Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 28/05/2024, 05:10
Behavioral task: behavioral1
- Sample: Chaos.exe
- Resource: win7-20240508-en
General
- Target: Chaos.exe
- Size: 14.1MB
- MD5: 0f2af0b53a994fd35b805fc145d75d7f
- SHA1: 605eaa911754fa8f52af25d292b7230bb5cde454
- SHA256: 8468e629d2bd9b14889e565066bcaf369b53738eb01d05714e99bb16c59d0c07
- SHA512: 448ab9b91f082050b290b4c21be98ed3c89697f501cc4e7e33686fff9b75ab6ca48900b947d1da5337acb30f554beb96b95ef020e6157101d17eca2879a72b9c
- SSDEEP: 393216:jazOUkLXiKcjFVA87ODedSSCnomX/+MX36fqc4GXRF:6AKFVT7dSSTOPXUqcB
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (Process: Chaos.exe)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Process: Chaos.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Process: Chaos.exe)
- Executes dropped EXE (1 IoC)
  - PID 2748, Process: Chaos.exe
- Loads dropped DLL (2 IoCs)
  - PID 2988, Process: Chaos.exe
  - PID 2748, Process: Chaos.exe
- YARA rule match: themida (memory dumps of PID 2988)
  - behavioral1/memory/2988-1-0x000000013F580000-0x000000014096B000-memory.dmp
  - behavioral1/memory/2988-2-0x000000013F580000-0x000000014096B000-memory.dmp
  - behavioral1/memory/2988-3-0x000000013F580000-0x000000014096B000-memory.dmp
  - behavioral1/memory/2988-63-0x000000013F580000-0x000000014096B000-memory.dmp
- Checks whether UAC is enabled (1 IoC)
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Process: Chaos.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  - PID 2988, Process: Chaos.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  - PID 2988 wrote to memory of 2748 (pid 2988, Process: Chaos.exe, procid_target 29)
  - PID 2988 wrote to memory of 2748 (pid 2988, Process: Chaos.exe, procid_target 29)
  - PID 2988 wrote to memory of 2748 (pid 2988, Process: Chaos.exe, procid_target 29)
Processes
- C:\Users\Admin\AppData\Local\Temp\Chaos.exe (PID 2988), command line: "C:\Users\Admin\AppData\Local\Temp\Chaos.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\onefile_2988_133613466583584000\Chaos.exe (PID 2748), command line: "C:\Users\Admin\AppData\Local\Temp\Chaos.exe"
    - Executes dropped EXE
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 5.5MB
  - MD5: 9a24c8c35e4ac4b1597124c1dcbebe0f
  - SHA1: f59782a4923a30118b97e01a7f8db69b92d8382a
  - SHA256: a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7
  - SHA512: 9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b
- Filesize: 18.9MB
  - MD5: 3e46741808811d8f1c8207e6e84bbdfa
  - SHA1: c866be7bdd05ee858562c2689c2c653040faf546
  - SHA256: a16b7f0b39f178f1bc66ad6a103265bd5f283b0484ae137f3de035b808e1c51d
  - SHA512: 4b224768992170399b5e442c724460ac67d5f2758b2add7329b79b65be22e414361eb92e3ebe0dcb1b1dcd0e80547688eab67bf36e0779a663191c0189663a30