General

  • Target

    2023-08-22_bc0d6579c96bf9d21625b1ee497b7039_wannacry_JC.exe

  • Size

    953KB

  • Sample

    230903-pkjn2ahf9v

  • MD5

    bc0d6579c96bf9d21625b1ee497b7039

  • SHA1

    c6c12323c3d70c0b3eb9aa1d99a13348053dd43d

  • SHA256

    f912cd2a6cd21e828dc32b97eac0ce9b2c4e8d5a7944deaa4bd61f41ab8e1997

  • SHA512

    887f8fb143b11eed07e76ccfac74a81fea8f3d6906b18f6ff3b7eb0b968d12b5fba22f2385231cba9fb82473018eebe1426d03e05a4bfac66bc0a0a134d360d5

  • SSDEEP

    12288:vEPMLC814R2hig4tHkg2W+AU+R2TjsPvEpv8LpgUO4EP3SL98l0zmWHQuTwYzzjr:/ztQE1ov2AZ9HjkftWy3PG

Malware Config

Extracted

Path

C:\Users\Admin\Documents\PLEASEREAD.txt

Ransom Note

WELCOME, DODO has returned AGAIN. Your files have been encrypted and you won't be able to decrypt them. You can buy decryption software from us, this software will allow you to recover all of your data and remove the ransomware from your computer. The price of the software is $15. Payment can be made in Bitcoin or XMR. How do I pay, where do I get Bitcoin or XMR? Purchasing cryptocurrency varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin or XMR. Payment information: send $15, to one of our addresses, then send us email with payment confirmation and you'll get the decryption software in email. Email Address : [email protected] BTC address: bc1qsht77cpgw7kv420r4secmu88g34wvn96dsyc5s XMR address: 44GUTQ7WqysSjLDCXfTnsYLCVJNGp67AECA9kTrAvjYCNz3ScZkYXZKP2EbR3DfbXPUYw6bMkaBuYCd6PdJCYngr4WtCeFt

Targets

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (172) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Renames multiple (211) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry
