Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/07/2024, 20:22

General

  • Target

    2024-07-28_0bc7112ee4755de56b7fb22758e47182_destroyer_wannacry.exe

  • Size

    24KB

  • MD5

    0bc7112ee4755de56b7fb22758e47182

  • SHA1

    bb2d11065ada048f80786deb072fbdbc265415a0

  • SHA256

    95eaf7092864e622c9bca0a5a3339480d03adaf19f069f5419de52c8f7f75a69

  • SHA512

    846a28920edae418648c09e24680d459b74f9a2a7ca02ddf06ee51bd6a7c34afb86b02b7aff615fda749acbdce0f4388801e4e25360737cad6bd05d320a9fed9

  • SSDEEP

    384:9YenjLLAvOGnLR1TYZdiI8YSxswOVp91kodUxDGg:MmGLHTYZ36c9zmxDb

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 2 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-28_0bc7112ee4755de56b7fb22758e47182_destroyer_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-28_0bc7112ee4755de56b7fb22758e47182_destroyer_wannacry.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:364
    • C:\Users\Admin\AppData\Roaming\svc.exe
      "C:\Users\Admin\AppData\Roaming\svc.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3880
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3800
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:4116
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1612
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:536
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:4860
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:4048
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:880
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:3820
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:2364
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3768
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3944
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:2864
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:4480

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2024-07-28_0bc7112ee4755de56b7fb22758e47182_destroyer_wannacry.exe.log

      Filesize

      226B

      MD5

      28d7fcc2b910da5e67ebb99451a5f598

      SHA1

      a5bf77a53eda1208f4f37d09d82da0b9915a6747

      SHA256

      2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c

      SHA512

      2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

    • C:\Users\Admin\AppData\Local\read_it.txt

      Filesize

      39B

      MD5

      3b3e0dd3e4aacca142ceafe85ca241c4

      SHA1

      a1d3d848af04f434ea3e22b3d4162d2c123c66ff

      SHA256

      5974342e3165d7b59d045e226c7081d89f6695ec145b037172e6e562229079a3

      SHA512

      139c99ec632c9799355cf5972520a7a926b6349c6740a00c9a71b74da8659eaacc4bac6264c1bb3187a86893b97ae8a0e5d75522f2ad19e5108d6d69f10465e4

    • C:\Users\Admin\AppData\Roaming\ExitStart.contact

      Filesize

      1B

      MD5

      d1457b72c3fb323a2671125aef3eab5d

      SHA1

      5bab61eb53176449e25c2c82f172b82cb13ffb9d

      SHA256

      8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

      SHA512

      ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

    • C:\Users\Admin\AppData\Roaming\svc.exe

      Filesize

      24KB

      MD5

      0bc7112ee4755de56b7fb22758e47182

      SHA1

      bb2d11065ada048f80786deb072fbdbc265415a0

      SHA256

      95eaf7092864e622c9bca0a5a3339480d03adaf19f069f5419de52c8f7f75a69

      SHA512

      846a28920edae418648c09e24680d459b74f9a2a7ca02ddf06ee51bd6a7c34afb86b02b7aff615fda749acbdce0f4388801e4e25360737cad6bd05d320a9fed9

    • memory/364-0-0x00007FFA035B3000-0x00007FFA035B5000-memory.dmp

      Filesize

      8KB

    • memory/364-1-0x0000000000F80000-0x0000000000F8C000-memory.dmp

      Filesize

      48KB

    • memory/3880-14-0x00007FFA035B0000-0x00007FFA04071000-memory.dmp

      Filesize

      10.8MB

    • memory/3880-94-0x00007FFA035B0000-0x00007FFA04071000-memory.dmp

      Filesize

      10.8MB

    • memory/3880-1228-0x00007FFA035B0000-0x00007FFA04071000-memory.dmp

      Filesize

      10.8MB