File name:	Echo-Scanner.exe
Full analysis:	https://app.any.run/tasks/eac26024-e98d-4692-be59-09a257bdaa31
Verdict:	Malicious activity
Threats:	Chaos ransomware is a malware family known for its destructive capabilities and diverse variants. It first appeared in 2021 as a ransomware builder and later acted as a wiper. Unlike most ransomware strains that encrypt data to extort payment, early Chaos variants permanently corrupted files, while later versions adopted more conventional encryption techniques. Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 13, 2025, 01:44:42
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	chaos ransomware crypto-regex stealer
Indicators:
MD5:	818B2D4040E1CD5147936107AE00E2DE
SHA1:	0C0CECF79650B70548D521351821E3479C6CAB77
SHA256:	E888BD6A36D2B00EA8F2223E1FE8370CF3F0277F13B83FF57923834FC5608A66
SSDEEP:	12288:U5g97bqHS+cFjdCr7fY7ryQOyXbeB9DN1XPGAovqkdaRSTyZZdoYSJU/vHUemrHl:dj7+nyCTeavH2


(PID) Process:	(7768) svchost.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	UpdateTask
Value: C:\Users\admin\AppData\Roaming\svchost.exe
(PID) Process:	(496) bcdedit.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(496) bcdedit.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\11000001
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(496) bcdedit.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\11000001
Operation:	write	Name:	Element
Value: 0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000
(PID) Process:	(496) bcdedit.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\12000002
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(496) bcdedit.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\12000002
Operation:	write	Name:	Element
Value: \EFI\Boot\Loader.efi
(PID) Process:	(496) bcdedit.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\Description
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(496) bcdedit.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\Elements\24000001
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(496) bcdedit.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\Elements\25000004
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(496) bcdedit.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\Elements
Operation:	delete key	Name:	(default)
Value:

PID	Process	Filename		Type
7768	svchost.exe	C:\$WinREAgent\RollbackInfo.ini.vc8f		binary
		MD5:2B58B1AC0EA71580C5ABFDBE455C8764	SHA256:44AC32B44ECEBD36D0EA02143852912496B253370E81CEA39BA7A36F68569E27
7768	svchost.exe	C:\$WinREAgent\read_it.txt		text
		MD5:0FD983D1DEE552ACD643B519981367F0	SHA256:207DE2F7DB4CCB36D3B968D8EC22B851CCD1EC975F07AEFE0F2DB7F5995DFB78
7768	svchost.exe	C:\$WinREAgent\Rollback.xml.cqsv		binary
		MD5:EC0098FB7762C9F70B9F19831A6A7EA8	SHA256:F68503434F9FE18287143DFAF7CAAAFC9FB0F86F0D2A9D9FD87A0A3F38BE2204
7768	svchost.exe	C:\$WinREAgent\Backup\ReAgent.xml.lbpt		binary
		MD5:55A7E60D625A871F5E6E6D0B08A0D0F7	SHA256:F2AD08872B6D400240F7869B7445B29911CD104F5F47B3B5DAB11539238A1B0E
7444	Echo-Scanner.exe	C:\Users\admin\AppData\Roaming\svchost.exe		executable
		MD5:818B2D4040E1CD5147936107AE00E2DE	SHA256:E888BD6A36D2B00EA8F2223E1FE8370CF3F0277F13B83FF57923834FC5608A66
7768	svchost.exe	C:\$WinREAgent\Backup\location.txt.n26z		binary
		MD5:035A6EFD25F5FFE9028622F899248DAD	SHA256:AABD4445951387915E5F65CAF14F333A0150CD7263362B379B029BFC1A9F9F7A
7768	svchost.exe	C:\found.000\dir0001.chk\read_it.txt		text
		MD5:0FD983D1DEE552ACD643B519981367F0	SHA256:207DE2F7DB4CCB36D3B968D8EC22B851CCD1EC975F07AEFE0F2DB7F5995DFB78
7768	svchost.exe	C:\Recovery\ReAgentOld.xml		binary
		MD5:D1457B72C3FB323A2671125AEF3EAB5D	SHA256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
7768	svchost.exe	C:\Recovery\ReAgentOld.xml.z5qb		binary
		MD5:D055D3F5074ACA2AC59BEC1AEDA7E011	SHA256:5CC7936B35047A3BB3CCD3668E1F26F106CED5785E65B58427B2EB96CCCCCD18
7768	svchost.exe	C:\Recovery\OEM\ResetConfig.xml.343d		binary
		MD5:53601F92829F4B60177C2D19F9D27566	SHA256:0E0D853C3A5BFEA0C9F3FDBBD282D91F11F575DBAB224D487BA7272DFE586726

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6392	RUXIMICS.exe	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
2104	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6392	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2104	svchost.exe	2.16.164.120:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
6392	RUXIMICS.exe	2.16.164.120:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
2104	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
7312	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6108	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2	whitelisted
google.com	216.58.206.46	whitelisted
crl.microsoft.com	2.16.164.120 2.16.164.49	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

General Info

Echo-Scanner.exe

818B2D4040E1CD5147936107AE00E2DE

0C0CECF79650B70548D521351821E3479C6CAB77

E888BD6A36D2B00EA8F2223E1FE8370CF3F0277F13B83FF57923834FC5608A66

12288:U5g97bqHS+cFjdCr7fY7ryQOyXbeB9DN1XPGAovqkdaRSTyZZdoYSJU/vHUemrHl:dj7+nyCTeavH2

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

CHAOS has been detected (YARA)

Changes the autorun value in the registry

Using BCDEDIT.EXE to modify recovery options

Deletes shadow copies

Disables task manager

Steals credentials from Web Browsers

RANSOMWARE has been detected

Actions looks like stealing of personal data

Create files in the Startup directory

Modifies files in the Chrome extension folder

SUSPICIOUS

Reads the date of Windows installation

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Starts itself from another location

Starts CMD.EXE for commands execution

Found regular expressions for crypto-addresses (YARA)

Executes as Windows Service

Start notepad (likely ransomware note)

The process creates files with name similar to system file names

INFO

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Process checks computer location settings

Reads security settings of Internet Explorer

Creates files or folders in the user directory

Creates files in the program directory

Manual execution by a user

Create files in a temporary directory

Reads Microsoft Office registry keys

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests