Resubmissions

  • 30-04-2024 19:18  240430-x1bx5aga38  10
  • 30-04-2024 18:59  240430-xm42rafe58  10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-04-2024 18:59

General

  • Target

    2024-04-30_c9f6fc22d04c4d56622e9322d1a34d70_wannacry.exe

  • Size

    1.1MB

  • MD5

    c9f6fc22d04c4d56622e9322d1a34d70

  • SHA1

    d45ed6385e183456f1d0f68aba47727df1d38256

  • SHA256

    b7b3f9f8e59c42d40505a0e53039b69ba969b84b14d31a71557f5a09855b678a

  • SHA512

    f73342e15b3f1fb180f845950ed90f0fdc9c54f1040d457d78f2a13be445d65650dca455b254254db566e81b4c089539370edda3ef76a4c5bbc32ea7aaaa40e2

  • SSDEEP

    12288:o7YHBR9ideJWmXm+if5BYstvfCjqf2KqY5UBx2qIYvnv+pkiccfIzdLzsb4D7ZfL:ogBNq5u0v6AUjBfLyZEi

Malware Config

Extracted

Path

C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\read_it.txt

Ransom Note
(Explanation) Shit well unfornatley you have fallen for my ransomware. Meaning that all of your personal files like your images, videos, applications etc are locked. In order to get your files back you will need to pay a small fee of 0.0008 bitcoin. You may be asking yourself well how the fuck do I get bitcoin and or what is bitcoin. Well bitcoin is a digital currency that can be converted into USD anonymously. Buying bitcoin is super easy you can buy it at bitcoin atms near you or applications on your phone which I will If you do not care about your files they will automatically be deleted in 2 days or you can reset your computer. If you do care about your files then please follow the instructions to successfully recover your files. Step 1: Create a bitcoin wallet on your phone or whatever mobile device you are using. DO NOT create a bitcoin wallet on your computer or you could possibly lose all of your funds (I'm saving you the trouble of losing out on even more of your money). I would recommend downloading the wallet 'Cake Wallet'. It is very simple to use for begginners and works great it is available on the apple app store and google play store aswell. Step 2: You Will need to buy bitcoin to pay the ransom in recovering your files. Some places to buy bitcoin could be for example https://coinflip.tech (This is a website that tells you where the nearest bitcoin atm is from you the fee is 15.99% so you may need to bring more cash with you.) You can fill your wallet up until you have enough to send the ransom and cover the fee you need to pay me the fees on sending bitcoin usually sits between $4-$6. If you have cashapp you can try sending bitcoin that way aswell there is a place where you can invest into bitcoin I would recommend watching videos on buying and sending it. Step 3: Once you have boughten bitcoin you will need to send it. Please scan the QR code that is shown in my wallpaper. The wallpaper is on your computer if you have not already seen it. 
If you are unsure on how to scan it with a bitcoin wallet you made on your mobile device then please scan the qr code by going into your camera app and hovering over it. It should pop up with a bitcoin address once you get the bitcoin address then send the required bitcoin. You can also use snapchat's camera to scan bitcoin QR codes. If you are using cake wallet select that 'fast' option for a fast confirmation the faster I can confirm that the bitcoin has been sent to my bitcoin address the faster you will get your files back. If you are using cash app to send the bitcoin select the fastest option for a quick payment. Step 4: Contact my email once the bitcoin is sent again the bitcoin needs to be sent from a different device other then the infected computer in order to make a smoothe and quick transaction. My Email: [email protected] Step 5: A decrypter will be provided to you once the payment is sent make sure that you disable virus protection temporaily again to decrypt your files. To decrypt please drag the private key into the decrypter application it should say 'Open With' and just hit 'more info' and select yes if needed to run it. After it is ran your files will then successfully be unlocked and in your possession. If a payment has not been made within 2 days all of your personal files on your computer such as your pictures, passwords, any data, private logs, etc will be sent out on to the darkweb or (The Tor Browser). As well as any connected USB's or backup drives will also have been infected and they will be sent out on the dark web as well. It is important to have good communication with me or if my one of my workers (who spread the malware on your computer) is helping you out for example make such that they can verify that the payment has gone through. No further warnings will go out. Once again please make a crypto wallet on a different device other then your computer because there is a high chance that you will lose your funds using your computer. 
So Again I recommend using a Phone or any other mobile device that you have. If you forgot how much to send in bitcoin to the qr code it was 0.0008 Bitcoin Again my email to contact me at is: [email protected]
URLs

https://coinflip.tech

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 4 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Detects command variations typically used by ransomware 4 IoCs
  • Detects executables containing many references to VEEAM. Observed in ransomware 4 IoCs
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (202) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-30_c9f6fc22d04c4d56622e9322d1a34d70_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-30_c9f6fc22d04c4d56622e9322d1a34d70_wannacry.exe"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Users\Admin\AppData\Roaming\Installer.exe
      "C:\Users\Admin\AppData\Roaming\Installer.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2224
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2664
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2648
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2752
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1660
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2060
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2352
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1088
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:2052
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:640
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2460
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:816
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:1824
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    PID:1716

Downloads

  • C:\Users\Admin\AppData\Roaming\Installer.exe
    Filesize: 1.1MB
    MD5: c9f6fc22d04c4d56622e9322d1a34d70
    SHA1: d45ed6385e183456f1d0f68aba47727df1d38256
    SHA256: b7b3f9f8e59c42d40505a0e53039b69ba969b84b14d31a71557f5a09855b678a
    SHA512: f73342e15b3f1fb180f845950ed90f0fdc9c54f1040d457d78f2a13be445d65650dca455b254254db566e81b4c089539370edda3ef76a4c5bbc32ea7aaaa40e2

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite.DumbStackz
    Filesize: 48KB
    MD5: 4d4a49d2632faa9d820d25c8a7f09598
    SHA1: 731cbb94bb844639b85b3ad6653324fb754c0f87
    SHA256: 9d1c8367003fe360d4ed394df1582e4f1c0c5877a8b5129d0dc90bc69e14594a
    SHA512: 973b97acc2c77249e33ff9efe6aa6d57fece3a669d4f804516c2a06efb5da153dda8e77ff6fdf11413393c71f9ea18d2e3e07dde2a7158adf8cf5dd665c8dc82

  • C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\read_it.txt
    Filesize: 4KB
    MD5: 3487c41ad8ea8f2659c603539beaf06e
    SHA1: b1d658eba8f7be795a5bbd6657036d6cb08fa6b9
    SHA256: 31e3c22beda1445bba2c1e275fc4bc3f3cfa5d835db1ecf15ffa65d340436d89
    SHA512: d936da83f894bf5de5d4d761bf4298f16a867ebb3a7873bb53f2915d5be440234310c4e07048b2a5beab5a19c706055d4bc212fdfc5101d23025b03d3bfdaad4

  • C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Command Prompt.lnk
    Filesize: 1B
    MD5: d1457b72c3fb323a2671125aef3eab5d
    SHA1: 5bab61eb53176449e25c2c82f172b82cb13ffb9d
    SHA256: 8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1
    SHA512: ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

  • memory/2224-10-0x000007FEF5A80000-0x000007FEF646C000-memory.dmp
    Filesize: 9.9MB

  • memory/2224-8-0x0000000000880000-0x000000000099C000-memory.dmp
    Filesize: 1.1MB

  • memory/2224-11-0x000000001AF00000-0x000000001AF80000-memory.dmp
    Filesize: 512KB

  • memory/2224-1015-0x000007FEF5A80000-0x000007FEF646C000-memory.dmp
    Filesize: 9.9MB

  • memory/2416-0-0x0000000000AD0000-0x0000000000BEC000-memory.dmp
    Filesize: 1.1MB

  • memory/2416-1-0x000007FEF5A80000-0x000007FEF646C000-memory.dmp
    Filesize: 9.9MB

  • memory/2416-2-0x000000001B150000-0x000000001B1D0000-memory.dmp
    Filesize: 512KB

  • memory/2416-9-0x000007FEF5A80000-0x000007FEF646C000-memory.dmp
    Filesize: 9.9MB