Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/10/2024, 18:29

General

  • Target

    2024-10-18_796e7bcc691f6c21d235ae0c301b1081_destroyer_wannacry.exe

  • Size

    23KB

  • MD5

    796e7bcc691f6c21d235ae0c301b1081

  • SHA1

    7ef3bf6e556cbe7261abe797a0a3bb588cd09067

  • SHA256

    ff231952158f7314a3e73e46b92843e98ceff8d396092873d02eb98d0705da49

  • SHA512

    e5e7848208ed1377de2af39aeedf1e40a684de52699faa0c4445f66037f7c7ee884d96fb2d159f7432dbb2794a651c0e9375e7bb6152c68a423b14c631d245eb

  • SSDEEP

    384:+3Mg/bqo2Y5FOieDopGSkobJJ3r91CvpIBVjqe0:8qo2+FOBopjH3r9KIB4e0

Malware Config

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Ransom Note
All of your files have been stolen and encrypted. in a nutshell you're Hacked You can try whatever you wanna try but don't modify the files, they'll be damaged and impossible to decrypt. it's nothing personal, it's all about money. have a great day. Payment information Non payment will result in your data being published. YOU HAVE 7 DAYS, AFTER 3 DAYS THE MONEY DOUBLES. Bitcoin Address: bc1qpn32q8a3jykzpfnrv6crqulk7wguaryhxzadqa You must contact us using Tox messenger, download it here> https://tox.chat/download.html. Invite us on Tox, Our Tox ID : EEC1A34EA55C1DBC63D8BCC4779D93BB64FC9036C82210467DEB1948A3ABC2248CE1CAB7A181 Or contact us via email on [email protected] You need to contact us and decrypt one file for free on TOX messenger with your personal DECRYPTION ID 102121515
URLs

https://tox.chat/download.html

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 2 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 34 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-18_796e7bcc691f6c21d235ae0c301b1081_destroyer_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-18_796e7bcc691f6c21d235ae0c301b1081_destroyer_wannacry.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3176
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:976
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4512
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2380
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4280
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2784
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:436
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2384
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4936
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:2668
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:2996
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4480
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4944
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:1268
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:3148

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\svchost.exe

      Filesize

      23KB

      MD5

      796e7bcc691f6c21d235ae0c301b1081

      SHA1

      7ef3bf6e556cbe7261abe797a0a3bb588cd09067

      SHA256

      ff231952158f7314a3e73e46b92843e98ceff8d396092873d02eb98d0705da49

      SHA512

      e5e7848208ed1377de2af39aeedf1e40a684de52699faa0c4445f66037f7c7ee884d96fb2d159f7432dbb2794a651c0e9375e7bb6152c68a423b14c631d245eb

    • C:\Users\Admin\Documents\read_it.txt

      Filesize

      815B

      MD5

      6ace40f2b0e2fa58f8a98bc1fadf70f2

      SHA1

      0e83b61f2a0a2b68fa9a530cf16a1bb40300d7f5

      SHA256

      bc4e8b349bbba233664452506649d78668edc1969f0bccb74991b04531cd4fa1

      SHA512

      96bc866ace3e07f02471090e85e2ebd2670ca627d5b2de3c73a4094bf7d5619c5b4358f867bcfd290235bc69e7ff880b614e34a5abeecf9f9b6970d4cce8a01c

    • memory/976-14-0x00007FFBB9E70000-0x00007FFBBA931000-memory.dmp

      Filesize

      10.8MB

    • memory/976-443-0x00007FFBB9E70000-0x00007FFBBA931000-memory.dmp

      Filesize

      10.8MB

    • memory/3176-0-0x00007FFBB9E73000-0x00007FFBB9E75000-memory.dmp

      Filesize

      8KB

    • memory/3176-1-0x0000000000260000-0x000000000026C000-memory.dmp

      Filesize

      48KB