Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
31/03/2024, 14:49
240331-r687xsec77 1029/03/2024, 09:29
240329-lf9swaeg87 1029/03/2024, 08:58
240329-kw8ebaed26 1029/03/2024, 08:57
240329-kwtadsed22 1029/03/2024, 08:49
240329-krew7sec34 10Analysis
-
max time kernel
1566s -
max time network
1569s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
29/03/2024, 09:29
Behavioral task
behavioral1
Sample
234.zip
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
234.zip
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
234.zip
Resource
win11-20240221-en
Behavioral task
behavioral4
Sample
antivirus.exe
Resource
win7-20240221-en
Behavioral task
behavioral5
Sample
antivirus.exe
Resource
win10v2004-20240319-en
Behavioral task
behavioral6
Sample
antivirus.exe
Resource
win11-20240221-en
General
-
Target
antivirus.exe
-
Size
144KB
-
MD5
4016477fd044882c78f3c1a47d7322e1
-
SHA1
6c75ffa25ef2d1d6a658ff415b2e47964032fc6a
-
SHA256
fbbaef754d6dafaaf32ae5e7937135fe81075806e5e2b0db1d6f9441a1cd8633
-
SHA512
17706a8238817e135ffe378e60e1e52964a00aeee6c6b9bc7f288a0390ae97d958f053cf693a4d829a35acbe32e3ab9599c13150a3155c671490736e88d19df1
-
SSDEEP
3072:xokEUyr9ql5n3yU6S4M5Er8zwIMsoE0WNOBKHAHp+FBZ+:er9ql53y04QEwzh0FaAHQLZ
Malware Config
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 4 IoCs
resource yara_rule behavioral4/memory/1912-0-0x0000000001280000-0x00000000012AA000-memory.dmp family_chaos behavioral4/files/0x000800000001222c-6.dat family_chaos behavioral4/memory/2404-7-0x0000000000C80000-0x0000000000CAA000-memory.dmp family_chaos behavioral4/memory/2404-10-0x000000001AB70000-0x000000001ABF0000-memory.dmp family_chaos -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 1700 bcdedit.exe 2852 bcdedit.exe -
pid Process 2060 wbadmin.exe -
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hahaha.txt svchost.exe -
Executes dropped EXE 1 IoCs
pid Process 2404 svchost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 34 IoCs
description ioc Process File opened for modification C:\Users\Admin\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini svchost.exe File opened for modification C:\Users\Public\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini svchost.exe File opened for modification C:\Users\Public\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Searches\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini svchost.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini svchost.exe File opened for modification C:\Users\Public\Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini svchost.exe File opened for modification C:\Users\Public\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini svchost.exe File opened for modification C:\Users\Public\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini svchost.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini svchost.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lr2tvgljg.jpg" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2668 vssadmin.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 984 NOTEPAD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2404 svchost.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 1912 antivirus.exe 1912 antivirus.exe 2404 svchost.exe 2404 svchost.exe 2404 svchost.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
description pid Process Token: SeDebugPrivilege 1912 antivirus.exe Token: SeDebugPrivilege 2404 svchost.exe Token: SeBackupPrivilege 2624 vssvc.exe Token: SeRestorePrivilege 2624 vssvc.exe Token: SeAuditPrivilege 2624 vssvc.exe Token: SeIncreaseQuotaPrivilege 988 WMIC.exe Token: SeSecurityPrivilege 988 WMIC.exe Token: SeTakeOwnershipPrivilege 988 WMIC.exe Token: SeLoadDriverPrivilege 988 WMIC.exe Token: SeSystemProfilePrivilege 988 WMIC.exe Token: SeSystemtimePrivilege 988 WMIC.exe Token: SeProfSingleProcessPrivilege 988 WMIC.exe Token: SeIncBasePriorityPrivilege 988 WMIC.exe Token: SeCreatePagefilePrivilege 988 WMIC.exe Token: SeBackupPrivilege 988 WMIC.exe Token: SeRestorePrivilege 988 WMIC.exe Token: SeShutdownPrivilege 988 WMIC.exe Token: SeDebugPrivilege 988 WMIC.exe Token: SeSystemEnvironmentPrivilege 988 WMIC.exe Token: SeRemoteShutdownPrivilege 988 WMIC.exe Token: SeUndockPrivilege 988 WMIC.exe Token: SeManageVolumePrivilege 988 WMIC.exe Token: 33 988 WMIC.exe Token: 34 988 WMIC.exe Token: 35 988 WMIC.exe Token: SeIncreaseQuotaPrivilege 988 WMIC.exe Token: SeSecurityPrivilege 988 WMIC.exe Token: SeTakeOwnershipPrivilege 988 WMIC.exe Token: SeLoadDriverPrivilege 988 WMIC.exe Token: SeSystemProfilePrivilege 988 WMIC.exe Token: SeSystemtimePrivilege 988 WMIC.exe Token: SeProfSingleProcessPrivilege 988 WMIC.exe Token: SeIncBasePriorityPrivilege 988 WMIC.exe Token: SeCreatePagefilePrivilege 988 WMIC.exe Token: SeBackupPrivilege 988 WMIC.exe Token: SeRestorePrivilege 988 WMIC.exe Token: SeShutdownPrivilege 988 WMIC.exe Token: SeDebugPrivilege 988 WMIC.exe Token: SeSystemEnvironmentPrivilege 988 WMIC.exe Token: SeRemoteShutdownPrivilege 988 WMIC.exe Token: SeUndockPrivilege 988 WMIC.exe Token: SeManageVolumePrivilege 988 WMIC.exe Token: 33 988 WMIC.exe Token: 34 988 WMIC.exe Token: 35 988 WMIC.exe Token: SeBackupPrivilege 2092 wbengine.exe Token: SeRestorePrivilege 2092 wbengine.exe Token: SeSecurityPrivilege 2092 wbengine.exe -
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target PID 1912 wrote to memory of 2404 1912 antivirus.exe 28 PID 1912 wrote to memory of 2404 1912 antivirus.exe 28 PID 1912 wrote to memory of 2404 1912 antivirus.exe 28 PID 2404 wrote to memory of 1636 2404 svchost.exe 30 PID 2404 wrote to memory of 1636 2404 svchost.exe 30 PID 2404 wrote to memory of 1636 2404 svchost.exe 30 PID 1636 wrote to memory of 2668 1636 cmd.exe 32 PID 1636 wrote to memory of 2668 1636 cmd.exe 32 PID 1636 wrote to memory of 2668 1636 cmd.exe 32 PID 1636 wrote to memory of 988 1636 cmd.exe 35 PID 1636 wrote to memory of 988 1636 cmd.exe 35 PID 1636 wrote to memory of 988 1636 cmd.exe 35 PID 2404 wrote to memory of 276 2404 svchost.exe 37 PID 2404 wrote to memory of 276 2404 svchost.exe 37 PID 2404 wrote to memory of 276 2404 svchost.exe 37 PID 276 wrote to memory of 1700 276 cmd.exe 39 PID 276 wrote to memory of 1700 276 cmd.exe 39 PID 276 wrote to memory of 1700 276 cmd.exe 39 PID 276 wrote to memory of 2852 276 cmd.exe 40 PID 276 wrote to memory of 2852 276 cmd.exe 40 PID 276 wrote to memory of 2852 276 cmd.exe 40 PID 2404 wrote to memory of 2840 2404 svchost.exe 41 PID 2404 wrote to memory of 2840 2404 svchost.exe 41 PID 2404 wrote to memory of 2840 2404 svchost.exe 41 PID 2840 wrote to memory of 2060 2840 cmd.exe 43 PID 2840 wrote to memory of 2060 2840 cmd.exe 43 PID 2840 wrote to memory of 2060 2840 cmd.exe 43 PID 2404 wrote to memory of 984 2404 svchost.exe 47 PID 2404 wrote to memory of 984 2404 svchost.exe 47 PID 2404 wrote to memory of 984 2404 svchost.exe 47 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\antivirus.exe"C:\Users\Admin\AppData\Local\Temp\antivirus.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:2668
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:988
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no3⤵
- Suspicious use of WriteProcessMemory
PID:276 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
PID:1700
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
PID:2852
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
PID:2060
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\hahaha.txt3⤵
- Opens file in notepad (likely ransom note)
PID:984
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2624
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2092
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:828
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:1460
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144KB
MD54016477fd044882c78f3c1a47d7322e1
SHA16c75ffa25ef2d1d6a658ff415b2e47964032fc6a
SHA256fbbaef754d6dafaaf32ae5e7937135fe81075806e5e2b0db1d6f9441a1cd8633
SHA51217706a8238817e135ffe378e60e1e52964a00aeee6c6b9bc7f288a0390ae97d958f053cf693a4d829a35acbe32e3ab9599c13150a3155c671490736e88d19df1
-
Filesize
63B
MD545dfa78907ccd5154a672941b7fd7805
SHA1c96e039c5d260e3fc61d65da6718d3a832a182fd
SHA2567d6a89c0a71eb6607c0f9226cbdbc241a154a49e463e599ea8ff126c161ad6af
SHA51245b88dc885c14920f7e309566475c1c0d35b43dfade79ae951d41b422a4cba511f36b6305f0fde21af780399929f529661e1e9f1bcf0190e2b73472ed9950f2b