chaos | 8cd8555d975f61d90c4d5f03efc2d1dafd63deadcd63e8bb27b5e58d85232195

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09-02-2024 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-09_e6b1e60b0809191d81d1e34f9c5f7d36_destroyer_wannacry.exe
Size

45KB
MD5

e6b1e60b0809191d81d1e34f9c5f7d36
SHA1

18441ea54cc267047200ad99cea3232107353455
SHA256

8cd8555d975f61d90c4d5f03efc2d1dafd63deadcd63e8bb27b5e58d85232195
SHA512

805146c8503e9a336930248b4833b5098f78ea1fac1eb5a32f5e78e70c171e71065e1521607c4457f6bc54203ceb2079169f36ce18a3b2b0ee48e09626bb178d
SSDEEP

768:zn3kInKS5pVgU8qr9iIDOfB6uV2fvfeCIv4IRgW9UcbqJqSwlWAlbsLYeG:73kIhp98qr9iumnMsnRgsbqZ5AmNG

Score

10^/10

chaos evasion ransomware spyware stealer

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 3 IoCs

resource	yara_rule
behavioral1/memory/2876-0-0x0000000001100000-0x0000000001112000-memory.dmp	family_chaos
behavioral1/files/0x000a000000012243-6.dat	family_chaos
behavioral1/memory/2792-7-0x0000000000A20000-0x0000000000A32000-memory.dmp	family_chaos

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Detects command variations typically used by ransomware 3 IoCs

resource	yara_rule
behavioral1/memory/2876-0-0x0000000001100000-0x0000000001112000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware
behavioral1/files/0x000a000000012243-6.dat	INDICATOR_SUSPICIOUS_GENRansomware
behavioral1/memory/2792-7-0x0000000000A20000-0x0000000000A32000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2396	bcdedit.exe
1136	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1472	wbadmin.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Blamat7awlexe.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9ra_oula_byelpc	Blamat7awlexe.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Blamat7awlexe.url	Blamat7awlexe.exe

Executes dropped EXE 1 IoCs

pid	Process
2792	Blamat7awlexe.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 34 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	Blamat7awlexe.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-928733405-3780110381-2966456290-1000\desktop.ini	Blamat7awlexe.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	Blamat7awlexe.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	Blamat7awlexe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Blamat7awlexe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	Blamat7awlexe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Blamat7awlexe.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	Blamat7awlexe.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	Blamat7awlexe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	Blamat7awlexe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	Blamat7awlexe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Blamat7awlexe.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	Blamat7awlexe.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	Blamat7awlexe.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Blamat7awlexe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	Blamat7awlexe.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	Blamat7awlexe.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	Blamat7awlexe.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Blamat7awlexe.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	Blamat7awlexe.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	Blamat7awlexe.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	Blamat7awlexe.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	Blamat7awlexe.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	Blamat7awlexe.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	Blamat7awlexe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Blamat7awlexe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Blamat7awlexe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Blamat7awlexe.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	Blamat7awlexe.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	Blamat7awlexe.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	Blamat7awlexe.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	Blamat7awlexe.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	Blamat7awlexe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	Blamat7awlexe.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\q1ucis9zn.jpg"	Blamat7awlexe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2988	vssadmin.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2792	Blamat7awlexe.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2876	2024-02-09_e6b1e60b0809191d81d1e34f9c5f7d36_destroyer_wannacry.exe
2876	2024-02-09_e6b1e60b0809191d81d1e34f9c5f7d36_destroyer_wannacry.exe
2876	2024-02-09_e6b1e60b0809191d81d1e34f9c5f7d36_destroyer_wannacry.exe
2792	Blamat7awlexe.exe
2792	Blamat7awlexe.exe
2792	Blamat7awlexe.exe
2792	Blamat7awlexe.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1624	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	2876	2024-02-09_e6b1e60b0809191d81d1e34f9c5f7d36_destroyer_wannacry.exe
Token: SeDebugPrivilege	2792	Blamat7awlexe.exe
Token: SeBackupPrivilege	2256	vssvc.exe
Token: SeRestorePrivilege	2256	vssvc.exe
Token: SeAuditPrivilege	2256	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1712	WMIC.exe
Token: SeSecurityPrivilege	1712	WMIC.exe
Token: SeTakeOwnershipPrivilege	1712	WMIC.exe
Token: SeLoadDriverPrivilege	1712	WMIC.exe
Token: SeSystemProfilePrivilege	1712	WMIC.exe
Token: SeSystemtimePrivilege	1712	WMIC.exe
Token: SeProfSingleProcessPrivilege	1712	WMIC.exe
Token: SeIncBasePriorityPrivilege	1712	WMIC.exe
Token: SeCreatePagefilePrivilege	1712	WMIC.exe
Token: SeBackupPrivilege	1712	WMIC.exe
Token: SeRestorePrivilege	1712	WMIC.exe
Token: SeShutdownPrivilege	1712	WMIC.exe
Token: SeDebugPrivilege	1712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1712	WMIC.exe
Token: SeRemoteShutdownPrivilege	1712	WMIC.exe
Token: SeUndockPrivilege	1712	WMIC.exe
Token: SeManageVolumePrivilege	1712	WMIC.exe
Token: 33	1712	WMIC.exe
Token: 34	1712	WMIC.exe
Token: 35	1712	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1712	WMIC.exe
Token: SeSecurityPrivilege	1712	WMIC.exe
Token: SeTakeOwnershipPrivilege	1712	WMIC.exe
Token: SeLoadDriverPrivilege	1712	WMIC.exe
Token: SeSystemProfilePrivilege	1712	WMIC.exe
Token: SeSystemtimePrivilege	1712	WMIC.exe
Token: SeProfSingleProcessPrivilege	1712	WMIC.exe
Token: SeIncBasePriorityPrivilege	1712	WMIC.exe
Token: SeCreatePagefilePrivilege	1712	WMIC.exe
Token: SeBackupPrivilege	1712	WMIC.exe
Token: SeRestorePrivilege	1712	WMIC.exe
Token: SeShutdownPrivilege	1712	WMIC.exe
Token: SeDebugPrivilege	1712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1712	WMIC.exe
Token: SeRemoteShutdownPrivilege	1712	WMIC.exe
Token: SeUndockPrivilege	1712	WMIC.exe
Token: SeManageVolumePrivilege	1712	WMIC.exe
Token: 33	1712	WMIC.exe
Token: 34	1712	WMIC.exe
Token: 35	1712	WMIC.exe
Token: SeBackupPrivilege	3056	wbengine.exe
Token: SeRestorePrivilege	3056	wbengine.exe
Token: SeSecurityPrivilege	3056	wbengine.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1624	AcroRd32.exe
1624	AcroRd32.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2792	2876	2024-02-09_e6b1e60b0809191d81d1e34f9c5f7d36_destroyer_wannacry.exe	28
PID 2876 wrote to memory of 2792	2876	2024-02-09_e6b1e60b0809191d81d1e34f9c5f7d36_destroyer_wannacry.exe	28
PID 2876 wrote to memory of 2792	2876	2024-02-09_e6b1e60b0809191d81d1e34f9c5f7d36_destroyer_wannacry.exe	28
PID 2792 wrote to memory of 2904	2792	Blamat7awlexe.exe	30
PID 2792 wrote to memory of 2904	2792	Blamat7awlexe.exe	30
PID 2792 wrote to memory of 2904	2792	Blamat7awlexe.exe	30
PID 2904 wrote to memory of 2988	2904	cmd.exe	32
PID 2904 wrote to memory of 2988	2904	cmd.exe	32
PID 2904 wrote to memory of 2988	2904	cmd.exe	32
PID 2904 wrote to memory of 1712	2904	cmd.exe	35
PID 2904 wrote to memory of 1712	2904	cmd.exe	35
PID 2904 wrote to memory of 1712	2904	cmd.exe	35
PID 2792 wrote to memory of 1704	2792	Blamat7awlexe.exe	37
PID 2792 wrote to memory of 1704	2792	Blamat7awlexe.exe	37
PID 2792 wrote to memory of 1704	2792	Blamat7awlexe.exe	37
PID 1704 wrote to memory of 2396	1704	cmd.exe	39
PID 1704 wrote to memory of 2396	1704	cmd.exe	39
PID 1704 wrote to memory of 2396	1704	cmd.exe	39
PID 1704 wrote to memory of 1136	1704	cmd.exe	40
PID 1704 wrote to memory of 1136	1704	cmd.exe	40
PID 1704 wrote to memory of 1136	1704	cmd.exe	40
PID 2792 wrote to memory of 2984	2792	Blamat7awlexe.exe	41
PID 2792 wrote to memory of 2984	2792	Blamat7awlexe.exe	41
PID 2792 wrote to memory of 2984	2792	Blamat7awlexe.exe	41
PID 2984 wrote to memory of 1472	2984	cmd.exe	43
PID 2984 wrote to memory of 1472	2984	cmd.exe	43
PID 2984 wrote to memory of 1472	2984	cmd.exe	43
PID 2792 wrote to memory of 1388	2792	Blamat7awlexe.exe	47
PID 2792 wrote to memory of 1388	2792	Blamat7awlexe.exe	47
PID 2792 wrote to memory of 1388	2792	Blamat7awlexe.exe	47
PID 1388 wrote to memory of 1624	1388	rundll32.exe	49
PID 1388 wrote to memory of 1624	1388	rundll32.exe	49
PID 1388 wrote to memory of 1624	1388	rundll32.exe	49
PID 1388 wrote to memory of 1624	1388	rundll32.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-02-09_e6b1e60b0809191d81d1e34f9c5f7d36_destroyer_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-09_e6b1e60b0809191d81d1e34f9c5f7d36_destroyer_wannacry.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Roaming\Blamat7awlexe.exe
  "C:\Users\Admin\AppData\Roaming\Blamat7awlexe.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2988
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1712
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2396
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1136
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:1472
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\9ra_oula_byelpc
    3⤵
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\9ra_oula_byelpc"
      4⤵
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:1624

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2528

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
f773fe32ee53573b7a4c768c997f8661

SHA1
b38a249af95c15d4ab9363332635adaa45af76df

SHA256
b5e78cd077d66ce9cb0e99ec0ada8e926fa222b7c14ab540a3ffa365a239a405

SHA512
828f51d7d4678ba44f4d0baf221952f1456bc69cf7a304b6a6a8b7f5e0e7b5171c2868ee4755585c0831893d8bf456af20d7126232030f9f70a2d3f23013966c

Download Submit
C:\Users\Admin\AppData\Roaming\Blamat7awlexe.exe

Filesize
45KB

MD5
e6b1e60b0809191d81d1e34f9c5f7d36

SHA1
18441ea54cc267047200ad99cea3232107353455

SHA256
8cd8555d975f61d90c4d5f03efc2d1dafd63deadcd63e8bb27b5e58d85232195

SHA512
805146c8503e9a336930248b4833b5098f78ea1fac1eb5a32f5e78e70c171e71065e1521607c4457f6bc54203ceb2079169f36ce18a3b2b0ee48e09626bb178d

Download Submit
C:\Users\Admin\Desktop\9ra_oula_byelpc

Filesize
322B

MD5
1f11a3e713cb9a3fbde0f9c8faa5f022

SHA1
9d880f854f3dd058f0605163c14ca16bff91788a

SHA256
f32ee3ab729bfa0f8654d59bcb0da973579dff853b1fc26dfa71b4e01ac2c894

SHA512
91a60521dd4a234cfff61ddd8a6fd60e866198710d8eeb311a639f39ea046132a4cc95403fcda5c31bc0e22283fedba38fc70cfb370c454834abc80ddf7d5f4f

Download Submit
memory/2792-7-0x0000000000A20000-0x0000000000A32000-memory.dmp

Filesize
72KB

Download
memory/2792-8-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2792-72-0x000000001ADD0000-0x000000001AE50000-memory.dmp

Filesize
512KB

Download
memory/2792-92-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2792-93-0x000000001ADD0000-0x000000001AE50000-memory.dmp

Filesize
512KB

Download
memory/2876-0-0x0000000001100000-0x0000000001112000-memory.dmp

Filesize
72KB

Download
memory/2876-1-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2876-89-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download