Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/04/2024, 22:28 UTC

General

  • Target

    2024-04-03_35cd5196973ea268366e117948e3234e_wannacry.exe

  • Size

    138KB

  • MD5

    35cd5196973ea268366e117948e3234e

  • SHA1

    d3b0408dd73972b1228dbc6eedae887020069205

  • SHA256

    d487a3562cfb46a5992deac8a154f6b84b4b046fb98252e51b9c75310a8e4610

  • SHA512

    250080b16b12a3b36ea27a621ca1a9664aff0cbbd4e7c286ed030edad2a568d338c1f40817e9643b896ef23e5992372ee6866a972fdccac14005d02a1bff9f8e

  • SSDEEP

    3072:Too9Lr9+OjsHL8Czl4rPT5E6JHztz3M1j/20:9r9+Ow8frT66tFYj/2

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 2 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Detects command variations typically used by ransomware 2 IoCs
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 34 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-03_35cd5196973ea268366e117948e3234e_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-03_35cd5196973ea268366e117948e3234e_wannacry.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4648
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4516
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3212
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:564
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4364
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4100
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:4652
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:3036
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
          PID:1924
          • C:\Windows\system32\wbadmin.exe
            wbadmin delete catalog -quiet
            4⤵
            • Deletes backup catalog
            PID:2732
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1352
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2304
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:3448
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Checks SCSI registry key(s)
        PID:4696
      • C:\Windows\system32\OpenWith.exe
        C:\Windows\system32\OpenWith.exe -Embedding
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:2652

      Network

      • flag-us
        DNS
        210.108.222.173.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        210.108.222.173.in-addr.arpa
        IN PTR
        Response
        210.108.222.173.in-addr.arpa
        IN PTR
        a173-222-108-210.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        28.118.140.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        28.118.140.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        140.32.126.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        140.32.126.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        104.219.191.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        104.219.191.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        50.23.12.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        50.23.12.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        240.221.184.93.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        240.221.184.93.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        131.72.42.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        131.72.42.20.in-addr.arpa
        IN PTR
        Response
      • 52.111.227.14:443
        322 B
        7
      • 8.8.8.8:53
        210.108.222.173.in-addr.arpa
        dns
        74 B
        141 B
        1
        1

        DNS Request

        210.108.222.173.in-addr.arpa

      • 8.8.8.8:53
        28.118.140.52.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        28.118.140.52.in-addr.arpa

      • 8.8.8.8:53
        140.32.126.40.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        140.32.126.40.in-addr.arpa

      • 8.8.8.8:53
        104.219.191.52.in-addr.arpa
        dns
        73 B
        147 B
        1
        1

        DNS Request

        104.219.191.52.in-addr.arpa

      • 8.8.8.8:53
        50.23.12.20.in-addr.arpa
        dns
        70 B
        156 B
        1
        1

        DNS Request

        50.23.12.20.in-addr.arpa

      • 8.8.8.8:53
        240.221.184.93.in-addr.arpa
        dns
        73 B
        144 B
        1
        1

        DNS Request

        240.221.184.93.in-addr.arpa

      • 8.8.8.8:53
        131.72.42.20.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        131.72.42.20.in-addr.arpa

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Roaming\svchost.exe

        Filesize

        138KB

        MD5

        35cd5196973ea268366e117948e3234e

        SHA1

        d3b0408dd73972b1228dbc6eedae887020069205

        SHA256

        d487a3562cfb46a5992deac8a154f6b84b4b046fb98252e51b9c75310a8e4610

        SHA512

        250080b16b12a3b36ea27a621ca1a9664aff0cbbd4e7c286ed030edad2a568d338c1f40817e9643b896ef23e5992372ee6866a972fdccac14005d02a1bff9f8e

      • C:\Users\Admin\Documents\LEIA-ME txt

        Filesize

        555B

        MD5

        88e1775159b477cd84de858370a72243

        SHA1

        4ba54e4aff5187c036867b2c96c8ab7e75a7955c

        SHA256

        403de26691352cea37b29d2babc62f90c8995dff9a6a367be247ca388a8d1349

        SHA512

        76f9b5001f13488e66fee067140d68eba2082614f41e910d43c1f4b51c793db34b556aab3798714a18ad60e3c958da56d1414d8b74f799f0d72d09a89d03a521

      • memory/4516-14-0x00007FF943FE0000-0x00007FF944AA1000-memory.dmp

        Filesize

        10.8MB

      • memory/4516-452-0x00007FF943FE0000-0x00007FF944AA1000-memory.dmp

        Filesize

        10.8MB

      • memory/4648-0-0x0000000000160000-0x0000000000188000-memory.dmp

        Filesize

        160KB

      • memory/4648-1-0x00007FF943FE0000-0x00007FF944AA1000-memory.dmp

        Filesize

        10.8MB

      • memory/4648-15-0x00007FF943FE0000-0x00007FF944AA1000-memory.dmp

        Filesize

        10.8MB