Analysis
max time kernel: 93s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-04-2024 18:45
Behavioral task behavioral1
Sample: 2024-04-13_0d0ec10adf72d3c4f9f4d8aa2d28b84b_destroyer_wannacry.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: 2024-04-13_0d0ec10adf72d3c4f9f4d8aa2d28b84b_destroyer_wannacry.exe
Resource: win10v2004-20240412-en
General
Target: 2024-04-13_0d0ec10adf72d3c4f9f4d8aa2d28b84b_destroyer_wannacry.exe
Size: 36KB
MD5: 0d0ec10adf72d3c4f9f4d8aa2d28b84b
SHA1: 2f22d5b19caa97c914a10c47c75ddde5cec0a417
SHA256: 2acb33d8616a027487308629ee9271d2602065341f74ea0be18b526dff62d3cf
SHA512: d3480179ea8681a3a06f60bce1c769ec0bd8d7e3a170d3a7783b42330168c0c0978a7ed16174e4a3938822d1a573c4667e16aa2326194e2043bffcedb85c6658
SSDEEP: 768:kqo2Vc72OYpkdcE6r94t2W+bcf8EAndDyjweg:zo2+qpE6r94d+YZJg
Malware Config
Signatures
Chaos
Ransomware family first seen in June 2021.
Chaos Ransomware (2 IoCs)
  resource: behavioral2/memory/1864-0-0x00000000005B0000-0x00000000005C0000-memory.dmp  yara_rule: family_chaos
  resource: behavioral2/files/0x0009000000023367-6.dat  yara_rule: family_chaos
Detects command variations typically used by ransomware (2 IoCs)
  resource: behavioral2/memory/1864-0-0x00000000005B0000-0x00000000005C0000-memory.dmp  yara_rule: INDICATOR_SUSPICIOUS_GENRansomware
  resource: behavioral2/files/0x0009000000023367-6.dat  yara_rule: INDICATOR_SUSPICIOUS_GENRansomware
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation  Process: 2024-04-13_0d0ec10adf72d3c4f9f4d8aa2d28b84b_destroyer_wannacry.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation  Process: WINDAH.exe
Drops startup file (3 IoCs)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini  Process: WINDAH.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WINDAH  Process: WINDAH.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WINDAH.url  Process: WINDAH.exe
Executes dropped EXE (2 IoCs)
  pid: 3728  Process: WINDAH.exe
  pid: 2660  Process: WINDAH.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) (34 IoCs)
  File opened for modification (all by Process WINDAH.exe):
  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
  C:\Users\Public\Pictures\desktop.ini
  C:\Users\Admin\Music\desktop.ini
  C:\Users\Admin\OneDrive\desktop.ini
  C:\Users\Admin\Videos\desktop.ini
  C:\Users\Public\Music\desktop.ini
  C:\Users\Admin\Pictures\Camera Roll\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
  C:\Users\Public\Documents\desktop.ini
  C:\Users\Admin\Downloads\desktop.ini
  C:\Users\Public\Videos\desktop.ini
  C:\Users\Public\Desktop\desktop.ini
  C:\Users\Admin\Pictures\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  C:\Users\Admin\Links\desktop.ini
  C:\Users\Admin\Favorites\Links\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
  C:\Users\Admin\Documents\desktop.ini
  C:\Users\Admin\Saved Games\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
  C:\Users\Admin\Favorites\desktop.ini
  C:\Users\Admin\Searches\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
  F:\$RECYCLE.BIN\S-1-5-21-1132431369-515282257-1998160155-1000\desktop.ini
  C:\Users\Admin\Desktop\desktop.ini
  C:\Users\Admin\Contacts\desktop.ini
  C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\disz6kjwk.jpg"  Process: WINDAH.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid: 3728  Process: WINDAH.exe
Suspicious behavior: EnumeratesProcesses (49 IoCs)
  pid: 1864  Process: 2024-04-13_0d0ec10adf72d3c4f9f4d8aa2d28b84b_destroyer_wannacry.exe  (24 identical entries)
  pid: 3728  Process: WINDAH.exe  (24 identical entries)
  pid: 2660  Process: WINDAH.exe  (1 entry)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  pid: 1864  Process: 2024-04-13_0d0ec10adf72d3c4f9f4d8aa2d28b84b_destroyer_wannacry.exe
  Token: SeDebugPrivilege  pid: 3728  Process: WINDAH.exe
  Token: SeDebugPrivilege  pid: 2660  Process: WINDAH.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1864 wrote to memory of 3728  pid: 1864  Process: 2024-04-13_0d0ec10adf72d3c4f9f4d8aa2d28b84b_destroyer_wannacry.exe  procid_target: 89
  PID 1864 wrote to memory of 3728  pid: 1864  Process: 2024-04-13_0d0ec10adf72d3c4f9f4d8aa2d28b84b_destroyer_wannacry.exe  procid_target: 89
  PID 3728 wrote to memory of 2660  pid: 3728  Process: WINDAH.exe  procid_target: 93
  PID 3728 wrote to memory of 2660  pid: 3728  Process: WINDAH.exe  procid_target: 93
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-04-13_0d0ec10adf72d3c4f9f4d8aa2d28b84b_destroyer_wannacry.exe (PID 1864, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-13_0d0ec10adf72d3c4f9f4d8aa2d28b84b_destroyer_wannacry.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\WINDAH.exe (PID 3728, depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\WINDAH.exe"
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\WINDAH.exe (PID 2660, depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\WINDAH.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
File (Filesize 36KB)
  MD5: 0d0ec10adf72d3c4f9f4d8aa2d28b84b
  SHA1: 2f22d5b19caa97c914a10c47c75ddde5cec0a417
  SHA256: 2acb33d8616a027487308629ee9271d2602065341f74ea0be18b526dff62d3cf
  SHA512: d3480179ea8681a3a06f60bce1c769ec0bd8d7e3a170d3a7783b42330168c0c0978a7ed16174e4a3938822d1a573c4667e16aa2326194e2043bffcedb85c6658
File (Filesize 55B)
  MD5: 88db48406143c6f8fcded18777d0df9e
  SHA1: 2fd5814c4fb4fe0599430893fef810741c0ebcb0
  SHA256: db212078927fc8c1c43969b8bd9b1b5be47e28af5c6428919c982980fd4f1f87
  SHA512: 1ffc4069e2593206418fea2a395b00a75de51744f8698f6d827021aaa661efebf82a827b44b31bbfbc6e4447150abbc290b765b70b599f3a5685ff3db07f1352