General

  • Target

    2024-04-03_d6ff005837ddd51800c690a4f3d2bb1c_wannacry

  • Size

    101KB

  • Sample

    240403-s9q17afc4s

  • MD5

    d6ff005837ddd51800c690a4f3d2bb1c

  • SHA1

    1e124e594c3dcaeb796870764c5058e7396b8979

  • SHA256

    3ef443961db229c2dd9b90ef7db82eaac674f6da81e43e1d70cad06a0b3a8173

  • SHA512

    8d68f941a0cfc8386f18b59e0123b0dc82a1673e4536f4e250c1be2c6fa732e2117183c1e60f860496e2d303ed97bdc12c8be9687d69a6e0d41a7c73bbf216cc

  • SSDEEP

    3072:Uh0Qq9r+U/AW8OguUhP+CpiB+BGN4E/TsmSXx:Uh0Qq9Xh8OgRmCpiYQe

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\read_it.txt

Ransom Note

All your files, such as documents, photos, databases, and other important files, are encrypted. But Don't worry, you can return all your files! You must follow these steps to decrypt your files Message us on tox download is below Toxid:D188F8E65CE16E832EA090D1628F531FD15F78CF751F8BEF0E0B3CBCCA4FD050F243343C2D5A Obtain 200 euros worth of Bitcoin or XMR (You have to pay for decryption in Bitcoins or Xmr. If you don't pay in the first 24 hours it will cost 400 euros and after 3 days it will cost 600 euros. If you don't pay the ransom we will leak or sell your data if it is interesting enough What guarantees do we give to you. You can send one of your encrypted files, and we will decrypt it for free. where you can install tox 'https://tox.chat/download.html' where you can buy bitcoin 'https://www.coinbase.com/'

URLs

https://tox.chat/download.html

Targets

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Detects command variations typically used by ransomware

    • Detects executables containing many references to VEEAM. Observed in ransomware

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks