Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
31/03/2024, 09:16
240331-k8y2eahd2s 1031/03/2024, 09:07
240331-k3d42shh42 1020/03/2024, 19:30
240320-x7y18shg5v 10Analysis
-
max time kernel
122s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
20/03/2024, 19:30
Behavioral task
behavioral1
Sample
2024-03-20_1b2fdf47aaaccaf622e33cb4dd63e8e2_wannacry.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-03-20_1b2fdf47aaaccaf622e33cb4dd63e8e2_wannacry.exe
Resource
win10v2004-20240226-en
General
-
Target
2024-03-20_1b2fdf47aaaccaf622e33cb4dd63e8e2_wannacry.exe
-
Size
372KB
-
MD5
1b2fdf47aaaccaf622e33cb4dd63e8e2
-
SHA1
1130c9d40bc5ab004918a509811f914605594961
-
SHA256
24266d8af5e54a179ca62fe8ba586a9bced5e39565ad05f33583a3fc8f509613
-
SHA512
f494e23997ba85df3fcdaaaeb1d6c056de6f7b6a22ecf8df4797b302016deafea0d2030058680baa521cae93cf5921b3bd58d1750274819f866a868beff2739c
-
SSDEEP
3072:doeNsCr9h4ca2aHBSCAb2+IPdG1UlcaVSptR4jiYFD:nNr9h4ca7SCdI12cTtRcf
Malware Config
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 4 IoCs
resource yara_rule behavioral1/memory/2240-0-0x00000000003A0000-0x0000000000402000-memory.dmp family_chaos behavioral1/files/0x0009000000012245-5.dat family_chaos behavioral1/memory/1956-7-0x00000000012B0000-0x0000000001312000-memory.dmp family_chaos behavioral1/memory/1956-11-0x0000000000AF0000-0x0000000000B70000-memory.dmp family_chaos -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Detects command variations typically used by ransomware 4 IoCs
resource yara_rule behavioral1/memory/2240-0-0x00000000003A0000-0x0000000000402000-memory.dmp INDICATOR_SUSPICIOUS_GENRansomware behavioral1/files/0x0009000000012245-5.dat INDICATOR_SUSPICIOUS_GENRansomware behavioral1/memory/1956-7-0x00000000012B0000-0x0000000001312000-memory.dmp INDICATOR_SUSPICIOUS_GENRansomware behavioral1/memory/1956-11-0x0000000000AF0000-0x0000000000B70000-memory.dmp INDICATOR_SUSPICIOUS_GENRansomware -
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 1848 bcdedit.exe 3060 bcdedit.exe -
Renames multiple (199) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
pid Process 2264 wbadmin.exe -
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\meleaicara.txt svchost.exe -
Executes dropped EXE 1 IoCs
pid Process 1956 svchost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 34 IoCs
description ioc Process File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini svchost.exe File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini svchost.exe File opened for modification C:\Users\Public\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini svchost.exe File opened for modification C:\Users\Public\Music\desktop.ini svchost.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3787592910-3720486031-2929222812-1000\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Searches\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini svchost.exe File opened for modification C:\Users\Public\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Public\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini svchost.exe File opened for modification C:\Users\Public\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini svchost.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini svchost.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\px0ifv6cz.jpg" svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2736 vssadmin.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 2040 NOTEPAD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1956 svchost.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2240 2024-03-20_1b2fdf47aaaccaf622e33cb4dd63e8e2_wannacry.exe 2240 2024-03-20_1b2fdf47aaaccaf622e33cb4dd63e8e2_wannacry.exe 1956 svchost.exe 1956 svchost.exe 1956 svchost.exe 1956 svchost.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
description pid Process Token: SeDebugPrivilege 2240 2024-03-20_1b2fdf47aaaccaf622e33cb4dd63e8e2_wannacry.exe Token: SeDebugPrivilege 1956 svchost.exe Token: SeBackupPrivilege 2644 vssvc.exe Token: SeRestorePrivilege 2644 vssvc.exe Token: SeAuditPrivilege 2644 vssvc.exe Token: SeIncreaseQuotaPrivilege 1080 WMIC.exe Token: SeSecurityPrivilege 1080 WMIC.exe Token: SeTakeOwnershipPrivilege 1080 WMIC.exe Token: SeLoadDriverPrivilege 1080 WMIC.exe Token: SeSystemProfilePrivilege 1080 WMIC.exe Token: SeSystemtimePrivilege 1080 WMIC.exe Token: SeProfSingleProcessPrivilege 1080 WMIC.exe Token: SeIncBasePriorityPrivilege 1080 WMIC.exe Token: SeCreatePagefilePrivilege 1080 WMIC.exe Token: SeBackupPrivilege 1080 WMIC.exe Token: SeRestorePrivilege 1080 WMIC.exe Token: SeShutdownPrivilege 1080 WMIC.exe Token: SeDebugPrivilege 1080 WMIC.exe Token: SeSystemEnvironmentPrivilege 1080 WMIC.exe Token: SeRemoteShutdownPrivilege 1080 WMIC.exe Token: SeUndockPrivilege 1080 WMIC.exe Token: SeManageVolumePrivilege 1080 WMIC.exe Token: 33 1080 WMIC.exe Token: 34 1080 WMIC.exe Token: 35 1080 WMIC.exe Token: SeIncreaseQuotaPrivilege 1080 WMIC.exe Token: SeSecurityPrivilege 1080 WMIC.exe Token: SeTakeOwnershipPrivilege 1080 WMIC.exe Token: SeLoadDriverPrivilege 1080 WMIC.exe Token: SeSystemProfilePrivilege 1080 WMIC.exe Token: SeSystemtimePrivilege 1080 WMIC.exe Token: SeProfSingleProcessPrivilege 1080 WMIC.exe Token: SeIncBasePriorityPrivilege 1080 WMIC.exe Token: SeCreatePagefilePrivilege 1080 WMIC.exe Token: SeBackupPrivilege 1080 WMIC.exe Token: SeRestorePrivilege 1080 WMIC.exe Token: SeShutdownPrivilege 1080 WMIC.exe Token: SeDebugPrivilege 1080 WMIC.exe Token: SeSystemEnvironmentPrivilege 1080 WMIC.exe Token: SeRemoteShutdownPrivilege 1080 WMIC.exe Token: SeUndockPrivilege 1080 WMIC.exe Token: SeManageVolumePrivilege 1080 WMIC.exe Token: 33 1080 WMIC.exe Token: 34 1080 WMIC.exe Token: 35 1080 WMIC.exe Token: SeBackupPrivilege 2716 wbengine.exe Token: SeRestorePrivilege 2716 wbengine.exe Token: SeSecurityPrivilege 2716 wbengine.exe -
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target PID 2240 wrote to memory of 1956 2240 2024-03-20_1b2fdf47aaaccaf622e33cb4dd63e8e2_wannacry.exe 28 PID 2240 wrote to memory of 1956 2240 2024-03-20_1b2fdf47aaaccaf622e33cb4dd63e8e2_wannacry.exe 28 PID 2240 wrote to memory of 1956 2240 2024-03-20_1b2fdf47aaaccaf622e33cb4dd63e8e2_wannacry.exe 28 PID 1956 wrote to memory of 2500 1956 svchost.exe 30 PID 1956 wrote to memory of 2500 1956 svchost.exe 30 PID 1956 wrote to memory of 2500 1956 svchost.exe 30 PID 2500 wrote to memory of 2736 2500 cmd.exe 32 PID 2500 wrote to memory of 2736 2500 cmd.exe 32 PID 2500 wrote to memory of 2736 2500 cmd.exe 32 PID 2500 wrote to memory of 1080 2500 cmd.exe 36 PID 2500 wrote to memory of 1080 2500 cmd.exe 36 PID 2500 wrote to memory of 1080 2500 cmd.exe 36 PID 1956 wrote to memory of 1780 1956 svchost.exe 38 PID 1956 wrote to memory of 1780 1956 svchost.exe 38 PID 1956 wrote to memory of 1780 1956 svchost.exe 38 PID 1780 wrote to memory of 1848 1780 cmd.exe 40 PID 1780 wrote to memory of 1848 1780 cmd.exe 40 PID 1780 wrote to memory of 1848 1780 cmd.exe 40 PID 1780 wrote to memory of 3060 1780 cmd.exe 41 PID 1780 wrote to memory of 3060 1780 cmd.exe 41 PID 1780 wrote to memory of 3060 1780 cmd.exe 41 PID 1956 wrote to memory of 2812 1956 svchost.exe 42 PID 1956 wrote to memory of 2812 1956 svchost.exe 42 PID 1956 wrote to memory of 2812 1956 svchost.exe 42 PID 2812 wrote to memory of 2264 2812 cmd.exe 44 PID 2812 wrote to memory of 2264 2812 cmd.exe 44 PID 2812 wrote to memory of 2264 2812 cmd.exe 44 PID 1956 wrote to memory of 2040 1956 svchost.exe 50 PID 1956 wrote to memory of 2040 1956 svchost.exe 50 PID 1956 wrote to memory of 2040 1956 svchost.exe 50 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-03-20_1b2fdf47aaaccaf622e33cb4dd63e8e2_wannacry.exe"C:\Users\Admin\AppData\Local\Temp\2024-03-20_1b2fdf47aaaccaf622e33cb4dd63e8e2_wannacry.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:2736
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1080
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no3⤵
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
PID:1848
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
PID:3060
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
PID:2264
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\meleaicara.txt3⤵
- Opens file in notepad (likely ransom note)
PID:2040
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2644
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2716
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:1984
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:1084
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
372KB
MD51b2fdf47aaaccaf622e33cb4dd63e8e2
SHA11130c9d40bc5ab004918a509811f914605594961
SHA25624266d8af5e54a179ca62fe8ba586a9bced5e39565ad05f33583a3fc8f509613
SHA512f494e23997ba85df3fcdaaaeb1d6c056de6f7b6a22ecf8df4797b302016deafea0d2030058680baa521cae93cf5921b3bd58d1750274819f866a868beff2739c
-
Filesize
337B
MD52453eac3dfe17fe5b3e88b03f449d805
SHA124c16cbbf4f2b8ea43d1cbea09a51eaa2c0d6b13
SHA2562464de8fc12e32477f09621b90d707ab9fcca3b9d8b1b1caf367f5496021091f
SHA512d5750b142533e1fab2deaae7563edb7da723ef69cc93f91c1e91659da92167d9f9d0b34a7ed828761563068a510857f62d893c0028cc826f3252fc993c420a0a