Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

WannaCry.exe

windows7-x64

10

WannaCry.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19/01/2025, 13:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WannaCry.exe

  • Size

    224KB

  • MD5

    5c7fb0927db37372da25f270708103a2

  • SHA1

    120ed9279d85cbfa56e5b7779ffa7162074f7a29

  • SHA256

    be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

  • SHA512

    a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

  • SSDEEP

    3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ

Score
10/10
wannacrydefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealerworm

Malware Config

Extracted

Path

C:\Users\Admin\Documents\!Please Read Me!.txt

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �
Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Wannacry family
    wannacry
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 9 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Kills process with taskkill 4 IoCs
    evasion
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\WannaCry.exe
    "C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1836
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c 100761737294934.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2128
      • C:\Windows\SysWOW64\cscript.exe
        cscript //nologo c.vbs
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1032
    • C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
      !WannaDecryptor!.exe f
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2300
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im MSExchange*
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1096
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Microsoft.Exchange.*
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1128
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im sqlserver.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2464
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im sqlwriter.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1784
    • C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
      !WannaDecryptor!.exe c
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:760
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c start /b !WannaDecryptor!.exe v
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1488
      • C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
        !WannaDecryptor!.exe v
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2096
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2120
          • C:\Windows\SysWOW64\vssadmin.exe
            vssadmin delete shadows /all /quiet
            5⤵
            • System Location Discovery: System Language Discovery
            • Interacts with shadow copies
            PID:2312
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic shadowcopy delete
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2720
    • C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
      !WannaDecryptor!.exe
      2⤵
      • Executes dropped EXE
      • Sets desktop wallpaper using registry
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:2460
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Direct Volume Access

1
T1006

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

2
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Defacement

1
T1491

Inhibit System Recovery

2
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
    Filesize

    236KB

    MD5

    cf1416074cd7791ab80a18f9e7e219d9

    SHA1

    276d2ec82c518d887a8a3608e51c56fa28716ded

    SHA256

    78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

    SHA512

    0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk
    Filesize

    925B

    MD5

    864d536052c2855aa7939d3bae723532

    SHA1

    2b43c5b43bd18629897f4680380b2e2884761865

    SHA256

    ce175174863e635795877074513df115faa3e7ae047dcf173a83a878a97614e1

    SHA512

    96d3319301a754e1735559e39d3f76e16af040b3fce792ce6925f11b7b1b6e0db3afc56c81f6e6b774070e53c2f37f34cdb5be5b179e0a858a75193b2d8a55a1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\00000000.res
    Filesize

    136B

    MD5

    b2f013dd6f47a5310e6332a0d9932831

    SHA1

    b8a5e60d8adef6aa0103320bf1a4e4c4690c482f

    SHA256

    8fed752019d97c753ea05aa2729492fb59bb995e50a38c603b49cbe917131038

    SHA512

    afb958599855621b58f00bf7eea5f24d7d01a66f4eedf89d8806757d139ad60de9b14f954085c63e3912962b2a764e7d38f7d945dc204662bde83c25039d2aab

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\00000000.res
    Filesize

    136B

    MD5

    a73f9a11bf14035d9755541cc1428a48

    SHA1

    452d197209cdcbc56bfea411ab6c2e4c9c86714c

    SHA256

    bd1f57e443772354f677c98f42df402b8b6231096e124fc2b24ebaa555ebd8d0

    SHA512

    355517ba548aacb69c605beb05a51859b28b56a7d923d7f2e3d9583b4ca0bc1a66bf732b90a8964473d9011c31f08e3234a44441fc87f86ef54b0a3a53998ae3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\00000000.res
    Filesize

    136B

    MD5

    a732fa7d98097f790f7139f183de468d

    SHA1

    37c350c5c49d15142bf8de3ba758a8aa1cea85cd

    SHA256

    2ef120dd6ed3e728ee93d6eb5c1a9f74df874590a7594a1dc6103c11d57b40f9

    SHA512

    a2ce44ea7f5cef10f0f28f6443d418b8ab4f39b4b4452a9e85339a3eba784765398a851334f9f8cd8b0fc9c3c7a8d5c8731a87b4ac149c7aaa36bd5d037427fc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\100761737294934.bat
    Filesize

    336B

    MD5

    3540e056349c6972905dc9706cd49418

    SHA1

    492c20442d34d45a6d6790c720349b11ec591cde

    SHA256

    73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

    SHA512

    c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\c.vbs
    Filesize

    219B

    MD5

    5f6d40ca3c34b470113ed04d06a88ff4

    SHA1

    50629e7211ae43e32060686d6be17ebd492fd7aa

    SHA256

    0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

    SHA512

    4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\c.wry
    Filesize

    628B

    MD5

    c7c3fdd4586e63ca7663454a1a77e4ca

    SHA1

    fddaad23b64553c452430071196b233ba4cef018

    SHA256

    ca73ee914f18e71806f2d0103d086756c8c61f7348f1945661ca9b5a38e09abf

    SHA512

    46de45f03ae2f7172323c3db56c286571c86e8b8506cb3c689ff66e19a88c3d9d89e71d7f67a60a978d0b89cf0099a9095b064c1892841e236b4b0644989b500

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\m.wry
    Filesize

    42KB

    MD5

    980b08bac152aff3f9b0136b616affa5

    SHA1

    2a9c9601ea038f790cc29379c79407356a3d25a3

    SHA256

    402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

    SHA512

    100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

    Download Submit

  • C:\Users\Admin\Documents\!Please Read Me!.txt
    Filesize

    797B

    MD5

    afa18cf4aa2660392111763fb93a8c3d

    SHA1

    c219a3654a5f41ce535a09f2a188a464c3f5baf5

    SHA256

    227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

    SHA512

    4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

    Download Submit

  • memory/1836-6-0x0000000010000000-0x0000000010012000-memory.dmp

    Filesize

    72KB

    Download