chaos | c5471f41e0c89986dabada8d25452654d821864cce6d7f630031ac2f53230bc8

Resubmissions

01/04/2025, 18:11

250401-wssegawl13 10

01/04/2025, 18:09

250401-wrkm8sttcv 10

Analysis

max time kernel
63s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
01/04/2025, 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BuilderChaosRansomware.exe
Size

550KB
MD5

8b855e56e41a6e10d28522a20c1e0341
SHA1

17ea75272cfe3749c6727388fd444d2c970f9d01
SHA256

f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77
SHA512

eefab442b9c1be379e00c6a7de9d6d7d327ad8fd52d62a5744e104f6caa44f7147a8e74f340870f9c017980a3d8a5a86a05f76434539c01270c442a66b2af908
SSDEEP

3072:9UJAYdi2YcRVm16Pn6tpzqJG/sX9i2YcRPm16Pn6ckCjSH5EyR9aKZt18rTu+i2S:9aiWm162qJEsNiym16ryAiym168

Score

10^/10

chaos ransomware

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 2 IoCs

resource	yara_rule
behavioral1/memory/2004-1-0x0000000000080000-0x000000000010E000-memory.dmp	family_chaos
behavioral1/files/0x000700000002429d-11.dat	family_chaos

Chaos family
chaos
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 33 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	BuilderChaosRansomware.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	BuilderChaosRansomware.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	BuilderChaosRansomware.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	BuilderChaosRansomware.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	BuilderChaosRansomware.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	BuilderChaosRansomware.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	BuilderChaosRansomware.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	BuilderChaosRansomware.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	BuilderChaosRansomware.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	BuilderChaosRansomware.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	BuilderChaosRansomware.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	BuilderChaosRansomware.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	BuilderChaosRansomware.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	BuilderChaosRansomware.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	BuilderChaosRansomware.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	BuilderChaosRansomware.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	BuilderChaosRansomware.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	BuilderChaosRansomware.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	BuilderChaosRansomware.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	BuilderChaosRansomware.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	BuilderChaosRansomware.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	BuilderChaosRansomware.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	BuilderChaosRansomware.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	BuilderChaosRansomware.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	BuilderChaosRansomware.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	BuilderChaosRansomware.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	BuilderChaosRansomware.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	BuilderChaosRansomware.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	BuilderChaosRansomware.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	BuilderChaosRansomware.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	BuilderChaosRansomware.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	BuilderChaosRansomware.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	BuilderChaosRansomware.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2004	BuilderChaosRansomware.exe
2004	BuilderChaosRansomware.exe
2004	BuilderChaosRansomware.exe
2004	BuilderChaosRansomware.exe
2004	BuilderChaosRansomware.exe
2004	BuilderChaosRansomware.exe
2004	BuilderChaosRansomware.exe
2004	BuilderChaosRansomware.exe
2004	BuilderChaosRansomware.exe
2004	BuilderChaosRansomware.exe
2004	BuilderChaosRansomware.exe
2004	BuilderChaosRansomware.exe
2004	BuilderChaosRansomware.exe
2004	BuilderChaosRansomware.exe
2004	BuilderChaosRansomware.exe
2004	BuilderChaosRansomware.exe
2004	BuilderChaosRansomware.exe
2004	BuilderChaosRansomware.exe
2004	BuilderChaosRansomware.exe
2004	BuilderChaosRansomware.exe
2004	BuilderChaosRansomware.exe
2004	BuilderChaosRansomware.exe
2004	BuilderChaosRansomware.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2004	BuilderChaosRansomware.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2004	BuilderChaosRansomware.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 4012	2004	BuilderChaosRansomware.exe	99
PID 2004 wrote to memory of 4012	2004	BuilderChaosRansomware.exe	99
PID 4012 wrote to memory of 5820	4012	csc.exe	101
PID 4012 wrote to memory of 5820	4012	csc.exe	101

C:\Users\Admin\AppData\Local\Temp\BuilderChaosRansomware.exe
"C:\Users\Admin\AppData\Local\Temp\BuilderChaosRansomware.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4xncq0hy\4xncq0hy.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC60F.tmp" "c:\Users\Admin\Documents\CSCD285CAD8FC642BFA8619039B145A9E9.TMP"
    3⤵
    PID:5820

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC60F.tmp

Filesize
1KB

MD5
92ff0d3cc3f3d81f998093d294d9f1b8

SHA1
6747148d7247f5a3b91fb058aec05c57d7eaff02

SHA256
cbd46035add5f991e78ca36ee31caa20cb6cd72cebc2e76eec5573795a9086b9

SHA512
6804a029a0a4a1eb787fb4f3b27bd7b5b55bbbd6d3fa6d40e7681d410d9462ea8aab0b699197195970524aede099bb96e3bd99e33620beb811e302308432dc50

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4xncq0hy\4xncq0hy.0.cs

Filesize
30KB

MD5
76e03563ee3ab915bce443d213332ee7

SHA1
145d7da3c060b50eec81085a8fd05fcc3d849e78

SHA256
4c83fba26f2af551ca9044aca13e24ee109228b0c06563ebe75e36a0d294c607

SHA512
d40bb7d1d1427557198332d7ccd82182179a5cf2d61d0674f16d1b80104d6a1b111473f32965bbdb48f9e98ac386be5bf0bff7a0f80121bed58e6a482731bc1f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4xncq0hy\4xncq0hy.cmdline

Filesize
332B

MD5
728243849a6e18f72ebdaf177aeaf7a5

SHA1
55f6ebd33ee18f9c5e29f56bf9cfa6c5114347ce

SHA256
b2be19adea117e4c023cc6c7070bfd524a8de1d4e509c0d235cfdb67fba1e9df

SHA512
175da01ce696c76f0ef29d3752a60f8290fccaef6fe27b0be0b2323ddcba939c59837b4695f70e375a9a7b5cc88439f8f529a392131a70d1323fc5d77d81ae9e

Download Submit
\??\c:\Users\Admin\Documents\CSCD285CAD8FC642BFA8619039B145A9E9.TMP

Filesize
1KB

MD5
4a8b69d1b2c8695736b8c2273da513dc

SHA1
6519bfd357318ebc69831e8c9a12626c5a34dc2e

SHA256
d9edfacf147f183b116c4ba680fe1087d13f04fa7dc92ca7e9bc9f2fdbca24b6

SHA512
e4bf306c4ff1b6be85fa7824ba7e9c50906e965553fcbcb9debd966220b0328134d99ceedc6d563296332056c243dd310e8fe36e2fee2c3864f7aa67fde225e5

Download Submit
memory/2004-0-0x00007FFEFE333000-0x00007FFEFE335000-memory.dmp

Filesize
8KB

Download
memory/2004-1-0x0000000000080000-0x000000000010E000-memory.dmp

Filesize
568KB

Download
memory/2004-2-0x00007FFEFE330000-0x00007FFEFEDF1000-memory.dmp

Filesize
10.8MB

Download
memory/2004-3-0x00007FFEFE330000-0x00007FFEFEDF1000-memory.dmp

Filesize
10.8MB

Download
memory/2004-4-0x00007FFEFE333000-0x00007FFEFE335000-memory.dmp

Filesize
8KB

Download
memory/2004-5-0x00007FFEFE330000-0x00007FFEFEDF1000-memory.dmp

Filesize
10.8MB

Download
memory/2004-6-0x00007FFEFE330000-0x00007FFEFEDF1000-memory.dmp

Filesize
10.8MB

Download
memory/2004-19-0x00007FFEFE330000-0x00007FFEFEDF1000-memory.dmp

Filesize
10.8MB

Download