Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-04-2024 06:08

General

  • Target

    2024-04-17_eef725304b796ed42e6b33915948a110_chaos_destroyer_wannacry.exe

  • Size

    23KB

  • MD5

    eef725304b796ed42e6b33915948a110

  • SHA1

    0f76177579a5348d2ce3c8ef2830ff7e6cd5c6a0

  • SHA256

    422a692ad2161387188bf81b0c39bc420b08c42f3c6481aa78b8f972696d9f45

  • SHA512

    70fb1dad949c176a5c34bd5112ab71ddcf48fe7fd1078123e305d1f3b5c590967c9ad4505394f40cfc3d4e5d47ed96edcc756297111db7583d080d6bb37a9bb1

  • SSDEEP

    384:OlrTrx6hQRf79BBkYUC0TFbj1YLoiqbVkYFB:crTrx6ho77BkY4bpEqb+YFB

Malware Config

Extracted

Path

C:\Users\Admin\Documents\READMEEEEE.txt

Family

chaos

Ransom Note

----> Chaos is multi language ransomware. Translate your note to any language <----

All of your files have been encrypted
Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.

What can I do to get my files back?
You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.
The price for the software is $1,500. Payment can be made in Bitcoin only.

How do I pay, where do I get Bitcoin?
Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin.
Many of our customers have reported these sites to be fast and reliable:
Coinmama - hxxps://www.coinmama.com
Bitpanda - hxxps://www.bitpanda.com

Payment information
Amount: 0.1473766 BTC
Bitcoin Address: <insert_your_address>

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Detects command variations typically used by ransomware 2 IoCs
  • Renames multiple (199) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 34 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 47 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-17_eef725304b796ed42e6b33915948a110_chaos_destroyer_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-17_eef725304b796ed42e6b33915948a110_chaos_destroyer_wannacry.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:408
    • C:\Users\Admin\AppData\Roaming\test.exe
      "C:\Users\Admin\AppData\Roaming\test.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3720
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\READMEEEEE.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:1072

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\test.exe

    Filesize

    23KB

    MD5

    eef725304b796ed42e6b33915948a110

    SHA1

    0f76177579a5348d2ce3c8ef2830ff7e6cd5c6a0

    SHA256

    422a692ad2161387188bf81b0c39bc420b08c42f3c6481aa78b8f972696d9f45

    SHA512

    70fb1dad949c176a5c34bd5112ab71ddcf48fe7fd1078123e305d1f3b5c590967c9ad4505394f40cfc3d4e5d47ed96edcc756297111db7583d080d6bb37a9bb1

  • C:\Users\Admin\Documents\READMEEEEE.txt

    Filesize

    943B

    MD5

    bc80da411ccb7cd8db9395473e50b126

    SHA1

    2fb96c64c36c49a595bb1a2892cfdaf5c9fbe2f0

    SHA256

    fc565168c79007dd271b607a2adc0dc91b66c2555b574b731d37a6b7bde072fc

    SHA512

    1975061edec3d68d8c0511c867c5b9106d1815ae6dd5702efd6ac7ef96b2ede6d0a79d6cd3a46873b4ae4e797ce0de11276eabd245154df86965c3c965329051

  • memory/408-0-0x0000000000290000-0x000000000029C000-memory.dmp

    Filesize

    48KB

  • memory/408-1-0x00007FFBB3740000-0x00007FFBB4201000-memory.dmp

    Filesize

    10.8MB

  • memory/408-15-0x00007FFBB3740000-0x00007FFBB4201000-memory.dmp

    Filesize

    10.8MB

  • memory/3720-14-0x00007FFBB3740000-0x00007FFBB4201000-memory.dmp

    Filesize

    10.8MB

  • memory/3720-17-0x000000001AE90000-0x000000001AEA0000-memory.dmp

    Filesize

    64KB

  • memory/3720-466-0x00007FFBB3740000-0x00007FFBB4201000-memory.dmp

    Filesize

    10.8MB

  • memory/3720-467-0x000000001AE90000-0x000000001AEA0000-memory.dmp

    Filesize

    64KB