General

  • Target

    2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry

  • Size

    1.1MB

  • Sample

    240308-mrr8msda36

  • MD5

    619fc98c120d10c8b5be2215153d4b46

  • SHA1

    72cec945d3e057ee27e9ff2b6ede6ac8ca127eb5

  • SHA256

    7267439752d21c7856257c4a766b10d9d49301ee7207390d57025d1071bb080f

  • SHA512

    c443c07685c63c2e9c2ef025e6ba6b4b49679acd8ee2c27fddc305e6d08182cd6647ae4b590b00d1f9c90792dcf8d5906ce3fcfa3aedb775559c29fb6e4728a9

  • SSDEEP

    12288:yBo9M904nKzuJpWissPWYkeRLSyXd8R84sZKIhwiGXIVmgf//9b31q3C/NwHGlLi:D9TaXk89Lgwd/RlNzS6XB

Malware Config

Targets

    • Target

      2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry

    • Size

      1.1MB

    • MD5

      619fc98c120d10c8b5be2215153d4b46

    • SHA1

      72cec945d3e057ee27e9ff2b6ede6ac8ca127eb5

    • SHA256

      7267439752d21c7856257c4a766b10d9d49301ee7207390d57025d1071bb080f

    • SHA512

      c443c07685c63c2e9c2ef025e6ba6b4b49679acd8ee2c27fddc305e6d08182cd6647ae4b590b00d1f9c90792dcf8d5906ce3fcfa3aedb775559c29fb6e4728a9

    • SSDEEP

      12288:yBo9M904nKzuJpWissPWYkeRLSyXd8R84sZKIhwiGXIVmgf//9b31q3C/NwHGlLi:D9TaXk89Lgwd/RlNzS6XB

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Detects command variations typically used by ransomware

    • Detects executables containing many references to VEEAM. Observed in ransomware

    • Modifies boot configuration data using bcdedit

    • Renames multiple (171) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks