Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/05/2024, 01:43

General

  • Target

    2024-05-18_f89dcaf691e6355ecff8faf4f2d66456_wannacry.exe

  • Size

    293KB

  • MD5

    f89dcaf691e6355ecff8faf4f2d66456

  • SHA1

    263c5f942b8f5787a466fd8c4a5a6cbee6dfb87b

  • SHA256

    aeeef616860df5ac0bcf37567fb1476d8d60ecc3d9eb6b82515ad5d5c3d5218d

  • SHA512

    b2c6e911c4c417354ca4857f5cbd85f8f8bd80afc3ae43fb3640013d1755f4e1235842617a993a98c253ba8690c328ce1c0b5b4bbc111f93ba5392124cc2bc9a

  • SSDEEP

    6144:H0eq9CkaffINH2da6Bi842ZwWoHa2ksBBk:U8kaffYH2dZBi83ZwWo62ksBB

Malware Config

Extracted

Path

C:\Users\Admin\3D Objects\readme.txt

Ransom Note
Hello, Congrats you have been hit by the Scrypt Ransomware so lets talk about recovering your files. First off don't even waste your time with free decrypters. Scrypt Ransomware uses 256 aes bit encryption which means its impossible to bruteforce or attempt to recover your files. So here are the steps to recovering your files. First off let me prefix this by saying reporting this malware or leaving a bad review on the product will instantly disqualify you from recovering your files, so if you wish to see your files in any shape or form I reccomend you keep quiet and follow these steps: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1. Download BitPay: https://bitpay.com/ This can also be downloaded from the microsoft store. 2. Purchase $500 in bitcoin using the buy crypto option 3. Send that $500 in bitcoin to this addr: {_BITCOIN_ADDR} 4. After you have sent the money send an email to {_EMAIL} saying that you have paid and please include your user id. 5. Wait roughly 6 hours, I will send you your decrypter and key which can be used to decrypt all files encrypted by the ransomware. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ YOU HAVE ONE WEEK, AFTER ONE WEEK DECRYPTING YOUR FILES WILL BECOME $5000 REPORTING THIS FILE TO ANYONE WILL RESULT IN A FULL LOSS OF FILES FAILING TO PAY WILL RESULT IN YOUR PERSONAL DETAILS SUCH AS: - IP - Address - Username - Emails and passwords - Discord Account BEEN SOLD ON THE DARKWEB
URLs

https://bitpay.com/

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 2 IoCs
  • Detects command variations typically used by ransomware 2 IoCs
  • Detects executables containing many references to VEEAM. Observed in ransomware 2 IoCs
  • Renames multiple (173) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-18_f89dcaf691e6355ecff8faf4f2d66456_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-18_f89dcaf691e6355ecff8faf4f2d66456_wannacry.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5040
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4924
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\readme.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:4780
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4244 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4768

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\3D Objects\readme.txt

      Filesize

      1KB

      MD5

      9052a9be51af459b1bf70b44a1d2c680

      SHA1

      3e615ce42bb15e9a3ba28c870d6a30ec9cfb4474

      SHA256

      a0244b3cc76c033d586448e5fedff7035236c19fb048490a8a829157644d982d

      SHA512

      10042d3a127475049e14b58697036e3999c6c7f6bcd73b76fef1839e706c86601ccc43e0a9bf5341ef45fd438a4a760b55d48025aca5ee91c119adff7b3410f8

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2024-05-18_f89dcaf691e6355ecff8faf4f2d66456_wannacry.exe.log

      Filesize

      1KB

      MD5

      baf55b95da4a601229647f25dad12878

      SHA1

      abc16954ebfd213733c4493fc1910164d825cac8

      SHA256

      ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

      SHA512

      24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

    • C:\Users\Admin\AppData\Roaming\svchost.exe

      Filesize

      293KB

      MD5

      f89dcaf691e6355ecff8faf4f2d66456

      SHA1

      263c5f942b8f5787a466fd8c4a5a6cbee6dfb87b

      SHA256

      aeeef616860df5ac0bcf37567fb1476d8d60ecc3d9eb6b82515ad5d5c3d5218d

      SHA512

      b2c6e911c4c417354ca4857f5cbd85f8f8bd80afc3ae43fb3640013d1755f4e1235842617a993a98c253ba8690c328ce1c0b5b4bbc111f93ba5392124cc2bc9a

    • C:\Users\Admin\Desktop\GroupRepair.sql

      Filesize

      1B

      MD5

      d1457b72c3fb323a2671125aef3eab5d

      SHA1

      5bab61eb53176449e25c2c82f172b82cb13ffb9d

      SHA256

      8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

      SHA512

      ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

    • memory/4924-15-0x00007FFE5FD40000-0x00007FFE60801000-memory.dmp

      Filesize

      10.8MB

    • memory/4924-1112-0x00007FFE5FD40000-0x00007FFE60801000-memory.dmp

      Filesize

      10.8MB

    • memory/5040-0-0x00007FFE5FD43000-0x00007FFE5FD45000-memory.dmp

      Filesize

      8KB

    • memory/5040-1-0x0000000000EC0000-0x0000000000F0E000-memory.dmp

      Filesize

      312KB

    • memory/5040-2-0x00007FFE5FD40000-0x00007FFE60801000-memory.dmp

      Filesize

      10.8MB

    • memory/5040-16-0x00007FFE5FD40000-0x00007FFE60801000-memory.dmp

      Filesize

      10.8MB