Analysis
max time kernel: 41s
max time network: 50s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 07/11/2022, 14:20
Behavioral task: behavioral1
Sample: f871efc0cdf5446908e436de9ed821ff0ec5e217c50c16e69e3d0e83f6257f0f.exe
Resource: win7-20220901-en
Behavioral task: behavioral2
Sample: f871efc0cdf5446908e436de9ed821ff0ec5e217c50c16e69e3d0e83f6257f0f.exe
Resource: win10v2004-20220812-en
General
Target: f871efc0cdf5446908e436de9ed821ff0ec5e217c50c16e69e3d0e83f6257f0f.exe
Size: 263KB
MD5: 9d016244b7f58fa5e974ef5f6e1ae54e
SHA1: 001bc943725ab768f8b8ecb2c9d3ae328f33c78b
SHA256: f871efc0cdf5446908e436de9ed821ff0ec5e217c50c16e69e3d0e83f6257f0f
SHA512: 292c222ca38e12c933769e128c9682a23719204214c1aca7e585eb1ef6c8c8b2090514298df16fe8b233482d8a7dedddd402c7db1d90aae8ea67915a2ff422d7
SSDEEP: 6144:iBr9fEjPswpzDFi2XFF47RpYlvP8kq/ac6:DjPskM2Xv47RGlvy/ac6
Malware Config
Signatures

Chaos
Ransomware family first seen in June 2021.

Chaos Ransomware (4 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1492-54-0x0000000000AB0000-0x0000000000AF8000-memory.dmp  family_chaos
  behavioral1/files/0x000500000000b2d2-56.dat                                  family_chaos
  behavioral1/files/0x000500000000b2d2-57.dat                                  family_chaos
  behavioral1/memory/276-58-0x0000000001090000-0x00000000010D8000-memory.dmp   family_chaos

Executes dropped EXE (1 IoC)
  pid  Process
  276  svchost.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  1544  276         WerFault.exe  27

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  1492  f871efc0cdf5446908e436de9ed821ff0ec5e217c50c16e69e3d0e83f6257f0f.exe
  276   svchost.exe
  276   svchost.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1492  f871efc0cdf5446908e436de9ed821ff0ec5e217c50c16e69e3d0e83f6257f0f.exe
  Token: SeDebugPrivilege  276   svchost.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                                                                   procid_target
  PID 1492 wrote to memory of 276   1492  f871efc0cdf5446908e436de9ed821ff0ec5e217c50c16e69e3d0e83f6257f0f.exe  27
  PID 1492 wrote to memory of 276   1492  f871efc0cdf5446908e436de9ed821ff0ec5e217c50c16e69e3d0e83f6257f0f.exe  27
  PID 1492 wrote to memory of 276   1492  f871efc0cdf5446908e436de9ed821ff0ec5e217c50c16e69e3d0e83f6257f0f.exe  27
  PID 276 wrote to memory of 1544   276   svchost.exe                                                               28
  PID 276 wrote to memory of 1544   276   svchost.exe                                                               28
  PID 276 wrote to memory of 1544   276   svchost.exe                                                               28
Processes

1. C:\Users\Admin\AppData\Local\Temp\f871efc0cdf5446908e436de9ed821ff0ec5e217c50c16e69e3d0e83f6257f0f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f871efc0cdf5446908e436de9ed821ff0ec5e217c50c16e69e3d0e83f6257f0f.exe"
   PID: 1492
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\svchost.exe (child of PID 1492)
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      PID: 276
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\WerFault.exe (child of PID 276)
         Command line: C:\Windows\system32\WerFault.exe -u -p 276 -s 564
         PID: 1544
         - Program crash
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 263KB
MD5: 9d016244b7f58fa5e974ef5f6e1ae54e
SHA1: 001bc943725ab768f8b8ecb2c9d3ae328f33c78b
SHA256: f871efc0cdf5446908e436de9ed821ff0ec5e217c50c16e69e3d0e83f6257f0f
SHA512: 292c222ca38e12c933769e128c9682a23719204214c1aca7e585eb1ef6c8c8b2090514298df16fe8b233482d8a7dedddd402c7db1d90aae8ea67915a2ff422d7