Resubmissions

24/03/2024, 02:10

240324-clsbcaah7w (score: 10)

Analysis

  • max time kernel
    2699s
  • max time network
    2617s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    30/03/2024, 14:14

General

  • Target

    5d4c5f3457c4487fe26df768ed8f3d2b.exe

  • Size

    120KB

  • MD5

    5d4c5f3457c4487fe26df768ed8f3d2b

  • SHA1

    f5f3df7d11e06dc158ac8183a8bde5895f8ea251

  • SHA256

    19c393a4787d325984d850d8f02db1f302819b808952f72c332251d5d95f7c32

  • SHA512

    793b8917ad068b77bcc7d771a28069ac432cfb441438e1a1f159fe94cbb2aa550fb2cc47d7354e30275ce2df402774902c987ad9b9be900f3748281f13a30e9a

  • SSDEEP

    3072:QoIcFr9LvJxaJ3e6ua0g0qcB2f/u80kcmU/C7eJBz4Jtu:dr9LvkbOqguxU6f4

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware (2 IoCs)
  • Deletes shadow copies (2 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  • Deletes backup catalog (3 TTPs, 1 IoC)

    Uses wbadmin.exe to inhibit system recovery.

  • Drops startup file (6 IoCs)
  • Executes dropped EXE (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials.

  • Drops desktop.ini file(s) (34 IoCs)
  • Drops file in System32 directory (3 IoCs)
  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) (3 TTPs, 7 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist (1 TTP, 1 IoC)
  • Interacts with shadow copies (2 TTPs, 1 IoC)

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class (2 IoCs)
  • Opens file in notepad (likely ransom note) (1 IoC)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (59 IoCs)
  • Suspicious use of FindShellTrayWindow (64 IoCs)
  • Suspicious use of SendNotifyMessage (64 IoCs)
  • Suspicious use of SetWindowsHookEx (5 IoCs)
  • Suspicious use of WriteProcessMemory (26 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d4c5f3457c4487fe26df768ed8f3d2b.exe
    "C:\Users\Admin\AppData\Local\Temp\5d4c5f3457c4487fe26df768ed8f3d2b.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3828
    • C:\Users\Admin\AppData\Roaming\PrivateChat.exe
      "C:\Users\Admin\AppData\Roaming\PrivateChat.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3608
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4568
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2412
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:5012
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2000
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:4816
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:3756
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4984
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:3424
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\README.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:3716
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3828
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4664
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:4700
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:5112
    • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
      "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3472
    • C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5064
      • C:\Windows\system32\mmc.exe
        "C:\Windows\system32\mmc.exe" "C:\Windows\system32\gpedit.msc"
        2⤵
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1436
      • C:\Windows\system32\tasklist.exe
        "C:\Windows\system32\tasklist.exe"
        2⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2124
      • C:\Windows\system32\Taskmgr.exe
        "C:\Windows\system32\Taskmgr.exe"
        2⤵
        • Drops startup file
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2200
    • C:\Windows\system32\werfault.exe
      werfault.exe /h /shared Global\b0f69fad7f304f5fae415dd9ad4e3689 /t 444 /p 1436
      1⤵
        PID:4560
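
The three cmd.exe chains spawned by PrivateChat.exe above (vssadmin/wmic, bcdedit, wbadmin) are the standard ransomware recovery-inhibition set (ATT&CK T1490), and they are far more telling together than any one of them alone. The detector below is an added example, not part of the tria.ge report or of Chaos itself: it takes process-creation events, attributes each hit to the process that orchestrated the chain (walking up through cmd.exe launchers) and only alerts when several distinct inhibition techniques come from the same root within a short window. The event list is constructed from the tree above (PIDs and command lines copied from it, timestamps invented); the rule names, the 300-second window and the two-technique threshold are this example's own assumptions.

```python
"""Detect the recovery-inhibition chain (ATT&CK T1490) in process-creation events.

Added example, not from the tria.ge report. EVENTS is constructed to mirror the
process tree in the report (PIDs and command lines copied, timestamps invented);
a real deployment would feed Sysmon Event ID 1 or Windows 4688 records instead.
"""
import re
from collections import defaultdict

# Constructed sample events, plus one benign read-only vssadmin call to show
# that the rules do not fire on listing shadow copies.
EVENTS = [
    {"ts": 0, "pid": 3608, "ppid": 3828, "image": r"C:\Users\Admin\AppData\Roaming\PrivateChat.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\PrivateChat.exe"'},
    {"ts": 1, "pid": 4568, "ppid": 3608, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete'},
    {"ts": 1, "pid": 2412, "ppid": 4568, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"ts": 2, "pid": 5012, "ppid": 4568, "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"ts": 2, "pid": 2000, "ppid": 3608, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no'},
    {"ts": 3, "pid": 4816, "ppid": 2000, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"ts": 3, "pid": 3756, "ppid": 2000, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"ts": 4, "pid": 4984, "ppid": 3608, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet'},
    {"ts": 4, "pid": 3424, "ppid": 4984, "image": r"C:\Windows\system32\wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"ts": 900, "pid": 7000, "ppid": 5064, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},  # benign: read-only, must not fire
]

# Technique name -> command-line pattern. Names are this example's own labels.
RULES = [
    ("shadow_copy_delete", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("shadow_copy_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("boot_failures_ignored", re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("backup_catalog_delete", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def attribute_root(event, by_pid):
    """Return the PID of the nearest ancestor that is not cmd.exe, so the tally
    lands on the orchestrating process (PrivateChat.exe here), not on the
    throwaway cmd.exe /C launchers."""
    ppid = event["ppid"]
    parent = by_pid.get(ppid)
    while parent is not None and basename(parent["image"]) == "cmd.exe":
        ppid = parent["ppid"]
        parent = by_pid.get(ppid)
    return ppid


def find_recovery_inhibition(events, window=300, min_techniques=2):
    """Return one finding per root process that used >= min_techniques distinct
    inhibition techniques within `window` seconds of each other.

    Caveat: keying on PID is only safe within a short trace. The report's own
    tree shows PID 3828 reused by vssvc.exe; real logs should key on ProcessGuid.
    """
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(dict)  # root pid -> {technique: first timestamp}
    for e in events:
        for name, rx in RULES:
            if rx.search(e["cmdline"]):
                hits[attribute_root(e, by_pid)].setdefault(name, e["ts"])
    findings = []
    for root, techs in hits.items():
        first, last = min(techs.values()), max(techs.values())
        if len(techs) >= min_techniques and last - first <= window:
            findings.append({
                "root_pid": root,
                "root_image": by_pid.get(root, {}).get("image", "<unknown>"),
                "techniques": sorted(techs),
                "span_seconds": last - first,
            })
    return findings


if __name__ == "__main__":
    for f in find_recovery_inhibition(EVENTS):
        print(f"T1490 chain from PID {f['root_pid']} ({f['root_image']}): "
              f"{', '.join(f['techniques'])} within {f['span_seconds']}s")
```

Matching the cmd.exe line as well as the child it spawns is deliberate: on hosts where the child never runs (vssadmin blocked by policy, for instance) the intent is still visible in the parent's command line, and the per-root dedupe keeps the double match from inflating the count.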

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

        Filesize

        9KB

        MD5

        04ae99393d56cad2873b023e1b0bea9b

        SHA1

        b71e980122b44db1f70954ce7433aee384073931

        SHA256

        3d63b7009ea36d1110014086573bad5b805ecadde714062d084f56903d816643

        SHA512

        1d4c929bcd8b16d00dec95c296821a72013a158cf0e05c8aaca1122e730c0414bb88561b2a4982773e63bebb03e18885e1b7f063112e341d819c72756b5ac02c

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lzx05xvc.end.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PrivateChat.url

        Filesize

        150B

        MD5

        a20fdb4c03ee3e73c9d0b0659c6e1ee8

        SHA1

        cab42c1c187c3d5e440b181be78426e8c9d8d5f6

        SHA256

        f4a981301daecd9500e23fff4e7a5bff9657fb9566d958dbf04f59a46e47848b

        SHA512

        4d2775c17f077e92d4702143fe9d931bf2b4a1adc5cdbe4735d3e8d262bc93d9da691134a4dcc93afa08d2baebd576c476b2e49e0325a9934ba373c6f15f929c

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.zc6l

        Filesize

        436B

        MD5

        fb252ba7ea2d4bc1ff70145e163b5499

        SHA1

        12ec7ad0d84299617aca6bd9a20c625afd3e47c7

        SHA256

        9cd1cb23187412684ac372a804498c9c9090342935d368b9f8b5eba16c8121eb

        SHA512

        0ad48058b76d1f1a2b6fef11d5a826a7f3afa4a20228a21adf0e264ef9e02f9cc2c4096e921b2c2cd3eebbe02c80fafa73f4b115391eb3d809c45dbd1d372b9f

      • C:\Users\Admin\AppData\Roaming\PrivateChat.exe

        Filesize

        120KB

        MD5

        5d4c5f3457c4487fe26df768ed8f3d2b

        SHA1

        f5f3df7d11e06dc158ac8183a8bde5895f8ea251

        SHA256

        19c393a4787d325984d850d8f02db1f302819b808952f72c332251d5d95f7c32

        SHA512

        793b8917ad068b77bcc7d771a28069ac432cfb441438e1a1f159fe94cbb2aa550fb2cc47d7354e30275ce2df402774902c987ad9b9be900f3748281f13a30e9a

      • C:\Users\Admin\Documents\README.txt

        Filesize

        366B

        MD5

        a9739643e50a5d9ca0f162feb7846dd5

        SHA1

        d10c5feedd35fd2a24cd1266014ae8adaad22fd3

        SHA256

        e611bd6ae4702f7496dda7ae78a5df097d1e6858c7fa38b3b9b7140379f7d51c

        SHA512

        cb5e3943ccce39f10a899a4900952b702601840a2e6dd8e385ebed1e4e7b041f8440dd7dde229c5d28cf82f380b17f498a3e6cb8426d984b71a4115de3df9552

      • memory/1436-489-0x00007FF99CFD0000-0x00007FF99DA92000-memory.dmp

        Filesize

        10.8MB

      • memory/1436-484-0x00007FF99CFD0000-0x00007FF99DA92000-memory.dmp

        Filesize

        10.8MB

      • memory/2200-504-0x000001BE6C730000-0x000001BE6C731000-memory.dmp

        Filesize

        4KB

      • memory/2200-501-0x000001BE6C730000-0x000001BE6C731000-memory.dmp

        Filesize

        4KB

      • memory/2200-494-0x000001BE6C730000-0x000001BE6C731000-memory.dmp

        Filesize

        4KB

      • memory/2200-503-0x000001BE6C730000-0x000001BE6C731000-memory.dmp

        Filesize

        4KB

      • memory/2200-495-0x000001BE6C730000-0x000001BE6C731000-memory.dmp

        Filesize

        4KB

      • memory/2200-505-0x000001BE6C730000-0x000001BE6C731000-memory.dmp

        Filesize

        4KB

      • memory/2200-499-0x000001BE6C730000-0x000001BE6C731000-memory.dmp

        Filesize

        4KB

      • memory/2200-502-0x000001BE6C730000-0x000001BE6C731000-memory.dmp

        Filesize

        4KB

      • memory/2200-500-0x000001BE6C730000-0x000001BE6C731000-memory.dmp

        Filesize

        4KB

      • memory/2200-493-0x000001BE6C730000-0x000001BE6C731000-memory.dmp

        Filesize

        4KB

      • memory/3608-20-0x0000000000A50000-0x0000000000A60000-memory.dmp

        Filesize

        64KB

      • memory/3608-450-0x0000000000A50000-0x0000000000A60000-memory.dmp

        Filesize

        64KB

      • memory/3608-509-0x00007FF99CFD0000-0x00007FF99DA92000-memory.dmp

        Filesize

        10.8MB

      • memory/3608-449-0x00007FF99CFD0000-0x00007FF99DA92000-memory.dmp

        Filesize

        10.8MB

      • memory/3608-15-0x00007FF99CFD0000-0x00007FF99DA92000-memory.dmp

        Filesize

        10.8MB

      • memory/3828-14-0x00007FF99CFD0000-0x00007FF99DA92000-memory.dmp

        Filesize

        10.8MB

      • memory/3828-0-0x0000000000F80000-0x0000000000FA4000-memory.dmp

        Filesize

        144KB

      • memory/3828-1-0x00007FF99CFD0000-0x00007FF99DA92000-memory.dmp

        Filesize

        10.8MB

      • memory/5064-474-0x0000024B7D920000-0x0000024B7D930000-memory.dmp

        Filesize

        64KB

      • memory/5064-488-0x0000024B7D920000-0x0000024B7D930000-memory.dmp

        Filesize

        64KB

      • memory/5064-487-0x0000024B7D920000-0x0000024B7D930000-memory.dmp

        Filesize

        64KB

      • memory/5064-486-0x0000024B7D920000-0x0000024B7D930000-memory.dmp

        Filesize

        64KB

      • memory/5064-485-0x00007FF99CFD0000-0x00007FF99DA92000-memory.dmp

        Filesize

        10.8MB

      • memory/5064-471-0x0000024B7DD80000-0x0000024B7DDC6000-memory.dmp

        Filesize

        280KB

      • memory/5064-473-0x0000024B7D920000-0x0000024B7D930000-memory.dmp

        Filesize

        64KB

      • memory/5064-472-0x0000024B7D920000-0x0000024B7D930000-memory.dmp

        Filesize

        64KB

      • memory/5064-470-0x00007FF99CFD0000-0x00007FF99DA92000-memory.dmp

        Filesize

        10.8MB

      • memory/5064-461-0x0000024B7D840000-0x0000024B7D862000-memory.dmp

        Filesize

        136KB
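
The Startup\PrivateChat.url entry above is the persistence behind the "Drops startup file" signature, and the PrivateChat.exe entry carries exactly the hashes of the submitted sample, so the dropped binary is a plain self-copy into %APPDATA%. The triage helper below is an added example, not code from the report or from Chaos: it parses .url shortcuts from a Startup folder and flags those whose file: URL points at an executable in a user-writable location. The shortcut bodies it uses are constructed, since the page lists the 150-byte file only by hash; the assumption that the real file is an [InternetShortcut] whose URL= points back at the dropped executable is this example's own.

```python
"""Triage .url shortcuts in a Startup folder for self-copy persistence.

Added example, not from the tria.ge report or the Chaos codebase. The shortcut
bodies below are constructed; the report lists PrivateChat.url only by hash, so
its exact contents are an assumption (an [InternetShortcut] with a file: URL
pointing back at the dropped executable).
"""
import configparser
import os
import re
import tempfile
from urllib.parse import unquote

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta", ".ps1", ".dll"}
# Lower-cased, forward-slash path fragments a legitimate Startup target rarely lives in.
USER_WRITABLE = ("/appdata/", "/temp/", "/tmp/", "/programdata/", "/users/public/", "/downloads/")

# Constructed sample shortcut bodies (assumed format, see module docstring).
CHAOS_LIKE_URL = "[InternetShortcut]\nURL=file:///C:\\Users\\Admin\\AppData\\Roaming\\PrivateChat.exe\nIconIndex=0\n"
VENDOR_URL = "[InternetShortcut]\nURL=file:///C:/Program%20Files/Vendor/Updater.exe\n"
WEB_URL = "[InternetShortcut]\nURL=https://example.com/\n"


def url_to_local_path(url):
    """Return a lower-cased, forward-slash local path for file: URLs, else None.
    Accepts the variants seen in the wild: file:///C:\\x, file:///C:/x,
    file://C:/x, file://localhost/C:/x and %20-escaped paths."""
    url = url.strip()
    m = re.match(r"(?i)^file:/{0,3}", url)
    if not m:
        return None
    rest = unquote(url[m.end():]).replace("\\", "/")
    if rest.lower().startswith("localhost/"):
        rest = rest[len("localhost/"):]
    return rest.lower()


def triage_url_shortcut(text):
    """Classify one .url body: not-a-url-shortcut, web-link, benign, review or suspicious."""
    # interpolation=None: '%20' in a path must not be treated as a format directive.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text.lstrip("\ufeff"))
    except configparser.Error:
        return {"verdict": "not-a-url-shortcut", "target": None, "reasons": []}
    if not cp.has_section("InternetShortcut"):
        return {"verdict": "not-a-url-shortcut", "target": None, "reasons": []}
    url = cp.get("InternetShortcut", "URL", fallback="")
    path = url_to_local_path(url)
    if path is None:
        return {"verdict": "web-link", "target": url, "reasons": []}
    reasons = []
    if os.path.splitext(path)[1] in EXEC_EXT:
        reasons.append("target is an executable or script")
    if any(frag in path for frag in USER_WRITABLE):
        reasons.append("target lives in a user-writable directory")
    verdict = {0: "benign", 1: "review", 2: "suspicious"}[len(reasons)]
    return {"verdict": verdict, "target": path, "reasons": reasons}


def scan_startup_folder(folder):
    """Triage every .url file in `folder`; returns {filename: verdict dict}."""
    results = {}
    for name in sorted(os.listdir(folder)):
        if name.lower().endswith(".url"):
            with open(os.path.join(folder, name), encoding="utf-8", errors="replace") as fh:
                results[name] = triage_url_shortcut(fh.read())
    return results


if __name__ == "__main__":
    # Demonstrate on a throwaway directory; for a live host point this at
    # %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup and the all-users
    # folder under %ProgramData%.
    with tempfile.TemporaryDirectory() as d:
        for name, body in [("PrivateChat.url", CHAOS_LIKE_URL), ("Updater.url", VENDOR_URL), ("Docs.url", WEB_URL)]:
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        for name, r in scan_startup_folder(d).items():
            print(f"{name}: {r['verdict']} -> {r['target']} {r['reasons']}")
```

The two-signal scoring is intentional: a Startup shortcut to an executable under Program Files is worth a look but common, while one pointing into AppData, Temp or ProgramData is the self-copy pattern this sample uses and should be pulled for hash comparison against the parent process, as the matching hashes above illustrate.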