Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
209s -
max time network
53s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
28/06/2024, 04:41
Behavioral task
behavioral1
Sample
ransomware.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
19 signatures
150 seconds
General
-
Target
ransomware.exe
-
Size
15KB
-
MD5
ac6b23f341c93a5deb6692d8fed6f6a4
-
SHA1
6466c45b8c8dd60f03392614063d1c490231bf03
-
SHA256
cb84c85fb50de9ac3bc4763c504ca87067680bc129d44c256570f7e1449ab9c5
-
SHA512
d4483be2b241c12da57785d861018e88d75fbda736e51900872d105f11309474393c8381d654c4cf74242a7f138e070983ace9836806232afda9dee30e3dd29f
-
SSDEEP
192:1XiJtJHunl2T7IeLX/LnG8dcIbNbqiv8Fums5oglkr5i7amD2Ayqfiq1T5Fx/TAU:1Cul2nIePG2vVCZ87ThT1n
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\Pictures\read_it.txt
Ransom Note
All of your files have been encrypted
Your computer was infected with a ransomware virus. Your files have been encrypted and you won't
be able to decrypt them without our help. What can I do to get my files back? You can buy our special
decryption software, this software will allow you to recover all of your data and remove the
ransomware from your computer. The price for the software is $100. Payment can be made in Bitcoin only.
How do I pay, where do I get Bitcoin?
Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin.
Many of our customers have reported these sites to be fast and reliable:
https://bitpay.com/ https://www.exodus.com/ https://www.blockchain.com/wallet
Payment information Amount: 0.001638 BTC
Bitcoin Address: bc1qgknk4e4z2keyqjzlm4pxpgte9ltklry5x3jv6s
URLs
https://bitpay.com/
https://www.exodus.com/
https://www.blockchain.com/wallet
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 2 IoCs
resource yara_rule behavioral1/memory/3300-1-0x0000000000690000-0x000000000069A000-memory.dmp family_chaos behavioral1/files/0x00090000000233e2-6.dat family_chaos -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation ransomware.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation svchost.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url svchost.exe File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\svchost.url taskmgr.exe -
Executes dropped EXE 1 IoCs
pid Process 2328 svchost.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Store = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" svchost.exe -
Drops desktop.ini file(s) 16 IoCs
description ioc Process File created C:\Users\Admin\Pictures\Saved Pictures\desktop.ini svchost.exe File created C:\Users\Admin\Music\desktop.ini svchost.exe File created C:\Users\Admin\Searches\desktop.ini svchost.exe File created F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini svchost.exe File created C:\Users\Admin\Desktop\desktop.ini svchost.exe File created C:\Users\Admin\Links\desktop.ini svchost.exe File created C:\Users\Admin\Contacts\desktop.ini svchost.exe File created C:\Users\Admin\Documents\desktop.ini svchost.exe File created C:\Users\Admin\Downloads\desktop.ini svchost.exe File created C:\Users\Admin\Pictures\Camera Roll\desktop.ini svchost.exe File created C:\Users\Admin\Favorites\Links\desktop.ini svchost.exe File created C:\Users\Admin\Videos\desktop.ini svchost.exe File created C:\Users\Admin\Pictures\desktop.ini svchost.exe File created C:\Users\Admin\OneDrive\desktop.ini svchost.exe File created C:\Users\Admin\Saved Games\desktop.ini svchost.exe File created C:\Users\Admin\Favorites\desktop.ini svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings svchost.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 432 NOTEPAD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2328 svchost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3300 ransomware.exe 3300 ransomware.exe 3300 ransomware.exe 3300 ransomware.exe 3300 ransomware.exe 3300 ransomware.exe 3300 ransomware.exe 3300 ransomware.exe 3300 ransomware.exe 3300 ransomware.exe 3300 ransomware.exe 3300 ransomware.exe 3300 ransomware.exe 3300 ransomware.exe 3300 ransomware.exe 3300 ransomware.exe 3300 ransomware.exe 3300 ransomware.exe 3300 ransomware.exe 3300 ransomware.exe 3300 ransomware.exe 3300 ransomware.exe 3300 ransomware.exe 2328 svchost.exe 2328 svchost.exe 2328 svchost.exe 2328 svchost.exe 2328 svchost.exe 2328 svchost.exe 2328 svchost.exe 2328 svchost.exe 2328 svchost.exe 2328 svchost.exe 2328 svchost.exe 2328 svchost.exe 2328 svchost.exe 2328 svchost.exe 2328 svchost.exe 2328 svchost.exe 2328 svchost.exe 2328 svchost.exe 2328 svchost.exe 2328 svchost.exe 2328 svchost.exe 2328 svchost.exe 2328 svchost.exe 2328 svchost.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4104 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 3300 ransomware.exe Token: SeDebugPrivilege 2328 svchost.exe Token: SeDebugPrivilege 4104 taskmgr.exe Token: SeSystemProfilePrivilege 4104 taskmgr.exe Token: SeCreateGlobalPrivilege 4104 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 432 NOTEPAD.EXE 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 3300 wrote to memory of 2328 3300 ransomware.exe 80 PID 3300 wrote to memory of 2328 3300 ransomware.exe 80 PID 2328 wrote to memory of 432 2328 svchost.exe 81 PID 2328 wrote to memory of 432 2328 svchost.exe 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\ransomware.exe"C:\Users\Admin\AppData\Local\Temp\ransomware.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3300 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt3⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:432
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Drops startup file
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4104
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
142B
MD51a09a38485cbf1d59c29d8e3213e1ab9
SHA19cbe6ebd07b13a0d4b2565dc15a273629aa97251
SHA2560a3bdc40dc0d243784bc5fa887b79110350b3d3200684f3ba99880fcea40e3b8
SHA512a33c228196a4b3f14e40ac6ccb6c43002de28063594c472db852bedac20a6725f4e7601b9f32516e2c6bea35f83746973b3f1d200d9e5d668bda7553b62ac616
-
Filesize
15KB
MD5ac6b23f341c93a5deb6692d8fed6f6a4
SHA16466c45b8c8dd60f03392614063d1c490231bf03
SHA256cb84c85fb50de9ac3bc4763c504ca87067680bc129d44c256570f7e1449ab9c5
SHA512d4483be2b241c12da57785d861018e88d75fbda736e51900872d105f11309474393c8381d654c4cf74242a7f138e070983ace9836806232afda9dee30e3dd29f
-
Filesize
884B
MD518e13fb949ed44a7a60c867626989b17
SHA1fa3766fa77f5353e34566f08980241da958a0526
SHA2566e042f64e2ca554ceff5983f1efad19d1d409c2be80be8c306f27afc57e97798
SHA5128cd750017c2d83c50fdfb7c52bde8c26b4d926e59d985dfe33c7be354142476a23993461144df987942af5d2e22f563f80b7bfcd8b30fa895fa4b7101fa0532c