chaos | 87675dc68eac28c09af5658389267f7160d34865aaa4d2abaf4f127432333bcc

Resubmissions

28/03/2025, 15:11

250328-sktqsaxxdt 10

28/03/2025, 06:32

250328-han3favkx7 10

Analysis

max time kernel
230s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BloodEagle Ransomware Builder.exe
Size

683KB
MD5

bd74ac3a184b41087eaffe1c4e5575f1
SHA1

dcf0cc5cf9d633f398bda7821bb04b89ac60870d
SHA256

87675dc68eac28c09af5658389267f7160d34865aaa4d2abaf4f127432333bcc
SHA512

bed0db9ed78e0459b151849b6c04ed626a664b6779fdce3b5ccdced5dc06c2eea208b08dc1cf153a6781587c45fba3d92a8f5a27952c58fcace27330a75d9526
SSDEEP

3072:hL6xoPurnfsj7A0H7GMgXuD//bFLAkC3IGYWEyNakhm5Zt1HrTM/rFLjZkJ:8kj0aGMVFLQJPJUEFL2

Score

10^/10

chaos ransomware

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 1 IoCs

resource	yara_rule
behavioral2/memory/4008-1-0x0000000000100000-0x00000000001B0000-memory.dmp	family_chaos

Chaos family
chaos

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1928	vlc.exe
5208	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
4008	BloodEagle Ransomware Builder.exe
4008	BloodEagle Ransomware Builder.exe
4008	BloodEagle Ransomware Builder.exe
4008	BloodEagle Ransomware Builder.exe
4008	BloodEagle Ransomware Builder.exe
4008	BloodEagle Ransomware Builder.exe
4008	BloodEagle Ransomware Builder.exe
4008	BloodEagle Ransomware Builder.exe
4008	BloodEagle Ransomware Builder.exe
4008	BloodEagle Ransomware Builder.exe
4008	BloodEagle Ransomware Builder.exe
4008	BloodEagle Ransomware Builder.exe
4008	BloodEagle Ransomware Builder.exe
4008	BloodEagle Ransomware Builder.exe
4008	BloodEagle Ransomware Builder.exe
4008	BloodEagle Ransomware Builder.exe
4008	BloodEagle Ransomware Builder.exe
4008	BloodEagle Ransomware Builder.exe
4008	BloodEagle Ransomware Builder.exe
4008	BloodEagle Ransomware Builder.exe
4008	BloodEagle Ransomware Builder.exe
4008	BloodEagle Ransomware Builder.exe
4008	BloodEagle Ransomware Builder.exe
4008	BloodEagle Ransomware Builder.exe
4008	BloodEagle Ransomware Builder.exe
4008	BloodEagle Ransomware Builder.exe
4008	BloodEagle Ransomware Builder.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1928	vlc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4008	BloodEagle Ransomware Builder.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1928	vlc.exe
1928	vlc.exe
1928	vlc.exe
1928	vlc.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1928	vlc.exe
1928	vlc.exe
1928	vlc.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1928	vlc.exe
5208	EXCEL.EXE
5208	EXCEL.EXE
5208	EXCEL.EXE
5208	EXCEL.EXE
5208	EXCEL.EXE
5208	EXCEL.EXE
5208	EXCEL.EXE
5208	EXCEL.EXE
5208	EXCEL.EXE
5208	EXCEL.EXE

C:\Users\Admin\AppData\Local\Temp\BloodEagle Ransomware Builder.exe
"C:\Users\Admin\AppData\Local\Temp\BloodEagle Ransomware Builder.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\Desktop\RepairDebug.xml"
1⤵
PID:5304

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\TraceConfirm.3gp"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1928

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\UndoSplit.xlsb"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1928-32-0x00007FF67A3B0000-0x00007FF67A4A8000-memory.dmp

Filesize
992KB

Download
memory/1928-35-0x00007FF9617A0000-0x00007FF962850000-memory.dmp

Filesize
16.7MB

Download
memory/1928-34-0x00007FF963250000-0x00007FF963506000-memory.dmp

Filesize
2.7MB

Download
memory/1928-33-0x00007FF9755C0000-0x00007FF9755F4000-memory.dmp

Filesize
208KB

Download
memory/4008-63-0x000000001AFB0000-0x000000001B159000-memory.dmp

Filesize
1.7MB

Download
memory/4008-71-0x000000001AFB0000-0x000000001B159000-memory.dmp

Filesize
1.7MB

Download
memory/4008-6-0x000000001AFB0000-0x000000001B159000-memory.dmp

Filesize
1.7MB

Download
memory/4008-7-0x00007FF969C50000-0x00007FF96A711000-memory.dmp

Filesize
10.8MB

Download
memory/4008-8-0x000000001AFB0000-0x000000001B159000-memory.dmp

Filesize
1.7MB

Download
memory/4008-9-0x000000001AFB0000-0x000000001B159000-memory.dmp

Filesize
1.7MB

Download
memory/4008-11-0x000000001AFB0000-0x000000001B159000-memory.dmp

Filesize
1.7MB

Download
memory/4008-12-0x000000001AFB0000-0x000000001B159000-memory.dmp

Filesize
1.7MB

Download
memory/4008-13-0x000000001AFB0000-0x000000001B159000-memory.dmp

Filesize
1.7MB

Download
memory/4008-77-0x000000001AFB0000-0x000000001B159000-memory.dmp

Filesize
1.7MB

Download
memory/4008-76-0x000000001AFB0000-0x000000001B159000-memory.dmp

Filesize
1.7MB

Download
memory/4008-0-0x00007FF969C53000-0x00007FF969C55000-memory.dmp

Filesize
8KB

Download
memory/4008-70-0x00007FF987C30000-0x00007FF987E25000-memory.dmp

Filesize
2.0MB

Download
memory/4008-69-0x000000001AFB0000-0x000000001B159000-memory.dmp

Filesize
1.7MB

Download
memory/4008-68-0x00007FF987C30000-0x00007FF987E25000-memory.dmp

Filesize
2.0MB

Download
memory/4008-3-0x00007FF969C50000-0x00007FF96A711000-memory.dmp

Filesize
10.8MB

Download
memory/4008-2-0x00007FF969C50000-0x00007FF96A711000-memory.dmp

Filesize
10.8MB

Download
memory/4008-1-0x0000000000100000-0x00000000001B0000-memory.dmp

Filesize
704KB

Download
memory/4008-5-0x00007FF969C50000-0x00007FF96A711000-memory.dmp

Filesize
10.8MB

Download
memory/4008-4-0x00007FF969C53000-0x00007FF969C55000-memory.dmp

Filesize
8KB

Download
memory/4008-67-0x000000001AFB0000-0x000000001B159000-memory.dmp

Filesize
1.7MB

Download
memory/4008-66-0x000000001AFB0000-0x000000001B159000-memory.dmp

Filesize
1.7MB

Download
memory/4008-65-0x000000001AFB0000-0x000000001B159000-memory.dmp

Filesize
1.7MB

Download
memory/4008-64-0x000000001AFB0000-0x000000001B159000-memory.dmp

Filesize
1.7MB

Download
memory/5208-61-0x00007FF947CB0000-0x00007FF947CC0000-memory.dmp

Filesize
64KB

Download
memory/5208-37-0x00007FF947CB0000-0x00007FF947CC0000-memory.dmp

Filesize
64KB

Download
memory/5208-60-0x00007FF947CB0000-0x00007FF947CC0000-memory.dmp

Filesize
64KB

Download
memory/5208-58-0x00007FF947CB0000-0x00007FF947CC0000-memory.dmp

Filesize
64KB

Download
memory/5208-36-0x00007FF947CB0000-0x00007FF947CC0000-memory.dmp

Filesize
64KB

Download
memory/5208-42-0x00007FF945880000-0x00007FF945890000-memory.dmp

Filesize
64KB

Download
memory/5208-41-0x00007FF945880000-0x00007FF945890000-memory.dmp

Filesize
64KB

Download
memory/5208-40-0x00007FF947CB0000-0x00007FF947CC0000-memory.dmp

Filesize
64KB

Download
memory/5208-39-0x00007FF947CB0000-0x00007FF947CC0000-memory.dmp

Filesize
64KB

Download
memory/5208-59-0x00007FF947CB0000-0x00007FF947CC0000-memory.dmp

Filesize
64KB

Download
memory/5208-38-0x00007FF947CB0000-0x00007FF947CC0000-memory.dmp

Filesize
64KB

Download
memory/5304-18-0x00007FF987C30000-0x00007FF987E25000-memory.dmp

Filesize
2.0MB

Download
memory/5304-17-0x00007FF987C30000-0x00007FF987E25000-memory.dmp

Filesize
2.0MB

Download
memory/5304-16-0x00007FF987C30000-0x00007FF987E25000-memory.dmp

Filesize
2.0MB

Download
memory/5304-14-0x00007FF947CB0000-0x00007FF947CC0000-memory.dmp

Filesize
64KB

Download
memory/5304-15-0x00007FF987CCD000-0x00007FF987CCE000-memory.dmp

Filesize
4KB

Download