Analysis
-
max time kernel
147s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
02-03-2024 04:28
Behavioral task
behavioral1
Sample
2024-03-02_cc08c839f91c6c4e2f91bc28de762eeb_destroyer_wannacry.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
2024-03-02_cc08c839f91c6c4e2f91bc28de762eeb_destroyer_wannacry.exe
Resource
win10v2004-20240226-en
General
-
Target
2024-03-02_cc08c839f91c6c4e2f91bc28de762eeb_destroyer_wannacry.exe
-
Size
80KB
-
MD5
cc08c839f91c6c4e2f91bc28de762eeb
-
SHA1
f8cd5d7d3364eee8ab971006dcbc215039d7d252
-
SHA256
00b93b6037537b7119361ca2a4a9641abc8d8f9fd182c6804859e12c2e391e88
-
SHA512
983c1975056c17918e6e352d71bebc39e1fb0a6717ab06b8ea306ae8a955104beabaf0bc1dc3c71abf4dcf8f058353cea60a11371dcd7736277a111544c25e10
-
SSDEEP
1536:TYlzqm0YbKgKVXbiQYRe5NCcbSoZ6va/ms4GS5a/O:TYl7t6NbhYIWcm+6va/6Gyp
Malware Config
Extracted
C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\SkynetData.txt
imhere.ru@protonmail.com
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 2 IoCs
Processes:
resource yara_rule behavioral2/memory/1548-0-0x00000169DB080000-0x00000169DB09A000-memory.dmp family_chaos C:\Users\Admin\AppData\Roaming\svchost.exe family_chaos -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Detects command variations typically used by ransomware 2 IoCs
Processes:
resource yara_rule behavioral2/memory/1548-0-0x00000169DB080000-0x00000169DB09A000-memory.dmp INDICATOR_SUSPICIOUS_GENRansomware C:\Users\Admin\AppData\Roaming\svchost.exe INDICATOR_SUSPICIOUS_GENRansomware -
Detects executables containing many references to VEEAM. Observed in ransomware 2 IoCs
Processes:
resource yara_rule behavioral2/memory/1548-0-0x00000169DB080000-0x00000169DB09A000-memory.dmp INDICATOR_SUSPICOUS_EXE_References_VEEAM C:\Users\Admin\AppData\Roaming\svchost.exe INDICATOR_SUSPICOUS_EXE_References_VEEAM -
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
bcdedit.exebcdedit.exepid process 2520 bcdedit.exe 2004 bcdedit.exe -
Renames multiple (526) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Processes:
wbadmin.exepid process 4584 wbadmin.exe -
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
2024-03-02_cc08c839f91c6c4e2f91bc28de762eeb_destroyer_wannacry.exesvchost.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation 2024-03-02_cc08c839f91c6c4e2f91bc28de762eeb_destroyer_wannacry.exe Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation svchost.exe -
Deletes itself 1 IoCs
Processes:
svchost.exepid process 3292 svchost.exe -
Executes dropped EXE 1 IoCs
Processes:
svchost.exepid process 3292 svchost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateTask = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vds.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 3888 vssadmin.exe -
Modifies registry class 1 IoCs
Processes:
svchost.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings svchost.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 1588 NOTEPAD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
2024-03-02_cc08c839f91c6c4e2f91bc28de762eeb_destroyer_wannacry.exesvchost.exepid process 1548 2024-03-02_cc08c839f91c6c4e2f91bc28de762eeb_destroyer_wannacry.exe 3292 svchost.exe -
Suspicious behavior: EnumeratesProcesses 42 IoCs
Processes:
2024-03-02_cc08c839f91c6c4e2f91bc28de762eeb_destroyer_wannacry.exesvchost.exepid process 1548 2024-03-02_cc08c839f91c6c4e2f91bc28de762eeb_destroyer_wannacry.exe 1548 2024-03-02_cc08c839f91c6c4e2f91bc28de762eeb_destroyer_wannacry.exe 1548 2024-03-02_cc08c839f91c6c4e2f91bc28de762eeb_destroyer_wannacry.exe 1548 2024-03-02_cc08c839f91c6c4e2f91bc28de762eeb_destroyer_wannacry.exe 1548 2024-03-02_cc08c839f91c6c4e2f91bc28de762eeb_destroyer_wannacry.exe 1548 2024-03-02_cc08c839f91c6c4e2f91bc28de762eeb_destroyer_wannacry.exe 1548 2024-03-02_cc08c839f91c6c4e2f91bc28de762eeb_destroyer_wannacry.exe 1548 2024-03-02_cc08c839f91c6c4e2f91bc28de762eeb_destroyer_wannacry.exe 1548 2024-03-02_cc08c839f91c6c4e2f91bc28de762eeb_destroyer_wannacry.exe 1548 2024-03-02_cc08c839f91c6c4e2f91bc28de762eeb_destroyer_wannacry.exe 1548 2024-03-02_cc08c839f91c6c4e2f91bc28de762eeb_destroyer_wannacry.exe 1548 2024-03-02_cc08c839f91c6c4e2f91bc28de762eeb_destroyer_wannacry.exe 1548 2024-03-02_cc08c839f91c6c4e2f91bc28de762eeb_destroyer_wannacry.exe 1548 2024-03-02_cc08c839f91c6c4e2f91bc28de762eeb_destroyer_wannacry.exe 1548 2024-03-02_cc08c839f91c6c4e2f91bc28de762eeb_destroyer_wannacry.exe 1548 2024-03-02_cc08c839f91c6c4e2f91bc28de762eeb_destroyer_wannacry.exe 1548 2024-03-02_cc08c839f91c6c4e2f91bc28de762eeb_destroyer_wannacry.exe 1548 2024-03-02_cc08c839f91c6c4e2f91bc28de762eeb_destroyer_wannacry.exe 1548 2024-03-02_cc08c839f91c6c4e2f91bc28de762eeb_destroyer_wannacry.exe 1548 2024-03-02_cc08c839f91c6c4e2f91bc28de762eeb_destroyer_wannacry.exe 1548 2024-03-02_cc08c839f91c6c4e2f91bc28de762eeb_destroyer_wannacry.exe 3292 svchost.exe 3292 svchost.exe 3292 svchost.exe 3292 svchost.exe 3292 svchost.exe 3292 svchost.exe 3292 svchost.exe 3292 svchost.exe 3292 svchost.exe 3292 svchost.exe 3292 svchost.exe 3292 svchost.exe 3292 svchost.exe 3292 svchost.exe 3292 svchost.exe 3292 svchost.exe 3292 svchost.exe 3292 svchost.exe 3292 svchost.exe 3292 svchost.exe 3292 svchost.exe -
Suspicious use of AdjustPrivilegeToken 50 IoCs
Processes:
2024-03-02_cc08c839f91c6c4e2f91bc28de762eeb_destroyer_wannacry.exesvchost.exevssvc.exeWMIC.exewbengine.exedescription pid process Token: SeDebugPrivilege 1548 2024-03-02_cc08c839f91c6c4e2f91bc28de762eeb_destroyer_wannacry.exe Token: SeDebugPrivilege 3292 svchost.exe Token: SeBackupPrivilege 772 vssvc.exe Token: SeRestorePrivilege 772 vssvc.exe Token: SeAuditPrivilege 772 vssvc.exe Token: SeIncreaseQuotaPrivilege 3304 WMIC.exe Token: SeSecurityPrivilege 3304 WMIC.exe Token: SeTakeOwnershipPrivilege 3304 WMIC.exe Token: SeLoadDriverPrivilege 3304 WMIC.exe Token: SeSystemProfilePrivilege 3304 WMIC.exe Token: SeSystemtimePrivilege 3304 WMIC.exe Token: SeProfSingleProcessPrivilege 3304 WMIC.exe Token: SeIncBasePriorityPrivilege 3304 WMIC.exe Token: SeCreatePagefilePrivilege 3304 WMIC.exe Token: SeBackupPrivilege 3304 WMIC.exe Token: SeRestorePrivilege 3304 WMIC.exe Token: SeShutdownPrivilege 3304 WMIC.exe Token: SeDebugPrivilege 3304 WMIC.exe Token: SeSystemEnvironmentPrivilege 3304 WMIC.exe Token: SeRemoteShutdownPrivilege 3304 WMIC.exe Token: SeUndockPrivilege 3304 WMIC.exe Token: SeManageVolumePrivilege 3304 WMIC.exe Token: 33 3304 WMIC.exe Token: 34 3304 WMIC.exe Token: 35 3304 WMIC.exe Token: 36 3304 WMIC.exe Token: SeIncreaseQuotaPrivilege 3304 WMIC.exe Token: SeSecurityPrivilege 3304 WMIC.exe Token: SeTakeOwnershipPrivilege 3304 WMIC.exe Token: SeLoadDriverPrivilege 3304 WMIC.exe Token: SeSystemProfilePrivilege 3304 WMIC.exe Token: SeSystemtimePrivilege 3304 WMIC.exe Token: SeProfSingleProcessPrivilege 3304 WMIC.exe Token: SeIncBasePriorityPrivilege 3304 WMIC.exe Token: SeCreatePagefilePrivilege 3304 WMIC.exe Token: SeBackupPrivilege 3304 WMIC.exe Token: SeRestorePrivilege 3304 WMIC.exe Token: SeShutdownPrivilege 3304 WMIC.exe Token: SeDebugPrivilege 3304 WMIC.exe Token: SeSystemEnvironmentPrivilege 3304 WMIC.exe Token: SeRemoteShutdownPrivilege 3304 WMIC.exe Token: SeUndockPrivilege 3304 WMIC.exe Token: SeManageVolumePrivilege 3304 WMIC.exe Token: 33 3304 WMIC.exe Token: 34 3304 WMIC.exe Token: 35 3304 WMIC.exe Token: 36 3304 WMIC.exe Token: SeBackupPrivilege 3496 wbengine.exe Token: SeRestorePrivilege 3496 wbengine.exe Token: SeSecurityPrivilege 3496 wbengine.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
2024-03-02_cc08c839f91c6c4e2f91bc28de762eeb_destroyer_wannacry.exesvchost.execmd.execmd.execmd.exedescription pid process target process PID 1548 wrote to memory of 3292 1548 2024-03-02_cc08c839f91c6c4e2f91bc28de762eeb_destroyer_wannacry.exe svchost.exe PID 1548 wrote to memory of 3292 1548 2024-03-02_cc08c839f91c6c4e2f91bc28de762eeb_destroyer_wannacry.exe svchost.exe PID 3292 wrote to memory of 1316 3292 svchost.exe cmd.exe PID 3292 wrote to memory of 1316 3292 svchost.exe cmd.exe PID 1316 wrote to memory of 3888 1316 cmd.exe vssadmin.exe PID 1316 wrote to memory of 3888 1316 cmd.exe vssadmin.exe PID 1316 wrote to memory of 3304 1316 cmd.exe WMIC.exe PID 1316 wrote to memory of 3304 1316 cmd.exe WMIC.exe PID 3292 wrote to memory of 3244 3292 svchost.exe cmd.exe PID 3292 wrote to memory of 3244 3292 svchost.exe cmd.exe PID 3244 wrote to memory of 2520 3244 cmd.exe bcdedit.exe PID 3244 wrote to memory of 2520 3244 cmd.exe bcdedit.exe PID 3244 wrote to memory of 2004 3244 cmd.exe bcdedit.exe PID 3244 wrote to memory of 2004 3244 cmd.exe bcdedit.exe PID 3292 wrote to memory of 1804 3292 svchost.exe cmd.exe PID 3292 wrote to memory of 1804 3292 svchost.exe cmd.exe PID 1804 wrote to memory of 4584 1804 cmd.exe wbadmin.exe PID 1804 wrote to memory of 4584 1804 cmd.exe wbadmin.exe PID 3292 wrote to memory of 1588 3292 svchost.exe NOTEPAD.EXE PID 3292 wrote to memory of 1588 3292 svchost.exe NOTEPAD.EXE -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-03-02_cc08c839f91c6c4e2f91bc28de762eeb_destroyer_wannacry.exe"C:\Users\Admin\AppData\Local\Temp\2024-03-02_cc08c839f91c6c4e2f91bc28de762eeb_destroyer_wannacry.exe"1⤵
- Checks computer location settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\SkynetData.txt3⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\IconCache.dbFilesize
1B
MD5d1457b72c3fb323a2671125aef3eab5d
SHA15bab61eb53176449e25c2c82f172b82cb13ffb9d
SHA2568a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1
SHA512ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0
-
C:\Users\Admin\AppData\Roaming\svchost.exeFilesize
80KB
MD5cc08c839f91c6c4e2f91bc28de762eeb
SHA1f8cd5d7d3364eee8ab971006dcbc215039d7d252
SHA25600b93b6037537b7119361ca2a4a9641abc8d8f9fd182c6804859e12c2e391e88
SHA512983c1975056c17918e6e352d71bebc39e1fb0a6717ab06b8ea306ae8a955104beabaf0bc1dc3c71abf4dcf8f058353cea60a11371dcd7736277a111544c25e10
-
C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\SkynetData.txtFilesize
4KB
MD584fd99d7568f4fd57566b5f9313f21d0
SHA17b4b4cfa203b7710a9a0001d6c18ff98ddd58371
SHA256936bec19a2a91faf09276b5527c2117a17dd6e1b02d934b5fa337fb3ae4aa3c6
SHA512643f8e2a754b682ab7a1856e410814c3a96e695c8f053c34f77cbc39f0d4267fc271980a1de1b8d9c3e5c5fdb73af88d1f1436066bba78a51bb456e53f22f7a5
-
memory/1548-0-0x00000169DB080000-0x00000169DB09A000-memory.dmpFilesize
104KB
-
memory/1548-1-0x00007FFB81160000-0x00007FFB81C21000-memory.dmpFilesize
10.8MB
-
memory/1548-2-0x00000169F5750000-0x00000169F5760000-memory.dmpFilesize
64KB
-
memory/1548-15-0x00007FFB81160000-0x00007FFB81C21000-memory.dmpFilesize
10.8MB
-
memory/3292-16-0x00007FFB81160000-0x00007FFB81C21000-memory.dmpFilesize
10.8MB
-
memory/3292-1443-0x00007FFB81160000-0x00007FFB81C21000-memory.dmpFilesize
10.8MB