Analysis

  • max time kernel
    325s
  • max time network
    326s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250128-en
  • resource tags
    arch:x64, arch:x86, image:win10ltsc2021-20250128-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    02/02/2025, 13:31

General

  • Target

    Chaos Ransomware Builder v4.exe

  • Size

    550KB

  • MD5

    8b855e56e41a6e10d28522a20c1e0341

  • SHA1

    17ea75272cfe3749c6727388fd444d2c970f9d01

  • SHA256

    f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77

  • SHA512

    eefab442b9c1be379e00c6a7de9d6d7d327ad8fd52d62a5744e104f6caa44f7147a8e74f340870f9c017980a3d8a5a86a05f76434539c01270c442a66b2af908

  • SSDEEP

    3072:9UJAYdi2YcRVm16Pn6tpzqJG/sX9i2YcRPm16Pn6ckCjSH5EyR9aKZt18rTu+i2S:9aiWm162qJEsNiym16ryAiym168

Malware Config

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Family

chaos

Ransom Note

----> Chaos is multi language ransomware. Translate your note to any language <----
All of your files have been encrypted
Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.
What can I do to get my files back?
You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.
The price for the software is $1,500. Payment can be made in Bitcoin only.
How do I pay, where do I get Bitcoin?
Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin.
Many of our customers have reported these sites to be fast and reliable:
Coinmama - hxxps://www.coinmama.com
Bitpanda - hxxps://www.bitpanda.com
Payment information
Amount: 0.1473766 BTC
Bitcoin Address: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0
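The note quotes a fiat price, a BTC amount, a payment address and two defanged URLs, which are the fields an analyst pulls out for payment tracking and reputation lookups. The following is an added example, not tria.ge output and not code from the sample: it parses the note text as recovered in this report, refangs the hxxps URLs, classifies the address structurally (prefix, witness version and length only, no checksum) and derives the USD/BTC rate the note implies. The regexes, the `NOTE` constant and the function names are this example's own.

```python
import re

# Ransom note text as recovered in this report from C:\Users\Admin\Documents\read_it.txt.
# The sandbox flattened it onto one line; the parser does not rely on line breaks.
NOTE = (
    "----> Chaos is multi language ransomware. Translate your note to any language <---- "
    "All of your files have been encrypted Your computer was infected with a ransomware virus. "
    "Your files have been encrypted and you won't be able to decrypt them without our help."
    "What can I do to get my files back?You can buy our special decryption software, this software "
    "will allow you to recover all of your data and remove the ransomware from your computer."
    "The price for the software is $1,500. Payment can be made in Bitcoin only. "
    "How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are "
    "best advised to do a quick google search yourself to find out how to buy Bitcoin. "
    "Many of our customers have reported these sites to be fast and reliable: "
    "Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com "
    "Payment informationAmount: 0.1473766 BTC Bitcoin Address: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0"
)

BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"  # BIP173 alphabet

USD_RE = re.compile(r"\$\s*(\d[\d,]*(?:\.\d+)?)")
BTC_AMOUNT_RE = re.compile(r"Amount:\s*([0-9]*\.?[0-9]+)\s*BTC", re.I)
BECH32_RE = re.compile(r"\bbc1[" + BECH32_CHARSET + r"]{6,87}\b")
BASE58_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")  # legacy P2PKH / P2SH
DEFANGED_URL_RE = re.compile(r'hxxps?://[^\s"<>]+', re.I)


def classify_btc_address(addr):
    """Structural classification only: prefix, witness version and length.
    The bech32/base58 checksum is not verified, so a mistyped address can still pass."""
    if addr.startswith("bc1"):
        data = addr[3:]
        if any(c not in BECH32_CHARSET for c in data):
            return "invalid bech32 charset"
        version = BECH32_CHARSET.index(data[0])
        if version == 0 and len(addr) == 42:
            return "P2WPKH (bech32, witness v0)"
        if version == 0 and len(addr) == 62:
            return "P2WSH (bech32, witness v0)"
        if version == 1 and len(addr) == 62:
            return "P2TR (bech32m, witness v1)"
        return f"segwit v{version}, unexpected length {len(addr)}"
    if addr.startswith("1"):
        return "P2PKH (legacy base58)"
    if addr.startswith("3"):
        return "P2SH (legacy base58)"
    return "unknown"


def extract_iocs(note):
    """Pull payment details and contact URLs out of a ransom note; missing fields come back as None/empty."""
    usd = USD_RE.search(note)
    btc = BTC_AMOUNT_RE.search(note)
    usd_price = float(usd.group(1).replace(",", "")) if usd else None
    btc_amount = float(btc.group(1)) if btc else None
    addresses = BECH32_RE.findall(note) + BASE58_RE.findall(note)
    # Refang so the URLs can be pasted into passive-DNS or reputation lookups.
    urls = ["http" + u[4:] for u in DEFANGED_URL_RE.findall(note)]
    # A note quoting both a fiat price and a BTC amount fixes an exchange rate at the time
    # the note text was generated; if it is far from the market rate at detonation time,
    # the text is most likely an untouched builder default rather than a tailored demand.
    implied_rate = usd_price / btc_amount if usd_price and btc_amount else None
    return {
        "usd_price": usd_price,
        "btc_amount": btc_amount,
        "btc_addresses": addresses,
        "address_types": {a: classify_btc_address(a) for a in addresses},
        "urls": urls,
        "implied_usd_per_btc": implied_rate,
    }


if __name__ == "__main__":
    for key, value in extract_iocs(NOTE).items():
        print(f"{key:>20}: {value}")
```

For this note the implied rate is roughly $10,200 per BTC, which is the number to compare against the market rate on the submission date before treating the address as campaign-specific.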

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 4 IoCs
  • Chaos family
  • Deletes shadow copies 3 TTPs

    Ransomware commonly deletes Volume Shadow Copies to inhibit system recovery; here the sample runs vssadmin and wmic shadowcopy delete (see the process tree).

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (239) files with added filename extension

    Appending an extension to a large number of renamed files is characteristic of ransomware encrypting the files on the system.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, most likely to geofence execution.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and session cookies.

  • Drops desktop.ini file(s) 31 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments. Here the hit is on vds.exe, a Windows service, rather than on one of the sample's own processes.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 57 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe
    "C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe"
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2276
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dduatvzx\dduatvzx.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1900
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD58B.tmp" "c:\Users\Admin\Downloads\CSCEE4C269799F5442DAABD7BAA3B296324.TMP"
        3⤵
          PID:556
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:1852
      • C:\Users\Admin\Downloads\o.exe
        "C:\Users\Admin\Downloads\o.exe"
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1308
        • C:\Users\Admin\AppData\Roaming\svchost.exe
          "C:\Users\Admin\AppData\Roaming\svchost.exe"
          2⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Drops desktop.ini file(s)
          • Modifies registry class
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4380
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1996
            • C:\Windows\system32\vssadmin.exe
              vssadmin delete shadows /all /quiet
              4⤵
              • Interacts with shadow copies
              PID:4704
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic shadowcopy delete
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4784
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4336
            • C:\Windows\system32\bcdedit.exe
              bcdedit /set {default} bootstatuspolicy ignoreallfailures
              4⤵
              • Modifies boot configuration data using bcdedit
              PID:988
            • C:\Windows\system32\bcdedit.exe
              bcdedit /set {default} recoveryenabled no
              4⤵
              • Modifies boot configuration data using bcdedit
              PID:1492
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4492
            • C:\Windows\system32\wbadmin.exe
              wbadmin delete catalog -quiet
              4⤵
              • Deletes backup catalog
              PID:4780
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
            3⤵
            • Opens file in notepad (likely ransom note)
            PID:1416
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1560
      • C:\Windows\system32\wbengine.exe
        "C:\Windows\system32\wbengine.exe"
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2040
      • C:\Windows\System32\vdsldr.exe
        C:\Windows\System32\vdsldr.exe -Embedding
        1⤵
          PID:2288
        • C:\Windows\System32\vds.exe
          C:\Windows\System32\vds.exe
          1⤵
          • Checks SCSI registry key(s)
          PID:3632
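The process tree is the part of this report that matters for detection engineering: o.exe drops a copy of itself as svchost.exe into AppData\Roaming, that copy spawns cmd.exe to run vssadmin, wmic, bcdedit and wbadmin against the recovery artefacts, and the builder itself launches csc.exe to compile the payload at run time. The following is an added example, not tria.ge output and not code from the sample or the builder: it replays the tree's PIDs, image paths and command lines as constructed process-creation events, applies command-line rules for ATT&CK T1490 (Inhibit System Recovery), flags csc.exe launched by anything other than a known build tool (T1027.004, Compile After Delivery) and svchost.exe outside System32 (T1036.005), and reports each hit with its ancestry back to the root process. The parent links for top-level processes, the parent allowlist and the rule names are this example's assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (Sysmon Event ID 1 style) modelled on the
# process tree in this report. PIDs, image paths and command lines are copied from
# the tree; parent links follow the tree's nesting, and ppid 0 marks a process the
# tree shows at top level with no parent. Fields: (pid, ppid, image, command_line).
EVENTS = [
    (2276, 0,    r"C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe",
                 r'"C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe"'),
    (1900, 2276, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
                 r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dduatvzx\dduatvzx.cmdline"'),
    (556,  1900, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
                 r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD58B.tmp" "c:\Users\Admin\Downloads\CSCEE4C269799F5442DAABD7BAA3B296324.TMP"'),
    (1308, 0,    r"C:\Users\Admin\Downloads\o.exe", r'"C:\Users\Admin\Downloads\o.exe"'),
    (4380, 1308, r"C:\Users\Admin\AppData\Roaming\svchost.exe", r'"C:\Users\Admin\AppData\Roaming\svchost.exe"'),
    (1996, 4380, r"C:\Windows\System32\cmd.exe",
                 r'"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete'),
    (4704, 1996, r"C:\Windows\system32\vssadmin.exe", r"vssadmin delete shadows /all /quiet"),
    (4784, 1996, r"C:\Windows\System32\Wbem\WMIC.exe", r"wmic shadowcopy delete"),
    (4336, 4380, r"C:\Windows\System32\cmd.exe",
                 r'"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no'),
    (988,  4336, r"C:\Windows\system32\bcdedit.exe", r"bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    (1492, 4336, r"C:\Windows\system32\bcdedit.exe", r"bcdedit /set {default} recoveryenabled no"),
    (4492, 4380, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet'),
    (4780, 4492, r"C:\Windows\system32\wbadmin.exe", r"wbadmin delete catalog -quiet"),
    (1416, 4380, r"C:\Windows\system32\NOTEPAD.EXE", r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt'),
    (1560, 0,    r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),  # VSS service, benign
]

# Windows-native tools whose arguments destroy recovery artefacts (ATT&CK T1490).
# Rules match on the leaf LOLBin image, so the "cmd.exe /C ..." wrapper is not
# double-counted; it still shows up in the reported ancestry chain.
T1490_RULES = [
    ("vssadmin.exe", re.compile(r"\bdelete\s+shadows\b", re.I), "vssadmin delete shadows"),
    ("wmic.exe", re.compile(r"\bshadowcopy\b.*\bdelete\b", re.I), "wmic shadowcopy delete"),
    ("bcdedit.exe", re.compile(r"\brecoveryenabled\s+no\b", re.I), "bcdedit recoveryenabled no"),
    ("bcdedit.exe", re.compile(r"\bbootstatuspolicy\s+ignoreallfailures\b", re.I), "bcdedit bootstatuspolicy ignoreallfailures"),
    ("wbadmin.exe", re.compile(r"\bdelete\s+catalog\b", re.I), "wbadmin delete catalog"),
]

# Assumed allowlist of parents that legitimately launch the .NET compilers.
COMPILER_PARENT_ALLOWLIST = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
# Directories where the real svchost.exe lives (compared case-insensitively).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def build_index(events):
    """pid -> (ppid, image, command_line)"""
    return {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}


def basename(image):
    return PureWindowsPath(image).name.lower()


def ancestry(index, pid):
    """Image basenames from the top-most known ancestor down to pid (cycle-safe)."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        ppid, image, _ = index[pid]
        chain.append(basename(image))
        pid = ppid
    return list(reversed(chain))


def detect(events):
    index = build_index(events)
    findings = []
    for pid, ppid, image, cmd in events:
        name = basename(image)
        for rule_image, pattern, label in T1490_RULES:
            if name == rule_image and pattern.search(cmd):
                findings.append({"pid": pid, "technique": "T1490", "rule": label,
                                 "chain": ancestry(index, pid)})
        if name in {"csc.exe", "vbc.exe"}:
            parent = basename(index[ppid][1]) if ppid in index else "<unknown>"
            if parent not in COMPILER_PARENT_ALLOWLIST:
                findings.append({"pid": pid, "technique": "T1027.004",
                                 "rule": f"{name} spawned by {parent}", "chain": ancestry(index, pid)})
        if name == "svchost.exe" and str(PureWindowsPath(image).parent).lower() not in SYSTEM_DIRS:
            findings.append({"pid": pid, "technique": "T1036.005",
                             "rule": f"svchost.exe outside System32: {image}", "chain": ancestry(index, pid)})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f['technique']:<10} pid={f['pid']:<5} {f['rule']}")
        print(f"           chain: {' -> '.join(f['chain'])}")
```

Every T1490 hit resolves to the chain o.exe -> svchost.exe -> cmd.exe -> tool, which is the grouping an analyst wants in a SIEM alert: one incident rooted at the dropped payload rather than five unrelated command-line matches. The csc.exe hit is separate and roots at the builder, which is expected for this sample type and is also what a compile-after-delivery loader looks like on a workstation that has no development tooling.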

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\Temp\RESD58B.tmp

          Filesize

          1KB

          MD5

          23b47f32ab5c6bfbe5e20d028d93b83b

          SHA1

          0958f7a763cc684aa54a3f01ee8806575056ad1a

          SHA256

          b34c8eb294f12cc76be5ad2b2bb79e174c869dd4140d1507d56faf32e75ac844

          SHA512

          b7c2cf013396dcf52ec488e71ab67d241459ab0eec3235ed0c3aec8c2fdf5a5c341a230cdeb47723868e2916d6f004ac83f1fced0f9be40785d05c9a974f0728

        • C:\Users\Admin\Documents\read_it.txt

          Filesize

          964B

          MD5

          4217b8b83ce3c3f70029a056546f8fd0

          SHA1

          487cdb5733d073a0427418888e8f7070fe782a03

          SHA256

          7d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121

          SHA512

          2a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740

        • C:\Users\Admin\Downloads\o.exe

          Filesize

          23KB

          MD5

          c8288b79e036bcbb8555ee9b9deb7ff2

          SHA1

          1e131f6ac8a91fa460fc27aaf89f3b1f0c2da11d

          SHA256

          2d41872578ca7429da171fbebe86da3197a3de9fa5e2c3682511f08c6d3d521b

          SHA512

          dab421a73692f8df2bb05e442af9893d86a6024881a5d6d173334d279c764f3ec57f5843cfc36c6eb6a103b057a40448d9da77556b3e3096b968843c4d9a4912

        • \??\c:\Users\Admin\AppData\Local\Temp\dduatvzx\dduatvzx.0.cs

          Filesize

          31KB

          MD5

          1917370b65214d864236a65d2c22c8c3

          SHA1

          18443893d637cc39e52e13e2e5b003d5cde17a28

          SHA256

          1b6033208e4827fb3657e253c2f74177ea2c17b65bce6b44fac95d0f2df7cc97

          SHA512

          72b90f4fe80942ad1367ad950631bf23068f7412fcada9bdb274bb546f172b073480e20d906fa535409e3378fa6f3e5ce3d6a414d2038664dab0e7da9ec8e4f2

        • \??\c:\Users\Admin\AppData\Local\Temp\dduatvzx\dduatvzx.cmdline

          Filesize

          329B

          MD5

          c743f7ab0a8091ee7563e450c6b05185

          SHA1

          945046db083c75ae9e6525c53ea6266c43a82d20

          SHA256

          e62410227a138ec257981b3a700a91784b41427aec40d67015015f9981e58d43

          SHA512

          179e9458f0fddf0f523069ac4dece96bafb01a013c4fb2455326250f1827660a0a561a603c82c8277e21c28789afc50b32d3a792ea576550fcd988842ea4e85e

        • \??\c:\Users\Admin\Downloads\CSCEE4C269799F5442DAABD7BAA3B296324.TMP

          Filesize

          1KB

          MD5

          e20d58e5e0918921d5a7b19766e2426f

          SHA1

          e87d86e4469186d80a606efe465dceb316d15bfb

          SHA256

          95dbbac78f45063b75b22df03b1bf31d4ec27bbb9dd488df36962eb3e75ba0a6

          SHA512

          7a3565bd4f3242d3a16612aab9a98f9dbf861407c5eee4afc236708f0e5e4043c78fcfe1c919b1950bd2e6479f40d4562d3295154420dbbeec883951cc68ae5a

        • memory/1308-37-0x0000000000BF0000-0x0000000000BFC000-memory.dmp

          Filesize

          48KB

        • memory/2276-14-0x000000001BF80000-0x000000001C127000-memory.dmp

          Filesize

          1.7MB

        • memory/2276-6-0x00007FF9450D0000-0x00007FF945B92000-memory.dmp

          Filesize

          10.8MB

        • memory/2276-9-0x00007FF9450D0000-0x00007FF945B92000-memory.dmp

          Filesize

          10.8MB

        • memory/2276-10-0x000000001BF80000-0x000000001C127000-memory.dmp

          Filesize

          1.7MB

        • memory/2276-11-0x00007FF9450D0000-0x00007FF945B92000-memory.dmp

          Filesize

          10.8MB

        • memory/2276-12-0x000000001BF80000-0x000000001C127000-memory.dmp

          Filesize

          1.7MB

        • memory/2276-13-0x000000001BF80000-0x000000001C127000-memory.dmp

          Filesize

          1.7MB

        • memory/2276-0-0x00007FF9450D3000-0x00007FF9450D5000-memory.dmp

          Filesize

          8KB

        • memory/2276-20-0x000000001BF80000-0x000000001C127000-memory.dmp

          Filesize

          1.7MB

        • memory/2276-21-0x000000001BF80000-0x000000001C127000-memory.dmp

          Filesize

          1.7MB

        • memory/2276-7-0x000000001BF80000-0x000000001C127000-memory.dmp

          Filesize

          1.7MB

        • memory/2276-8-0x00007FF9450D0000-0x00007FF945B92000-memory.dmp

          Filesize

          10.8MB

        • memory/2276-5-0x00007FF9450D3000-0x00007FF9450D5000-memory.dmp

          Filesize

          8KB

        • memory/2276-4-0x00007FF9450D0000-0x00007FF945B92000-memory.dmp

          Filesize

          10.8MB

        • memory/2276-34-0x000000001BF80000-0x000000001C127000-memory.dmp

          Filesize

          1.7MB

        • memory/2276-3-0x00007FF9450D0000-0x00007FF945B92000-memory.dmp

          Filesize

          10.8MB

        • memory/2276-2-0x00007FF9450D0000-0x00007FF945B92000-memory.dmp

          Filesize

          10.8MB

        • memory/2276-38-0x000000001BF80000-0x000000001C127000-memory.dmp

          Filesize

          1.7MB

        • memory/2276-1-0x0000000000800000-0x000000000088E000-memory.dmp

          Filesize

          568KB

        • memory/2276-578-0x000000001BF80000-0x000000001C127000-memory.dmp

          Filesize

          1.7MB

        • memory/2276-596-0x000000001BF80000-0x000000001C127000-memory.dmp

          Filesize

          1.7MB