General

  • Target

    2024-05-18_f89dcaf691e6355ecff8faf4f2d66456_wannacry

  • Size

    293KB

  • Sample

    240518-b5cvbsed26

  • MD5

    f89dcaf691e6355ecff8faf4f2d66456

  • SHA1

    263c5f942b8f5787a466fd8c4a5a6cbee6dfb87b

  • SHA256

    aeeef616860df5ac0bcf37567fb1476d8d60ecc3d9eb6b82515ad5d5c3d5218d

  • SHA512

    b2c6e911c4c417354ca4857f5cbd85f8f8bd80afc3ae43fb3640013d1755f4e1235842617a993a98c253ba8690c328ce1c0b5b4bbc111f93ba5392124cc2bc9a

  • SSDEEP

    6144:H0eq9CkaffINH2da6Bi842ZwWoHa2ksBBk:U8kaffYH2dZBi83ZwWo62ksBB

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\readme.txt

Ransom Note

Hello, Congrats you have been hit by the Scrypt Ransomware so lets talk about recovering your files. First off don't even waste your time with free decrypters. Scrypt Ransomware uses 256 aes bit encryption which means its impossible to bruteforce or attempt to recover your files. So here are the steps to recovering your files. First off let me prefix this by saying reporting this malware or leaving a bad review on the product will instantly disqualify you from recovering your files, so if you wish to see your files in any shape or form I reccomend you keep quiet and follow these steps: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1. Download BitPay: https://bitpay.com/ This can also be downloaded from the microsoft store. 2. Purchase $500 in bitcoin using the buy crypto option 3. Send that $500 in bitcoin to this addr: {_BITCOIN_ADDR} 4. After you have sent the money send an email to {_EMAIL} saying that you have paid and please include your user id. 5. Wait roughly 6 hours, I will send you your decrypter and key which can be used to decrypt all files encrypted by the ransomware. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ YOU HAVE ONE WEEK, AFTER ONE WEEK DECRYPTING YOUR FILES WILL BECOME $5000 REPORTING THIS FILE TO ANYONE WILL RESULT IN A FULL LOSS OF FILES FAILING TO PAY WILL RESULT IN YOUR PERSONAL DETAILS SUCH AS: - IP - Address - Username - Emails and passwords - Discord Account BEEN SOLD ON THE DARKWEB

URLs

https://bitpay.com/

Targets

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Detects command variations typically used by ransomware

    • Detects executables containing many references to VEEAM. Observed in ransomware

    • Renames multiple (158) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks