.exe 2276 Chaos Ransomware Builder v4.exe 2276 Chaos Ransomware Builder v4.exe 2276 Chaos Ransomware Builder v4.exe 2276 Chaos Ransomware Builder v4.exe 2276 Chaos Ransomware Builder v4.exe 2276 Chaos Ransomware Builder v4.exe 2276 Chaos Ransomware Builder v4.exe 2276 Chaos Ransomware Builder v4.exe 2276 Chaos Ransomware Builder v4.exe 2276 Chaos Ransomware Builder v4.exe 2276 Chaos Ransomware Builder v4.exe 2276 Chaos Ransomware Builder v4.exe 2276 Chaos Ransomware Builder v4.exe 1308 o.exe 1308 o.exe 1308 o.exe 1308 o.exe 1308 o.exe 1308 o.exe 1308 o.exe 1308 o.exe 1308 o.exe 1308 o.exe 1308 o.exe 1308 o.exe 1308 o.exe 1308 o.exe 1308 o.exe 1308 o.exe 1308 o.exe 1308 o.exe 1308 o.exe 4380 svchost.exe 4380 svchost.exe 4380 svchost.exe 4380 svchost.exe 4380 svchost.exe 4380 svchost.exe 4380 svchost.exe 4380 svchost.exe 4380 svchost.exe 4380 svchost.exe 4380 svchost.exe 4380 svchost.exe 4380 svchost.exe 4380 svchost.exe 4380 svchost.exe 4380 svchost.exe 4380 svchost.exe 4380 svchost.exe 4380 svchost.exe 4380 svchost.exe 4784 WMIC.exe 4784 WMIC.exe 4784 WMIC.exe 4784 WMIC.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2276 Chaos Ransomware Builder v4.exe -
Suspicious use of AdjustPrivilegeToken 51 IoCs
description pid Process Token: SeDebugPrivilege 2276 Chaos Ransomware Builder v4.exe Token: SeDebugPrivilege 1308 o.exe Token: SeDebugPrivilege 4380 svchost.exe Token: SeBackupPrivilege 1560 vssvc.exe Token: SeRestorePrivilege 1560 vssvc.exe Token: SeAuditPrivilege 1560 vssvc.exe Token: SeIncreaseQuotaPrivilege 4784 WMIC.exe Token: SeSecurityPrivilege 4784 WMIC.exe Token: SeTakeOwnershipPrivilege 4784 WMIC.exe Token: SeLoadDriverPrivilege 4784 WMIC.exe Token: SeSystemProfilePrivilege 4784 WMIC.exe Token: SeSystemtimePrivilege 4784 WMIC.exe Token: SeProfSingleProcessPrivilege 4784 WMIC.exe Token: SeIncBasePriorityPrivilege 4784 WMIC.exe Token: SeCreatePagefilePrivilege 4784 WMIC.exe Token: SeBackupPrivilege 4784 WMIC.exe Token: SeRestorePrivilege 4784 WMIC.exe Token: SeShutdownPrivilege 4784 WMIC.exe Token: SeDebugPrivilege 4784 WMIC.exe Token: SeSystemEnvironmentPrivilege 4784 WMIC.exe Token: SeRemoteShutdownPrivilege 4784 WMIC.exe Token: SeUndockPrivilege 4784 WMIC.exe Token: SeManageVolumePrivilege 4784 WMIC.exe Token: 33 4784 WMIC.exe Token: 34 4784 WMIC.exe Token: 35 4784 WMIC.exe Token: 36 4784 WMIC.exe Token: SeIncreaseQuotaPrivilege 4784 WMIC.exe Token: SeSecurityPrivilege 4784 WMIC.exe Token: SeTakeOwnershipPrivilege 4784 WMIC.exe Token: SeLoadDriverPrivilege 4784 WMIC.exe Token: SeSystemProfilePrivilege 4784 WMIC.exe Token: SeSystemtimePrivilege 4784 WMIC.exe Token: SeProfSingleProcessPrivilege 4784 WMIC.exe Token: SeIncBasePriorityPrivilege 4784 WMIC.exe Token: SeCreatePagefilePrivilege 4784 WMIC.exe Token: SeBackupPrivilege 4784 WMIC.exe Token: SeRestorePrivilege 4784 WMIC.exe Token: SeShutdownPrivilege 4784 WMIC.exe Token: SeDebugPrivilege 4784 WMIC.exe Token: SeSystemEnvironmentPrivilege 4784 WMIC.exe Token: SeRemoteShutdownPrivilege 4784 WMIC.exe Token: SeUndockPrivilege 4784 WMIC.exe Token: SeManageVolumePrivilege 4784 WMIC.exe Token: 33 4784 WMIC.exe Token: 34 4784 WMIC.exe Token: 35 4784 WMIC.exe Token: 36 4784 WMIC.exe Token: SeBackupPrivilege 2040 wbengine.exe Token: SeRestorePrivilege 2040 wbengine.exe Token: SeSecurityPrivilege 2040 wbengine.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2276 Chaos Ransomware Builder v4.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 2276 wrote to memory of 1900 2276 Chaos Ransomware Builder v4.exe 85 PID 2276 wrote to memory of 1900 2276 Chaos Ransomware Builder v4.exe 85 PID 1900 wrote to memory of 556 1900 csc.exe 87 PID 1900 wrote to memory of 556 1900 csc.exe 87 PID 1308 wrote to memory of 4380 1308 o.exe 95 PID 1308 wrote to memory of 4380 1308 o.exe 95 PID 4380 wrote to memory of 1996 4380 svchost.exe 97 PID 4380 wrote to memory of 1996 4380 svchost.exe 97 PID 1996 wrote to memory of 4704 1996 cmd.exe 99 PID 1996 wrote to memory of 4704 1996 cmd.exe 99 PID 1996 wrote to memory of 4784 1996 cmd.exe 102 PID 1996 wrote to memory of 4784 1996 cmd.exe 102 PID 4380 wrote to memory of 4336 4380 svchost.exe 103 PID 4380 wrote to memory of 4336 4380 svchost.exe 103 PID 4336 wrote to memory of 988 4336 cmd.exe 105 PID 4336 wrote to memory of 988 4336 cmd.exe 105 PID 4336 wrote to memory of 1492 4336 cmd.exe 106 PID 4336 wrote to memory of 1492 4336 cmd.exe 106 PID 4380 wrote to memory of 4492 4380 svchost.exe 107 PID 4380 wrote to memory of 4492 4380 svchost.exe 107 PID 4492 wrote to memory of 4780 4492 cmd.exe 109 PID 4492 wrote to memory of 4780 4492 cmd.exe 109 PID 4380 wrote to memory of 1416 4380 svchost.exe 113 PID 4380 wrote to memory of 1416 4380 svchost.exe 113 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe"C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe"1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dduatvzx\dduatvzx.cmdline"2⤵
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD58B.tmp" "c:\Users\Admin\Downloads\CSCEE4C269799F5442DAABD7BAA3B296324.TMP"3⤵PID:556
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1852
-
C:\Users\Admin\Downloads\o.exe"C:\Users\Admin\Downloads\o.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:4704
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4784
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no3⤵
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
PID:988
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
PID:1492
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
- Suspicious use of WriteProcessMemory
PID:4492 -
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
PID:4780
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt3⤵
- Opens file in notepad (likely ransom note)
PID:1416
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1560
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2040
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:2288
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:3632
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD523b47f32ab5c6bfbe5e20d028d93b83b
SHA10958f7a763cc684aa54a3f01ee8806575056ad1a
SHA256b34c8eb294f12cc76be5ad2b2bb79e174c869dd4140d1507d56faf32e75ac844
SHA512b7c2cf013396dcf52ec488e71ab67d241459ab0eec3235ed0c3aec8c2fdf5a5c341a230cdeb47723868e2916d6f004ac83f1fced0f9be40785d05c9a974f0728
-
Filesize
964B
MD54217b8b83ce3c3f70029a056546f8fd0
SHA1487cdb5733d073a0427418888e8f7070fe782a03
SHA2567d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121
SHA5122a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740
-
Filesize
23KB
MD5c8288b79e036bcbb8555ee9b9deb7ff2
SHA11e131f6ac8a91fa460fc27aaf89f3b1f0c2da11d
SHA2562d41872578ca7429da171fbebe86da3197a3de9fa5e2c3682511f08c6d3d521b
SHA512dab421a73692f8df2bb05e442af9893d86a6024881a5d6d173334d279c764f3ec57f5843cfc36c6eb6a103b057a40448d9da77556b3e3096b968843c4d9a4912
-
Filesize
31KB
MD51917370b65214d864236a65d2c22c8c3
SHA118443893d637cc39e52e13e2e5b003d5cde17a28
SHA2561b6033208e4827fb3657e253c2f74177ea2c17b65bce6b44fac95d0f2df7cc97
SHA51272b90f4fe80942ad1367ad950631bf23068f7412fcada9bdb274bb546f172b073480e20d906fa535409e3378fa6f3e5ce3d6a414d2038664dab0e7da9ec8e4f2
-
Filesize
329B
MD5c743f7ab0a8091ee7563e450c6b05185
SHA1945046db083c75ae9e6525c53ea6266c43a82d20
SHA256e62410227a138ec257981b3a700a91784b41427aec40d67015015f9981e58d43
SHA512179e9458f0fddf0f523069ac4dece96bafb01a013c4fb2455326250f1827660a0a561a603c82c8277e21c28789afc50b32d3a792ea576550fcd988842ea4e85e
-
Filesize
1KB
MD5e20d58e5e0918921d5a7b19766e2426f
SHA1e87d86e4469186d80a606efe465dceb316d15bfb
SHA25695dbbac78f45063b75b22df03b1bf31d4ec27bbb9dd488df36962eb3e75ba0a6
SHA5127a3565bd4f3242d3a16612aab9a98f9dbf861407c5eee4afc236708f0e5e4043c78fcfe1c919b1950bd2e6479f40d4562d3295154420dbbeec883951cc68ae5a