Analysis
-
max time kernel
149s -
max time network
109s -
platform
windows11-21h2_x64 -
resource
win11-20250314-en -
resource tags
arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system -
submitted
22/03/2025, 22:54
Behavioral task
behavioral1
Sample
Chaos Ransomware Builder v4.exe
Resource
win11-20250314-en
General
-
Target
Chaos Ransomware Builder v4.exe
-
Size
550KB
-
MD5
8b855e56e41a6e10d28522a20c1e0341
-
SHA1
17ea75272cfe3749c6727388fd444d2c970f9d01
-
SHA256
f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77
-
SHA512
eefab442b9c1be379e00c6a7de9d6d7d327ad8fd52d62a5744e104f6caa44f7147a8e74f340870f9c017980a3d8a5a86a05f76434539c01270c442a66b2af908
-
SSDEEP
3072:9UJAYdi2YcRVm16Pn6tpzqJG/sX9i2YcRPm16Pn6ckCjSH5EyR9aKZt18rTu+i2S:9aiWm162qJEsNiym16ryAiym168
Malware Config
Extracted
C:\Users\Admin\Desktop\read_it.txt
chaos
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 4 IoCs
resource yara_rule behavioral1/memory/2488-1-0x0000000000910000-0x000000000099E000-memory.dmp family_chaos behavioral1/files/0x001900000002b286-15.dat family_chaos behavioral1/files/0x001900000002b28f-23.dat family_chaos behavioral1/memory/6132-25-0x0000000000410000-0x000000000041C000-memory.dmp family_chaos -
Chaos family
-
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Azera Spoofer.url Azera Spoofer.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini Azera Spoofer.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt Azera Spoofer.exe -
Executes dropped EXE 4 IoCs
pid Process 6132 Azera Spoofer.exe 1672 Azera Spoofer.exe 2060 Azera Spoofer.exe 4716 Azera Spoofer.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 34 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini Azera Spoofer.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini Azera Spoofer.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini Azera Spoofer.exe File opened for modification C:\Users\Admin\Documents\desktop.ini Azera Spoofer.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini Azera Spoofer.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini Azera Spoofer.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini Azera Spoofer.exe File opened for modification C:\Users\Public\Videos\desktop.ini Azera Spoofer.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini Azera Spoofer.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini Azera Spoofer.exe File opened for modification C:\Users\Admin\Searches\desktop.ini Azera Spoofer.exe File opened for modification C:\Users\Admin\Videos\desktop.ini Azera Spoofer.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini Azera Spoofer.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3920535620-1286624088-2946613906-1000\desktop.ini Azera Spoofer.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini Azera Spoofer.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini Azera Spoofer.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini Azera Spoofer.exe File opened for modification C:\Users\Public\Documents\desktop.ini Azera Spoofer.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini Azera Spoofer.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini Azera Spoofer.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini Azera Spoofer.exe File opened for modification C:\Users\Public\Pictures\desktop.ini Azera Spoofer.exe File opened for modification C:\Users\Public\Desktop\desktop.ini Azera Spoofer.exe File opened for modification C:\Users\Admin\Music\desktop.ini Azera Spoofer.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini Azera Spoofer.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini Azera Spoofer.exe File opened for modification C:\Users\Public\Music\desktop.ini Azera Spoofer.exe File opened for modification C:\Users\Admin\Links\desktop.ini Azera Spoofer.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Azera Spoofer.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini Azera Spoofer.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini Azera Spoofer.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini Azera Spoofer.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini Azera Spoofer.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini Azera Spoofer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" Chaos Ransomware Builder v4.exe Set value (data) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff Chaos Ransomware Builder v4.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" Chaos Ransomware Builder v4.exe Set value (data) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 010000000200000000000000ffffffff Chaos Ransomware Builder v4.exe Set value (data) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff Chaos Ransomware Builder v4.exe Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg Chaos Ransomware Builder v4.exe Set value (data) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 Chaos Ransomware Builder v4.exe Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell Chaos Ransomware Builder v4.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" Chaos Ransomware Builder v4.exe Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags Chaos Ransomware Builder v4.exe Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} Chaos Ransomware Builder v4.exe Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg Chaos Ransomware Builder v4.exe Set value (data) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 Chaos Ransomware Builder v4.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2" Chaos Ransomware Builder v4.exe Set value (data) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 14002e8005398e082303024b98265d99428e115f0000 Chaos Ransomware Builder v4.exe Set value (str) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Downloads" Chaos Ransomware Builder v4.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" Chaos Ransomware Builder v4.exe Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell Chaos Ransomware Builder v4.exe Set value (data) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff Chaos Ransomware Builder v4.exe Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Chaos Ransomware Builder v4.exe Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 Chaos Ransomware Builder v4.exe Set value (data) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 Chaos Ransomware Builder v4.exe Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 Chaos Ransomware Builder v4.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" Chaos Ransomware Builder v4.exe Set value (data) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 Chaos Ransomware Builder v4.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" Chaos Ransomware Builder v4.exe Set value (str) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" Chaos Ransomware Builder v4.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" Chaos Ransomware Builder v4.exe Set value (data) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff Chaos Ransomware Builder v4.exe Set value (data) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff Chaos Ransomware Builder v4.exe Set value (str) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" Chaos Ransomware Builder v4.exe Set value (str) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" Chaos Ransomware Builder v4.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" Chaos Ransomware Builder v4.exe Set value (str) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" Chaos Ransomware Builder v4.exe Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 Chaos Ransomware Builder v4.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" Chaos Ransomware Builder v4.exe Set value (data) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 Chaos Ransomware Builder v4.exe Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 Chaos Ransomware Builder v4.exe Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 Chaos Ransomware Builder v4.exe Set value (data) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 Chaos Ransomware Builder v4.exe Set value (data) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 Chaos Ransomware Builder v4.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" Chaos Ransomware Builder v4.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257" Chaos Ransomware Builder v4.exe Set value (data) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff Chaos Ransomware Builder v4.exe Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell Chaos Ransomware Builder v4.exe Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 Chaos Ransomware Builder v4.exe Set value (str) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" Chaos Ransomware Builder v4.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" Chaos Ransomware Builder v4.exe Set value (data) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff Chaos Ransomware Builder v4.exe Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU Chaos Ransomware Builder v4.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\NodeSlot = "3" Chaos Ransomware Builder v4.exe Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} Chaos Ransomware Builder v4.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" Chaos Ransomware Builder v4.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" Chaos Ransomware Builder v4.exe Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots Chaos Ransomware Builder v4.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" Chaos Ransomware Builder v4.exe Key created \Registry\User\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\NotificationData Chaos Ransomware Builder v4.exe Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell Chaos Ransomware Builder v4.exe Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} Chaos Ransomware Builder v4.exe Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings Azera Spoofer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 Chaos Ransomware Builder v4.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" Chaos Ransomware Builder v4.exe Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 Chaos Ransomware Builder v4.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 3896 NOTEPAD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 1672 Azera Spoofer.exe 3160 vlc.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2488 Chaos Ransomware Builder v4.exe 2488 Chaos Ransomware Builder v4.exe 2488 Chaos Ransomware Builder v4.exe 2488 Chaos Ransomware Builder v4.exe 2488 Chaos Ransomware Builder v4.exe 2488 Chaos Ransomware Builder v4.exe 2488 Chaos Ransomware Builder v4.exe 2488 Chaos Ransomware Builder v4.exe 2488 Chaos Ransomware Builder v4.exe 2488 Chaos Ransomware Builder v4.exe 2488 Chaos Ransomware Builder v4.exe 2488 Chaos Ransomware Builder v4.exe 2488 Chaos Ransomware Builder v4.exe 2488 Chaos Ransomware Builder v4.exe 2488 Chaos Ransomware Builder v4.exe 2488 Chaos Ransomware Builder v4.exe 2488 Chaos Ransomware Builder v4.exe 2488 Chaos Ransomware Builder v4.exe 2488 Chaos Ransomware Builder v4.exe 6132 Azera Spoofer.exe 6132 Azera Spoofer.exe 6132 Azera Spoofer.exe 6132 Azera Spoofer.exe 6132 Azera Spoofer.exe 6132 Azera Spoofer.exe 6132 Azera Spoofer.exe 6132 Azera Spoofer.exe 6132 Azera Spoofer.exe 6132 Azera Spoofer.exe 6132 Azera Spoofer.exe 6132 Azera Spoofer.exe 6132 Azera Spoofer.exe 6132 Azera Spoofer.exe 6132 Azera Spoofer.exe 6132 Azera Spoofer.exe 6132 Azera Spoofer.exe 6132 Azera Spoofer.exe 6132 Azera Spoofer.exe 1672 Azera Spoofer.exe 1672 Azera Spoofer.exe 1672 Azera Spoofer.exe 1672 Azera Spoofer.exe 1672 Azera Spoofer.exe 1672 Azera Spoofer.exe 1672 Azera Spoofer.exe 1672 Azera Spoofer.exe 1672 Azera Spoofer.exe 1672 Azera Spoofer.exe 1672 Azera Spoofer.exe 1672 Azera Spoofer.exe 1672 Azera Spoofer.exe 1672 Azera Spoofer.exe 1672 Azera Spoofer.exe 1672 Azera Spoofer.exe 1672 Azera Spoofer.exe 1672 Azera Spoofer.exe 1672 Azera Spoofer.exe 1672 Azera Spoofer.exe 2060 Azera Spoofer.exe 2060 Azera Spoofer.exe 2060 Azera Spoofer.exe 2060 Azera Spoofer.exe 2060 Azera Spoofer.exe 2060 Azera Spoofer.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 2488 Chaos Ransomware Builder v4.exe 3160 vlc.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 2488 Chaos Ransomware Builder v4.exe Token: SeDebugPrivilege 6132 Azera Spoofer.exe Token: SeDebugPrivilege 1672 Azera Spoofer.exe Token: SeDebugPrivilege 2060 Azera Spoofer.exe Token: SeDebugPrivilege 4716 Azera Spoofer.exe -
Suspicious use of FindShellTrayWindow 9 IoCs
pid Process 3160 vlc.exe 3160 vlc.exe 3160 vlc.exe 3160 vlc.exe 3160 vlc.exe 3160 vlc.exe 3160 vlc.exe 3160 vlc.exe 3160 vlc.exe -
Suspicious use of SendNotifyMessage 8 IoCs
pid Process 3160 vlc.exe 3160 vlc.exe 3160 vlc.exe 3160 vlc.exe 3160 vlc.exe 3160 vlc.exe 3160 vlc.exe 3160 vlc.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 2488 Chaos Ransomware Builder v4.exe 2488 Chaos Ransomware Builder v4.exe 2488 Chaos Ransomware Builder v4.exe 3160 vlc.exe 6020 OpenWith.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 2488 wrote to memory of 728 2488 Chaos Ransomware Builder v4.exe 84 PID 2488 wrote to memory of 728 2488 Chaos Ransomware Builder v4.exe 84 PID 728 wrote to memory of 4576 728 csc.exe 86 PID 728 wrote to memory of 4576 728 csc.exe 86 PID 6132 wrote to memory of 1672 6132 Azera Spoofer.exe 91 PID 6132 wrote to memory of 1672 6132 Azera Spoofer.exe 91 PID 1672 wrote to memory of 3896 1672 Azera Spoofer.exe 92 PID 1672 wrote to memory of 3896 1672 Azera Spoofer.exe 92 PID 2060 wrote to memory of 4716 2060 Azera Spoofer.exe 97 PID 2060 wrote to memory of 4716 2060 Azera Spoofer.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe"C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe"1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dzw4hw02\dzw4hw02.cmdline"2⤵
- Suspicious use of WriteProcessMemory
PID:728 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES995D.tmp" "c:\Users\Admin\Desktop\CSCC5855C0F578847B8A792E68995892451.TMP"3⤵PID:4576
-
-
-
C:\Users\Admin\Desktop\Azera Spoofer.exe"C:\Users\Admin\Desktop\Azera Spoofer.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:6132 -
C:\Users\Admin\AppData\Roaming\Azera Spoofer.exe"C:\Users\Admin\AppData\Roaming\Azera Spoofer.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt3⤵
- Opens file in notepad (likely ransom note)
PID:3896
-
-
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\MergeEdit.M2T"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3160
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6020
-
C:\Users\Admin\Desktop\Azera Spoofer.exe"C:\Users\Admin\Desktop\Azera Spoofer.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Users\Admin\AppData\Roaming\Azera Spoofer.exe"C:\Users\Admin\AppData\Roaming\Azera Spoofer.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4716
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226B
MD54ae344179932dc8e2c6fe2079f9753ef
SHA160eacc624412b1f34809780769e3b212f138ea9c
SHA2563063de3898a9b34e19f8cf0beeec2b8bd6bd05896b52abd73f4703d07b8a7cd4
SHA512fadfe2b83f1af8fdc50430325f69d6172d2c1e889ca3800b3b83e5535d5970c32e9a176b48563275a0630d56c96d9f88df148fd6b2d281f0fc58129e5f4dba19
-
Filesize
1KB
MD58dbf8f8ce7d9be8beda22ebd09803edc
SHA1201b61aec06fdb8bfbd26f35375ada839e8fa09c
SHA256204c1942040cd168aea555f10cbd64cd2ec06b2f41e45dd835214e3d19d5d3cc
SHA5121ae5db90bd51d617c5b2e40b95e08ee48429e2b1a880bc6eeb9d997d5b151437282239433a812c9f5fc9f046dcc92190a9d3f09b259a1face3351e5386d04bd3
-
Filesize
23KB
MD5a9253d775b8f1855787f6933f5133397
SHA189de2768f4b17c30a184e7a1856266a5252c0fae
SHA256bc1e9c244bbfc653c4a54dfb967188cbbdf5fe7f27bd9c3cf3b6792f19896d17
SHA512dfc57074e8fa34972833d3445f6c35ae3caa82f356f5244b7ed959824dcee911dacb80ec23b17b89e8b7bd5c315d3b9f1f91c9e8671dd0dfbb1f4b98fc77dc20
-
Filesize
964B
MD54217b8b83ce3c3f70029a056546f8fd0
SHA1487cdb5733d073a0427418888e8f7070fe782a03
SHA2567d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121
SHA5122a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740
-
Filesize
30KB
MD5aedfa941025c3bbcc512d122660fab00
SHA127370a8a713c5de0872b3951fb5e857e47ebc20a
SHA256f2142bbef1dd90e46519ab107919c357f5b90e8f263ba25c14fe6b6fb00e83b7
SHA5122b517767f613bc7c08ab30798ae11e24f2b3805f9f51c4d3db91c4c06d67aaa483bab2b7136d69fe42133c0ca909122cb54ae812f2c936b46e25d97d670042f7
-
Filesize
339B
MD59ac0e6e00e316100c8f4718a8b7596e3
SHA14ee2f9137aeb5b6a2f59e6493fffa1fc860187ba
SHA2561534c411b73c87485fbde68d1e37ceb12893c4deb5e1057e47cd7c7e7ff7fe1e
SHA512ac5704a84d913833f78b9a3fb62313731f0e647f979cbc193e39fda70dce042b032f74ff831c44cfee2cb40aa0d52a6c78527ee873a6e6dc7fe11cc63e897549
-
Filesize
1KB
MD564c760b6d85efe189ee6c0a4a007194b
SHA1c41596f65dac164760424220752d1ed5bf0f90d8
SHA256d8cbba8e0d46d4b1251a999de5b71e40238c3494c48746dc2cc66b386b563ad6
SHA512fab48100cd9e08749091baf645469e5cb0644acb4a913c1368a55893cccd3a937e557930fbc7b74f4ed54d38faaf0f6f1e9e6df46c4029b3780b9970967fd5f2