Extracted

• • Target

    2024-03-20_6f014d20774a7ec9869e54fe3d977f11_wannacry

  • Size

    127KB

  • MD5

    6f014d20774a7ec9869e54fe3d977f11

  • SHA1

    2f05737ded3e8f2a6c7468482a6d500ec32d7d30

  • SHA256

    3688345fc9eaee1073bfb24872d397a180a784e263b7a3b0ef91a8cd2bdad747

  • SHA512

    c67358c788beab21c192032fd157dbfaa81398c719a4d4091d49bef2d02c364760f1fac23721e433d7d10a7f25779db143a5f4f68cc07a500e14cb6b544852a8

  • SSDEEP

    1536:KNboAHq9CTesdi+y1WAPoRD9AuH7x9Z2eVGjzfnvI7BpxZe2WyKlsEX7xuTI3:ulHq9CliXWAPEV9Ue4znvqg2WVrxua

  Score

  10^/10

  chaosevasionpersistenceransomwarespywarestealer

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos

  • Chaos Ransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Detects command variations typically used by ransomware

  • Detects executables containing many references to VEEAM. Observed in ransomware

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Deletes backup catalog

    Uses wbadmin.exe to inhibit system recovery.

    ransomware

  • Disables Task Manager via registry modification

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Sets desktop wallpaper using registry

    ransomware
  behavioral1behavioral2