Resubmissions

30-04-2024 19:18

240430-x1bx5aga38 10

30-04-2024 18:59

240430-xm42rafe58 10

Analysis

  • max time kernel
    66s
  • max time network
    50s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-04-2024 18:59

General

  • Target

    2024-04-30_c9f6fc22d04c4d56622e9322d1a34d70_wannacry.exe

  • Size

    1.1MB

  • MD5

    c9f6fc22d04c4d56622e9322d1a34d70

  • SHA1

    d45ed6385e183456f1d0f68aba47727df1d38256

  • SHA256

    b7b3f9f8e59c42d40505a0e53039b69ba969b84b14d31a71557f5a09855b678a

  • SHA512

    f73342e15b3f1fb180f845950ed90f0fdc9c54f1040d457d78f2a13be445d65650dca455b254254db566e81b4c089539370edda3ef76a4c5bbc32ea7aaaa40e2

  • SSDEEP

    12288:o7YHBR9ideJWmXm+if5BYstvfCjqf2KqY5UBx2qIYvnv+pkiccfIzdLzsb4D7ZfL:ogBNq5u0v6AUjBfLyZEi

Malware Config

Extracted

Path

C:\Users\Default\read_it.txt

Ransom Note
(Explanation) Shit well unfornatley you have fallen for my ransomware. Meaning that all of your personal files like your images, videos, applications etc are locked. In order to get your files back you will need to pay a small fee of 0.0008 bitcoin. You may be asking yourself well how the fuck do I get bitcoin and or what is bitcoin. Well bitcoin is a digital currency that can be converted into USD anonymously. Buying bitcoin is super easy you can buy it at bitcoin atms near you or applications on your phone which I will If you do not care about your files they will automatically be deleted in 2 days or you can reset your computer. If you do care about your files then please follow the instructions to successfully recover your files. Step 1: Create a bitcoin wallet on your phone or whatever mobile device you are using. DO NOT create a bitcoin wallet on your computer or you could possibly lose all of your funds (I'm saving you the trouble of losing out on even more of your money). I would recommend downloading the wallet 'Cake Wallet'. It is very simple to use for begginners and works great it is available on the apple app store and google play store aswell. Step 2: You Will need to buy bitcoin to pay the ransom in recovering your files. Some places to buy bitcoin could be for example https://coinflip.tech (This is a website that tells you where the nearest bitcoin atm is from you the fee is 15.99% so you may need to bring more cash with you.) You can fill your wallet up until you have enough to send the ransom and cover the fee you need to pay me the fees on sending bitcoin usually sits between $4-$6. If you have cashapp you can try sending bitcoin that way aswell there is a place where you can invest into bitcoin I would recommend watching videos on buying and sending it. Step 3: Once you have boughten bitcoin you will need to send it. Please scan the QR code that is shown in my wallpaper. The wallpaper is on your computer if you have not already seen it. 
If you are unsure on how to scan it with a bitcoin wallet you made on your mobile device then please scan the qr code by going into your camera app and hovering over it. It should pop up with a bitcoin address once you get the bitcoin address then send the required bitcoin. You can also use snapchat's camera to scan bitcoin QR codes. If you are using cake wallet select that 'fast' option for a fast confirmation the faster I can confirm that the bitcoin has been sent to my bitcoin address the faster you will get your files back. If you are using cash app to send the bitcoin select the fastest option for a quick payment. Step 4: Contact my email once the bitcoin is sent again the bitcoin needs to be sent from a different device other then the infected computer in order to make a smoothe and quick transaction. My Email: [email protected] Step 5: A decrypter will be provided to you once the payment is sent make sure that you disable virus protection temporaily again to decrypt your files. To decrypt please drag the private key into the decrypter application it should say 'Open With' and just hit 'more info' and select yes if needed to run it. After it is ran your files will then successfully be unlocked and in your possession. If a payment has not been made within 2 days all of your personal files on your computer such as your pictures, passwords, any data, private logs, etc will be sent out on to the darkweb or (The Tor Browser). As well as any connected USB's or backup drives will also have been infected and they will be sent out on the dark web as well. It is important to have good communication with me or if my one of my workers (who spread the malware on your computer) is helping you out for example make such that they can verify that the payment has gone through. No further warnings will go out. Once again please make a crypto wallet on a different device other then your computer because there is a high chance that you will lose your funds using your computer. 
So Again I recommend using a Phone or any other mobile device that you have. If you forgot how much to send in bitcoin to the qr code it was 0.0008 Bitcoin Again my email to contact me at is: [email protected]
URLs

https://coinflip.tech

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 2 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Detects command variations typically used by ransomware 2 IoCs
  • Detects executables containing many references to VEEAM. Observed in ransomware 2 IoCs
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (261) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-30_c9f6fc22d04c4d56622e9322d1a34d70_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-30_c9f6fc22d04c4d56622e9322d1a34d70_wannacry.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:512
    • C:\Users\Admin\AppData\Roaming\Installer.exe
      "C:\Users\Admin\AppData\Roaming\Installer.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3344
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2140
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:5044
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1700
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:640
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2284
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:4204
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4400
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:1540
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:464
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3208
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2812
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:1512
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:4648

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2024-04-30_c9f6fc22d04c4d56622e9322d1a34d70_wannacry.exe.log

      Filesize

      1KB

      MD5

      baf55b95da4a601229647f25dad12878

      SHA1

      abc16954ebfd213733c4493fc1910164d825cac8

      SHA256

      ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

      SHA512

      24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

    • C:\Users\Admin\AppData\Roaming\Installer.exe

      Filesize

      1.1MB

      MD5

      c9f6fc22d04c4d56622e9322d1a34d70

      SHA1

      d45ed6385e183456f1d0f68aba47727df1d38256

      SHA256

      b7b3f9f8e59c42d40505a0e53039b69ba969b84b14d31a71557f5a09855b678a

      SHA512

      f73342e15b3f1fb180f845950ed90f0fdc9c54f1040d457d78f2a13be445d65650dca455b254254db566e81b4c089539370edda3ef76a4c5bbc32ea7aaaa40e2

    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\a9whdnbl.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite.DumbStackz

      Filesize

      48KB

      MD5

      b1730c5793cf808333ce080f2f34c482

      SHA1

      36a2b835ed3f007872e871a2aa5eea8ad4ad6cd9

      SHA256

      b6177e44743826511f37fe5abf2d467c07627d699d03e92d91c8d28c3fb47e2a

      SHA512

      b0371e8c0d05c0b99919d65ccf1a32f562b1b5d8517f4324bb720e5146730663436230bb3d17861065bdad19a628958c12290266c4ed3b26f0858fa18ccfc8ae

    • C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Fax Recipient.lnk

      Filesize

      1B

      MD5

      d1457b72c3fb323a2671125aef3eab5d

      SHA1

      5bab61eb53176449e25c2c82f172b82cb13ffb9d

      SHA256

      8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

      SHA512

      ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

    • C:\Users\Default\read_it.txt

      Filesize

      4KB

      MD5

      3487c41ad8ea8f2659c603539beaf06e

      SHA1

      b1d658eba8f7be795a5bbd6657036d6cb08fa6b9

      SHA256

      31e3c22beda1445bba2c1e275fc4bc3f3cfa5d835db1ecf15ffa65d340436d89

      SHA512

      d936da83f894bf5de5d4d761bf4298f16a867ebb3a7873bb53f2915d5be440234310c4e07048b2a5beab5a19c706055d4bc212fdfc5101d23025b03d3bfdaad4

    • memory/512-15-0x00007FFE63300000-0x00007FFE63DC1000-memory.dmp

      Filesize

      10.8MB

    • memory/512-0-0x0000000000C40000-0x0000000000D5C000-memory.dmp

      Filesize

      1.1MB

    • memory/512-2-0x00000000014F0000-0x0000000001500000-memory.dmp

      Filesize

      64KB

    • memory/512-1-0x00007FFE63300000-0x00007FFE63DC1000-memory.dmp

      Filesize

      10.8MB

    • memory/2812-18-0x00007FFE7F3A9000-0x00007FFE7F3AA000-memory.dmp

      Filesize

      4KB

    • memory/3344-17-0x000000001AFB0000-0x000000001AFC0000-memory.dmp

      Filesize

      64KB

    • memory/3344-16-0x00007FFE63300000-0x00007FFE63DC1000-memory.dmp

      Filesize

      10.8MB

    • memory/3344-1559-0x00007FFE63300000-0x00007FFE63DC1000-memory.dmp

      Filesize

      10.8MB

    • memory/3344-1560-0x000000001AFB0000-0x000000001AFC0000-memory.dmp

      Filesize

      64KB