Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
55s -
max time network
54s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
28/04/2024, 16:30
Behavioral task
behavioral1
Sample
2024-04-28_3ed020bc2731ffa944c786ac70026733_chaos_destroyer_wannacry.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
2024-04-28_3ed020bc2731ffa944c786ac70026733_chaos_destroyer_wannacry.exe
Resource
win10v2004-20240419-en
General
-
Target
2024-04-28_3ed020bc2731ffa944c786ac70026733_chaos_destroyer_wannacry.exe
-
Size
23KB
-
MD5
3ed020bc2731ffa944c786ac70026733
-
SHA1
598b4ae87879bc68cba7a73fb7e6b4cca2b39375
-
SHA256
b7e4587f99764ac6f52f26a06a6aca5bb9041c7f5501114ab10ba1f1fa8afbda
-
SHA512
fcd846fab1ee2c1cbb28f23aa93b884a483c6638fed607e5c0a1bed76d6bcde79e3248a7e29b9f463e9792ab796e5a8609daabeed3341ce8fcae8fba58cd93e9
-
SSDEEP
384:r3Mg/bqo2mcxtivp1AN4+X0Z/NJjr91C+xb52ew:Nqo2ptMp1g4+kR7jr9Nxbkew
Malware Config
Extracted
C:\Users\Admin\Documents\read_it.txt
chaos
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 2 IoCs
resource yara_rule behavioral2/memory/808-0-0x0000000000EC0000-0x0000000000ECC000-memory.dmp family_chaos behavioral2/files/0x000b000000023b7e-6.dat family_chaos -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Detects command variations typically used by ransomware 2 IoCs
resource yara_rule behavioral2/memory/808-0-0x0000000000EC0000-0x0000000000ECC000-memory.dmp INDICATOR_SUSPICIOUS_GENRansomware behavioral2/files/0x000b000000023b7e-6.dat INDICATOR_SUSPICIOUS_GENRansomware -
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 3580 bcdedit.exe 912 bcdedit.exe -
pid Process 3444 wbadmin.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation svchost.exe Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation 2024-04-28_3ed020bc2731ffa944c786ac70026733_chaos_destroyer_wannacry.exe -
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt svchost.exe -
Executes dropped EXE 1 IoCs
pid Process 4016 svchost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 34 IoCs
description ioc Process File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini svchost.exe File opened for modification C:\Users\Public\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Public\Music\desktop.ini svchost.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3726321484-1950364574-433157660-1000\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Searches\desktop.ini svchost.exe File opened for modification C:\Users\Public\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini svchost.exe File opened for modification C:\Users\Public\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini svchost.exe File opened for modification C:\Users\Public\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini svchost.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2616 vssadmin.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings svchost.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 2704 NOTEPAD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4016 svchost.exe -
Suspicious behavior: EnumeratesProcesses 47 IoCs
pid Process 808 2024-04-28_3ed020bc2731ffa944c786ac70026733_chaos_destroyer_wannacry.exe 808 2024-04-28_3ed020bc2731ffa944c786ac70026733_chaos_destroyer_wannacry.exe 808 2024-04-28_3ed020bc2731ffa944c786ac70026733_chaos_destroyer_wannacry.exe 808 2024-04-28_3ed020bc2731ffa944c786ac70026733_chaos_destroyer_wannacry.exe 808 2024-04-28_3ed020bc2731ffa944c786ac70026733_chaos_destroyer_wannacry.exe 808 2024-04-28_3ed020bc2731ffa944c786ac70026733_chaos_destroyer_wannacry.exe 808 2024-04-28_3ed020bc2731ffa944c786ac70026733_chaos_destroyer_wannacry.exe 808 2024-04-28_3ed020bc2731ffa944c786ac70026733_chaos_destroyer_wannacry.exe 808 2024-04-28_3ed020bc2731ffa944c786ac70026733_chaos_destroyer_wannacry.exe 808 2024-04-28_3ed020bc2731ffa944c786ac70026733_chaos_destroyer_wannacry.exe 808 2024-04-28_3ed020bc2731ffa944c786ac70026733_chaos_destroyer_wannacry.exe 808 2024-04-28_3ed020bc2731ffa944c786ac70026733_chaos_destroyer_wannacry.exe 808 2024-04-28_3ed020bc2731ffa944c786ac70026733_chaos_destroyer_wannacry.exe 808 2024-04-28_3ed020bc2731ffa944c786ac70026733_chaos_destroyer_wannacry.exe 808 2024-04-28_3ed020bc2731ffa944c786ac70026733_chaos_destroyer_wannacry.exe 808 2024-04-28_3ed020bc2731ffa944c786ac70026733_chaos_destroyer_wannacry.exe 808 2024-04-28_3ed020bc2731ffa944c786ac70026733_chaos_destroyer_wannacry.exe 808 2024-04-28_3ed020bc2731ffa944c786ac70026733_chaos_destroyer_wannacry.exe 808 2024-04-28_3ed020bc2731ffa944c786ac70026733_chaos_destroyer_wannacry.exe 808 2024-04-28_3ed020bc2731ffa944c786ac70026733_chaos_destroyer_wannacry.exe 808 2024-04-28_3ed020bc2731ffa944c786ac70026733_chaos_destroyer_wannacry.exe 808 2024-04-28_3ed020bc2731ffa944c786ac70026733_chaos_destroyer_wannacry.exe 808 2024-04-28_3ed020bc2731ffa944c786ac70026733_chaos_destroyer_wannacry.exe 4016 svchost.exe 4016 svchost.exe 4016 svchost.exe 4016 svchost.exe 4016 svchost.exe 4016 svchost.exe 4016 svchost.exe 4016 svchost.exe 4016 svchost.exe 4016 svchost.exe 4016 svchost.exe 4016 svchost.exe 4016 svchost.exe 4016 svchost.exe 4016 svchost.exe 4016 svchost.exe 4016 svchost.exe 4016 svchost.exe 4016 svchost.exe 4016 svchost.exe 4016 svchost.exe 4016 svchost.exe 4016 svchost.exe 4016 svchost.exe -
Suspicious use of AdjustPrivilegeToken 50 IoCs
description pid Process Token: SeDebugPrivilege 808 2024-04-28_3ed020bc2731ffa944c786ac70026733_chaos_destroyer_wannacry.exe Token: SeDebugPrivilege 4016 svchost.exe Token: SeBackupPrivilege 2728 vssvc.exe Token: SeRestorePrivilege 2728 vssvc.exe Token: SeAuditPrivilege 2728 vssvc.exe Token: SeIncreaseQuotaPrivilege 836 WMIC.exe Token: SeSecurityPrivilege 836 WMIC.exe Token: SeTakeOwnershipPrivilege 836 WMIC.exe Token: SeLoadDriverPrivilege 836 WMIC.exe Token: SeSystemProfilePrivilege 836 WMIC.exe Token: SeSystemtimePrivilege 836 WMIC.exe Token: SeProfSingleProcessPrivilege 836 WMIC.exe Token: SeIncBasePriorityPrivilege 836 WMIC.exe Token: SeCreatePagefilePrivilege 836 WMIC.exe Token: SeBackupPrivilege 836 WMIC.exe Token: SeRestorePrivilege 836 WMIC.exe Token: SeShutdownPrivilege 836 WMIC.exe Token: SeDebugPrivilege 836 WMIC.exe Token: SeSystemEnvironmentPrivilege 836 WMIC.exe Token: SeRemoteShutdownPrivilege 836 WMIC.exe Token: SeUndockPrivilege 836 WMIC.exe Token: SeManageVolumePrivilege 836 WMIC.exe Token: 33 836 WMIC.exe Token: 34 836 WMIC.exe Token: 35 836 WMIC.exe Token: 36 836 WMIC.exe Token: SeIncreaseQuotaPrivilege 836 WMIC.exe Token: SeSecurityPrivilege 836 WMIC.exe Token: SeTakeOwnershipPrivilege 836 WMIC.exe Token: SeLoadDriverPrivilege 836 WMIC.exe Token: SeSystemProfilePrivilege 836 WMIC.exe Token: SeSystemtimePrivilege 836 WMIC.exe Token: SeProfSingleProcessPrivilege 836 WMIC.exe Token: SeIncBasePriorityPrivilege 836 WMIC.exe Token: SeCreatePagefilePrivilege 836 WMIC.exe Token: SeBackupPrivilege 836 WMIC.exe Token: SeRestorePrivilege 836 WMIC.exe Token: SeShutdownPrivilege 836 WMIC.exe Token: SeDebugPrivilege 836 WMIC.exe Token: SeSystemEnvironmentPrivilege 836 WMIC.exe Token: SeRemoteShutdownPrivilege 836 WMIC.exe Token: SeUndockPrivilege 836 WMIC.exe Token: SeManageVolumePrivilege 836 WMIC.exe Token: 33 836 WMIC.exe Token: 34 836 WMIC.exe Token: 35 836 WMIC.exe Token: 36 836 WMIC.exe Token: SeBackupPrivilege 5076 wbengine.exe Token: SeRestorePrivilege 5076 wbengine.exe Token: SeSecurityPrivilege 5076 wbengine.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 808 wrote to memory of 4016 808 2024-04-28_3ed020bc2731ffa944c786ac70026733_chaos_destroyer_wannacry.exe 86 PID 808 wrote to memory of 4016 808 2024-04-28_3ed020bc2731ffa944c786ac70026733_chaos_destroyer_wannacry.exe 86 PID 4016 wrote to memory of 1708 4016 svchost.exe 88 PID 4016 wrote to memory of 1708 4016 svchost.exe 88 PID 1708 wrote to memory of 2616 1708 cmd.exe 90 PID 1708 wrote to memory of 2616 1708 cmd.exe 90 PID 1708 wrote to memory of 836 1708 cmd.exe 93 PID 1708 wrote to memory of 836 1708 cmd.exe 93 PID 4016 wrote to memory of 2836 4016 svchost.exe 95 PID 4016 wrote to memory of 2836 4016 svchost.exe 95 PID 2836 wrote to memory of 3580 2836 cmd.exe 97 PID 2836 wrote to memory of 3580 2836 cmd.exe 97 PID 2836 wrote to memory of 912 2836 cmd.exe 98 PID 2836 wrote to memory of 912 2836 cmd.exe 98 PID 4016 wrote to memory of 3880 4016 svchost.exe 99 PID 4016 wrote to memory of 3880 4016 svchost.exe 99 PID 3880 wrote to memory of 3444 3880 cmd.exe 101 PID 3880 wrote to memory of 3444 3880 cmd.exe 101 PID 4016 wrote to memory of 2704 4016 svchost.exe 105 PID 4016 wrote to memory of 2704 4016 svchost.exe 105 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-28_3ed020bc2731ffa944c786ac70026733_chaos_destroyer_wannacry.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-28_3ed020bc2731ffa944c786ac70026733_chaos_destroyer_wannacry.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:2616
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:836
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no3⤵
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
PID:3580
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
PID:912
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
- Suspicious use of WriteProcessMemory
PID:3880 -
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
PID:3444
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt3⤵
- Opens file in notepad (likely ransom note)
PID:2704
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2728
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5076
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:3012
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:2884
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD53ed020bc2731ffa944c786ac70026733
SHA1598b4ae87879bc68cba7a73fb7e6b4cca2b39375
SHA256b7e4587f99764ac6f52f26a06a6aca5bb9041c7f5501114ab10ba1f1fa8afbda
SHA512fcd846fab1ee2c1cbb28f23aa93b884a483c6638fed607e5c0a1bed76d6bcde79e3248a7e29b9f463e9792ab796e5a8609daabeed3341ce8fcae8fba58cd93e9
-
Filesize
964B
MD54217b8b83ce3c3f70029a056546f8fd0
SHA1487cdb5733d073a0427418888e8f7070fe782a03
SHA2567d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121
SHA5122a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740