Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
122s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
28/05/2024, 23:24
Behavioral task
behavioral1
Sample
2024-05-28_3d92a5ba0510fa666565200a3d7f8c4f_destroyer_wannacry.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
2024-05-28_3d92a5ba0510fa666565200a3d7f8c4f_destroyer_wannacry.exe
Resource
win10v2004-20240426-en
General
-
Target
2024-05-28_3d92a5ba0510fa666565200a3d7f8c4f_destroyer_wannacry.exe
-
Size
37KB
-
MD5
3d92a5ba0510fa666565200a3d7f8c4f
-
SHA1
a1003312ef89abe43028f4c466e3017a461fe7eb
-
SHA256
a73988ddd7012dbea460e6afe763dfc87fa788784301db187b6bc832a1b90b3e
-
SHA512
b79b58048f019bcfee19c36d3368deba30d8088f22b107bd69f107e8647fc6db1a7174cfdb4c6cd4f16c2dee1a0c879ba8b7b675dfcd97afbb38276c17053787
-
SSDEEP
768:3qo2ZK/hpktD8Hr92rda445lTtG/lpuBYXf3oZQEqj3mIgTeM:6o2Ze8D8Hr96da445xYlwBYgqEq7mqM
Malware Config
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 3 IoCs
resource yara_rule behavioral1/memory/1860-1-0x00000000001A0000-0x00000000001B0000-memory.dmp family_chaos behavioral1/files/0x000700000001211e-5.dat family_chaos behavioral1/memory/2548-7-0x0000000000DE0000-0x0000000000DF0000-memory.dmp family_chaos -
Detects command variations typically used by ransomware 3 IoCs
resource yara_rule behavioral1/memory/1860-1-0x00000000001A0000-0x00000000001B0000-memory.dmp INDICATOR_SUSPICIOUS_GENRansomware behavioral1/files/0x000700000001211e-5.dat INDICATOR_SUSPICIOUS_GENRansomware behavioral1/memory/2548-7-0x0000000000DE0000-0x0000000000DF0000-memory.dmp INDICATOR_SUSPICIOUS_GENRansomware -
Drops startup file 3 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url svchost.exe -
Executes dropped EXE 1 IoCs
pid Process 2548 svchost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 34 IoCs
description ioc Process File opened for modification C:\Users\Admin\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Searches\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini svchost.exe File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini svchost.exe File opened for modification C:\Users\Public\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini svchost.exe File opened for modification C:\Users\Public\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini svchost.exe File opened for modification C:\Users\Public\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Public\Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini svchost.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini svchost.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-481678230-3773327859-3495911762-1000\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Public\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini svchost.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lprzoe0bm.jpg" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 2376 NOTEPAD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2548 svchost.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 1860 2024-05-28_3d92a5ba0510fa666565200a3d7f8c4f_destroyer_wannacry.exe 1860 2024-05-28_3d92a5ba0510fa666565200a3d7f8c4f_destroyer_wannacry.exe 2548 svchost.exe 2548 svchost.exe 2548 svchost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1860 2024-05-28_3d92a5ba0510fa666565200a3d7f8c4f_destroyer_wannacry.exe Token: SeDebugPrivilege 2548 svchost.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1860 wrote to memory of 2548 1860 2024-05-28_3d92a5ba0510fa666565200a3d7f8c4f_destroyer_wannacry.exe 28 PID 1860 wrote to memory of 2548 1860 2024-05-28_3d92a5ba0510fa666565200a3d7f8c4f_destroyer_wannacry.exe 28 PID 1860 wrote to memory of 2548 1860 2024-05-28_3d92a5ba0510fa666565200a3d7f8c4f_destroyer_wannacry.exe 28 PID 2548 wrote to memory of 2376 2548 svchost.exe 30 PID 2548 wrote to memory of 2376 2548 svchost.exe 30 PID 2548 wrote to memory of 2376 2548 svchost.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-28_3d92a5ba0510fa666565200a3d7f8c4f_destroyer_wannacry.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-28_3d92a5ba0510fa666565200a3d7f8c4f_destroyer_wannacry.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt3⤵
- Opens file in notepad (likely ransom note)
PID:2376
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
37KB
MD53d92a5ba0510fa666565200a3d7f8c4f
SHA1a1003312ef89abe43028f4c466e3017a461fe7eb
SHA256a73988ddd7012dbea460e6afe763dfc87fa788784301db187b6bc832a1b90b3e
SHA512b79b58048f019bcfee19c36d3368deba30d8088f22b107bd69f107e8647fc6db1a7174cfdb4c6cd4f16c2dee1a0c879ba8b7b675dfcd97afbb38276c17053787
-
Filesize
55B
MD59e386839f70884f23dcd6136d874936c
SHA1d826c660bee396d0f57de94ec64b1987410a430a
SHA25694b9c14b329bb25f9b3a334434de85668f8e520fa4d2955be6d534ee7c7d05f0
SHA512c907b78f4ee4b07f7e712913e160cdd6b2da6dc63666cc12a416b85a67df194f1b9f20253edc88701f36d9198db34e4c25fb74369666e3fa532de3e92cf5668f