Resubmissions

22/03/2025, 22:54

250322-2vv62aswev 10

22/03/2025, 22:48

250322-2rhrjasvfw 10

Analysis

  • max time kernel: 149s
  • max time network: 109s
  • platform: windows11-21h2_x64
  • resource: win11-20250314-en
  • resource tags: arch:x64, arch:x86, image:win11-20250314-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted: 22/03/2025, 22:54

General

  • Target: Chaos Ransomware Builder v4.exe
  • Size: 550KB
  • MD5: 8b855e56e41a6e10d28522a20c1e0341
  • SHA1: 17ea75272cfe3749c6727388fd444d2c970f9d01
  • SHA256: f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77
  • SHA512: eefab442b9c1be379e00c6a7de9d6d7d327ad8fd52d62a5744e104f6caa44f7147a8e74f340870f9c017980a3d8a5a86a05f76434539c01270c442a66b2af908
  • SSDEEP: 3072:9UJAYdi2YcRVm16Pn6tpzqJG/sX9i2YcRPm16Pn6ckCjSH5EyR9aKZt18rTu+i2S:9aiWm162qJEsNiym16ryAiym168

Malware Config

Extracted

  • Path: C:\Users\Admin\Desktop\read_it.txt
  • Family: chaos
  • Ransom Note:

    ----> Chaos is multi language ransomware. Translate your note to any language <----

    All of your files have been encrypted
    Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.

    What can I do to get my files back?
    You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.
    The price for the software is $1,500. Payment can be made in Bitcoin only.

    How do I pay, where do I get Bitcoin?
    Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin.
    Many of our customers have reported these sites to be fast and reliable:
    Coinmama - hxxps://www.coinmama.com
    Bitpanda - hxxps://www.bitpanda.com

    Payment information
    Amount: 0.1473766 BTC
    Bitcoin Address: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 4 IoCs
  • Chaos family
  • Drops startup file 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Drops desktop.ini file(s) 34 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 9 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe
    "C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe"
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2488
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dzw4hw02\dzw4hw02.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:728
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES995D.tmp" "c:\Users\Admin\Desktop\CSCC5855C0F578847B8A792E68995892451.TMP"
        3⤵
          PID:4576
    • C:\Users\Admin\Desktop\Azera Spoofer.exe
      "C:\Users\Admin\Desktop\Azera Spoofer.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:6132
      • C:\Users\Admin\AppData\Roaming\Azera Spoofer.exe
        "C:\Users\Admin\AppData\Roaming\Azera Spoofer.exe"
        2⤵
        • Drops startup file
        • Executes dropped EXE
        • Drops desktop.ini file(s)
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1672
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
          3⤵
          • Opens file in notepad (likely ransom note)
          PID:3896
    • C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\MergeEdit.M2T"
      1⤵
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:3160
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:6020
    • C:\Users\Admin\Desktop\Azera Spoofer.exe
      "C:\Users\Admin\Desktop\Azera Spoofer.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2060
      • C:\Users\Admin\AppData\Roaming\Azera Spoofer.exe
        "C:\Users\Admin\AppData\Roaming\Azera Spoofer.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4716

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Azera Spoofer.exe.log
    Filesize: 226B
    MD5: 4ae344179932dc8e2c6fe2079f9753ef
    SHA1: 60eacc624412b1f34809780769e3b212f138ea9c
    SHA256: 3063de3898a9b34e19f8cf0beeec2b8bd6bd05896b52abd73f4703d07b8a7cd4
    SHA512: fadfe2b83f1af8fdc50430325f69d6172d2c1e889ca3800b3b83e5535d5970c32e9a176b48563275a0630d56c96d9f88df148fd6b2d281f0fc58129e5f4dba19

  • C:\Users\Admin\AppData\Local\Temp\RES995D.tmp
    Filesize: 1KB
    MD5: 8dbf8f8ce7d9be8beda22ebd09803edc
    SHA1: 201b61aec06fdb8bfbd26f35375ada839e8fa09c
    SHA256: 204c1942040cd168aea555f10cbd64cd2ec06b2f41e45dd835214e3d19d5d3cc
    SHA512: 1ae5db90bd51d617c5b2e40b95e08ee48429e2b1a880bc6eeb9d997d5b151437282239433a812c9f5fc9f046dcc92190a9d3f09b259a1face3351e5386d04bd3

  • C:\Users\Admin\Desktop\Azera Spoofer.exe
    Filesize: 23KB
    MD5: a9253d775b8f1855787f6933f5133397
    SHA1: 89de2768f4b17c30a184e7a1856266a5252c0fae
    SHA256: bc1e9c244bbfc653c4a54dfb967188cbbdf5fe7f27bd9c3cf3b6792f19896d17
    SHA512: dfc57074e8fa34972833d3445f6c35ae3caa82f356f5244b7ed959824dcee911dacb80ec23b17b89e8b7bd5c315d3b9f1f91c9e8671dd0dfbb1f4b98fc77dc20

  • C:\Users\Admin\Desktop\read_it.txt
    Filesize: 964B
    MD5: 4217b8b83ce3c3f70029a056546f8fd0
    SHA1: 487cdb5733d073a0427418888e8f7070fe782a03
    SHA256: 7d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121
    SHA512: 2a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740

  • \??\c:\Users\Admin\AppData\Local\Temp\dzw4hw02\dzw4hw02.0.cs
    Filesize: 30KB
    MD5: aedfa941025c3bbcc512d122660fab00
    SHA1: 27370a8a713c5de0872b3951fb5e857e47ebc20a
    SHA256: f2142bbef1dd90e46519ab107919c357f5b90e8f263ba25c14fe6b6fb00e83b7
    SHA512: 2b517767f613bc7c08ab30798ae11e24f2b3805f9f51c4d3db91c4c06d67aaa483bab2b7136d69fe42133c0ca909122cb54ae812f2c936b46e25d97d670042f7

  • \??\c:\Users\Admin\AppData\Local\Temp\dzw4hw02\dzw4hw02.cmdline
    Filesize: 339B
    MD5: 9ac0e6e00e316100c8f4718a8b7596e3
    SHA1: 4ee2f9137aeb5b6a2f59e6493fffa1fc860187ba
    SHA256: 1534c411b73c87485fbde68d1e37ceb12893c4deb5e1057e47cd7c7e7ff7fe1e
    SHA512: ac5704a84d913833f78b9a3fb62313731f0e647f979cbc193e39fda70dce042b032f74ff831c44cfee2cb40aa0d52a6c78527ee873a6e6dc7fe11cc63e897549

  • \??\c:\Users\Admin\Desktop\CSCC5855C0F578847B8A792E68995892451.TMP
    Filesize: 1KB
    MD5: 64c760b6d85efe189ee6c0a4a007194b
    SHA1: c41596f65dac164760424220752d1ed5bf0f90d8
    SHA256: d8cbba8e0d46d4b1251a999de5b71e40238c3494c48746dc2cc66b386b563ad6
    SHA512: fab48100cd9e08749091baf645469e5cb0644acb4a913c1368a55893cccd3a937e557930fbc7b74f4ed54d38faaf0f6f1e9e6df46c4029b3780b9970967fd5f2

  • memory/2488-5-0x00007FFF91F93000-0x00007FFF91F95000-memory.dmp: 8KB
  • memory/2488-4-0x00007FFF91F90000-0x00007FFF92A52000-memory.dmp: 10.8MB
  • memory/2488-9-0x00007FFF91F90000-0x00007FFF92A52000-memory.dmp: 10.8MB
  • memory/2488-10-0x00007FFF91F90000-0x00007FFF92A52000-memory.dmp: 10.8MB
  • memory/2488-7-0x00007FFF91F90000-0x00007FFF92A52000-memory.dmp: 10.8MB
  • memory/2488-6-0x00007FFF91F90000-0x00007FFF92A52000-memory.dmp: 10.8MB
  • memory/2488-0-0x00007FFF91F93000-0x00007FFF91F95000-memory.dmp: 8KB
  • memory/2488-8-0x00007FFF91F90000-0x00007FFF92A52000-memory.dmp: 10.8MB
  • memory/2488-3-0x00007FFF91F90000-0x00007FFF92A52000-memory.dmp: 10.8MB
  • memory/2488-1-0x0000000000910000-0x000000000099E000-memory.dmp: 568KB
  • memory/2488-2-0x00007FFF91F90000-0x00007FFF92A52000-memory.dmp: 10.8MB
  • memory/3160-111-0x00007FFF9E7C0000-0x00007FFF9E7F4000-memory.dmp: 208KB
  • memory/3160-110-0x00007FF7002D0000-0x00007FF7003C8000-memory.dmp: 992KB
  • memory/3160-112-0x00007FFF8C0A0000-0x00007FFF8C356000-memory.dmp: 2.7MB
  • memory/3160-113-0x00007FFF8ABB0000-0x00007FFF8BC60000-memory.dmp: 16.7MB
  • memory/6132-25-0x0000000000410000-0x000000000041C000-memory.dmp: 48KB