Analysis Overview
SHA256
059eef9289b4c13d6e4f2128855f2f5a5e8710c254a9646c613ff1b905338b35
Threat Level: Known bad
The file setup.exe was found to be: Known bad.
Malicious Activity Summary
Chaos
Chaos Ransomware
Chaos family
Executes dropped EXE
Checks computer location settings
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-03-22 17:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-22 17:50
Reported
2025-03-22 17:50
Platform
win7-20240903-en
Max time kernel
18s
Max time network
16s
Command Line
Signatures
Chaos
Chaos Ransomware
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Chaos family
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.bat" "
C:\Windows\system32\msg.exe
msg * If you see a admin prompt for stub.exe, accept it. It is the installer
C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe
7zr x stub.wim
Network
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.bat
| Hash | Value |
|---|---|
| MD5 | a51991cfbe5f3c4f5b971e88664b182f |
| SHA1 | a760e7177d6b7d3219b4fa96904411578798ac20 |
| SHA256 | 1c8c26ce57cb19be5aabae40b9051b6ee694f872c09296c7eb803c6574e4284a |
| SHA512 | 7c7d58687180fa6b4688459786e90376409323c9b255756636d4bf81b8f9e4b8ac485b7308d4fd94ac95a36c1f0014dd0c8ef07659b004f8d6c7445a8303c883 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe
| Hash | Value |
|---|---|
| MD5 | 9f018e5feb96aae0e893a739c83a8b1f |
| SHA1 | ec3b89ef381fd44deaf386b49223857a47b66bd8 |
| SHA256 | d2c0045523cf053a6b43f9315e9672fc2535f06aeadd4ffa53c729cd8b2b6dfe |
| SHA512 | 44d8504a693ad4d6b79631b653fc19b572de6bbe38713b53c45d9c9d5d3710aa8df93ee867a2a24419ebe883b8255fd18f30f8cf374b2242145fd6acb2189659 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\stub.wim
| Hash | Value |
|---|---|
| MD5 | ca9e55c46ef083cc7d041ca0e73cf40b |
| SHA1 | 61bc48a6b6d5dc6686ab55dff330bdaf2c7d3dfb |
| SHA256 | ff8f3124fc3990644d9f509b33e109992d081ccbfac24cba880680f58587a6ff |
| SHA512 | e772ae58c00af74d6f3e47e22f969e52a46da9aecc16ad5bf5315cea1979ab0d110bb95baa8d6e650bec60c9d7e2a70373b9d5178b2b311a6e5946ee9e157a36 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-22 17:50
Reported
2025-03-22 17:50
Platform
win10v2004-20250314-en
Max time kernel
30s
Max time network
30s
Command Line
Signatures
Chaos
Chaos Ransomware
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Chaos family
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2520 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | C:\Windows\system32\cmd.exe |
| PID 2520 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | C:\Windows\system32\cmd.exe |
| PID 3064 wrote to memory of 5716 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\msg.exe |
| PID 3064 wrote to memory of 5716 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\msg.exe |
| PID 3064 wrote to memory of 5576 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe |
| PID 3064 wrote to memory of 5576 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe |
| PID 3064 wrote to memory of 5576 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.bat" "
C:\Windows\system32\msg.exe
msg * If you see a admin prompt for stub.exe, accept it. It is the installer
C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe
7zr x stub.wim
Network
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.bat
| Hash | Value |
|---|---|
| MD5 | a51991cfbe5f3c4f5b971e88664b182f |
| SHA1 | a760e7177d6b7d3219b4fa96904411578798ac20 |
| SHA256 | 1c8c26ce57cb19be5aabae40b9051b6ee694f872c09296c7eb803c6574e4284a |
| SHA512 | 7c7d58687180fa6b4688459786e90376409323c9b255756636d4bf81b8f9e4b8ac485b7308d4fd94ac95a36c1f0014dd0c8ef07659b004f8d6c7445a8303c883 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe
| Hash | Value |
|---|---|
| MD5 | 9f018e5feb96aae0e893a739c83a8b1f |
| SHA1 | ec3b89ef381fd44deaf386b49223857a47b66bd8 |
| SHA256 | d2c0045523cf053a6b43f9315e9672fc2535f06aeadd4ffa53c729cd8b2b6dfe |
| SHA512 | 44d8504a693ad4d6b79631b653fc19b572de6bbe38713b53c45d9c9d5d3710aa8df93ee867a2a24419ebe883b8255fd18f30f8cf374b2242145fd6acb2189659 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\stub.wim
| Hash | Value |
|---|---|
| MD5 | ca9e55c46ef083cc7d041ca0e73cf40b |
| SHA1 | 61bc48a6b6d5dc6686ab55dff330bdaf2c7d3dfb |
| SHA256 | ff8f3124fc3990644d9f509b33e109992d081ccbfac24cba880680f58587a6ff |
| SHA512 | e772ae58c00af74d6f3e47e22f969e52a46da9aecc16ad5bf5315cea1979ab0d110bb95baa8d6e650bec60c9d7e2a70373b9d5178b2b311a6e5946ee9e157a36 |