General

  • Target

    2024-04-29_af51c1a91ec1249730d7b22979cc7c42_chaos_destroyer_wannacry

  • Size

    22KB

  • Sample

    240429-qz7j3scc71

  • MD5

    af51c1a91ec1249730d7b22979cc7c42

  • SHA1

    5285d86451c719a0b0c0eb833ac227772488436d

  • SHA256

    4710fb0bd1a6beb6f5b9cbb88a3141fbaffc54341f146570a7aac42df2938588

  • SHA512

    b2fcd6dcefb8b672b5c9d27fcd08f0858fc46e58b2f73511d4aaa2fea63d68fb3ac0b5e8a0ea6375227fc5a26a8dfc48b116225397aea6b7b9165a348c3a55e0

  • SSDEEP

    384:U3Mg/bqo2pOv0tpDnqp+Ao4+X0Z/zJHr91C8OWhneK:qqo2EDp+J4+kRVHr9hLJeK

Malware Config

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Ransom Note

!!! ATTENTION !!! Your device has been locked by our ransomware. To regain access to your device and your files, you must pay a ransom of : $100 USD in Bitcoin. Bitcoin Address: bc1qgk07vhn53ws7khy3840gjjvlw7qgzftfjgweq2 Once payment is made, please send an email to [email protected] with the transaction ID as proof of payment. Upon confirmation of your payment, you will receive instructions on how to unlock your device. !!! ATTENTION !!!

Targets

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Detects command variations typically used by ransomware

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v15