Analysis
- max time kernel: 97s
- max time network: 103s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 01/05/2022, 18:25
Static task
- static1
Behavioral tasks
- behavioral1: sample illegal and unillegal/dead.exe, resource win10v2004-20220414-en
- behavioral2: sample decrypt-decrypters/Decrypter.exe, resource win10v2004-20220414-en
- behavioral3: sample decrypt-decrypters/privateKey.xml, resource win10v2004-20220414-en
- behavioral4: sample decrypt-decrypters/publicKey.xml, resource win10v2004-20220414-en
General
- Target: illegal and unillegal/dead.exe
- Size: 985KB
- MD5: 37a0d42671350931168039739cd65c4f
- SHA1: e372320a7d1d073a913891e20468932a86c4a086
- SHA256: 8864d707d5e91e1c073e5d3bd4324793202449c647b1b1936df35fd734635d4a
- SHA512: 2f3828bd2525dd8b6cc8daae7e2bcff2ba508c2841eaaf8a0faa359ea9e07f7387bf503c309ece096e6899627d5e9a9c90abf7d197bb8199e4db28b83d03a93c
Malware Config
Extracted from C:\Users\Admin\Desktop\readme.txt (URLs in the ransom note):
- https://www.astolfo.lgbt/
- https://absolllute.com/store/view_mega_hack_pro
- https://x.synapse.to/
- https://script-ware.com/
- https://protosmasher.net/
Signatures
Chaos
Ransomware family first seen in June 2021.
Chaos Ransomware (3 IoCs)
- resource behavioral1/memory/8-130-0x00000000003C0000-0x00000000004BC000-memory.dmp, yara_rule family_chaos
- resource behavioral1/files/0x00060000000231d8-133.dat, yara_rule family_chaos
- resource behavioral1/files/0x00060000000231d8-134.dat, yara_rule family_chaos
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
- PID 3500 bcdedit.exe
- PID 2832 bcdedit.exe
Deletes backup catalog (signature attached to wbadmin.exe in the process tree below)
- PID 4228 wbadmin.exe
Executes dropped EXE (1 IoCs)
- PID 4460 chrome.exe
Modifies extensions of user files (1 IoCs)
Ransomware generally changes the extension on encrypted files.
- File renamed: C:\Users\Admin\Pictures\FormatOpen.tif => C:\Users\Admin\Pictures\FormatOpen.tif.nzeb (chrome.exe)
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (dead.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (chrome.exe)
Drops startup file (3 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.url (chrome.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (chrome.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\readme.txt (chrome.exe)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) (33 IoCs)
All entries are "File opened for modification" by chrome.exe:
- C:\Users\Admin\Pictures\Camera Roll\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
- C:\Users\Public\Videos\desktop.ini
- C:\Users\Admin\Music\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- C:\Users\Public\Music\desktop.ini
- C:\Users\Public\Desktop\desktop.ini
- C:\Users\Admin\Contacts\desktop.ini
- C:\Users\Admin\Saved Games\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
- C:\Users\Admin\Links\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- C:\Users\Public\Pictures\desktop.ini
- C:\Users\Admin\Pictures\desktop.ini
- C:\Users\Admin\Searches\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
- C:\Users\Admin\Desktop\desktop.ini
- C:\Users\Admin\Downloads\desktop.ini
- C:\Users\Admin\OneDrive\desktop.ini
- C:\Users\Admin\Favorites\desktop.ini
- C:\Users\Admin\Favorites\Links\desktop.ini
- C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
- C:\Users\Admin\Documents\desktop.ini
- C:\Users\Admin\Videos\desktop.ini
- C:\Users\Public\Documents\desktop.ini
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwpzypqc9.jpg" (chrome.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 (vds.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (vds.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 (vds.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName (vds.exe)
Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
- PID 1508 vssadmin.exe
Modifies registry class (1 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings (chrome.exe)
Opens file in notepad (likely ransom note) (1 IoCs)
- PID 1708 NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
- PID 4460 chrome.exe
Suspicious behavior: EnumeratesProcesses (49 IoCs)
The 49 entries are repeated hits for two processes:
- PID 8 dead.exe
- PID 4460 chrome.exe
Suspicious use of AdjustPrivilegeToken (50 IoCs)
- 8 dead.exe: SeDebugPrivilege
- 4460 chrome.exe: SeDebugPrivilege
- 4768 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- 3968 WMIC.exe (the following sequence is recorded twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- 4648 wbengine.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
Suspicious use of WriteProcessMemory (20 IoCs)
Each entry is recorded twice in the report; the distinct writes (source pid, process, procid_target) are:
- PID 8 wrote to memory of 4460 (8 dead.exe, procid_target 80)
- PID 4460 wrote to memory of 616 (4460 chrome.exe, procid_target 87)
- PID 616 wrote to memory of 1508 (616 cmd.exe, procid_target 89)
- PID 616 wrote to memory of 3968 (616 cmd.exe, procid_target 92)
- PID 4460 wrote to memory of 3660 (4460 chrome.exe, procid_target 93)
- PID 3660 wrote to memory of 3500 (3660 cmd.exe, procid_target 95)
- PID 3660 wrote to memory of 2832 (3660 cmd.exe, procid_target 96)
- PID 4460 wrote to memory of 4960 (4460 chrome.exe, procid_target 97)
- PID 4960 wrote to memory of 4228 (4960 cmd.exe, procid_target 99)
- PID 4460 wrote to memory of 1708 (4460 chrome.exe, procid_target 105)
Processes
- C:\Users\Admin\AppData\Local\Temp\illegal and unillegal\dead.exe (PID 8), command line: "C:\Users\Admin\AppData\Local\Temp\illegal and unillegal\dead.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\chrome.exe (PID 4460), command line: "C:\Users\Admin\AppData\Roaming\chrome.exe"
    - Executes dropped EXE
    - Modifies extensions of user files
    - Checks computer location settings
    - Drops startup file
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe (PID 616), command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\vssadmin.exe (PID 1508), command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
      - C:\Windows\System32\Wbem\WMIC.exe (PID 3968), command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\cmd.exe (PID 3660), command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\bcdedit.exe (PID 3500), command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
        - Modifies boot configuration data using bcdedit
      - C:\Windows\system32\bcdedit.exe (PID 2832), command line: bcdedit /set {default} recoveryenabled no
        - Modifies boot configuration data using bcdedit
    - C:\Windows\System32\cmd.exe (PID 4960), command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wbadmin.exe (PID 4228), command line: wbadmin delete catalog -quiet
        - Deletes backup catalog
    - C:\Windows\system32\NOTEPAD.EXE (PID 1708), command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\readme.txt
      - Opens file in notepad (likely ransom note)
- C:\Windows\system32\vssvc.exe (PID 4768), command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe (PID 4648), command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe (PID 2380), command line: C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe (PID 1016), command line: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)
Network
MITRE ATT&CK Enterprise v6