Analysis
max time kernel: 230s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/03/2025, 15:11
Behavioral task behavioral1
  Sample: BloodEagle Ransomware Builder.exe
  Resource: win7-20250207-en
Behavioral task behavioral2
  Sample: BloodEagle Ransomware Builder.exe
  Resource: win10v2004-20250314-en
General
Target: BloodEagle Ransomware Builder.exe
Size: 683KB
MD5: bd74ac3a184b41087eaffe1c4e5575f1
SHA1: dcf0cc5cf9d633f398bda7821bb04b89ac60870d
SHA256: 87675dc68eac28c09af5658389267f7160d34865aaa4d2abaf4f127432333bcc
SHA512: bed0db9ed78e0459b151849b6c04ed626a664b6779fdce3b5ccdced5dc06c2eea208b08dc1cf153a6781587c45fba3d92a8f5a27952c58fcace27330a75d9526
SSDEEP: 3072:hL6xoPurnfsj7A0H7GMgXuD//bFLAkC3IGYWEyNakhm5Zt1HrTM/rFLjZkJ:8kj0aGMVFLQJPJUEFL2
Malware Config
Signatures
Chaos
  Ransomware family first seen in June 2021.
Chaos Ransomware (1 IoC)
  resource                                                                    yara_rule
  behavioral2/memory/4008-1-0x0000000000100000-0x00000000001B0000-memory.dmp  family_chaos
Chaos family
Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                        Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0           EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz      EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                       Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS        EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid   Process
  1928  vlc.exe
  5208  EXCEL.EXE
Suspicious behavior: EnumeratesProcesses (27 IoCs)
  pid   Process
  4008  BloodEagle Ransomware Builder.exe  (27 occurrences)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  1928  vlc.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid   Process
  Token: SeDebugPrivilege   4008  BloodEagle Ransomware Builder.exe
Suspicious use of FindShellTrayWindow (4 IoCs)
  pid   Process
  1928  vlc.exe  (4 occurrences)
Suspicious use of SendNotifyMessage (3 IoCs)
  pid   Process
  1928  vlc.exe  (3 occurrences)
Suspicious use of SetWindowsHookEx (11 IoCs)
  pid   Process
  1928  vlc.exe  (1 occurrence)
  5208  EXCEL.EXE  (10 occurrences)
Processes
C:\Users\Admin\AppData\Local\Temp\BloodEagle Ransomware Builder.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BloodEagle Ransomware Builder.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4008
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\Desktop\RepairDebug.xml"
  PID: 5304
C:\Program Files\VideoLAN\VLC\vlc.exe
  Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\TraceConfirm.3gp"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID: 1928
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\UndoSplit.xlsb"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 5208