Analysis

  • max time kernel
    137s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/07/2024, 06:28

General

  • Target

    2024-07-28_88995b9826e89236f12458e80ac31eea_chaos_destroyer_wannacry.exe

  • Size

    22KB

  • MD5

    88995b9826e89236f12458e80ac31eea

  • SHA1

    4b17782e920efd664c407dc1bd98674c24dab1de

  • SHA256

    ba947b4af068fab3547ef84d5c8c0a86dba6a85809d9583616cef32cb299572c

  • SHA512

    b74f766a90c54df54e00b75725f969f270cbbe08d6d8a18a3da23a700b901eeded3d0681aad526abc1ac13fdf6614aaef0673336039364d2d63674c5e2a35983

  • SSDEEP

    384:/3MLWHn3kIxSmbGiWWpWKg4+C/Jnr91Cz/web:rn3kIrSibpng4+2nr9iIeb

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\read_it.txt

Family

chaos

Ransom Note
----> Chaos is multi language ransomware. Translate your note to any language <----
All of your files have been encrypted
Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.
What can I do to get my files back? You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer. The price for the software is a measly £40/$50. Payment can be made in Bitcoin only.
How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin.
Payment information
Amount: 0.00076128 BTC
Bitcoin Address: bc1qp2m999zuy746fjxevpynsyz6hlm4mqecx5mw02

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 34 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 51 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-28_88995b9826e89236f12458e80ac31eea_chaos_destroyer_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-28_88995b9826e89236f12458e80ac31eea_chaos_destroyer_wannacry.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:428
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1100
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:3992

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\svchost.exe

    Filesize

    22KB

    MD5

    88995b9826e89236f12458e80ac31eea

    SHA1

    4b17782e920efd664c407dc1bd98674c24dab1de

    SHA256

    ba947b4af068fab3547ef84d5c8c0a86dba6a85809d9583616cef32cb299572c

    SHA512

    b74f766a90c54df54e00b75725f969f270cbbe08d6d8a18a3da23a700b901eeded3d0681aad526abc1ac13fdf6614aaef0673336039364d2d63674c5e2a35983

  • C:\Users\Admin\Desktop\read_it.txt

    Filesize

    829B

    MD5

    ebd471c8c90debc9f36eabaf98ec2fa2

    SHA1

    7b6d19dd2fe900297cf0eb31f444e54df1d4df6a

    SHA256

    23334e6d33db56c0d78294913500a61b0330fffb1338f2c22cafcaf7ff97b7e3

    SHA512

    44b84e086367a47a55a876100e11612531c76dd0413a1496c533ddfefbf3825e2dbd4f53a1e5241bbbba5f189f24f2cdbd4b33f2d69b2903e86e5e9247986fb7

  • memory/428-0-0x00007FFD1A153000-0x00007FFD1A155000-memory.dmp

    Filesize

    8KB

  • memory/428-1-0x00000000009A0000-0x00000000009AC000-memory.dmp

    Filesize

    48KB

  • memory/1100-14-0x00007FFD1A150000-0x00007FFD1AC11000-memory.dmp

    Filesize

    10.8MB

  • memory/1100-67-0x00007FFD1A150000-0x00007FFD1AC11000-memory.dmp

    Filesize

    10.8MB