Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/11/2024, 15:40

General

  • Target

    PepperX (1).exe

  • Size

    81KB

  • MD5

    b950502f66e5c9b058f340ab24b3b5ab

  • SHA1

    fad3abdf88ef351b25ef339a6d1a082d8516b9e9

  • SHA256

    d45f6608d6afc48189e0ef63e489f9034cd3e864a95d634640df53ad302b42b3

  • SHA512

    132235bf2ad67b8b22428e716a27d35b024c38ca09e770237688b4d4e88eb4f44a98b267c068f422aa75a6050bfff3db6073bc71619b5bb85fb76ddf9833a5f9

  • SSDEEP

    1536:w3kIZ4nmr9iW2wU3gUvpdO0J//E2dLEgtMRloDpU:w3kI4nmr9iY7MhdHMRl6pU

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 2 IoCs
  • Chaos family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 34 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious use of AdjustPrivilegeToken 52 IoCs
  • Suspicious use of FindShellTrayWindow 22 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\PepperX (1).exe
    "C:\Users\Admin\AppData\Local\Temp\PepperX (1).exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1828
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2164
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4740
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2972
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3852
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2504
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:3832
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:4512
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5092
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:5024
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        • Suspicious use of FindShellTrayWindow
        PID:4472
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4792
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3948
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:712
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:1956
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2240
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4992
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9533bd16-8528-4f12-bf2c-5e99d2c46a3b} 4992 "\\.\pipe\gecko-crash-server-pipe.4992" gpu
          3⤵
            PID:2160
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2408 -parentBuildID 20240401114208 -prefsHandle 2400 -prefMapHandle 2388 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {45d606ad-104e-4513-a7b0-92c6642ffede} 4992 "\\.\pipe\gecko-crash-server-pipe.4992" socket
            3⤵
            • Checks processor information in registry
            PID:3412
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3124 -childID 1 -isForBrowser -prefsHandle 2932 -prefMapHandle 2912 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e347cf37-e150-4797-9f65-8e054bcf11d3} 4992 "\\.\pipe\gecko-crash-server-pipe.4992" tab
            3⤵
              PID:3188
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3896 -childID 2 -isForBrowser -prefsHandle 3872 -prefMapHandle 3864 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae3782d8-9291-42b7-b537-552cc32a4abb} 4992 "\\.\pipe\gecko-crash-server-pipe.4992" tab
              3⤵
                PID:4496
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4920 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4912 -prefMapHandle 4908 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22bc2874-8759-4d51-8ce0-9a5af198e903} 4992 "\\.\pipe\gecko-crash-server-pipe.4992" utility
                3⤵
                • Checks processor information in registry
                PID:5588
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2724 -childID 3 -isForBrowser -prefsHandle 5160 -prefMapHandle 5196 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d40e63ac-6936-4897-b796-6ba8d2f53761} 4992 "\\.\pipe\gecko-crash-server-pipe.4992" tab
                3⤵
                  PID:5996
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5500 -childID 4 -isForBrowser -prefsHandle 5508 -prefMapHandle 5512 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3791b12-f8de-45db-af07-76fe364d2748} 4992 "\\.\pipe\gecko-crash-server-pipe.4992" tab
                  3⤵
                    PID:6008
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5780 -childID 5 -isForBrowser -prefsHandle 5700 -prefMapHandle 5704 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18938d67-1733-46c7-b59d-2e592c666d6d} 4992 "\\.\pipe\gecko-crash-server-pipe.4992" tab
                    3⤵
                      PID:6020

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp

                  Filesize

                  5KB

                  MD5

                  4ffe1fb4e26312bd0ce99b2e7b6720c6

                  SHA1

                  fa319cc2e76c05aa2b40f728577d34c13e411861

                  SHA256

                  e0bca2c218e2204e883d8232ce2d1392d610fb9ceea07c9bc9bc4d7ab757cd3f

                  SHA512

                  f8e48661b1921d3957d7c8fdf07ca5bbb53ef805dfbb3e00bf0afd1aaf5cd600cf54135328fbd5de21905beba7f3da4fd97534c51e71af14632f7e3586e5abb6

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp

                  Filesize

                  6KB

                  MD5

                  169d842b16a50557746193f2db4e7475

                  SHA1

                  1736255e9470d8b7e43f904df30c3c14cef7a4fb

                  SHA256

                  0dd4795a33753306b4d69bc001e6a4895c66250ad36ea1f40c5bca7c8458c197

                  SHA512

                  b18e8823e921573dbe3307d8d56bbc4cb2a937df66397ec8de21ed51c69ba34c0ed0d9e6cc7d4fb1aad505cf8dd806bb716900be43aebe41b95edff6c9dfd697

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\2f4c8f81-83b6-48a8-b9fb-3ada0608030b

                  Filesize

                  25KB

                  MD5

                  abda9c3dd839139f86e7d3699add4070

                  SHA1

                  bf593809907358f3018de196b621ab629f7708fc

                  SHA256

                  34ad66ca260c44066b4591708ef2e3e2afb7c1465760c915ad112b9507c0e34a

                  SHA512

                  87a29b0fdde5d96e8d173db6aecab2a553b4f48dc35d1d0b7f7edbb00755f6bfa21b3c3e9f4ca0b7a1f60b202f1b0ee43c57c327ae0580818e8349dd4073c079

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\dba8ebb5-5148-477d-a466-648acb32f9f9

                  Filesize

                  671B

                  MD5

                  97c1c3f6ea212519e9608ecc26211b62

                  SHA1

                  0ddb90efd8652649d9e45545132efa59f284dbc3

                  SHA256

                  b0620ac12509667d14085baad2f4b68fd7829e65d231a6840872fe80e3a34b47

                  SHA512

                  0341e6681fa95cdc403782a6b4d87f422ee767f4ec981c75f30a8fbd9dc07141cc7c63098babb1f4b04ee35ea9f822e215f424577c822a7e92aa8c43d4c7715d

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\ee52691e-05cb-443e-8675-5a0ad1c3006f

                  Filesize

                  982B

                  MD5

                  01f63ddf8d042d87420e2add2a468fb7

                  SHA1

                  8af801b320dd04df6a1834ff2963396a0f2b3d12

                  SHA256

                  e3dcdb7bb6e4d830cc00bf59df0f857d875c74f11833f4782f50b858ef70773d

                  SHA512

                  5105d2b3ec88001040ca269e1b2ca705a19abb1dee889fe06eca694891e62f638ff90355dfe41661732528cd8b24a813b0175e8caa0203eb91f0ad8ddf323ef0

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs-1.js

                  Filesize

                  10KB

                  MD5

                  7424976c963967eb79cbe51da8c436c8

                  SHA1

                  57c2e8ce014e9436fc8006c609160506b637df8f

                  SHA256

                  1574b825abbc10c734d87a5130d40f1cdbca263bd68e5bf85de21a8145ed2cc5

                  SHA512

                  991f0545b1e9b8090b9bdc1bf8239d0cdf93de95a6ee2748df20981c8d0358167cfb0c307b3ddb953c4e876bf31a3691317de9e5efb8be4efdfd5e516862ddac

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs.js

                  Filesize

                  10KB

                  MD5

                  8ca44a9eaea292d47549565a4636aec9

                  SHA1

                  dce996897d57ed74e620a9f2e568e25d39c8d827

                  SHA256

                  308f5ba7233d3b9342cff498fbd55f2114d20d1c7888ad728eda1224b0f4edfb

                  SHA512

                  58f90411a9926cd825bf160f99deeba9032cb849ef4f487a5b6af8f6c847d2a233fddb4e6ed85c472be8ee97c29aa0b22037522b3b7859fa93a44671c37c34ae

                • C:\Users\Admin\AppData\Roaming\svchost.exe

                  Filesize

                  81KB

                  MD5

                  b950502f66e5c9b058f340ab24b3b5ab

                  SHA1

                  fad3abdf88ef351b25ef339a6d1a082d8516b9e9

                  SHA256

                  d45f6608d6afc48189e0ef63e489f9034cd3e864a95d634640df53ad302b42b3

                  SHA512

                  132235bf2ad67b8b22428e716a27d35b024c38ca09e770237688b4d4e88eb4f44a98b267c068f422aa75a6050bfff3db6073bc71619b5bb85fb76ddf9833a5f9

                • C:\Users\Admin\Desktop\read_it.txt

                  Filesize

                  778B

                  MD5

                  e476ae4628a4272384255b6003b1b5b3

                  SHA1

                  7bd05141ec08774a5c0ae500e0a5d9806be681f4

                  SHA256

                  c5f2d8ef689c1af8b9d9f9908beb8e9e16abe5338bc569f4998d6f5e45b95d0f

                  SHA512

                  a9ac31705fb99985f1b241c5d06447c6870dd5f203bfc43056c7d2c92e6f0af9711395e42707253ec98730f1e765966359ec061f1deee6529df69fe4354a5d8e

                • memory/1828-0-0x00007FF9F5A73000-0x00007FF9F5A75000-memory.dmp

                  Filesize

                  8KB

                • memory/1828-1-0x0000000000B40000-0x0000000000B5A000-memory.dmp

                  Filesize

                  104KB

                • memory/2164-69-0x00007FF9F5A70000-0x00007FF9F6531000-memory.dmp

                  Filesize

                  10.8MB

                • memory/2164-14-0x00007FF9F5A70000-0x00007FF9F6531000-memory.dmp

                  Filesize

                  10.8MB