| File name: | chat.exe |
| Full analysis: | https://app.any.run/tasks/c6db249d-270b-45f1-a495-fb62dd4a7283 |
| Verdict: | Malicious activity |
| Threats: | Chaos ransomware is a malware family known for its destructive capabilities and diverse variants. It first appeared in 2021 as a ransomware builder and later acted as a wiper. Unlike most ransomware strains that encrypt data to extort payment, early Chaos variants permanently corrupted files, while later versions adopted more conventional encryption techniques. |
| Analysis date: | January 30, 2025, 01:15:28 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections |
| MD5: | BB45C811961C699E90D80CC770FD828B |
| SHA1: | BAB510CE8E9413BFCB907964E7F29C6F0AF740AC |
| SHA256: | E5C6C05C353D24BB71D61DE48EC945C4284DF2AC6AABD751405B7F9349973BAB |
| SSDEEP: | 384:7nixKotc/2fhl6Hby2d7kEoBsufPrQUBvglyOy5o91ROkt3OB328jl:7WLa2fhT2d6BsufPcUBDho9zOktE3 |
MALICIOUS
Changes the autorun value in the registry
- svchost.exe (PID: 3744)
Deletes shadow copies
- cmd.exe (PID: 1224)
- cmd.exe (PID: 3832)
Using BCDEDIT.EXE to modify recovery options
- cmd.exe (PID: 5316)
Actions looks like stealing of personal data
- svchost.exe (PID: 3744)
Steals credentials from Web Browsers
- svchost.exe (PID: 3744)
CHAOS has been detected (YARA)
- svchost.exe (PID: 3744)
Modifies files in the Chrome extension folder
- svchost.exe (PID: 3744)
RANSOMWARE has been detected
- svchost.exe (PID: 3744)
Create files in the Startup directory
- svchost.exe (PID: 3744)
SUSPICIOUS
Executable content was dropped or overwritten
- chat.exe (PID: 6072)
The process creates files with name similar to system file names
- chat.exe (PID: 6072)
Reads the date of Windows installation
- chat.exe (PID: 6072)
- svchost.exe (PID: 3744)
Starts itself from another location
- chat.exe (PID: 6072)
Reads security settings of Internet Explorer
- chat.exe (PID: 6072)
- svchost.exe (PID: 3744)
Starts CMD.EXE for commands execution
- svchost.exe (PID: 3744)
Executes as Windows Service
- VSSVC.exe (PID: 3812)
- vds.exe (PID: 352)
- wbengine.exe (PID: 1476)
Found regular expressions for crypto-addresses (YARA)
- svchost.exe (PID: 3744)
Start notepad (likely ransomware note)
- svchost.exe (PID: 3744)
INFO
Checks supported languages
- chat.exe (PID: 6072)
- svchost.exe (PID: 3744)
Reads the computer name
- chat.exe (PID: 6072)
- svchost.exe (PID: 3744)
Creates files or folders in the user directory
- chat.exe (PID: 6072)
- svchost.exe (PID: 3744)
Reads the machine GUID from the registry
- chat.exe (PID: 6072)
- svchost.exe (PID: 3744)
Process checks computer location settings
- chat.exe (PID: 6072)
- svchost.exe (PID: 3744)
Reads security settings of Internet Explorer
- WMIC.exe (PID: 5732)
- notepad.exe (PID: 3612)
Creates files in the program directory
- svchost.exe (PID: 3744)
Create files in a temporary directory
- svchost.exe (PID: 3744)
Reads Microsoft Office registry keys
- svchost.exe (PID: 3744)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (82.9) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (7.4) |
| .exe | | | Win32 Executable (generic) (5.1) |
| .exe | | | Generic Win/DOS Executable (2.2) |
| .exe | | | DOS Executable Generic (2.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2025:01:30 01:10:37+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 11 |
| CodeSize: | 25600 |
| InitializedDataSize: | 2048 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x830e |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.0.0.0 |
| ProductVersionNumber: | 0.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| FileDescription: | |
| FileVersion: | 0.0.0.0 |
| InternalName: | chat.exe |
| LegalCopyright: | |
| OriginalFileName: | chat.exe |
| ProductVersion: | 0.0.0.0 |
| AssemblyVersion: | 0.0.0.0 |
Total processes
135
Monitored processes
18
Malicious processes
4
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 352 | C:\WINDOWS\System32\vds.exe | C:\Windows\System32\vds.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Virtual Disk Service Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1224 | "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete | C:\Windows\System32\cmd.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1476 | "C:\WINDOWS\system32\wbengine.exe" | C:\Windows\System32\wbengine.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Block Level Backup Engine Service EXE Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2424 | vssadmin delete shadows /all /quiet | C:\Windows\System32\vssadmin.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Command Line Interface for Microsoft® Volume Shadow Copy Service Exit code: 2 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3612 | "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Roaming\read_it.txt | C:\Windows\System32\notepad.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Notepad Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3640 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3652 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3744 | "C:\Users\admin\AppData\Roaming\svchost.exe" | C:\Users\admin\AppData\Roaming\svchost.exe | chat.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Version: 0.0.0.0 Modules
| |||||||||||||||
| 3812 | C:\WINDOWS\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3832 | "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet | C:\Windows\System32\cmd.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
4 884
Read events
4 847
Write events
19
Delete events
18
Modification events
| (PID) Process: | (3744) svchost.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | UpdateTask |
Value: C:\Users\admin\AppData\Roaming\svchost.exe | |||
| (PID) Process: | (4556) bcdedit.exe | Key: | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001 |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (4556) bcdedit.exe | Key: | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001 |
| Operation: | write | Name: | Element |
Value: 0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000 | |||
| (PID) Process: | (4556) bcdedit.exe | Key: | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002 |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (4556) bcdedit.exe | Key: | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002 |
| Operation: | write | Name: | Element |
Value: \EFI\Microsoft\Boot\bootmgfw.efi | |||
| (PID) Process: | (4556) bcdedit.exe | Key: | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\11000001 |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (4556) bcdedit.exe | Key: | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\11000001 |
| Operation: | write | Name: | Element |
Value: 0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000 | |||
| (PID) Process: | (4556) bcdedit.exe | Key: | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\12000002 |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (4556) bcdedit.exe | Key: | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\12000002 |
| Operation: | write | Name: | Element |
Value: \EFI\Boot\Loader.efi | |||
| (PID) Process: | (4556) bcdedit.exe | Key: | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\Description |
| Operation: | delete key | Name: | (default) |
Value: | |||
Executable files
1
Suspicious files
540
Text files
871
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3744 | svchost.exe | C:\$WinREAgent\RollbackInfo.ini.load | binary | |
MD5:3C9A577AD951B20E98846A69CFF9A378 | SHA256:B54E5CCB3D7BD61B2C7CB5232E250EF656B6B1B0B841F47D0312A6EECB46569B | |||
| 3744 | svchost.exe | C:\found.000\dir0001.chk\WmiApRpl.ini.h9a7 | binary | |
MD5:3F1AF35BE6019D67372BF659C4C882A5 | SHA256:BE6F6AD7CB3DDD2860AD734EFC0E59B8F2D83F8EE5A95B4A67F5231A35B613AC | |||
| 3744 | svchost.exe | C:\$WinREAgent\Backup\location.txt.sdwj | binary | |
MD5:E20D1934EBAF2FF88D4C28066B594EFA | SHA256:A73FD89577A5C3B762E6A94F964A17A014A7B5278849E2D6CCE3A65AC782E75A | |||
| 6072 | chat.exe | C:\Users\admin\AppData\Roaming\svchost.exe | executable | |
MD5:BB45C811961C699E90D80CC770FD828B | SHA256:E5C6C05C353D24BB71D61DE48EC945C4284DF2AC6AABD751405B7F9349973BAB | |||
| 3744 | svchost.exe | C:\$WinREAgent\read_it.txt | text | |
MD5:ED5CC52876DB869DE48A4783069C2A5E | SHA256:45726F2F29967EF016F8D556FB6468A577307D67388CC4530295A9CA10FDFA36 | |||
| 3744 | svchost.exe | C:\$WinREAgent\Rollback.xml | binary | |
MD5:D1457B72C3FB323A2671125AEF3EAB5D | SHA256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1 | |||
| 3744 | svchost.exe | C:\$WinREAgent\Rollback.xml.v7wn | binary | |
MD5:44A0F36B059864FDA6FD06E7C8FEAA64 | SHA256:97D17E9D4E4F8F53B23C79F8A68184DFF4A5E881635E0D88E4CD3FB9B9BEA1F9 | |||
| 3744 | svchost.exe | C:\$WinREAgent\Backup\read_it.txt | text | |
MD5:ED5CC52876DB869DE48A4783069C2A5E | SHA256:45726F2F29967EF016F8D556FB6468A577307D67388CC4530295A9CA10FDFA36 | |||
| 3744 | svchost.exe | C:\$WinREAgent\RollbackInfo.ini | binary | |
MD5:D1457B72C3FB323A2671125AEF3EAB5D | SHA256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1 | |||
| 3744 | svchost.exe | C:\$WinREAgent\Backup\location.txt | binary | |
MD5:D1457B72C3FB323A2671125AEF3EAB5D | SHA256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
18
DNS requests
7
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.72:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | POST | 204 | 104.126.37.131:443 | https://www.bing.com/threshold/xls.aspx | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | 2.16.164.72:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
4712 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
3976 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
5064 | SearchApp.exe | 104.126.37.128:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
Threats
Process | Message |
|---|---|
wbadmin.exe | Invalid parameter passed to C runtime function.
|