Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    41s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    07/11/2022, 14:20

General

  • Target

    f871efc0cdf5446908e436de9ed821ff0ec5e217c50c16e69e3d0e83f6257f0f.exe

  • Size

    263KB

  • MD5

    9d016244b7f58fa5e974ef5f6e1ae54e

  • SHA1

    001bc943725ab768f8b8ecb2c9d3ae328f33c78b

  • SHA256

    f871efc0cdf5446908e436de9ed821ff0ec5e217c50c16e69e3d0e83f6257f0f

  • SHA512

    292c222ca38e12c933769e128c9682a23719204214c1aca7e585eb1ef6c8c8b2090514298df16fe8b233482d8a7dedddd402c7db1d90aae8ea67915a2ff422d7

  • SSDEEP

    6144:iBr9fEjPswpzDFi2XFF47RpYlvP8kq/ac6:DjPskM2Xv47RGlvy/ac6

Score
10/10

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f871efc0cdf5446908e436de9ed821ff0ec5e217c50c16e69e3d0e83f6257f0f.exe
    "C:\Users\Admin\AppData\Local\Temp\f871efc0cdf5446908e436de9ed821ff0ec5e217c50c16e69e3d0e83f6257f0f.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1492
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:276
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 276 -s 564
        3⤵
        • Program crash
        PID:1544

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\svchost.exe

    Filesize

    263KB

    MD5

    9d016244b7f58fa5e974ef5f6e1ae54e

    SHA1

    001bc943725ab768f8b8ecb2c9d3ae328f33c78b

    SHA256

    f871efc0cdf5446908e436de9ed821ff0ec5e217c50c16e69e3d0e83f6257f0f

    SHA512

    292c222ca38e12c933769e128c9682a23719204214c1aca7e585eb1ef6c8c8b2090514298df16fe8b233482d8a7dedddd402c7db1d90aae8ea67915a2ff422d7

  • C:\Users\Admin\AppData\Roaming\svchost.exe

    Filesize

    263KB

    MD5

    9d016244b7f58fa5e974ef5f6e1ae54e

    SHA1

    001bc943725ab768f8b8ecb2c9d3ae328f33c78b

    SHA256

    f871efc0cdf5446908e436de9ed821ff0ec5e217c50c16e69e3d0e83f6257f0f

    SHA512

    292c222ca38e12c933769e128c9682a23719204214c1aca7e585eb1ef6c8c8b2090514298df16fe8b233482d8a7dedddd402c7db1d90aae8ea67915a2ff422d7

  • memory/276-58-0x0000000001090000-0x00000000010D8000-memory.dmp

    Filesize

    288KB

  • memory/1492-54-0x0000000000AB0000-0x0000000000AF8000-memory.dmp

    Filesize

    288KB