Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
102s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
28/10/2022, 15:20
Behavioral task
behavioral1
Sample
fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9.exe
Resource
win7-20220901-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
20 signatures
150 seconds
General
-
Target
fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9.exe
-
Size
22KB
-
MD5
f38910f1c71e210f710b0d2aed182f55
-
SHA1
b1ec33aafba903812914d2b8d90c5ee0c6055107
-
SHA256
fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9
-
SHA512
0c8e3315c062f41134df5ef534923b1ade7d7eaf804f789ced322638113c1e9e4228131cbd43fc2713d419e3ba12c5d43e43fdad1e04684998282e1f58b3391b
-
SSDEEP
384:63Mg/bqo2etUq4/fHapyj8ZOjPJNr91CaTb5geM:Aqo2jNSpjZOjhNr9ZTbeeM
Score
10/10
Malware Config
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 3 IoCs
resource yara_rule behavioral2/memory/5000-132-0x00000000008A0000-0x00000000008AC000-memory.dmp family_chaos behavioral2/files/0x000a000000022e32-135.dat family_chaos behavioral2/files/0x000a000000022e32-136.dat family_chaos -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 4716 bcdedit.exe 4248 bcdedit.exe -
pid Process 5068 wbadmin.exe -
Executes dropped EXE 1 IoCs
pid Process 2204 svchost.exe -
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\InstallEnter.raw => C:\Users\Admin\Pictures\InstallEnter.raw.tutb svchost.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9.exe Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation svchost.exe -
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW_RECOVER_YOUR_FILES.txt svchost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 33 IoCs
description ioc Process File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Searches\desktop.ini svchost.exe File opened for modification C:\Users\Public\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Public\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini svchost.exe File opened for modification C:\Users\Public\Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini svchost.exe File opened for modification C:\Users\Public\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Public\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2160 vssadmin.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings svchost.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 3108 NOTEPAD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2204 svchost.exe -
Suspicious behavior: EnumeratesProcesses 52 IoCs
pid Process 5000 fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9.exe 5000 fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9.exe 5000 fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9.exe 5000 fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9.exe 5000 fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9.exe 5000 fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9.exe 5000 fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9.exe 5000 fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9.exe 5000 fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9.exe 5000 fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9.exe 5000 fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9.exe 5000 fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9.exe 5000 fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9.exe 5000 fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9.exe 5000 fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9.exe 5000 fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9.exe 5000 fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9.exe 5000 fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9.exe 5000 fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9.exe 5000 fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9.exe 5000 fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9.exe 5000 fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9.exe 5000 fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9.exe 5000 fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9.exe 5000 fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9.exe 5000 fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9.exe 2204 svchost.exe 2204 svchost.exe 2204 svchost.exe 2204 svchost.exe 2204 svchost.exe 2204 svchost.exe 2204 svchost.exe 2204 svchost.exe 2204 svchost.exe 2204 svchost.exe 2204 svchost.exe 2204 svchost.exe 2204 svchost.exe 2204 svchost.exe 2204 svchost.exe 2204 svchost.exe 2204 svchost.exe 2204 svchost.exe 2204 svchost.exe 2204 svchost.exe 2204 svchost.exe 2204 svchost.exe 2204 svchost.exe 2204 svchost.exe 2204 svchost.exe 2204 svchost.exe -
Suspicious use of AdjustPrivilegeToken 50 IoCs
description pid Process Token: SeDebugPrivilege 5000 fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9.exe Token: SeDebugPrivilege 2204 svchost.exe Token: SeBackupPrivilege 1976 vssvc.exe Token: SeRestorePrivilege 1976 vssvc.exe Token: SeAuditPrivilege 1976 vssvc.exe Token: SeIncreaseQuotaPrivilege 4032 WMIC.exe Token: SeSecurityPrivilege 4032 WMIC.exe Token: SeTakeOwnershipPrivilege 4032 WMIC.exe Token: SeLoadDriverPrivilege 4032 WMIC.exe Token: SeSystemProfilePrivilege 4032 WMIC.exe Token: SeSystemtimePrivilege 4032 WMIC.exe Token: SeProfSingleProcessPrivilege 4032 WMIC.exe Token: SeIncBasePriorityPrivilege 4032 WMIC.exe Token: SeCreatePagefilePrivilege 4032 WMIC.exe Token: SeBackupPrivilege 4032 WMIC.exe Token: SeRestorePrivilege 4032 WMIC.exe Token: SeShutdownPrivilege 4032 WMIC.exe Token: SeDebugPrivilege 4032 WMIC.exe Token: SeSystemEnvironmentPrivilege 4032 WMIC.exe Token: SeRemoteShutdownPrivilege 4032 WMIC.exe Token: SeUndockPrivilege 4032 WMIC.exe Token: SeManageVolumePrivilege 4032 WMIC.exe Token: 33 4032 WMIC.exe Token: 34 4032 WMIC.exe Token: 35 4032 WMIC.exe Token: 36 4032 WMIC.exe Token: SeIncreaseQuotaPrivilege 4032 WMIC.exe Token: SeSecurityPrivilege 4032 WMIC.exe Token: SeTakeOwnershipPrivilege 4032 WMIC.exe Token: SeLoadDriverPrivilege 4032 WMIC.exe Token: SeSystemProfilePrivilege 4032 WMIC.exe Token: SeSystemtimePrivilege 4032 WMIC.exe Token: SeProfSingleProcessPrivilege 4032 WMIC.exe Token: SeIncBasePriorityPrivilege 4032 WMIC.exe Token: SeCreatePagefilePrivilege 4032 WMIC.exe Token: SeBackupPrivilege 4032 WMIC.exe Token: SeRestorePrivilege 4032 WMIC.exe Token: SeShutdownPrivilege 4032 WMIC.exe Token: SeDebugPrivilege 4032 WMIC.exe Token: SeSystemEnvironmentPrivilege 4032 WMIC.exe Token: SeRemoteShutdownPrivilege 4032 WMIC.exe Token: SeUndockPrivilege 4032 WMIC.exe Token: SeManageVolumePrivilege 4032 WMIC.exe Token: 33 4032 WMIC.exe Token: 34 4032 WMIC.exe Token: 35 4032 WMIC.exe Token: 36 4032 WMIC.exe Token: SeBackupPrivilege 3952 wbengine.exe Token: SeRestorePrivilege 3952 wbengine.exe Token: SeSecurityPrivilege 3952 wbengine.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 5000 wrote to memory of 2204 5000 fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9.exe 82 PID 5000 wrote to memory of 2204 5000 fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9.exe 82 PID 2204 wrote to memory of 4932 2204 svchost.exe 84 PID 2204 wrote to memory of 4932 2204 svchost.exe 84 PID 4932 wrote to memory of 2160 4932 cmd.exe 86 PID 4932 wrote to memory of 2160 4932 cmd.exe 86 PID 4932 wrote to memory of 4032 4932 cmd.exe 89 PID 4932 wrote to memory of 4032 4932 cmd.exe 89 PID 2204 wrote to memory of 1232 2204 svchost.exe 90 PID 2204 wrote to memory of 1232 2204 svchost.exe 90 PID 1232 wrote to memory of 4716 1232 cmd.exe 92 PID 1232 wrote to memory of 4716 1232 cmd.exe 92 PID 1232 wrote to memory of 4248 1232 cmd.exe 93 PID 1232 wrote to memory of 4248 1232 cmd.exe 93 PID 2204 wrote to memory of 5092 2204 svchost.exe 94 PID 2204 wrote to memory of 5092 2204 svchost.exe 94 PID 5092 wrote to memory of 5068 5092 cmd.exe 96 PID 5092 wrote to memory of 5068 5092 cmd.exe 96 PID 2204 wrote to memory of 3108 2204 svchost.exe 100 PID 2204 wrote to memory of 3108 2204 svchost.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9.exe"C:\Users\Admin\AppData\Local\Temp\fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Drops startup file
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:2160
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4032
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no3⤵
- Suspicious use of WriteProcessMemory
PID:1232 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
PID:4716
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
PID:4248
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
- Suspicious use of WriteProcessMemory
PID:5092 -
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
PID:5068
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\HOW_RECOVER_YOUR_FILES.txt3⤵
- Opens file in notepad (likely ransom note)
PID:3108
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1976
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3952
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:1268
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:3624
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
441B
MD5180013822f8487c7f749f1423e684a27
SHA1f0af6a838153d4cdf6ea46995e30efa3011b59a0
SHA25602a7e924ce27a9e4b3599f15534e7dceb7d40bf304afe8aa15df9aa221d16ca5
SHA512bfb24b8b9e7f501e3bae47bfef3ef21df247d1e34a9876b4e186430c2a2bd25cba32ca14ec42746fa07e31ffa0149119cd58c0c93dcf635c41a027cf7a754116
-
Filesize
22KB
MD5f38910f1c71e210f710b0d2aed182f55
SHA1b1ec33aafba903812914d2b8d90c5ee0c6055107
SHA256fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9
SHA5120c8e3315c062f41134df5ef534923b1ade7d7eaf804f789ced322638113c1e9e4228131cbd43fc2713d419e3ba12c5d43e43fdad1e04684998282e1f58b3391b
-
Filesize
22KB
MD5f38910f1c71e210f710b0d2aed182f55
SHA1b1ec33aafba903812914d2b8d90c5ee0c6055107
SHA256fc68c5aab307cd0da6476a150562f9fdfbbd768b2b5fa3bf4b912219209c8cf9
SHA5120c8e3315c062f41134df5ef534923b1ade7d7eaf804f789ced322638113c1e9e4228131cbd43fc2713d419e3ba12c5d43e43fdad1e04684998282e1f58b3391b