Analysis
max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted
27/03/2024, 20:32
Static task
static1
Behavioral task
behavioral1
Sample
2024-03-27_5de3be7387ae4c84f1c3931f8f4a4bdb_wannacry.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-03-27_5de3be7387ae4c84f1c3931f8f4a4bdb_wannacry.exe
Resource
win10v2004-20240226-en
General
Target
2024-03-27_5de3be7387ae4c84f1c3931f8f4a4bdb_wannacry.exe
Size
294KB
MD5
5de3be7387ae4c84f1c3931f8f4a4bdb
SHA1
a291b128d79e06bc35a3d7103b6e17aeefe1bfa9
SHA256
a9abad54fc0edbec207aa78275dde697b408f64ec15593982dd1db743c1a82ff
SHA512
57267d315dd75771a7711bf04d8289380e7608f553d03d5e1b0e4918a912c579b50ff01c401aae9fb1de67802ad28e66b82559cf3e0783bff3a9b7ab3f0fc766
SSDEEP
1536:ixDkHJ/b+BgGt+ilZ7K1CM0yt9z6+yMdhvkod5jbuvSf7:FVb+BhMEXUOwdhvNvjbxf7
Malware Config
Extracted
C:\Users\Admin\Desktop\read_it.txt
chaos
https://t.me/DecrypteKey
Signatures
- Chaos
  Ransomware family first seen in June 2021.
- Detects command variations typically used by ransomware (3 IoCs)
  resource | yara_rule
  behavioral1/memory/2992-0-0x0000000000D80000-0x0000000000DD0000-memory.dmp | INDICATOR_SUSPICIOUS_GENRansomware
  behavioral1/files/0x0009000000012251-5.dat | INDICATOR_SUSPICIOUS_GENRansomware
  behavioral1/memory/1156-7-0x0000000000F90000-0x0000000000FE0000-memory.dmp | INDICATOR_SUSPICIOUS_GENRansomware
- Drops startup file (3 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | svchost.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt | svchost.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  1156 | svchost.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (34 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\Downloads\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Favorites\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | svchost.exe
  File opened for modification | C:\Users\Public\Videos\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Contacts\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Documents\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Searches\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Desktop\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Public\Music\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Public\Desktop\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Pictures\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Public\Videos\Sample Videos\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | svchost.exe
  File opened for modification | C:\Users\Public\Pictures\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini | svchost.exe
  File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-406356229-2805545415-1236085040-1000\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Music\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Public\Documents\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Videos\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Links\desktop.ini | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Opens file in notepad (likely ransom note) (1 IoCs)
  pid | Process
  2608 | NOTEPAD.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid | Process
  1156 | svchost.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid | Process
  2992 | 2024-03-27_5de3be7387ae4c84f1c3931f8f4a4bdb_wannacry.exe
  2992 | 2024-03-27_5de3be7387ae4c84f1c3931f8f4a4bdb_wannacry.exe
  1156 | svchost.exe
  1156 | svchost.exe
  1156 | svchost.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2992 | 2024-03-27_5de3be7387ae4c84f1c3931f8f4a4bdb_wannacry.exe
  Token: SeDebugPrivilege | 1156 | svchost.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2992 wrote to memory of 1156 | 2992 | 2024-03-27_5de3be7387ae4c84f1c3931f8f4a4bdb_wannacry.exe | 28
  PID 2992 wrote to memory of 1156 | 2992 | 2024-03-27_5de3be7387ae4c84f1c3931f8f4a4bdb_wannacry.exe | 28
  PID 2992 wrote to memory of 1156 | 2992 | 2024-03-27_5de3be7387ae4c84f1c3931f8f4a4bdb_wannacry.exe | 28
  PID 1156 wrote to memory of 2608 | 1156 | svchost.exe | 30
  PID 1156 wrote to memory of 2608 | 1156 | svchost.exe | 30
  PID 1156 wrote to memory of 2608 | 1156 | svchost.exe | 30
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-03-27_5de3be7387ae4c84f1c3931f8f4a4bdb_wannacry.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-27_5de3be7387ae4c84f1c3931f8f4a4bdb_wannacry.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 2992
   2. C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Drops startup file
      - Executes dropped EXE
      - Drops desktop.ini file(s)
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1156
      3. C:\Windows\system32\NOTEPAD.EXE
         Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
         - Opens file in notepad (likely ransom note)
         PID: 2608
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
294KB
MD5
5de3be7387ae4c84f1c3931f8f4a4bdb
SHA1
a291b128d79e06bc35a3d7103b6e17aeefe1bfa9
SHA256
a9abad54fc0edbec207aa78275dde697b408f64ec15593982dd1db743c1a82ff
SHA512
57267d315dd75771a7711bf04d8289380e7608f553d03d5e1b0e4918a912c579b50ff01c401aae9fb1de67802ad28e66b82559cf3e0783bff3a9b7ab3f0fc766

Filesize
1KB
MD5
033c70e11bd9d61f2132307be4740963
SHA1
9db63c9f7873de81235c63ffa52477ab3c7e844d
SHA256
e2e467b32be5706cc6d660cfa23d5b1e53f66a7d5017265e7f0b3b37596fbacd
SHA512
484b47d0a064d5d7a724ac5d4d1a264513da158e881d0c74c43546243fe504a9c830626a1fb085a232943881833f8b61e76ddc5ac4a4c78ee1e109cc0433bc44