Overview

overview

10

Static

static

10

2024-02-24...ry.exe

windows7-x64

10

2024-02-24...ry.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2024-02-24_baad3244b1b5663e0a7f121d90edd298_wannacry

  • Size

    335KB

  • Sample

    240224-1fy4psfh2s

  • MD5

    baad3244b1b5663e0a7f121d90edd298

  • SHA1

    22a518e2ab331a1eaff6069b722d627638fbfbef

  • SHA256

    e48138f16524da77e9d85ec11596e668664c116bcd3c995641af0d52c0526def

  • SHA512

    9a3d61ef1061528aa9ca7289aa50af1d5d5b755159dd231d4a1594354992719f3f29058411a1bac38fc97b2a73cf6159b181b55e416a002404f053d5140a58ca

  • SSDEEP

    6144:0D9c9kL94GeFdhL29TuuXglosdU4GjbKqBaQy/oOERKlJ6LaY8:0x54GeFddmpXg+sdUhjWsat/oOERKz6G

Score
10/10
chaosevasionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\read_me.txt

Ransom Note
Внимание! Ваша ОС заражена вирусом XznShirkiCry, а все ваши файлы были зашифрованы. Для того чтобы расшифровать ваши файлы, необходимо заплатить выкуп 5$ на BitCoin-кошелек. После этого написать на нашу электронную почту. BitCoin-кошелек:33KahcFtpmK3kX3zXQ8fonKL5HNYrhWwy8 Электронная почта:[email protected] Важно! Зашифрованы файлы: Не удалять Не изменять расширение файлов В случаи если вы удалите наш вирус или ваш антивирус его удалит, то расшифровка станет невозможна!!! Ваш ID:17666. Данный ID понадобится для расшифровки. English: Attention! Your OS is infected with the XznShirkiCry virus, and all your files have been encrypted. In order to decrypt your files, you need to pay a $5 ransom to a BitCoin wallet. After that, write to our email address. BitCoin Wallet:33KahcFtpmK3kX3zXQ8fonKL5HNYrhWwy8 e-mail:[email protected] Important! Encrypted files: Do not delete Do not change the file extension If you delete our virus or your antivirus deletes it, then decryption will be impossible!!! Your ID:17666. You will need this ID for decryption.
Emails

почта:[email protected]

e-mail:[email protected]

Targets

    • Target

      2024-02-24_baad3244b1b5663e0a7f121d90edd298_wannacry

    • Size

      335KB

    • MD5

      baad3244b1b5663e0a7f121d90edd298

    • SHA1

      22a518e2ab331a1eaff6069b722d627638fbfbef

    • SHA256

      e48138f16524da77e9d85ec11596e668664c116bcd3c995641af0d52c0526def

    • SHA512

      9a3d61ef1061528aa9ca7289aa50af1d5d5b755159dd231d4a1594354992719f3f29058411a1bac38fc97b2a73cf6159b181b55e416a002404f053d5140a58ca

    • SSDEEP

      6144:0D9c9kL94GeFdhL29TuuXglosdU4GjbKqBaQy/oOERKlJ6LaY8:0x54GeFddmpXg+sdUhjWsat/oOERKz6G

    Score
    10/10
    chaosevasionransomwarespywarestealer

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Detects command variations typically used by ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Renames multiple (177) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Disables Task Manager via registry modification

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks