Resubmissions

18-02-2024 19:25    240218-x45dvadh4z    score 10
18-02-2024 04:36    240218-e8mqgsed37    score 10

General

  • Target

    2024-02-18_3f953963692453828a4745f7d18f1fda_petya_wannacry

  • Size

    342KB

  • Sample

    240218-x45dvadh4z

  • MD5

    3f953963692453828a4745f7d18f1fda

  • SHA1

    5d017394e9ffc48675635ba7b006737c2ad35813

  • SHA256

    8af25c95b9ff713896e275ceeda46a9ad401e5af37d8b8d482c46efbecfe9829

  • SHA512

    15abbd883d892c7b35a4743e7068b87df2d39dd89c25b2599c232c9187b5703cfc1ff1ceefaa6ec890b7091bd8c7b2308518f86ed40a818a3472616f6675906e

  • SSDEEP

    6144:qMr97ebBr9u88ZcR4LOQtoN4Ywh4jw+IhNvZAB:SbBr9u88ZcR4SQtoN4Yw6jpIhNZAB

Malware Config

Extracted

Path: C:\Users\Admin\Documents\RECOVERFILES.txt

Ransom Note:
you became a victim of the transcrypt ransomware! the harddisk of your computer have been encrypted with an military grade encryption algorithm. there is no way to restore your data without our help. perhaps you are busy looking for a way to recover your files,but don’t waste your time. nobody can recover your files without our decryption service. .....we garantee that you can recover all your files safely and easily........ .....all you need to do is submit the payment and purchase the decryption key... please follow the instructions: 1. buy 500 dollars worth of bitcoin 2. send the bitcoin to the following btc-adress: bc1qaew5e0p4fxe6zx27gwuguqvsnlyv2lqmdxshhx 3. send an email to [email protected] with proof of the transaction and your decryption key “vuyrecemqopdmw”.
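The operator-controlled values in the note (payment address, contact, ransom amount, the "decryption key" token) are the indicators worth pulling out of a Chaos-style note during triage. The script below is an added example, not part of the sandbox report: the note text is copied verbatim from the report above, while the regexes and the bech32 checksum check on the bitcoin address are the editor's own. Note that the contact e-mail was obfuscated to "[email protected]" when the page was captured, so the extractor correctly finds no address for it.

```python
"""Extract operator-controlled indicators from the RECOVERFILES.txt note.
Added example, not part of the sandbox report: the note text is copied from
the report, the regexes and the bech32 checksum check are assumptions about
how one would triage such a note offline."""
import re

# Ransom note exactly as captured on the report page. The contact e-mail was
# obfuscated to "[email protected]" during page extraction, so no real address
# survives for the extractor to find.
NOTE = (
    "you became a victim of the transcrypt ransomware! the harddisk of your computer "
    "have been encrypted with an military grade encryption algorithm. there is no way "
    "to restore your data without our help. perhaps you are busy looking for a way to "
    "recover your files,but don’t waste your time. nobody can recover your files "
    "without our decryption service. .....we garantee that you can recover all your "
    "files safely and easily........ .....all you need to do is submit the payment "
    "and purchase the decryption key... please follow the instructions: 1. buy 500 "
    "dollars worth of bitcoin 2. send the bitcoin to the following btc-adress: "
    "bc1qaew5e0p4fxe6zx27gwuguqvsnlyv2lqmdxshhx 3. send an email to "
    "[email protected] with proof of the transaction and your decryption key "
    "“vuyrecemqopdmw”."
)

BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def bech32_polymod(values):
    """BIP173 checksum polynomial over a list of 5-bit values."""
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def bech32_checksum_ok(addr):
    """True if addr carries a valid bech32 (witness v0) or bech32m (v1+) checksum.
    A failing checksum means the address in the note is a typo or a decoy, not a
    spendable destination."""
    addr = addr.lower()
    hrp, _, data = addr.rpartition("1")  # '1' never appears in the data part
    if not hrp or len(data) < 6 or any(c not in BECH32_CHARSET for c in data):
        return False
    values = [BECH32_CHARSET.index(c) for c in data]
    expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    const = bech32_polymod(expanded + values)
    return const == 1 if values[0] == 0 else const == 0x2BC830A3


def extract_iocs(note):
    """Return the operator-controlled fields of a Chaos-style ransom note."""
    btc = re.findall(r"\bbc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,87}\b", note)
    email = re.search(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}", note)
    key = re.search(r'decryption key\s*[“"]([A-Za-z0-9]+)[”"]', note)
    amount = re.search(r"(\d[\d,]*)\s*dollars", note)
    return {
        "btc_addresses": [{"address": a, "checksum_ok": bech32_checksum_ok(a)} for a in btc],
        "email": email.group(0) if email else None,
        "decryption_key": key.group(1) if key else None,
        "ransom_usd": int(amount.group(1).replace(",", "")) if amount else None,
    }


if __name__ == "__main__":
    for field, value in extract_iocs(NOTE).items():
        print(f"{field}: {value}")
```

The "decryption key" token is the per-build victim identifier the operator matches a payment to; together with the address it is the most specific indicator for clustering other notes from the same builder configuration.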

Targets

    • Target

      2024-02-18_3f953963692453828a4745f7d18f1fda_petya_wannacry

    • Chaos

      Ransomware family first seen in June 2021. Early Chaos builder versions overwrote larger files with random data rather than encrypting them, so the note's promise of recovery should not be taken at face value; the report does not establish which builder version produced this sample.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

      Disables Windows recovery options so the system cannot be repaired from the boot menu after encryption; used alongside shadow-copy and backup-catalog deletion to inhibit system recovery.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry
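Three of the signatures above (shadow-copy deletion, bcdedit changes, backup-catalog deletion) are the ATT&CK T1490 "Inhibit System Recovery" triad, and seeing more than one of them from the same parent process is a far stronger ransomware signal than any single command. The detection below is an added example, not part of the sandbox report: the command lines are the ones these signatures commonly fire on (the sample's own command lines are not reproduced on this page), and the process-creation events are constructed for illustration.

```python
"""Flag the T1490 'inhibit system recovery' behaviours listed in the report
from process-creation events. Added example: events and command lines are
constructed for illustration, not records from the sandbox run."""
import re
from collections import defaultdict

# Each rule: (signature name as the report labels it, ATT&CK technique, regex
# over the normalized command line). Patterns are the ones these signatures
# commonly fire on; assumption: the sample's exact command lines are not on
# the report page.
RULES = [
    ("Deletes shadow copies", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("Deletes shadow copies", "T1490",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("Modifies boot configuration data using bcdedit", "T1490",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled no|bootstatuspolicy ignoreallfailures)\b")),
    ("Deletes backup catalog", "T1490",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b")),
]


def normalize(cmdline):
    """Lower-case, strip quotes and collapse whitespace so spacing and quoting
    tricks do not evade the regexes."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "").lower()).strip()


def match_rules(cmdline):
    """Return the set of (signature, technique) pairs one command line triggers."""
    norm = normalize(cmdline)
    return {(sig, tech) for sig, tech, rx in RULES if rx.search(norm)}


def correlate(events, threshold=2):
    """Group matches by parent process id. A parent that spawns at least
    `threshold` distinct recovery-inhibiting signatures is reported; a lone
    'vssadmin list shadows' from an administrator never reaches that bar."""
    by_parent = defaultdict(set)
    for ev in events:
        by_parent[ev["parent_pid"]].update(match_rules(ev["cmdline"]))
    return {pid: sorted(hits) for pid, hits in by_parent.items() if len(hits) >= threshold}


# Constructed sample events (not from the report). pid 4120 mirrors the
# signature list above; pid 912 is an administrator running read-only commands.
SAMPLE_EVENTS = [
    {"parent_pid": 4120, "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"parent_pid": 4120, "cmdline": "wmic  shadowcopy   delete"},
    {"parent_pid": 4120, "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"parent_pid": 4120, "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"parent_pid": 4120, "cmdline": '"C:\\Windows\\System32\\wbadmin.exe" delete catalog -quiet'},
    {"parent_pid": 912, "cmdline": "vssadmin list shadows"},
    {"parent_pid": 912, "cmdline": "bcdedit /enum"},
]

if __name__ == "__main__":
    for pid, hits in correlate(SAMPLE_EVENTS).items():
        print(f"parent {pid}: {len(hits)} distinct T1490 behaviours")
        for sig, tech in hits:
            print(f"  {tech}  {sig}")
```

Correlating on the parent process rather than alerting per command is what keeps this usable: the individual binaries are legitimate administration tools, but nothing legitimate deletes shadow copies, disables boot recovery and wipes the backup catalog from the same parent within one session.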

MITRE ATT&CK Enterprise v15