Malware Analysis Report

2025-04-13 21:19

Sample ID 250322-wejkeasjs6
Target setup.exe
SHA256 059eef9289b4c13d6e4f2128855f2f5a5e8710c254a9646c613ff1b905338b35
Tags chaos, discovery, ransomware
Score 10/10


Analysis Overview

Score 10/10

SHA256 059eef9289b4c13d6e4f2128855f2f5a5e8710c254a9646c613ff1b905338b35

Threat Level: Known bad

The file setup.exe was found to be: Known bad. It is a WinRAR self-extracting archive (its payload is unpacked to %TEMP%\RarSFX0) whose Setup.bat shows a msg.exe prompt coaching the user to approve an elevation prompt for stub.exe and then runs the bundled 7zr.exe to extract stub.wim. Neither detonation reached stub.exe, and no file encryption, ransom note or network traffic was recorded in the 18 s (Windows 7) and 30 s (Windows 10) traces; the Chaos classification rests on the sandbox's family signature match, not on observed ransomware behaviour.

Malicious Activity Summary

chaos discovery ransomware

Chaos

Chaos Ransomware

Chaos family

Executes dropped EXE

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2025-03-22 17:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-22 17:50

Reported

2025-03-22 17:50

Platform

win7-20240903-en

Max time kernel

18s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Chaos family

chaos

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe | N/A

This is the sandbox's mapping of an NLS\Language key open to ATT&CK T1614.001. A console extractor reading the system language key during start-up is routine locale initialisation, so treat it as low-confidence corroboration of the chain rather than as geofencing evidence on its own.

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe | N/A
Token: 35 (privilege LUID left unresolved by the sandbox; 35 is SE_CREATE_SYMBOLIC_LINK_PRIVILEGE in the Windows SDK headers) | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe | N/A

Restore, security and symbolic-link privileges are the ones 7-Zip enables when extracting archives that may carry NTFS security descriptors or symbolic links, so this signature is consistent with a genuine 7zr.exe doing its job rather than with token abuse. It is the delivery chain around the extractor, not these privilege calls, that is suspicious.

Processes

(child processes are indented under their parent; each image path is followed by its command line)

C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"

  C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.bat" "

    C:\Windows\system32\msg.exe
      msg * If you see a admin prompt for stub.exe, accept it. It is the installer

    C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe
      7zr x stub.wim

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.bat

MD5 a51991cfbe5f3c4f5b971e88664b182f
SHA1 a760e7177d6b7d3219b4fa96904411578798ac20
SHA256 1c8c26ce57cb19be5aabae40b9051b6ee694f872c09296c7eb803c6574e4284a
SHA512 7c7d58687180fa6b4688459786e90376409323c9b255756636d4bf81b8f9e4b8ac485b7308d4fd94ac95a36c1f0014dd0c8ef07659b004f8d6c7445a8303c883

C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe

MD5 9f018e5feb96aae0e893a739c83a8b1f
SHA1 ec3b89ef381fd44deaf386b49223857a47b66bd8
SHA256 d2c0045523cf053a6b43f9315e9672fc2535f06aeadd4ffa53c729cd8b2b6dfe
SHA512 44d8504a693ad4d6b79631b653fc19b572de6bbe38713b53c45d9c9d5d3710aa8df93ee867a2a24419ebe883b8255fd18f30f8cf374b2242145fd6acb2189659

C:\Users\Admin\AppData\Local\Temp\RarSFX0\stub.wim

MD5 ca9e55c46ef083cc7d041ca0e73cf40b
SHA1 61bc48a6b6d5dc6686ab55dff330bdaf2c7d3dfb
SHA256 ff8f3124fc3990644d9f509b33e109992d081ccbfac24cba880680f58587a6ff
SHA512 e772ae58c00af74d6f3e47e22f969e52a46da9aecc16ad5bf5315cea1979ab0d110bb95baa8d6e650bec60c9d7e2a70373b9d5178b2b311a6e5946ee9e157a36
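The three dropped files are the payload of a WinRAR self-extracting stub: the batch script, a bundled 7-Zip console extractor and the stub.wim image it unpacks. The following is an added example, not code from the sandbox or from the sample, of the static checks worth running on such a drop: reading the PE certificate table (the check behind the Unsigned PE signature), carving the RAR archive appended to the SFX stub, recognising a WIM by its header magic, and matching dropped files against the SHA256 values listed above. build_test_sfx() fabricates a minimal PE32+ header with a RAR5 marker so the code runs offline; it is constructed, not the real setup.exe.

```python
"""Static triage of an SFX dropper and its dropped files (added example, constructed inputs)."""
import hashlib
import re
import struct

# Container magics relevant to this chain: the SFX stub carries an appended RAR archive,
# and the batch hands stub.wim (Windows Imaging format) to 7zr.exe.
RAR_MARKER_RE = re.compile(rb"Rar!\x1a\x07(?:\x00|\x01\x00)")  # RAR4 / RAR5 signatures
RAR5_MARKER = b"Rar!\x1a\x07\x01\x00"
WIM_MAGIC = b"MSWIM\x00\x00\x00"

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Authenticode certificate table

# SHA256 values copied from the Files table of this report.
REPORT_SHA256 = {
    "Setup.bat": "1c8c26ce57cb19be5aabae40b9051b6ee694f872c09296c7eb803c6574e4284a",
    "7zr.exe": "d2c0045523cf053a6b43f9315e9672fc2535f06aeadd4ffa53c729cd8b2b6dfe",
    "stub.wim": "ff8f3124fc3990644d9f509b33e109992d081ccbfac24cba880680f58587a6ff",
}


def pe_security_directory(data: bytes):
    """Return (file_offset, size) of the certificate table, or None if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    opt = e_lfanew + 24  # optional header follows the 4-byte signature and 20-byte COFF header
    if len(data) < opt + 2:
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32
        nrva_off, dd_off = opt + 92, opt + 96
    elif magic == 0x20B:  # PE32+
        nrva_off, dd_off = opt + 108, opt + 112
    else:
        return None
    if len(data) < dd_off + 8 * (IMAGE_DIRECTORY_ENTRY_SECURITY + 1):
        return (0, 0)
    if struct.unpack_from("<I", data, nrva_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return (0, 0)
    return struct.unpack_from("<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def is_authenticode_signed(data: bytes) -> bool:
    """The 'Unsigned PE' check: an empty certificate table means no Authenticode blob at all.
    A non-empty one only means a blob is present; it still has to be validated."""
    sec = pe_security_directory(data)
    return bool(sec) and sec[1] > 0


def find_rar_archive(data: bytes):
    """Locate the archive appended to a WinRAR SFX stub: (offset, 'rar4' | 'rar5') or None."""
    m = RAR_MARKER_RE.search(data)
    if not m:
        return None
    return (m.start(), "rar5" if data[m.start() + 6] == 0x01 else "rar4")


def identify_container(data: bytes) -> str:
    """Classify a dropped file by its leading magic: 'wim', 'rar', 'pe' or 'unknown'."""
    if data.startswith(WIM_MAGIC):
        return "wim"
    if RAR_MARKER_RE.match(data):
        return "rar"
    if data[:2] == b"MZ":
        return "pe"
    return "unknown"


def match_report_ioc(data: bytes):
    """Name of the report's dropped file with the same SHA256, or None."""
    digest = hashlib.sha256(data).hexdigest()
    return next((name for name, h in REPORT_SHA256.items() if h == digest), None)


def triage(data: bytes) -> dict:
    return {
        "container": identify_container(data),
        "signed": is_authenticode_signed(data),
        "embedded_rar": find_rar_archive(data),
        "known_dropped_file": match_report_ioc(data),
    }


def build_test_sfx(signed: bool) -> bytes:
    """Constructed stand-in for an SFX: minimal PE32+ headers, then a RAR5 marker and padding."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew
    opt = bytearray(112 + 16 * 8)                         # PE32+ optional header, 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                  # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x800)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x22)
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + RAR5_MARKER + b"\x00" * 32


if __name__ == "__main__":
    print(triage(build_test_sfx(signed=False)))
```

Run it on the real files with open(path, "rb").read(). A non-empty certificate table only says a signature blob exists, so follow is_authenticode_signed with an actual validation (signtool verify or Get-AuthenticodeSignature) before treating any file as signed; the offset that find_rar_archive returns is where to cut the stub off to hand the bare archive to an unpacker.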

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-22 17:50

Reported

2025-03-22 17:50

Platform

win10v2004-20250314-en

Max time kernel

30s

Max time network

30s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Chaos family

chaos

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A

Geo\Nation is the per-user value behind the Windows geo-location APIs (GetUserGeoID and the like). Malware reads it for geofencing, but ordinary installers and SFX stubs read it too, so the query only becomes meaningful together with the rest of the chain.

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe | N/A
Token: 35 (SE_CREATE_SYMBOLIC_LINK_PRIVILEGE, left as a numeric LUID by the sandbox) | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe | N/A

Processes

(child processes are indented under their parent; each image path is followed by its command line)

C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"

  C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.bat" "

    C:\Windows\system32\msg.exe
      msg * If you see a admin prompt for stub.exe, accept it. It is the installer

    C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe
      7zr x stub.wim
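The same four-process chain appears in both detonations (Windows 7 in behavioral1, Windows 10 here), and behavioral2 adds the Geo\Nation registry query by setup.exe. The following is an added example, not part of the sandbox report or the sample: detection logic run over event records constructed from these command lines and that registry key, reconstructing the parent/child chain and scoring the rules that fire. The event field names, rule names and severities are this example's own assumptions, not a sandbox or Sysmon schema.

```python
"""Detection logic for the SFX -> cmd.exe -> msg.exe / 7zr.exe chain (added example).

EVENTS is constructed from the process command lines and the Geo\\Nation registry query
in this report; it is not a real sandbox or Sysmon export.
"""
import re

SFX_TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\RarSFX\d+\\", re.IGNORECASE)
UAC_NUDGE = re.compile(r"admin prompt|accept it|click yes|press yes", re.IGNORECASE)
GEO_NATION_KEY = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
SEVENZIP_EXTRACT_WIM = re.compile(r"\bx\b.*\.wim\b", re.IGNORECASE)
SEVENZIP_IMAGES = {"7zr.exe", "7z.exe", "7za.exe"}

SEVERITY = {
    "dropped_exe_from_sfx_dir": "medium",   # any image running out of %TEMP%\RarSFXn\
    "sfx_runs_batch": "medium",             # cmd.exe /c <RarSFXn>\*.bat
    "uac_social_engineering": "high",       # msg.exe coaching the user through an elevation prompt
    "bundled_7zip_extracts_wim": "medium",  # 7zr/7z x <payload>.wim
    "geo_nation_lookup": "low",             # locale/geo lookup; ordinary installers do this too
}

# Constructed events modelled on the two detonations in this report.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 50,
     "image": r"C:\Users\Admin\AppData\Local\Temp\setup.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\setup.exe"'},
    {"type": "process", "pid": 101, "ppid": 100,
     "image": r"C:\Windows\system32\cmd.exe",
     "cmd": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.bat" "'},
    {"type": "process", "pid": 102, "ppid": 101,
     "image": r"C:\Windows\system32\msg.exe",
     "cmd": "msg * If you see a admin prompt for stub.exe, accept it. It is the installer"},
    {"type": "process", "pid": 103, "ppid": 101,
     "image": r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe",
     "cmd": "7zr x stub.wim"},
    {"type": "registry_query", "pid": 100,
     "key": r"\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def process_chain(events, pid):
    """Walk ppid links back to the root and return image names root-first."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def detect(events):
    """Return (rule, pid, severity, detail) for every event that trips a rule."""
    findings = []

    def hit(rule, pid, detail):
        findings.append((rule, pid, SEVERITY[rule], detail))

    for e in events:
        if e["type"] == "process":
            img, cmd = basename(e["image"]), e["cmd"]
            if SFX_TEMP_DIR.search(e["image"]):
                hit("dropped_exe_from_sfx_dir", e["pid"], e["image"])
            if img == "cmd.exe" and SFX_TEMP_DIR.search(cmd) and ".bat" in cmd.lower():
                hit("sfx_runs_batch", e["pid"], cmd)
            if img == "msg.exe" and UAC_NUDGE.search(cmd):
                hit("uac_social_engineering", e["pid"], cmd)
            if img in SEVENZIP_IMAGES and SEVENZIP_EXTRACT_WIM.search(cmd):
                hit("bundled_7zip_extracts_wim", e["pid"], cmd)
        elif e["type"] == "registry_query" and GEO_NATION_KEY.search(e["key"]):
            hit("geo_nation_lookup", e["pid"], e["key"])
    return findings


def verdict(findings) -> str:
    """'high' on a high-severity hit or three distinct rules in one trace, else the top severity."""
    levels = {f[2] for f in findings}
    if "high" in levels or len({f[0] for f in findings}) >= 3:
        return "high"
    if "medium" in levels:
        return "medium"
    return "low" if findings else "none"


if __name__ == "__main__":
    hits = detect(EVENTS)
    for rule, pid, sev, detail in hits:
        print(f"[{sev}] {rule} pid={pid} chain={' -> '.join(process_chain(EVENTS, pid))}")
    print("verdict:", verdict(hits))
```

The low-severity rules (the SFX temp directory, the geo lookup) are there to corroborate, not to alert on their own; a lone cmd.exe running a batch file or a lone 7-Zip extraction is everyday installer behaviour. The msg.exe rule is the one worth paging on, because a legitimate installer has no reason to tell the user in advance to accept an elevation prompt for a file it has not yet shown them.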

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.bat

MD5 a51991cfbe5f3c4f5b971e88664b182f
SHA1 a760e7177d6b7d3219b4fa96904411578798ac20
SHA256 1c8c26ce57cb19be5aabae40b9051b6ee694f872c09296c7eb803c6574e4284a
SHA512 7c7d58687180fa6b4688459786e90376409323c9b255756636d4bf81b8f9e4b8ac485b7308d4fd94ac95a36c1f0014dd0c8ef07659b004f8d6c7445a8303c883

C:\Users\Admin\AppData\Local\Temp\RarSFX0\7zr.exe

MD5 9f018e5feb96aae0e893a739c83a8b1f
SHA1 ec3b89ef381fd44deaf386b49223857a47b66bd8
SHA256 d2c0045523cf053a6b43f9315e9672fc2535f06aeadd4ffa53c729cd8b2b6dfe
SHA512 44d8504a693ad4d6b79631b653fc19b572de6bbe38713b53c45d9c9d5d3710aa8df93ee867a2a24419ebe883b8255fd18f30f8cf374b2242145fd6acb2189659

C:\Users\Admin\AppData\Local\Temp\RarSFX0\stub.wim

MD5 ca9e55c46ef083cc7d041ca0e73cf40b
SHA1 61bc48a6b6d5dc6686ab55dff330bdaf2c7d3dfb
SHA256 ff8f3124fc3990644d9f509b33e109992d081ccbfac24cba880680f58587a6ff
SHA512 e772ae58c00af74d6f3e47e22f969e52a46da9aecc16ad5bf5315cea1979ab0d110bb95baa8d6e650bec60c9d7e2a70373b9d5178b2b311a6e5946ee9e157a36