Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
29/10/2024, 18:06
Behavioral task
behavioral1
Sample
dumbhumans.exe
Resource
win7-20241010-en
windows7-x64
16 signatures
150 seconds
Behavioral task
behavioral2
Sample
dumbhumans.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
18 signatures
150 seconds
General
-
Target
dumbhumans.exe
-
Size
23KB
-
MD5
c6eb3aad7a5ba437d2e39c44d645aed2
-
SHA1
87b24045539b8db9ead35e462aef513602743ded
-
SHA256
78529452630857c2edc60a55dd41771617d0c9e99d2cf276e39a5288f55160c8
-
SHA512
cede2ff722843666b0f8cfcc3aa12f1f946b430d0db813afff326a1b4d9df9568e6843913bd9ee8497f312b3cad67f21e538786196e443239d2b8eb5efe92127
-
SSDEEP
384:Q3Mg/bqo2ucVzt2eaWCzpgDKF+98uJEr91CKxb+uteA:uqo2F52eanpgDKNyEr9xxb5eA
Malware Config
Extracted
Path
C:\Users\Admin\Documents\read_it.txt
Family
chaos
Ransom Note
----> Chaos is multi language ransomware. Translate your note to any language <----
All of your files have been encrypted
Your computer was infected with a ransomware virus. Your files have been encrypted and you won't
be able to decrypt them without our help.What can I do to get my files back?You can buy our special
decryption software, this software will allow you to recover all of your data and remove the
ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only.
How do I pay, where do I get Bitcoin?
Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search
yourself to find out how to buy Bitcoin.
Many of our customers have reported these sites to be fast and reliable:
Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com
Payment informationAmount: 0.00138959 BTC
Bitcoin Address: bc1q7njx7z489vx9444agzf759u4q46vfgtydzwyll
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 2 IoCs
resource yara_rule behavioral2/memory/2480-1-0x00000000009F0000-0x00000000009FC000-memory.dmp family_chaos behavioral2/files/0x000b000000023ad0-6.dat family_chaos -
Chaos family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation dumbhumans.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation svchost.exe -
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt svchost.exe -
Executes dropped EXE 1 IoCs
pid Process 3000 svchost.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 34 IoCs
description ioc Process File opened for modification C:\Users\Admin\OneDrive\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Searches\desktop.ini svchost.exe File opened for modification C:\Users\Public\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Public\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Public\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini svchost.exe File opened for modification C:\Users\Public\Music\desktop.ini svchost.exe File opened for modification C:\Users\Public\Desktop\desktop.ini svchost.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-493223053-2004649691-1575712786-1000\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1316 vssadmin.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings svchost.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 3260 NOTEPAD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3000 svchost.exe -
Suspicious behavior: EnumeratesProcesses 51 IoCs
pid Process 2480 dumbhumans.exe 2480 dumbhumans.exe 2480 dumbhumans.exe 2480 dumbhumans.exe 2480 dumbhumans.exe 2480 dumbhumans.exe 2480 dumbhumans.exe 2480 dumbhumans.exe 2480 dumbhumans.exe 2480 dumbhumans.exe 2480 dumbhumans.exe 2480 dumbhumans.exe 2480 dumbhumans.exe 2480 dumbhumans.exe 2480 dumbhumans.exe 2480 dumbhumans.exe 2480 dumbhumans.exe 2480 dumbhumans.exe 2480 dumbhumans.exe 2480 dumbhumans.exe 2480 dumbhumans.exe 2480 dumbhumans.exe 2480 dumbhumans.exe 2480 dumbhumans.exe 2480 dumbhumans.exe 3000 svchost.exe 3000 svchost.exe 3000 svchost.exe 3000 svchost.exe 3000 svchost.exe 3000 svchost.exe 3000 svchost.exe 3000 svchost.exe 3000 svchost.exe 3000 svchost.exe 3000 svchost.exe 3000 svchost.exe 3000 svchost.exe 3000 svchost.exe 3000 svchost.exe 3000 svchost.exe 3000 svchost.exe 3000 svchost.exe 3000 svchost.exe 3000 svchost.exe 3000 svchost.exe 3000 svchost.exe 3000 svchost.exe 3000 svchost.exe 3000 svchost.exe 3000 svchost.exe -
Suspicious use of AdjustPrivilegeToken 47 IoCs
description pid Process Token: SeDebugPrivilege 2480 dumbhumans.exe Token: SeDebugPrivilege 3000 svchost.exe Token: SeBackupPrivilege 3324 vssvc.exe Token: SeRestorePrivilege 3324 vssvc.exe Token: SeAuditPrivilege 3324 vssvc.exe Token: SeIncreaseQuotaPrivilege 1324 WMIC.exe Token: SeSecurityPrivilege 1324 WMIC.exe Token: SeTakeOwnershipPrivilege 1324 WMIC.exe Token: SeLoadDriverPrivilege 1324 WMIC.exe Token: SeSystemProfilePrivilege 1324 WMIC.exe Token: SeSystemtimePrivilege 1324 WMIC.exe Token: SeProfSingleProcessPrivilege 1324 WMIC.exe Token: SeIncBasePriorityPrivilege 1324 WMIC.exe Token: SeCreatePagefilePrivilege 1324 WMIC.exe Token: SeBackupPrivilege 1324 WMIC.exe Token: SeRestorePrivilege 1324 WMIC.exe Token: SeShutdownPrivilege 1324 WMIC.exe Token: SeDebugPrivilege 1324 WMIC.exe Token: SeSystemEnvironmentPrivilege 1324 WMIC.exe Token: SeRemoteShutdownPrivilege 1324 WMIC.exe Token: SeUndockPrivilege 1324 WMIC.exe Token: SeManageVolumePrivilege 1324 WMIC.exe Token: 33 1324 WMIC.exe Token: 34 1324 WMIC.exe Token: 35 1324 WMIC.exe Token: 36 1324 WMIC.exe Token: SeIncreaseQuotaPrivilege 1324 WMIC.exe Token: SeSecurityPrivilege 1324 WMIC.exe Token: SeTakeOwnershipPrivilege 1324 WMIC.exe Token: SeLoadDriverPrivilege 1324 WMIC.exe Token: SeSystemProfilePrivilege 1324 WMIC.exe Token: SeSystemtimePrivilege 1324 WMIC.exe Token: SeProfSingleProcessPrivilege 1324 WMIC.exe Token: SeIncBasePriorityPrivilege 1324 WMIC.exe Token: SeCreatePagefilePrivilege 1324 WMIC.exe Token: SeBackupPrivilege 1324 WMIC.exe Token: SeRestorePrivilege 1324 WMIC.exe Token: SeShutdownPrivilege 1324 WMIC.exe Token: SeDebugPrivilege 1324 WMIC.exe Token: SeSystemEnvironmentPrivilege 1324 WMIC.exe Token: SeRemoteShutdownPrivilege 1324 WMIC.exe Token: SeUndockPrivilege 1324 WMIC.exe Token: SeManageVolumePrivilege 1324 WMIC.exe Token: 33 1324 WMIC.exe Token: 34 1324 WMIC.exe Token: 35 1324 WMIC.exe Token: 36 1324 WMIC.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 2480 wrote to memory of 3000 2480 dumbhumans.exe 87 PID 2480 wrote to memory of 3000 2480 dumbhumans.exe 87 PID 3000 wrote to memory of 3560 3000 svchost.exe 95 PID 3000 wrote to memory of 3560 3000 svchost.exe 95 PID 3560 wrote to memory of 1316 3560 cmd.exe 97 PID 3560 wrote to memory of 1316 3560 cmd.exe 97 PID 3560 wrote to memory of 1324 3560 cmd.exe 101 PID 3560 wrote to memory of 1324 3560 cmd.exe 101 PID 3000 wrote to memory of 3260 3000 svchost.exe 102 PID 3000 wrote to memory of 3260 3000 svchost.exe 102 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\dumbhumans.exe"C:\Users\Admin\AppData\Local\Temp\dumbhumans.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
PID:3560 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:1316
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1324
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt3⤵
- Opens file in notepad (likely ransom note)
PID:3260
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3324
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD5c6eb3aad7a5ba437d2e39c44d645aed2
SHA187b24045539b8db9ead35e462aef513602743ded
SHA25678529452630857c2edc60a55dd41771617d0c9e99d2cf276e39a5288f55160c8
SHA512cede2ff722843666b0f8cfcc3aa12f1f946b430d0db813afff326a1b4d9df9568e6843913bd9ee8497f312b3cad67f21e538786196e443239d2b8eb5efe92127
-
Filesize
965B
MD58405ca5488c5d8321e070794dd06f485
SHA1104adc71cd3ca7924ccdc36a8d607eb8b45f0bf8
SHA256e4cf6fbdc212d4b92cf3503cc1c38dd72eed77221b28e1e43b0fa5e8128dc2bf
SHA512b24b0e14b09a1e7b796292b550b367e8e1bde7be9fcb4c7715f70bdb7b519d0fd6b2a8e780fdb71c219d2cb1818cc2856678c93f6e648e588236f4247ccd8e96