chaos

Target

82e34351115b01948c0ed5ba16337e6ddd3f519a0b6f681061fd5f50f95fda46.zip
Size

18.8MB
Sample

231205-kt32taae27
MD5

50a69641fb73dc6549a2e17264957498
SHA1

ff7be443900880939f13c60574239f287e15a9d7
SHA256

1d3c2088b2d712f8006279db8acb9a1c6dc3037886a655d37bf75ea5fa6b9518
SHA512

554ee59adc664c0e25b77302bcd5a92727cf11cbcb216f08ae1cbaca9372a5e26c9579036ca079b64c059f1899be150548d9a18f179f0ee31b8d7e391e873715
SSDEEP

393216:t58rCjhNeSpNWYVYU2oY+NAxLGPi1XNLTcNRVciCS4XYLZ28:t5YCDlZY0vqLGGvcAXYLQ8

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Malware-database-main\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Targets

- Target
  
  Malware-database-main/000.exe
- Size
  
  6.7MB
- MD5
  
  f2b7074e1543720a9a98fda660e02688
- SHA1
  
  1029492c1a12789d8af78d54adcb921e24b9e5ca
- SHA256
  
  4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966
- SHA512
  
  73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff
- SSDEEP
  
  3072:eaLA1++iCeFj0im6X/AXpT8vVMCcHVcdhghUuz1o9Y:fLJlC6j0CX4XmvWHVcd62uO9
Score

8^/10

evasion persistence ransomware
- Disables Task Manager via registry modification
  evasion
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Modifies WinLogon
  persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral1
- Target
  
  Malware-database-main/ChilledWindows.exe
- Size
  
  4.4MB
- MD5
  
  6a4853cd0584dc90067e15afb43c4962
- SHA1
  
  ae59bbb123e98dc8379d08887f83d7e52b1b47fc
- SHA256
  
  ccb9502bf8ba5becf8b758ca04a5625c30b79e2d10d2677cc43ae4253e1288ec
- SHA512
  
  feb223e0de9bd64e32dc4f3227e175b58196b5e614bca8c2df0bbca2442a564e39d66bcd465154149dc7ebbd3e1ca644ed09d9a9174b52236c76e7388cb9d996
- SSDEEP
  
  98304:XyDt6K4MJVnjOobt/JN1LA5elHc+S4fRp5UvluKo:XyDtK8bbxn+IHcBEV/F
Score

6^/10
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral2
- Target
  
  Malware-database-main/Christmas.exe
- Size
  
  482KB
- MD5
  
  c35aa97962c4132ef87768d6e7e4faea
- SHA1
  
  bb696ec7709f94067bc0cea5d53432f7f60667e3
- SHA256
  
  cb7c01aa6b8d1f7fa7131d6444a220cedf0c51102c127a13a4313e4249b1f88e
- SHA512
  
  21d838c035b958f1e92aef0c6591d9631215f088bd96653a9d15b4293fdaab2d1b404c0f0e38f14eba3d69099dc07fc5191caa89f49aba956674e7f9b461450c
- SSDEEP
  
  6144:s68WiSoFDCIIH9rTmoSoaTxxsVW9rmdA1h3UeJsFtusIP3q7bNB+Xrge138ahLWk:CWiSoF2dN0KcPJsJ0ObNB+rKaVW+Is9
Score

1^/10
behavioral3
- Target
  
  Malware-database-main/CookieClickerHack.exe
- Size
  
  68KB
- MD5
  
  bc1e7d033a999c4fd006109c24599f4d
- SHA1
  
  b927f0fc4a4232a023312198b33272e1a6d79cec
- SHA256
  
  13adae722719839af8102f98730f3af1c5a56b58069bfce8995acd2123628401
- SHA512
  
  f5d9b8c1fd9239894ec9c075542bff0bcef79871f31038e627ae257b8c1db9070f4d124448a78e60ccc8bc12f138102a54825e9d7647cd34832984c7c24a6276
- SSDEEP
  
  768:bhU+D/no2u+6JaAcNRFJ67Pn975JqiG6BwUqdVBF+G2JOnCC6G2JOtCCm:bhjDIrU0h5Jqi7qzb2ICCb26CCm
Score

1^/10
behavioral4
- Target
  
  Malware-database-main/Electron V2.exe
- Size
  
  39KB
- MD5
  
  b1228ba24ca5f75f8df9d5d177e5bb2b
- SHA1
  
  1895758de51ccfefa40239aa11055540c8c5deb7
- SHA256
  
  04b106b179c202c67361aa4debad5d82f79a1927ab0ab8abc2ef350d18894b08
- SHA512
  
  7abc1df0089a1a00aadc11c33eecffb5d85258acc4eac0b261ceaea77e814eaf671506383fe0074fd5779b8bc58e0f48f0d15309aa81aecf27ecc6633da4c5a4
- SSDEEP
  
  768:hqo2khp1DlNjwQr9KWO4TOpkx7u/LraCvpbMC2mkek:ko2kFpNjwQr9KWODkx74L2CNf5k
Score

10^/10

chaos evasion ransomware spyware stealer
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
behavioral5
- Target
  
  Malware-database-main/Flasher.exe
- Size
  
  246KB
- MD5
  
  9254ca1da9ff8ad492ca5fa06ca181c6
- SHA1
  
  70fa62e6232eae52467d29cf1c1dacb8a7aeab90
- SHA256
  
  30676ad5dc94c3fec3d77d87439b2bf0a1aaa7f01900b68002a06f11caee9ce6
- SHA512
  
  a84fbbdea4e743f3e41878b9cf6db219778f1479aa478100718af9fc8d7620fc7a3295507e11df39c7863cb896f946514e50368db480796b6603c8de5580685a
- SSDEEP
  
  6144:/85Z+Y97t0Kc0Nd5bHzvvj/R87Z3BxonZ:/8vd2KxNPjs3gZ
Score

1^/10
behavioral6
- Target
  
  Malware-database-main/MEMZ Trojan.exe
- Size
  
  12KB
- MD5
  
  9c642c5b111ee85a6bccffc7af896a51
- SHA1
  
  eca8571b994fd40e2018f48c214fab6472a98bab
- SHA256
  
  4bbf7589615ebdb6c769d6d2e7bdcb26072bac0cda6e225a4133ba8819e688d5
- SHA512
  
  23cc74b5a7bdf70ba789d1730a0009414cfb9c780544e3d8d841be58782b9a9a089969c4295a0da25d07285505992386486d6ff0524e75605b96bb99cd3aaa1c
- SSDEEP
  
  192:BCMfc/GinpRBueYDw4+kEeN4FRrfMFFp3+f2dvGhT59uay:AMfceinpOeRENYhfOj+eGdKa
Score

1^/10
behavioral7
- Target
  
  Malware-database-main/Popup.exe
- Size
  
  373KB
- MD5
  
  9c3e9e30d51489a891513e8a14d931e4
- SHA1
  
  4e5a5898389eef8f464dee04a74f3b5c217b7176
- SHA256
  
  f8f7b5f20ca57c61df6dc8ff49f2f5f90276a378ec17397249fdc099a6e1dcd8
- SHA512
  
  bf45677b7dd6c67ad350ec6ecad5bc3f04dea179fae0ff0a695c69f7de919476dd7a69c25b04c8530a35119e4933f4a8c327ed6dcef892b1114dfd7e494a19a7
- SSDEEP
  
  6144:yN6MLNACl/+9EhE/jIxlOaNpA7tRzXBWRiB6nlbKsgP5o24a4pF0ghqbjY:Kh29IEUxhiHWRIglbKsgRokTghf
Score

1^/10
behavioral8
- Target
  
  Malware-database-main/PowerPoint.exe
- Size
  
  136KB
- MD5
  
  70108103a53123201ceb2e921fcfe83c
- SHA1
  
  c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3
- SHA256
  
  9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d
- SHA512
  
  996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b
- SSDEEP
  
  1536:3VrdxBvcGdDHHtWv8udA1JYREgJ/qEOpsChnU4V1lyqHv4vAmOG9HSDKRppppp5B:1H5D0dSgo7ppTV1lyqPOAmOG9HSOD
Score

7^/10

bootkit persistence
- Deletes itself
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral9
- Target
  
  Malware-database-main/RedEye.exe
- Size
  
  10.6MB
- MD5
  
  e9e5596b42f209cc058b55edc2737a80
- SHA1
  
  f30232697b3f54e58af08421da697262c99ec48b
- SHA256
  
  9ac9f207060c28972ede6284137698ce0769e3695c7ad98ab320605d23362305
- SHA512
  
  e542319beb6f81b493ad80985b5f9c759752887dc3940b77520a3569cd5827de2fcae4c2357b7f9794b382192d4c0b125746df5cf08f206d07b2b473b238d0c7
- SSDEEP
  
  196608:+ahZ5qN3wvdJBiAv1hXx7jeeDt9/wGoyIu+sTvDmQONhL/LslAVyq8rZyA+TXtT4:+w6NAvPAA/Xx3eeDtTD+GDONhL/AlAV8
Score

10^/10

evasion persistence ransomware trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- UAC bypass
  evasion trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Disables use of System Restore points
  evasion
- Modifies Windows Firewall
  evasion
- Sets file execution options in registry
  persistence
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Sets desktop wallpaper using registry
  ransomware
behavioral10
- Target
  
  Malware-database-main/WannaCry.exe
- Size
  
  224KB
- MD5
  
  5c7fb0927db37372da25f270708103a2
- SHA1
  
  120ed9279d85cbfa56e5b7779ffa7162074f7a29
- SHA256
  
  be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
- SHA512
  
  a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
- SSDEEP
  
  3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ
Score

10^/10

wannacry persistence ransomware spyware stealer worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral11
- Target
  
  Malware-database-main/butterflyondesktop.exe
- Size
  
  2.8MB
- MD5
  
  1535aa21451192109b86be9bcc7c4345
- SHA1
  
  1af211c686c4d4bf0239ed6620358a19691cf88c
- SHA256
  
  4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6
- SHA512
  
  1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da
- SSDEEP
  
  49152:5aA7f7tlVmdqK23H2bpHI4Qs5ABV9WRHZRsgI82lcHGAaKLinXBgJ:Q+VMkX224QsWBq5SfARGRgJ
Score

7^/10
- Executes dropped EXE
behavioral12