Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2024-10-18...ry.exe

windows7-x64

10

2024-10-18...ry.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    18/10/2024, 18:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-10-18_796e7bcc691f6c21d235ae0c301b1081_destroyer_wannacry.exe

  • Size

    23KB

  • MD5

    796e7bcc691f6c21d235ae0c301b1081

  • SHA1

    7ef3bf6e556cbe7261abe797a0a3bb588cd09067

  • SHA256

    ff231952158f7314a3e73e46b92843e98ceff8d396092873d02eb98d0705da49

  • SHA512

    e5e7848208ed1377de2af39aeedf1e40a684de52699faa0c4445f66037f7c7ee884d96fb2d159f7432dbb2794a651c0e9375e7bb6152c68a423b14c631d245eb

  • SSDEEP

    384:+3Mg/bqo2Y5FOieDopGSkobJJ3r91CvpIBVjqe0:8qo2+FOBopjH3r9KIB4e0

Score
10/10
chaosdefense_evasionevasionexecutionimpactransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Ransom Note
All of your files have been stolen and encrypted. in a nutshell you're Hacked You can try whatever you wanna try but don't modify the files, they'll be damaged and impossible to decrypt. it's nothing personal, it's all about money. have a great day. Payment information Non payment will result in your data being published. YOU HAVE 7 DAYS, AFTER 3 DAYS THE MONEY DOUBLES. Bitcoin Address: bc1qpn32q8a3jykzpfnrv6crqulk7wguaryhxzadqa You must contact us using Tox messenger, download it here> https://tox.chat/download.html. Invite us on Tox, Our Tox ID : EEC1A34EA55C1DBC63D8BCC4779D93BB64FC9036C82210467DEB1948A3ABC2248CE1CAB7A181 Or contact us via email on [email protected] You need to contact us and decrypt one file for free on TOX messenger with your personal DECRYPTION ID 102121515
URLs

https://tox.chat/download.html

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos
  • Chaos Ransomware 3 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 34 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-18_796e7bcc691f6c21d235ae0c301b1081_destroyer_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-18_796e7bcc691f6c21d235ae0c301b1081_destroyer_wannacry.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1956
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:768
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2184
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2252
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2656
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1092
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1540
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:968
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:1868
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1696
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1552
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:1536
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
        PID:916

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\svchost.exe
        Filesize

        23KB

        MD5

        796e7bcc691f6c21d235ae0c301b1081

        SHA1

        7ef3bf6e556cbe7261abe797a0a3bb588cd09067

        SHA256

        ff231952158f7314a3e73e46b92843e98ceff8d396092873d02eb98d0705da49

        SHA512

        e5e7848208ed1377de2af39aeedf1e40a684de52699faa0c4445f66037f7c7ee884d96fb2d159f7432dbb2794a651c0e9375e7bb6152c68a423b14c631d245eb

        Download Submit

      • C:\Users\Admin\Documents\read_it.txt
        Filesize

        815B

        MD5

        6ace40f2b0e2fa58f8a98bc1fadf70f2

        SHA1

        0e83b61f2a0a2b68fa9a530cf16a1bb40300d7f5

        SHA256

        bc4e8b349bbba233664452506649d78668edc1969f0bccb74991b04531cd4fa1

        SHA512

        96bc866ace3e07f02471090e85e2ebd2670ca627d5b2de3c73a4094bf7d5619c5b4358f867bcfd290235bc69e7ff880b614e34a5abeecf9f9b6970d4cce8a01c

        Download Submit

      • memory/2292-1-0x0000000000D60000-0x0000000000D6C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2292-0-0x000007FEF5E43000-0x000007FEF5E44000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2752-21-0x000007FEF5450000-0x000007FEF5E3C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2752-7-0x0000000000D30000-0x0000000000D3C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2752-499-0x000007FEF5453000-0x000007FEF5454000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2752-500-0x000007FEF5450000-0x000007FEF5E3C000-memory.dmp

        Filesize

        9.9MB

        Download