chaos | f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77

General

Target

Chaos Ransomware Builder v4.exe
Size

550KB
MD5

8b855e56e41a6e10d28522a20c1e0341
SHA1

17ea75272cfe3749c6727388fd444d2c970f9d01
SHA256

f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77
SHA512

eefab442b9c1be379e00c6a7de9d6d7d327ad8fd52d62a5744e104f6caa44f7147a8e74f340870f9c017980a3d8a5a86a05f76434539c01270c442a66b2af908
SSDEEP

3072:9UJAYdi2YcRVm16Pn6tpzqJG/sX9i2YcRPm16Pn6ckCjSH5EyR9aKZt18rTu+i2S:9aiWm162qJEsNiym16ryAiym168

Score

10^/10

chaos discovery ransomware

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 1 IoCs

resource	yara_rule
behavioral1/memory/3952-1-0x0000000000830000-0x00000000008BE000-memory.dmp	family_chaos

Chaos family
chaos

Downloads MZ/PE file 1 IoCs

flow	pid	Process
41	3312	Process not Found

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wermgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3216	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
3952	Chaos Ransomware Builder v4.exe
3952	Chaos Ransomware Builder v4.exe
3952	Chaos Ransomware Builder v4.exe
3952	Chaos Ransomware Builder v4.exe
3952	Chaos Ransomware Builder v4.exe
3952	Chaos Ransomware Builder v4.exe
3952	Chaos Ransomware Builder v4.exe
3952	Chaos Ransomware Builder v4.exe
3952	Chaos Ransomware Builder v4.exe
3952	Chaos Ransomware Builder v4.exe
3952	Chaos Ransomware Builder v4.exe
3952	Chaos Ransomware Builder v4.exe
3952	Chaos Ransomware Builder v4.exe
3952	Chaos Ransomware Builder v4.exe
3952	Chaos Ransomware Builder v4.exe
3952	Chaos Ransomware Builder v4.exe
3952	Chaos Ransomware Builder v4.exe
3952	Chaos Ransomware Builder v4.exe
3952	Chaos Ransomware Builder v4.exe
3952	Chaos Ransomware Builder v4.exe
3952	Chaos Ransomware Builder v4.exe
3952	Chaos Ransomware Builder v4.exe
3952	Chaos Ransomware Builder v4.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3952	Chaos Ransomware Builder v4.exe

C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe
"C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "2768" "1204" "1068" "1208" "0" "0" "0" "0" "0" "0" "0" "0"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:2968

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjNCODdFRDEtODMxNi00RkYxLUFDQTUtODI0REZCODFBQzE3fSIgdXNlcmlkPSJ7NjBFNTg5OTMtQjZGNC00M0U3LUE3NzAtMkVCRDkwOTIzNDExfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9InsyQTIwMzhEOC1CMEE4LTQ3REYtOTFFOS0zNzcyQ0NDNkVDOEF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ0LjQ1MjkiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSIxMjUiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O3I0NTJ0MStrMlRncS9IWHpqdkZOQlJob3BCV1I5c2JqWHhxZVVESDl1WDA9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iOCIgaW5zdGFsbGRhdGV0aW1lPSIxNzM4OTM1MDYxIj48ZXZlbnQgZXZlbnR0eXBlPSIzMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iNCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTU1NjUzOTQyNyIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3216

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource core
1⤵
- System Location Discovery: System Language Discovery
PID:5332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
670KB

MD5
0ae0e21b6352160660ec57088ac2ec8a

SHA1
859201a829b3c0645fd37329d07b243331445741

SHA256
8d956f606c9cb40540734df06abd83d79263562b83b81db1e829df3695083d7d

SHA512
d2145771c7ce23e44e42ae6fd70370bca1444d51c5b27fff575ef3cf4dbc54385a2c2307ad1425a0c2fff13f5f8833146eb8210204b256ee1c29d1923dffa893

Download Submit
memory/3952-0-0x00007FFF64263000-0x00007FFF64265000-memory.dmp

Filesize
8KB

Download
memory/3952-1-0x0000000000830000-0x00000000008BE000-memory.dmp

Filesize
568KB

Download
memory/3952-2-0x00007FFF64260000-0x00007FFF64D22000-memory.dmp

Filesize
10.8MB

Download
memory/3952-3-0x00007FFF64260000-0x00007FFF64D22000-memory.dmp

Filesize
10.8MB

Download
memory/3952-4-0x00007FFF64260000-0x00007FFF64D22000-memory.dmp

Filesize
10.8MB

Download
memory/3952-5-0x00007FFF64263000-0x00007FFF64265000-memory.dmp

Filesize
8KB

Download
memory/3952-6-0x00007FFF64260000-0x00007FFF64D22000-memory.dmp

Filesize
10.8MB

Download
memory/3952-7-0x000000001BF60000-0x000000001C107000-memory.dmp

Filesize
1.7MB

Download
memory/3952-8-0x000000001BF60000-0x000000001C107000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads