Overview

overview

10

Static

static

10

2023-06-05...ry.exe

windows7-x64

10

2023-06-05...ry.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    2023-06-05_ce4d848ee4e9ee23e18e4626b25a7498_wannacry

  • Size

    149KB

  • Sample

    230606-jymd7acf98

  • MD5

    ce4d848ee4e9ee23e18e4626b25a7498

  • SHA1

    45b1256b93ab60ed3dde2bf1612071921904b225

  • SHA256

    35325664cfe08afe2a183b9b842f55ad3bc13012ea59f9a619095e820ae8e1d4

  • SHA512

    0e1a29de12de473b5b619480a4785ace44c056770034f93fa04182dc264330d795beaf7da9322bb21ef61c915da81a9e2a74e449c6be806b7518b79f09bc54f4

  • SSDEEP

    3072:qh6Eq91e4b8ITQljm0wiVT0LcdE6F01ydbNXmx3xIqpknFFbRQVqcoW5suIDc:+6Eq94cQ1YQbFw3+K8

Score
10/10
chaosevasionpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\read_it.txt

Ransom Note
---------------Attention--------------- Your All Files Have been Encrypted! Your personal files (documents, databases, jpeg, docx, doc, etc.) we re encrypted. But don't worry about your files,You can take back all of them, to decrypt your all files need to buy a software With your unique private key. Only our software well allow decrypt your files. Remember if you try to recovery your files through any third-party software, it's can cause premature damage to your files, and we can't help you either. -----------------Note!------------------ You have only 72 hours from the moment when an encryption was done to buy our software at $600 for the payment, your all files will get Automatic deleted after the lapse of 72 hours. BTC Address:33j4JbAEzZwWGgA2MxBARD7zprJuNDP2hP And if you Payment complete then Send me proof. Use the following ID as the title of your email: 07BE93F447C8DB132C49 Use these emails to contact us and receive instructions: Main email: [email protected] Also, you can send up to 2 test files to see if we can decrypt your files. After paying, the decryptor software and your private key will be given to you.

Targets

    • Target

      2023-06-05_ce4d848ee4e9ee23e18e4626b25a7498_wannacry

    • Size

      149KB

    • MD5

      ce4d848ee4e9ee23e18e4626b25a7498

    • SHA1

      45b1256b93ab60ed3dde2bf1612071921904b225

    • SHA256

      35325664cfe08afe2a183b9b842f55ad3bc13012ea59f9a619095e820ae8e1d4

    • SHA512

      0e1a29de12de473b5b619480a4785ace44c056770034f93fa04182dc264330d795beaf7da9322bb21ef61c915da81a9e2a74e449c6be806b7518b79f09bc54f4

    • SSDEEP

      3072:qh6Eq91e4b8ITQljm0wiVT0LcdE6F01ydbNXmx3xIqpknFFbRQVqcoW5suIDc:+6Eq94cQ1YQbFw3+K8

    Score
    10/10
    chaosevasionpersistenceransomwarespywarestealer

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Disables Task Manager via registry modification

      evasion

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks