Overview

overview

10

Static

static

10

2023-05-16...ry.exe

windows7-x64

10

2023-05-16...ry.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2023-05-16_7065e2c6f1009253d3935003d5c6e943_destroyer_wannacry

  • Size

    23KB

  • Sample

    230517-c8skmade73

  • MD5

    7065e2c6f1009253d3935003d5c6e943

  • SHA1

    82a26a541bf36d36c102b7a15a07af244c922fab

  • SHA256

    33cbda8c783370956e24485cc4917da0b133715992828cdef6ad67769b46b44a

  • SHA512

    eaf547a15e5f9e706f8c2b0535b6af661d35cd7a5f4d52bf4a2780e8017f6ca01ef25bc4f164212d303b1c74f870286d9e0ae0b5791fde110029b8b2638336a9

  • SSDEEP

    384:A3Mg/bqo2xQDcqhmQpadVxcJsr91C+JNbgQeUl:+qo292pgx0sr97JNbZeUl

Score
10/10
chaosevasionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\read_it.txt

Ransom Note
OH NOOOOO! The voices in your head are talking to you! All of your files have been encrypted Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.What can I do to get my files back? You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0.1473766 BTC Bitcoin Address: bc1qgqm4r2zlracfvtwdcy7d73e6m6r9rllpc6s67h

Targets

    • Target

      2023-05-16_7065e2c6f1009253d3935003d5c6e943_destroyer_wannacry

    • Size

      23KB

    • MD5

      7065e2c6f1009253d3935003d5c6e943

    • SHA1

      82a26a541bf36d36c102b7a15a07af244c922fab

    • SHA256

      33cbda8c783370956e24485cc4917da0b133715992828cdef6ad67769b46b44a

    • SHA512

      eaf547a15e5f9e706f8c2b0535b6af661d35cd7a5f4d52bf4a2780e8017f6ca01ef25bc4f164212d303b1c74f870286d9e0ae0b5791fde110029b8b2638336a9

    • SSDEEP

      384:A3Mg/bqo2xQDcqhmQpadVxcJsr91C+JNbgQeUl:+qo292pgx0sr97JNbZeUl

    Score
    10/10
    chaosevasionransomwarespywarestealer

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks