Malware Analysis Report

2025-04-13 21:19

Sample ID: 250322-wpfw9ssls4
Target: stub.wim
SHA256: ff8f3124fc3990644d9f509b33e109992d081ccbfac24cba880680f58587a6ff
Tags: chaos, discovery
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: ff8f3124fc3990644d9f509b33e109992d081ccbfac24cba880680f58587a6ff

Threat Level: Known bad

The file stub.wim was found to be: Known bad.

Malicious Activity Summary

Tags: chaos, discovery

Chaos family

Chaos Ransomware

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-03-22 18:05

Signatures

Chaos Ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Chaos family

Tags: chaos

Analysis: behavioral1

Detonation Overview

Submitted: 2025-03-22 18:05

Reported: 2025-03-22 18:06

Platform: win7-20241010-en

Max time kernel: 18s

Max time network: 19s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\stub.wim

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\stub.wim

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\stub.wim

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\stub.wim"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5: 0273e48c662376ad5f3915787d8d6e85
SHA1: c0a229c789a2ffb0a8140940b7a12dc66ca73678
SHA256: 7b8688c66b7a0b4d882f9502c24d6bfd4e70240224edbee13f4813697e7d1eb4
SHA512: 5f09491e1a6a2fd31f12dfc22108b8253dc4aeec2fca68817c24db0543e3989c1548ee9e2009f9473fc374d2040990a1448e88ba8862a57b1aaeb77af58b2f10

Analysis: behavioral2

Detonation Overview

Submitted: 2025-03-22 18:05

Reported: 2025-03-22 18:06

Platform: win10v2004-20250314-en

Max time kernel: 30s

Max time network: 31s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\stub.wim

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\stub.wim

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp

Files

N/A