| File name: | AstraLocker2.0.7z |
| Full analysis: | https://app.any.run/tasks/794d514f-121f-464f-96b7-0d84908a47bd |
| Verdict: | Malicious activity |
| Threats: | Chaos ransomware is a malware family known for its destructive capabilities and diverse variants. It first appeared in 2021 as a ransomware builder and later acted as a wiper. Unlike most ransomware strains that encrypt data to extort payment, early Chaos variants permanently corrupted files, while later versions adopted more conventional encryption techniques. |
| Analysis date: | May 16, 2025, 15:53:06 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-7z-compressed |
| File info: | 7-zip archive data, version 0.4 |
| MD5: | 143C12FE2D9D3E9734A6F4414FDA9B9C |
| SHA1: | 6FAC7320580129037F226306AC8FAD9CBB8B2E05 |
| SHA256: | CDB8DEED945F3DFF732FDBD85AD1DA65DE7D13754542982FB66CCF44F99C148F |
| SSDEEP: | 384:EZo9LQ87XlxtXuIcTnAVYfM2HA/4qOv0dZJSvoQ6UZs0M7/DN9:Ao9ZXDtXu5TnA4p6av0leoK2v/n |
MALICIOUS
Generic archive extractor
- WinRAR.exe (PID: 492)
CHAOS has been detected (YARA)
- Astralocker2.0.exe (PID: 1032)
- svchost.exe (PID: 988)
Deletes shadow copies
- cmd.exe (PID: 3664)
- cmd.exe (PID: 1380)
Disables task manager
- svchost.exe (PID: 988)
Changes the autorun value in the registry
- svchost.exe (PID: 988)
Using BCDEDIT.EXE to modify recovery options
- cmd.exe (PID: 3184)
Steals credentials from Web Browsers
- svchost.exe (PID: 988)
Create files in the Startup directory
- svchost.exe (PID: 988)
Actions looks like stealing of personal data
- svchost.exe (PID: 988)
Modifies files in the Chrome extension folder
- svchost.exe (PID: 988)
SUSPICIOUS
Reads security settings of Internet Explorer
- WinRAR.exe (PID: 492)
- Astralocker2.0.exe (PID: 1032)
- svchost.exe (PID: 988)
Executable content was dropped or overwritten
- Astralocker2.0.exe (PID: 1032)
The process creates files with name similar to system file names
- Astralocker2.0.exe (PID: 1032)
Found regular expressions for crypto-addresses (YARA)
- Astralocker2.0.exe (PID: 1032)
- svchost.exe (PID: 988)
Reads the Internet Settings
- Astralocker2.0.exe (PID: 1032)
- WMIC.exe (PID: 3648)
- svchost.exe (PID: 988)
Starts itself from another location
- Astralocker2.0.exe (PID: 1032)
Executes as Windows Service
- VSSVC.exe (PID: 1276)
- wbengine.exe (PID: 3652)
- vds.exe (PID: 3100)
Starts CMD.EXE for commands execution
- svchost.exe (PID: 988)
INFO
Executable content was dropped or overwritten
- WinRAR.exe (PID: 492)
Checks supported languages
- Astralocker2.0.exe (PID: 1032)
- svchost.exe (PID: 988)
Reads the computer name
- Astralocker2.0.exe (PID: 1032)
- svchost.exe (PID: 988)
Creates files or folders in the user directory
- Astralocker2.0.exe (PID: 1032)
- svchost.exe (PID: 988)
Reads the machine GUID from the registry
- Astralocker2.0.exe (PID: 1032)
- svchost.exe (PID: 988)
Creates files in the program directory
- svchost.exe (PID: 988)
Application launched itself
- msedge.exe (PID: 1072)
- msedge.exe (PID: 2132)
Manual execution by a user
- msedge.exe (PID: 2132)
Create files in a temporary directory
- svchost.exe (PID: 988)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .7z | | | 7-Zip compressed archive (v0.4) (57.1) |
|---|---|---|
| .7z | | | 7-Zip compressed archive (gen) (42.8) |
EXIF
ZIP
| FileVersion: | 7z v0.04 |
|---|---|
| ModifyDate: | 2024:01:02 14:44:43+00:00 |
| ArchivedFileName: | Astralocker2.0.exe |
Total processes
75
Monitored processes
32
Malicious processes
5
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 492 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\AstraLocker2.0.7z | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
| 904 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=109.0.5414.149 "--annotation=exe=C:\Program Files\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win32 "--annotation=prod=Microsoft Edge" --annotation=ver=109.0.1518.115 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd8,0x6c93f598,0x6c93f5a8,0x6c93f5b4 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Version: 109.0.1518.115 Modules
| |||||||||||||||
| 952 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4236 --field-trial-handle=1240,i,17897760309312141406,16317361781956775563,131072 --enable-features=msMicrosoftRootStoreUsed /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 972 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3732 --field-trial-handle=1240,i,17897760309312141406,16317361781956775563,131072 --enable-features=msMicrosoftRootStoreUsed /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 988 | "C:\Users\admin\AppData\Roaming\svchost.exe" | C:\Users\admin\AppData\Roaming\svchost.exe | Astralocker2.0.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Version: 0.0.0.0 Modules
| |||||||||||||||
| 1032 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb492.10637\Astralocker2.0.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb492.10637\Astralocker2.0.exe | WinRAR.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: Exit code: 1 Version: 0.0.0.0 Modules
| |||||||||||||||
| 1072 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\admin\AppData\Roaming\Restore_Files.html | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1276 | C:\Windows\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1372 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --first-renderer-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2220 --field-trial-handle=1240,i,17897760309312141406,16317361781956775563,131072 --enable-features=msMicrosoftRootStoreUsed /prefetch:1 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1380 | "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete | C:\Windows\System32\cmd.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
Total events
11 090
Read events
10 999
Write events
84
Delete events
7
Modification events
| (PID) Process: | (492) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (492) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (492) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
| (PID) Process: | (492) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\AstraLocker2.0.7z | |||
| (PID) Process: | (492) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (492) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (492) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (492) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (492) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (492) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
Executable files
2
Suspicious files
677
Text files
488
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 988 | svchost.exe | C:\Users\admin\Desktop\AstraLocker2.0.7z..hacked | binary | |
MD5:BA978DF035575FB6796F68FBDFCA639F | SHA256:182598EC7C30288D1FDA0E9BD9DB40655337E48DC451B8BA82BDBE17BD687D17 | |||
| 492 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb492.10637\Astralocker2.0.exe | executable | |
MD5:8F033C07F57F8CE2E62E3A327F423D55 | SHA256:6BDA9FAF719BB7A55E822667D909086193D323D8FA06B1A3D62437FCF6A9E24B | |||
| 988 | svchost.exe | C:\Users\admin\Restore_Files.html | text | |
MD5:CF0CC6E9F7B71141A348D2F8A9CC800F | SHA256:5A78197D3CD89269832678D0A59244B21FB0D6A8A87C2A080F68975E9C2FEBB9 | |||
| 988 | svchost.exe | C:\Users\admin\Desktop\Restore_Files.html | text | |
MD5:CF0CC6E9F7B71141A348D2F8A9CC800F | SHA256:5A78197D3CD89269832678D0A59244B21FB0D6A8A87C2A080F68975E9C2FEBB9 | |||
| 988 | svchost.exe | C:\Users\Administrator\Restore_Files.html | text | |
MD5:CF0CC6E9F7B71141A348D2F8A9CC800F | SHA256:5A78197D3CD89269832678D0A59244B21FB0D6A8A87C2A080F68975E9C2FEBB9 | |||
| 988 | svchost.exe | C:\Users\Restore_Files.html | text | |
MD5:CF0CC6E9F7B71141A348D2F8A9CC800F | SHA256:5A78197D3CD89269832678D0A59244B21FB0D6A8A87C2A080F68975E9C2FEBB9 | |||
| 988 | svchost.exe | C:\Users\admin\Desktop\AstraLocker2.0.7z | binary | |
MD5:D1457B72C3FB323A2671125AEF3EAB5D | SHA256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1 | |||
| 988 | svchost.exe | C:\Users\Administrator\AppData\Local\Restore_Files.html | text | |
MD5:CF0CC6E9F7B71141A348D2F8A9CC800F | SHA256:5A78197D3CD89269832678D0A59244B21FB0D6A8A87C2A080F68975E9C2FEBB9 | |||
| 988 | svchost.exe | C:\Users\admin\Desktop\believeship.png | binary | |
MD5:D1457B72C3FB323A2671125AEF3EAB5D | SHA256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1 | |||
| 988 | svchost.exe | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Restore_Files.html | text | |
MD5:CF0CC6E9F7B71141A348D2F8A9CC800F | SHA256:5A78197D3CD89269832678D0A59244B21FB0D6A8A87C2A080F68975E9C2FEBB9 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
18
DNS requests
15
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | whitelisted |
3592 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
2132 | msedge.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
3592 | msedge.exe | 150.171.27.11:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
3592 | msedge.exe | 195.78.67.22:443 | odkrywcyplanet.pl | — | — | suspicious |
3592 | msedge.exe | 92.123.104.34:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
2132 | msedge.exe | 224.0.0.251:5353 | — | — | — | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
config.edge.skype.com |
| whitelisted |
edge.microsoft.com |
| whitelisted |
odkrywcyplanet.pl |
| unknown |
www.bing.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |