Analysis

  • max time kernel
    104s
  • max time network
    105s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250610-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250610-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    30/06/2025, 18:19

General

  • Target

    PREDATOR V0.0.9 PRO EDITION.exe

  • Size

    64KB

  • MD5

    6521941002a027eda11ddfb5e0bfd070

  • SHA1

    c74546be184bae0db27155335ef2b6b8cc1bad0b

  • SHA256

    6ffc11d1318fb26a30fed9b77d0b1d44d26c3ad204bccc12828de5952c00ef4e

  • SHA512

    b634f1af63e80009a6c4ad012930e68dd9f7c3a743dd8072c491c134ea5f22771534656f0c977edfa88b8a3115299f72af33a3eac38a5e2beba990eb46525f25

  • SSDEEP

    768:Aqo213mnplnmjQIr9q+wH/RScoWFqnr64NdUwDD/4SArl/TOGWwePKc:no212DAQIr9qb//oWInrZ3fb187iP

Malware Config

Extracted

Path

C:\Users\Admin\Documents\PREDATOR V0.0.9 PRO EDITION

Ransom Note
███▓▒░☠ CHAOS RANSOMWARE ☠░▒▓███
>>> DO NOT TRY TO RECOVER FILES YOURSELF <<<
YOUR ENTIRE SYSTEM HAS BEEN COMPROMISED.
All your files – documents, databases, personal photos – HAVE BEEN ENCRYPTED with military-grade algorithms.
This is not a joke. We have full access to your system. Backups are either encrypted or already destroyed.
❗️YOU HAVE 72 HOURS TO PAY OR LOSE EVERYTHING❗️
After this time:
– Your files will be permanently unrecoverable
– A copy of your data will be **leaked publicly**
– You will lose access to this message and your system may be **destroyed remotely**
To recover your files, you must pay:
📌 AMOUNT: $500 in Bitcoin
📌 BTC ADDRESS: 1PUoQp1FWW8Yv6AXdrd7sLN6rcnUmJG1Q4
💡 Send payment and then contact us on Telegram to get your decryption key.
We are the only ones who can help you. Antivirus cannot remove Chaos.
Do not waste time. Every second counts.
🕒 Time remaining: [72:00:00]
Once the timer hits ZERO — your fate is sealed.
Telegram: [https://t.me/Whitefoxxx]
💀 YOU HAVE BEEN WARNED 💀
Wallets

1PUoQp1FWW8Yv6AXdrd7sLN6rcnUmJG1Q4

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 2 IoCs
  • Chaos family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 34 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\PREDATOR V0.0.9 PRO EDITION.exe
    "C:\Users\Admin\AppData\Local\Temp\PREDATOR V0.0.9 PRO EDITION.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:124
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4404
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3220
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:1420
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4988
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:6004
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:5160
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:4080
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5368
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:3500
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2376
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5668
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:1356
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:4056
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:6096

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\Users\Admin\AppData\Roaming\svchost.exe

    Filesize
    64KB

    MD5
    6521941002a027eda11ddfb5e0bfd070

    SHA1
    c74546be184bae0db27155335ef2b6b8cc1bad0b

    SHA256
    6ffc11d1318fb26a30fed9b77d0b1d44d26c3ad204bccc12828de5952c00ef4e

    SHA512
    b634f1af63e80009a6c4ad012930e68dd9f7c3a743dd8072c491c134ea5f22771534656f0c977edfa88b8a3115299f72af33a3eac38a5e2beba990eb46525f25

  • C:\Users\Admin\Documents\PREDATOR V0.0.9 PRO EDITION

    Filesize
    1KB

    MD5
    60f0b4aba46f453268210fdc8d96914c

    SHA1
    6106bdb7971a37be8ee467572263b5579a7f736c

    SHA256
    9ea5762ae0c000802105e1bea6cf753f61e67e7ffccbdfee0d287e89b005cfac

    SHA512
    94e7624ab8a39e23add615997bc35c094a4dd2c4f7590eac4fa727ed92b1ea867e0af9bbeba3759703433e8a19f826ba4951475f9ff6e48528ad7e92e1188bbb

  • memory/124-0-0x00000000003F0000-0x0000000000406000-memory.dmp

    Filesize
    88KB