General

  • Target

    2024-04-14_042af9c511552255aed26954d500543c_chaos_destroyer_wannacry

  • Size

    23KB

  • Sample

    240414-kbyz5shh8x

  • MD5

    042af9c511552255aed26954d500543c

  • SHA1

    e478b331aec1166f16a714e2a4320fcb04d54b16

  • SHA256

    b69bb28aa423914139a3edcf9fdb617f3105d971e628c4cd82bbd62b9fc32b85

  • SHA512

    5729179cce14e135b9e9d79d1acf4e518f2eadff604e5094e9f1eaf9e8c2ef9a3ada18905c55143fe2bbeaf020f3cff3b7e7e9b0845475353fff286a0cefa664

  • SSDEEP

    384:R3Mg/bqo2i5rMfpz0qjuwzUrJXmr91C221gYei:Tqo2Ir8pzRjKd2r9t2xei

Malware Config

Extracted

Path

C:\Users\Admin\Documents\READ_IT.txt

Ransom Note
[ Oops, Your files have been encrypted! ] WHAT HAPPENED TO MY COMPUTER? Your important files are encrypted. Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption key. The ransomware also spread in your Network or USB, You cannot kill or remove the ransomware You can recover your files unless you pay ₱2000 in our GCASH provider and after you send to the designated number with a receipt. You can send it to our email GCASH - https://ibb.co/RHs43WH Email - anonprixorph@proton.me
Emails

anonprixorph@proton.me

URLs

https://ibb.co/RHs43WH

Targets

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Detects command variations typically used by ransomware

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    T1059 Command and Scripting Interpreter (1)

  • Defense Evasion

    T1070 Indicator Removal (3)

    T1070.004 File Deletion (3)

  • Credential Access

    T1552 Unsecured Credentials (1)

    T1552.001 Credentials In Files (1)

  • Discovery

    T1012 Query Registry (3)

    T1082 System Information Discovery (3)

    T1120 Peripheral Device Discovery (1)

  • Collection

    T1005 Data from Local System (1)

  • Impact

    T1490 Inhibit System Recovery (4)

Tasks