Analysis

  • max time kernel
    18s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/03/2025, 17:50

General

  • Target

    setup.exe

  • Size

    743KB

  • MD5

    55ef0aace1137504eed6ded17eaa95b3

  • SHA1

    5305dfd2c8c58db59779621eddbc177e3123e900

  • SHA256

    059eef9289b4c13d6e4f2128855f2f5a5e8710c254a9646c613ff1b905338b35

  • SHA512

    3509b03b1c5c8611f4518e44638c0a37f990645502a2707f48c9d7279bef2fe978b7e81d0ee8d697365e89cc94520c78f34dafd734ec1718036915bcdfbe0bd8

  • SSDEEP

    12288:zbQIi8rXTWcJHsp63L2gf6PUpiXN8xVfUm42CgAiM8+iMNB6dfn:zbQfQjWKM072s6PUpiXNWN02CgAiMxz8

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 1 IoCs
  • Chaos family
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2244
      • C:\Windows\system32\msg.exe
        msg * If you see a admin prompt for stub.exe, accept it. It is the installer
        3⤵
          PID:2848
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe
          7zr x stub.wim
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious use of AdjustPrivilegeToken
          PID:2840
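
    The process tree above shows a WinRAR self-extracting archive (the RarSFX0 temp folder) handing off to cmd.exe, which runs the dropped Setup.bat, shows an operator prompt via msg.exe, and then runs the dropped 7zr.exe (the standalone 7-Zip console) to unpack stub.wim. The tree stops there: the 18-second run never reaches the stub.exe that the msg.exe text asks the user to approve. The following is an added example of detection logic for that chain; it is not part of the sandbox report. It replays the report's own command lines as constructed process-creation events (the pid/ppid/image/cmdline field names are modelled on Sysmon Event ID 1, an assumption) and flags an archiver run from a RarSFX temp folder beneath a cmd.exe that was itself launched from the same folder.

```python
"""Detection for the RarSFX -> cmd.exe -> 7zr.exe extraction chain.
Added example, not code from the sandbox report. Event records below are
constructed from the report's process tree; field names are assumed
(modelled on Sysmon Event ID 1)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree, PIDs as listed there.
# setup.exe has no recorded parent, so ppid 0 is used as a sentinel.
EVENTS = [
    ProcEvent(1968, 0, r"C:\Users\Admin\AppData\Local\Temp\setup.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\setup.exe"'),
    ProcEvent(2244, 1968, r"C:\Windows\system32\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.bat" "'),
    ProcEvent(2848, 2244, r"C:\Windows\system32\msg.exe",
              r"msg * If you see a admin prompt for stub.exe, accept it. It is the installer"),
    ProcEvent(2840, 2244, r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe",
              r"7zr x stub.wim"),
]

# WinRAR SFX extraction folders are named RarSFX<n> under %TEMP%.
SFX_TEMP = re.compile(r"\\AppData\\Local\\Temp\\RarSFX\d+\\", re.IGNORECASE)
# 7-Zip console binaries (7z.exe, 7za.exe, 7zr.exe).
ARCHIVE_TOOL = re.compile(r"(^|\\)(7zr?|7za)\.exe$", re.IGNORECASE)
# "x" = extract with full paths; "e" would be extract without paths.
EXTRACT_CMD = re.compile(r"^\s*\S*7z\S*\s+[xe]\s+", re.IGNORECASE)


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Parent chain of ev, nearest parent first, stopping at an unknown ppid."""
    chain = []
    while ev.ppid in by_pid:
        ev = by_pid[ev.ppid]
        chain.append(ev)
    return chain


def find_sfx_extract_chains(events: List[ProcEvent]) -> List[Tuple[int, int]]:
    """Return (extractor_pid, root_pid) for every 7-Zip binary executed from
    a RarSFX temp folder whose ancestry contains a cmd.exe launched with a
    script from an SFX folder. Requiring both signals keeps an ordinary
    '7zr x archive' from an installed 7-Zip from firing."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if not (ARCHIVE_TOOL.search(ev.image) and SFX_TEMP.search(ev.image)):
            continue
        if not EXTRACT_CMD.match(ev.cmdline):
            continue
        chain = ancestors(ev, by_pid)
        cmd_from_sfx = any(a.image.lower().endswith("\\cmd.exe")
                           and SFX_TEMP.search(a.cmdline) for a in chain)
        if cmd_from_sfx:
            root = chain[-1] if chain else ev
            hits.append((ev.pid, root.pid))
    return hits


if __name__ == "__main__":
    for extractor, root in find_sfx_extract_chains(EVENTS):
        print(f"SFX extraction chain: extractor pid {extractor}, root pid {root}")
```

    On the report's events this yields a single hit rooted at setup.exe (PID 1968). The second condition matters: `7zr x` on its own is routine, and a rule keyed on the command line alone would be noisy; the RarSFX path on both the archiver image and the parent cmd.exe script is what ties it to a self-extracting dropper.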

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe

      Filesize

      579KB

      MD5

      9f018e5feb96aae0e893a739c83a8b1f

      SHA1

      ec3b89ef381fd44deaf386b49223857a47b66bd8

      SHA256

      d2c0045523cf053a6b43f9315e9672fc2535f06aeadd4ffa53c729cd8b2b6dfe

      SHA512

      44d8504a693ad4d6b79631b653fc19b572de6bbe38713b53c45d9c9d5d3710aa8df93ee867a2a24419ebe883b8255fd18f30f8cf374b2242145fd6acb2189659

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.bat

      Filesize

      149B

      MD5

      a51991cfbe5f3c4f5b971e88664b182f

      SHA1

      a760e7177d6b7d3219b4fa96904411578798ac20

      SHA256

      1c8c26ce57cb19be5aabae40b9051b6ee694f872c09296c7eb803c6574e4284a

      SHA512

      7c7d58687180fa6b4688459786e90376409323c9b255756636d4bf81b8f9e4b8ac485b7308d4fd94ac95a36c1f0014dd0c8ef07659b004f8d6c7445a8303c883

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\stub.wim

      Filesize

      23KB

      MD5

      ca9e55c46ef083cc7d041ca0e73cf40b

      SHA1

      61bc48a6b6d5dc6686ab55dff330bdaf2c7d3dfb

      SHA256

      ff8f3124fc3990644d9f509b33e109992d081ccbfac24cba880680f58587a6ff

      SHA512

      e772ae58c00af74d6f3e47e22f969e52a46da9aecc16ad5bf5315cea1979ab0d110bb95baa8d6e650bec60c9d7e2a70373b9d5178b2b311a6e5946ee9e157a36
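
    To check whether files recovered from a host, or still sitting in a RarSFX0 extraction folder, are the same dropped components this report lists, the following is an added example that is not part of the report. It hashes each file with the four algorithms the report uses and decides matches on SHA256 against the values above (including the parent setup.exe); MD5 and SHA1 are computed only for cross-referencing with other feeds. SSDEEP is omitted because it is not in the Python standard library.

```python
"""Hash-based check of recovered files against the dropped-file IoCs above.
Added example; not part of the sandbox report. The SHA256 table is copied
from the report; any sample bytes used to exercise it are constructed."""
import hashlib
import os
from typing import Dict, List, Optional, Tuple

# SHA256 values from the report, keyed by the name each file was dropped under.
KNOWN_SHA256 = {
    "setup.exe": "059eef9289b4c13d6e4f2128855f2f5a5e8710c254a9646c613ff1b905338b35",
    "7zr.exe":   "d2c0045523cf053a6b43f9315e9672fc2535f06aeadd4ffa53c729cd8b2b6dfe",
    "Setup.bat": "1c8c26ce57cb19be5aabae40b9051b6ee694f872c09296c7eb803c6574e4284a",
    "stub.wim":  "ff8f3124fc3990644d9f509b33e109992d081ccbfac24cba880680f58587a6ff",
}
ALGOS = ("md5", "sha1", "sha256", "sha512")


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Hex digests of an in-memory buffer for the four report algorithms."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGOS}


def hash_file(path: str, chunk: int = 1 << 20) -> Dict[str, str]:
    """Stream a file through all four hashers in one pass (files may be large)."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def classify(digests: Dict[str, str]) -> Optional[str]:
    """Name of the dropped component whose SHA256 matches, else None.
    Only SHA256 decides; MD5/SHA1 collisions are practical, so they are
    reported but never used as the match criterion."""
    by_sha256 = {sha: name for name, sha in KNOWN_SHA256.items()}
    return by_sha256.get(digests["sha256"].lower())


def scan_directory(root: str) -> List[Tuple[str, Optional[str]]]:
    """Hash every regular file under root and pair it with its IoC match."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            results.append((path, classify(hash_file(path))))
    return results


if __name__ == "__main__":
    import sys
    folder = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, match in scan_directory(folder):
        print(f"{'MATCH ' + match if match else 'no match':<18} {path}")
```

    Run it against a copied-out %TEMP%\RarSFX0 folder; a file named stub.wim that does not match the listed SHA256 is worth a second look, since the SFX name alone says nothing about which build of the dropper produced it.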