Overview

overview

10

Static

static

10

2024-04-29...ry.exe

windows7-x64

10

2024-04-29...ry.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2024-04-29_29fa75458106f03a11560ca466363129_chaos_destroyer_wannacry

  • Size

    22KB

  • Sample

    240429-qprqwabf32

  • MD5

    29fa75458106f03a11560ca466363129

  • SHA1

    89db6502c8170f260b48d80ee0ece3380ba77eb5

  • SHA256

    3f5ade39f3658b6da93987f7ba7dba38d7d94096638ef9f3565790e6ab73eef7

  • SHA512

    28a58b096f560ac4cd03b96f77f7e0cbe7e96c4fb56fb6758c3e4ff7304e3ae4e0db35570f69070c676e45143dedb7be50556bc80f38364400ea2d43bec99188

  • SSDEEP

    384:j3Mg/bqo2uOv0tpDnqp+Ao4+X0Z/dJZr91C8OWh0et:Vqo2BDp+J4+kRrZr9hLyet

Score
10/10
chaosevasionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Ransom Note
!!! ATTENTION !!! Your device has been locked by our ransomware. To regain access to your device and your files, you must pay a ransom of : $100 USD in Bitcoin. Bitcoin Address: bc1qgk07vhn53ws7khy3840gjjvlw7qgzftfjgweq2 Once payment is made, please send an email to [email protected] with the transaction ID as proof of payment. Upon confirmation of your payment, you will receive instructions on how to unlock your device. !!! ATTENTION !!!

Targets

    • Target

      2024-04-29_29fa75458106f03a11560ca466363129_chaos_destroyer_wannacry

    • Size

      22KB

    • MD5

      29fa75458106f03a11560ca466363129

    • SHA1

      89db6502c8170f260b48d80ee0ece3380ba77eb5

    • SHA256

      3f5ade39f3658b6da93987f7ba7dba38d7d94096638ef9f3565790e6ab73eef7

    • SHA512

      28a58b096f560ac4cd03b96f77f7e0cbe7e96c4fb56fb6758c3e4ff7304e3ae4e0db35570f69070c676e45143dedb7be50556bc80f38364400ea2d43bec99188

    • SSDEEP

      384:j3Mg/bqo2uOv0tpDnqp+Ao4+X0Z/dJZr91C8OWh0et:Vqo2BDp+J4+kRrZr9hLyet

    Score
    10/10
    chaosevasionransomwarespywarestealer

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Detects command variations typically used by ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks