Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19/01/2025, 13:55
Static task
static1
Behavioral task
behavioral1
Sample
WannaCry.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
WannaCry.exe
Resource
win10v2004-20241007-en
General
-
Target
WannaCry.exe
-
Size
224KB
-
MD5
5c7fb0927db37372da25f270708103a2
-
SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29
-
SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
-
SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
-
SSDEEP
3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ
Malware Config
Extracted
C:\Users\Admin\Documents\!Please Read Me!.txt
wannacry
15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Wannacry family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDCC3D.tmp WannaCry.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDCC41.tmp WannaCry.exe -
Executes dropped EXE 4 IoCs
pid Process 2300 !WannaDecryptor!.exe 760 !WannaDecryptor!.exe 2096 !WannaDecryptor!.exe 2460 !WannaDecryptor!.exe -
Loads dropped DLL 9 IoCs
pid Process 1032 cscript.exe 1836 WannaCry.exe 1836 WannaCry.exe 1836 WannaCry.exe 1836 WannaCry.exe 1488 cmd.exe 1488 cmd.exe 1836 WannaCry.exe 1836 WannaCry.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WannaCry.exe\" /r" WannaCry.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" !WannaDecryptor!.exe Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" !WannaDecryptor!.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language !WannaDecryptor!.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language !WannaDecryptor!.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WannaCry.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language !WannaDecryptor!.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language !WannaDecryptor!.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WMIC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2312 vssadmin.exe -
Kills process with taskkill 4 IoCs
pid Process 2464 taskkill.exe 1784 taskkill.exe 1096 taskkill.exe 1128 taskkill.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2460 !WannaDecryptor!.exe -
Suspicious use of AdjustPrivilegeToken 47 IoCs
description pid Process Token: SeDebugPrivilege 1128 taskkill.exe Token: SeDebugPrivilege 1096 taskkill.exe Token: SeDebugPrivilege 2464 taskkill.exe Token: SeDebugPrivilege 1784 taskkill.exe Token: SeBackupPrivilege 2524 vssvc.exe Token: SeRestorePrivilege 2524 vssvc.exe Token: SeAuditPrivilege 2524 vssvc.exe Token: SeIncreaseQuotaPrivilege 2720 WMIC.exe Token: SeSecurityPrivilege 2720 WMIC.exe Token: SeTakeOwnershipPrivilege 2720 WMIC.exe Token: SeLoadDriverPrivilege 2720 WMIC.exe Token: SeSystemProfilePrivilege 2720 WMIC.exe Token: SeSystemtimePrivilege 2720 WMIC.exe Token: SeProfSingleProcessPrivilege 2720 WMIC.exe Token: SeIncBasePriorityPrivilege 2720 WMIC.exe Token: SeCreatePagefilePrivilege 2720 WMIC.exe Token: SeBackupPrivilege 2720 WMIC.exe Token: SeRestorePrivilege 2720 WMIC.exe Token: SeShutdownPrivilege 2720 WMIC.exe Token: SeDebugPrivilege 2720 WMIC.exe Token: SeSystemEnvironmentPrivilege 2720 WMIC.exe Token: SeRemoteShutdownPrivilege 2720 WMIC.exe Token: SeUndockPrivilege 2720 WMIC.exe Token: SeManageVolumePrivilege 2720 WMIC.exe Token: 33 2720 WMIC.exe Token: 34 2720 WMIC.exe Token: 35 2720 WMIC.exe Token: SeIncreaseQuotaPrivilege 2720 WMIC.exe Token: SeSecurityPrivilege 2720 WMIC.exe Token: SeTakeOwnershipPrivilege 2720 WMIC.exe Token: SeLoadDriverPrivilege 2720 WMIC.exe Token: SeSystemProfilePrivilege 2720 WMIC.exe Token: SeSystemtimePrivilege 2720 WMIC.exe Token: SeProfSingleProcessPrivilege 2720 WMIC.exe Token: SeIncBasePriorityPrivilege 2720 WMIC.exe Token: SeCreatePagefilePrivilege 2720 WMIC.exe Token: SeBackupPrivilege 2720 WMIC.exe Token: SeRestorePrivilege 2720 WMIC.exe Token: SeShutdownPrivilege 2720 WMIC.exe Token: SeDebugPrivilege 2720 WMIC.exe Token: SeSystemEnvironmentPrivilege 2720 WMIC.exe Token: SeRemoteShutdownPrivilege 2720 WMIC.exe Token: SeUndockPrivilege 2720 WMIC.exe Token: SeManageVolumePrivilege 2720 WMIC.exe Token: 33 2720 WMIC.exe Token: 34 2720 WMIC.exe Token: 35 2720 WMIC.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 2300 !WannaDecryptor!.exe 2300 !WannaDecryptor!.exe 760 !WannaDecryptor!.exe 760 !WannaDecryptor!.exe 2096 !WannaDecryptor!.exe 2096 !WannaDecryptor!.exe 2460 !WannaDecryptor!.exe 2460 !WannaDecryptor!.exe -
Suspicious use of WriteProcessMemory 56 IoCs
description pid Process procid_target PID 1836 wrote to memory of 2128 1836 WannaCry.exe 30 PID 1836 wrote to memory of 2128 1836 WannaCry.exe 30 PID 1836 wrote to memory of 2128 1836 WannaCry.exe 30 PID 1836 wrote to memory of 2128 1836 WannaCry.exe 30 PID 2128 wrote to memory of 1032 2128 cmd.exe 32 PID 2128 wrote to memory of 1032 2128 cmd.exe 32 PID 2128 wrote to memory of 1032 2128 cmd.exe 32 PID 2128 wrote to memory of 1032 2128 cmd.exe 32 PID 1836 wrote to memory of 2300 1836 WannaCry.exe 33 PID 1836 wrote to memory of 2300 1836 WannaCry.exe 33 PID 1836 wrote to memory of 2300 1836 WannaCry.exe 33 PID 1836 wrote to memory of 2300 1836 WannaCry.exe 33 PID 1836 wrote to memory of 1096 1836 WannaCry.exe 34 PID 1836 wrote to memory of 1096 1836 WannaCry.exe 34 PID 1836 wrote to memory of 1096 1836 WannaCry.exe 34 PID 1836 wrote to memory of 1096 1836 WannaCry.exe 34 PID 1836 wrote to memory of 1128 1836 WannaCry.exe 35 PID 1836 wrote to memory of 1128 1836 WannaCry.exe 35 PID 1836 wrote to memory of 1128 1836 WannaCry.exe 35 PID 1836 wrote to memory of 1128 1836 WannaCry.exe 35 PID 1836 wrote to memory of 2464 1836 WannaCry.exe 37 PID 1836 wrote to memory of 2464 1836 WannaCry.exe 37 PID 1836 wrote to memory of 2464 1836 WannaCry.exe 37 PID 1836 wrote to memory of 2464 1836 WannaCry.exe 37 PID 1836 wrote to memory of 1784 1836 WannaCry.exe 39 PID 1836 wrote to memory of 1784 1836 WannaCry.exe 39 PID 1836 wrote to memory of 1784 1836 WannaCry.exe 39 PID 1836 wrote to memory of 1784 1836 WannaCry.exe 39 PID 1836 wrote to memory of 760 1836 WannaCry.exe 45 PID 1836 wrote to memory of 760 1836 WannaCry.exe 45 PID 1836 wrote to memory of 760 1836 WannaCry.exe 45 PID 1836 wrote to memory of 760 1836 WannaCry.exe 45 PID 1836 wrote to memory of 1488 1836 WannaCry.exe 46 PID 1836 wrote to memory of 1488 1836 WannaCry.exe 46 PID 1836 wrote to memory of 1488 1836 WannaCry.exe 46 PID 1836 wrote to memory of 1488 1836 WannaCry.exe 46 PID 1488 wrote to memory of 2096 1488 cmd.exe 48 PID 1488 wrote to memory of 2096 1488 cmd.exe 48 PID 1488 wrote to memory of 2096 1488 cmd.exe 48 PID 1488 wrote to memory of 2096 1488 cmd.exe 48 PID 1836 wrote to memory of 2460 1836 WannaCry.exe 49 PID 1836 wrote to memory of 2460 1836 WannaCry.exe 49 PID 1836 wrote to memory of 2460 1836 WannaCry.exe 49 PID 1836 wrote to memory of 2460 1836 WannaCry.exe 49 PID 2096 wrote to memory of 2120 2096 !WannaDecryptor!.exe 50 PID 2096 wrote to memory of 2120 2096 !WannaDecryptor!.exe 50 PID 2096 wrote to memory of 2120 2096 !WannaDecryptor!.exe 50 PID 2096 wrote to memory of 2120 2096 !WannaDecryptor!.exe 50 PID 2120 wrote to memory of 2312 2120 cmd.exe 52 PID 2120 wrote to memory of 2312 2120 cmd.exe 52 PID 2120 wrote to memory of 2312 2120 cmd.exe 52 PID 2120 wrote to memory of 2312 2120 cmd.exe 52 PID 2120 wrote to memory of 2720 2120 cmd.exe 54 PID 2120 wrote to memory of 2720 2120 cmd.exe 54 PID 2120 wrote to memory of 2720 2120 cmd.exe 54 PID 2120 wrote to memory of 2720 2120 cmd.exe 54 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\cmd.execmd /c 100761737294934.bat2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\cscript.execscript //nologo c.vbs3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1032
-
-
-
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe!WannaDecryptor!.exe f2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2300
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im MSExchange*2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1096
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Microsoft.Exchange.*2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1128
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sqlserver.exe2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2464
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sqlwriter.exe2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1784
-
-
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe!WannaDecryptor!.exe c2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:760
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /b !WannaDecryptor!.exe v2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe!WannaDecryptor!.exe v3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet5⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2312
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2720
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2460
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2524
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
236KB
MD5cf1416074cd7791ab80a18f9e7e219d9
SHA1276d2ec82c518d887a8a3608e51c56fa28716ded
SHA25678e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA5120bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5
-
Filesize
925B
MD5864d536052c2855aa7939d3bae723532
SHA12b43c5b43bd18629897f4680380b2e2884761865
SHA256ce175174863e635795877074513df115faa3e7ae047dcf173a83a878a97614e1
SHA51296d3319301a754e1735559e39d3f76e16af040b3fce792ce6925f11b7b1b6e0db3afc56c81f6e6b774070e53c2f37f34cdb5be5b179e0a858a75193b2d8a55a1
-
Filesize
136B
MD5b2f013dd6f47a5310e6332a0d9932831
SHA1b8a5e60d8adef6aa0103320bf1a4e4c4690c482f
SHA2568fed752019d97c753ea05aa2729492fb59bb995e50a38c603b49cbe917131038
SHA512afb958599855621b58f00bf7eea5f24d7d01a66f4eedf89d8806757d139ad60de9b14f954085c63e3912962b2a764e7d38f7d945dc204662bde83c25039d2aab
-
Filesize
136B
MD5a73f9a11bf14035d9755541cc1428a48
SHA1452d197209cdcbc56bfea411ab6c2e4c9c86714c
SHA256bd1f57e443772354f677c98f42df402b8b6231096e124fc2b24ebaa555ebd8d0
SHA512355517ba548aacb69c605beb05a51859b28b56a7d923d7f2e3d9583b4ca0bc1a66bf732b90a8964473d9011c31f08e3234a44441fc87f86ef54b0a3a53998ae3
-
Filesize
136B
MD5a732fa7d98097f790f7139f183de468d
SHA137c350c5c49d15142bf8de3ba758a8aa1cea85cd
SHA2562ef120dd6ed3e728ee93d6eb5c1a9f74df874590a7594a1dc6103c11d57b40f9
SHA512a2ce44ea7f5cef10f0f28f6443d418b8ab4f39b4b4452a9e85339a3eba784765398a851334f9f8cd8b0fc9c3c7a8d5c8731a87b4ac149c7aaa36bd5d037427fc
-
Filesize
336B
MD53540e056349c6972905dc9706cd49418
SHA1492c20442d34d45a6d6790c720349b11ec591cde
SHA25673872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc
SHA512c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c
-
Filesize
219B
MD55f6d40ca3c34b470113ed04d06a88ff4
SHA150629e7211ae43e32060686d6be17ebd492fd7aa
SHA2560fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1
SHA5124d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35
-
Filesize
628B
MD5c7c3fdd4586e63ca7663454a1a77e4ca
SHA1fddaad23b64553c452430071196b233ba4cef018
SHA256ca73ee914f18e71806f2d0103d086756c8c61f7348f1945661ca9b5a38e09abf
SHA51246de45f03ae2f7172323c3db56c286571c86e8b8506cb3c689ff66e19a88c3d9d89e71d7f67a60a978d0b89cf0099a9095b064c1892841e236b4b0644989b500
-
Filesize
42KB
MD5980b08bac152aff3f9b0136b616affa5
SHA12a9c9601ea038f790cc29379c79407356a3d25a3
SHA256402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9
SHA512100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496
-
Filesize
797B
MD5afa18cf4aa2660392111763fb93a8c3d
SHA1c219a3654a5f41ce535a09f2a188a464c3f5baf5
SHA256227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0
SHA5124161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b