Analysis
-
max time kernel
93s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
27-04-2024 05:36
General
-
Target
2024-04-27_d0cf727c46e2ee5dbf57063d3ae85dfd_destroyer_wannacry.exe
-
Size
22KB
-
MD5
d0cf727c46e2ee5dbf57063d3ae85dfd
-
SHA1
e5fab1e8a3954970331f415e5bcb7cdc2ad678d3
-
SHA256
93e27f3c219edee9e18c570fc1b36c0fae0e3b06cbbe85bd9afb4fe7d11d03ea
-
SHA512
da7b19ec144f69594d66b46c5e24adeccbd4bd2d13bc04be4030f4464978f2d8263dcfffe9392d684ecd5d918366d5c6236e39a9d47be18e4b166091448fc326
-
SSDEEP
384:p3MLWHn3kITf5o1CWpW23+rJVr91CrNveg:Jn3kIhWpW2CVr9Sxeg
Malware Config
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 2 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Detects command variations typically used by ransomware 2 IoCs
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 34 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies registry class 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 39 IoCs
-
Suspicious use of AdjustPrivilegeToken 50 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-27_d0cf727c46e2ee5dbf57063d3ae85dfd_destroyer_wannacry.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-27_d0cf727c46e2ee5dbf57063d3ae85dfd_destroyer_wannacry.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\svchost.exeFilesize
22KB
MD5d0cf727c46e2ee5dbf57063d3ae85dfd
SHA1e5fab1e8a3954970331f415e5bcb7cdc2ad678d3
SHA25693e27f3c219edee9e18c570fc1b36c0fae0e3b06cbbe85bd9afb4fe7d11d03ea
SHA512da7b19ec144f69594d66b46c5e24adeccbd4bd2d13bc04be4030f4464978f2d8263dcfffe9392d684ecd5d918366d5c6236e39a9d47be18e4b166091448fc326
-
C:\Users\Admin\Desktop\Wifi_pass_wireFilesize
605B
MD5a411951ff9b7937383e1b22fb21933a1
SHA177e1ecf2a0b716a8a662a9f51be8db019acc3130
SHA256669cdc2df83b48699813a1087c2662f0449f1a27d9a214e8a688435bfb3c4f93
SHA512cc04656f91185ec8be78479554fdc0f5de2e8302c0a5023aa80814c692e8d85b7ed969300ffe872be230391248e2ca756c6bf769a3f520b68826b4c1ca1e6754
-
memory/2972-15-0x00007FFF47190000-0x00007FFF47C51000-memory.dmpFilesize
10.8MB
-
memory/2972-76-0x00007FFF47190000-0x00007FFF47C51000-memory.dmpFilesize
10.8MB
-
memory/4364-0-0x0000000000560000-0x000000000056C000-memory.dmpFilesize
48KB
-
memory/4364-1-0x00007FFF47190000-0x00007FFF47C51000-memory.dmpFilesize
10.8MB
-
memory/4364-14-0x00007FFF47190000-0x00007FFF47C51000-memory.dmpFilesize
10.8MB