Analysis

  • max time kernel
    135s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-03-2024 04:46

General

  • Target

    2024-03-15_a32b23db12286223af4786eccf8f66d7_wannacry.exe

  • Size

    223KB

  • MD5

    a32b23db12286223af4786eccf8f66d7

  • SHA1

    fe19f59183dcf801749457140b4b3aeeb3e82598

  • SHA256

    5f161fe20eafa6de2ad791276d14bd1c28013a1dd7b83b8b20016ea3065eacbf

  • SHA512

    0395949d424e0898d25efa5713952c2e2df155f743c5d158003268256c4c541bd83c10bf2653e4fa31ed52bb1a044e4e19e9464f7d972313a5a8e2f1b4856aa0

  • SSDEEP

    6144:m4Er9iAYFCtntIVprUPvEefILCrSK3FK+x:m4GYFCtntIVqPvCLCrSK1K+x

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\read_it.txt

Ransom Note
All of your files have been encrypted! Warning Attempting to remove the software will corrupt your hard drives meaning no further use even when wiped. We simply charge $25 which is far cheaper than buying a new drive. Your computer was infected with a ransomware software. Your files have been encrypted and you won't be able to decrypt them without purchasing $25 BTC. What can I do to get my files back? You will send payment of $25 BTC to gain access to your files again, once payment is made after 3 confirmations on the blockchain (15 mins) your files will be restored and the software will un-install itself from your computer. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment will increase soon to double, be cooperative and your files will be released. Payment information Amount: 0.000385636 BTC Bitcoin Address: bc1qc76qr24pxnms9f93mytfg4dn7ztuvmje7g43dr

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 2 IoCs
  • Detects command variations typically used by ransomware 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 34 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 52 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-15_a32b23db12286223af4786eccf8f66d7_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-15_a32b23db12286223af4786eccf8f66d7_wannacry.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4704
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:4772

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\svchost.exe

    Filesize

    223KB

    MD5

    a32b23db12286223af4786eccf8f66d7

    SHA1

    fe19f59183dcf801749457140b4b3aeeb3e82598

    SHA256

    5f161fe20eafa6de2ad791276d14bd1c28013a1dd7b83b8b20016ea3065eacbf

    SHA512

    0395949d424e0898d25efa5713952c2e2df155f743c5d158003268256c4c541bd83c10bf2653e4fa31ed52bb1a044e4e19e9464f7d972313a5a8e2f1b4856aa0

  • C:\Users\Admin\Desktop\read_it.txt

    Filesize

    1KB

    MD5

    ea03cbb2fdf2dc96252b579612602225

    SHA1

    ac9ceff3c368f7409b9a7201f62fa92eded4da51

    SHA256

    e4f0c335d1ffc3ed4a32ae4aee294c9652f67a765fbaaad1f90e0540d25ed565

    SHA512

    1388a3f740f84541f8a8c0298bfe8b71f03d86a71174f97a68edcb4bdca0f467d6823b94314fa54547451c3ec4f6bc2228d74bf7537acf7c2dfb9f5a2d398051

  • memory/2396-0-0x0000000000CC0000-0x0000000000CFE000-memory.dmp

    Filesize

    248KB

  • memory/2396-1-0x00007FFA2BAA0000-0x00007FFA2C561000-memory.dmp

    Filesize

    10.8MB

  • memory/2396-14-0x00007FFA2BAA0000-0x00007FFA2C561000-memory.dmp

    Filesize

    10.8MB

  • memory/4704-15-0x00007FFA2BAA0000-0x00007FFA2C561000-memory.dmp

    Filesize

    10.8MB

  • memory/4704-71-0x00007FFA2BAA0000-0x00007FFA2C561000-memory.dmp

    Filesize

    10.8MB