Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

CircusSpoofer.py

windows11-21h2-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    CircusSpoofer.py

  • Size

    157KB

  • Sample

    250313-bgdfysyzfs

  • MD5

    3b4e4c0c5fc4553bfe8e0812cf0d6315

  • SHA1

    26bf91e03966cfe0ab142dcb865a41220cae269a

  • SHA256

    218bb2350579eb698341183f06cd53b0dbe42b6654a98f4d84ee423875d582a4

  • SHA512

    5d29169f221f53c53a9d809361bce8ee1b13da52be1c3480e3ee153d8f20fd32b7ba80799ba09264693302be3b28ca1dd53b547e5b23be6b6bd765ff1168a93c

  • SSDEEP

    1536:v9BcQj04+KYojiDqHQotp4FCC1ollo85GzCOrZr26TLdoac/lnlxIZ0:vPX04+SjiWazCCZr2YAJnIZ0

Score
10/10
badrabbitwannacrybootkitdefense_evasiondiscoveryexecutionimpactmacromacro_on_actionpersistenceransomwarespywarestealerworm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �
Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Targets

    • Target

      CircusSpoofer.py

    • Size

      157KB

    • MD5

      3b4e4c0c5fc4553bfe8e0812cf0d6315

    • SHA1

      26bf91e03966cfe0ab142dcb865a41220cae269a

    • SHA256

      218bb2350579eb698341183f06cd53b0dbe42b6654a98f4d84ee423875d582a4

    • SHA512

      5d29169f221f53c53a9d809361bce8ee1b13da52be1c3480e3ee153d8f20fd32b7ba80799ba09264693302be3b28ca1dd53b547e5b23be6b6bd765ff1168a93c

    • SSDEEP

      1536:v9BcQj04+KYojiDqHQotp4FCC1ollo85GzCOrZr26TLdoac/lnlxIZ0:vPX04+SjiWazCCZr2YAJnIZ0

    Score
    10/10
    badrabbitwannacrybootkitdefense_evasiondiscoveryexecutionimpactmacromacro_on_actionpersistenceransomwarespywarestealerworm

    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

      ransomwarebadrabbit

    • Badrabbit family

      badrabbit

    • Wannacry

      WannaCry is a ransomware cryptoworm.

      ransomwarewormwannacry

    • Wannacry family

      wannacry

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Disables Task Manager via registry modification

      defense_evasion

    • Downloads MZ/PE file

    • Office macro that triggers on suspicious action

      Office document macro which triggers in special circumstances - often malicious.

      macromacro_on_action

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Direct Volume Access

1
T1006

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

3
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Subvert Trust Controls

1
T1553

SIP and Trust Provider Hijacking

1
T1553.003

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

2
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Defacement

1
T1491

Inhibit System Recovery

2
T1490

Tasks