Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
09/07/2024, 00:43
240709-a2wmlaxcpj 409/07/2024, 00:37
240709-ayql6szcja 309/07/2024, 00:35
240709-axsedazbnh 309/07/2024, 00:32
240709-avreaswhrp 505/07/2024, 08:57
240705-kwn1nsvhmq 1011/12/2023, 16:03
231211-thl4lachb3 10Analysis
-
max time kernel
108s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
-
submitted
09/07/2024, 00:32
General
-
Target
wncry_sample1.exe
-
Size
3.6MB
-
MD5
db349b97c37d22f5ea1d1841e3c89eb4
-
SHA1
e889544aff85ffaf8b0d0da705105dee7c97fe26
-
SHA256
24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
-
SHA512
d6c60b8f22f89cbd1262c0aa7ae240577a82002fb149e9127d4edf775a25abcda4e585b6113e79ab4a24bb65f4280532529c2f06f7ffe4d5db45c0caf74fea38
-
SSDEEP
98304:wDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3R:wDqPe1Cxcxk3ZAEUadzR8yc4gB
Malware Config
Signatures
-
Drops file in System32 directory 11 IoCs
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\wncry_sample1.exe"C:\Users\Admin\AppData\Local\Temp\wncry_sample1.exe"1⤵
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\RestartSplit.jpe" /ForceBootstrapPaint3D1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc1⤵
- Drops file in System32 directory
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1476.0.2012012404\210922854" -parentBuildID 20230214051806 -prefsHandle 1820 -prefMapHandle 1812 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3d5b3a0-7564-4a26-9ec6-298b8902d93b} 1476 "\\.\pipe\gecko-crash-server-pipe.1476" 1900 244e0526b58 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1476.1.1081956463\425331163" -parentBuildID 20230214051806 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87d91891-62ad-4f33-8746-b3251e48dbef} 1476 "\\.\pipe\gecko-crash-server-pipe.1476" 2468 244d3787b58 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1476.2.1744054060\1675349793" -childID 1 -isForBrowser -prefsHandle 2816 -prefMapHandle 2804 -prefsLen 22215 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b36e8df-18e1-4d27-a6df-283ef8cf3d2b} 1476 "\\.\pipe\gecko-crash-server-pipe.1476" 3132 244e2dead58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1476.3.309625606\1159023063" -childID 2 -isForBrowser -prefsHandle 4148 -prefMapHandle 4144 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f544ce8-d703-4c8c-94fa-b32de2ad2d0a} 1476 "\\.\pipe\gecko-crash-server-pipe.1476" 4156 244d373ee58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1476.4.2119009465\445628563" -childID 3 -isForBrowser -prefsHandle 4796 -prefMapHandle 4056 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {665dadb6-4970-4293-8577-477754149674} 1476 "\\.\pipe\gecko-crash-server-pipe.1476" 4808 244e6374558 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1476.5.219091569\788686116" -childID 4 -isForBrowser -prefsHandle 5004 -prefMapHandle 5008 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43711d62-abba-499f-b223-9616b4658f1f} 1476 "\\.\pipe\gecko-crash-server-pipe.1476" 4056 244e6d70258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1476.6.1602878958\1767978248" -childID 5 -isForBrowser -prefsHandle 5052 -prefMapHandle 4792 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3288d9a-6e13-4f6d-a64b-57d04c449b7d} 1476 "\\.\pipe\gecko-crash-server-pipe.1476" 5168 244e6d6e758 tab3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD55171624a83f481b3fab5ba4d7e0b8a1b
SHA1adbb3c30b2964752605d1a16202695ae01d3413f
SHA256789e1f66ab83b94274eec0aa8bcb98e092bf15464f21f367f247a07ee06143cc
SHA512b1da0a230c848723870d3b6d8e600cbed3ae1fceabba0a14cc9350e535a387aa8a8c8db61e63710c5ded6c0fad4809ddf0e449d3e57985e7bc9e3859a24a5a53
-
Filesize
23KB
MD5901a147592c08ae8f0a7d8f36245b27d
SHA1d000e98b765e145921b9104cf0a06340b6e4ef9b
SHA2561673012b9ef5e97b93ddc772f54ae1a313c9766200559d98eb5301d30837976b
SHA512b63f3fe6c5c431463e64132445ed32a537ef37e0039835c3c2690bc18bd862ac927844a6bf03efa2bbc2d45c3ec6174ab248c45c45fbc9ec80a6a6043d902a34
-
Filesize
7KB
MD58473486a170196bc1f96fec0f5bff92b
SHA1b66c02641f8e021cc676d9a2d7894a1e0acf91b9
SHA256564dfd83d8bfc1390bf6db954a0b9c84c0cb201bc0d0e4af05ae4a23e7c4d5a6
SHA5124d530faab2ad04ab140af230cbd73dd5146ddae01ee7483f807b76cc635b7cd2c7045134f0d821eaa659882d5d11acf7a2fbddb3064255689579248b8d0744f2
-
Filesize
1KB
MD51cba396ae6b2506abde61134d8cfc01e
SHA155a0d01aabbac7c887b4fc4d996aa408df251c12
SHA256efefa233452b88756074ff0acf75083cdf49e48f5f5f7a414173e17a5ff8600c
SHA51254e13ae27a57cac345b34695a793b7ef0dab7c10f549ced0491e81aebac654cfee212ec47c7248d73dac3f35fdba4d0a6ac096a1cd9eb8d6303dd552e695a8f2
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB