chaos | d573d63d8a5a350f94565a56229f544dad6b1ad2aa63fd724d09e51f093a5324

General

Target

2024-05-26_473bb234d2c4d704a4ade547eb0d4b86_destroyer_wannacry.exe
Size

22KB
MD5

473bb234d2c4d704a4ade547eb0d4b86
SHA1

92e86e3295d902e5db0e0f34876cc67c8f6f23a7
SHA256

d573d63d8a5a350f94565a56229f544dad6b1ad2aa63fd724d09e51f093a5324
SHA512

76bd0d9c7cebc238cfda7f193648e480ef10d311208699fd3fba94b0a89bfe81f4b061454dc80e402ef6b2def6385fc00132503b0444d3353c14e1df3051cd43
SSDEEP

384:fn3Mg/bqo2dWNx9pmdbJcJ9r91Canxe41dDen:5qo2+fpaJ09r9Jnxe415en

Score

10^/10

chaos ransomware spyware stealer

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2172-1-0x0000000000E40000-0x0000000000E4C000-memory.dmp	family_chaos
C:\Users\Admin\AppData\Roaming\svchost.exe	family_chaos
behavioral1/memory/2248-8-0x0000000000920000-0x000000000092C000-memory.dmp	family_chaos

Detects command variations typically used by ransomware 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2172-1-0x0000000000E40000-0x0000000000E4C000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware
C:\Users\Admin\AppData\Roaming\svchost.exe	INDICATOR_SUSPICIOUS_GENRansomware
behavioral1/memory/2248-8-0x0000000000920000-0x000000000092C000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware

Renames multiple (81) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Drops startup file 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url svchost.exe
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

2248 svchost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1540 NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

svchost.exe

pid process

2248 svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe

pid	process
2248	svchost.exe

pid	process
1540	NOTEPAD.EXE

pid	process
2248	svchost.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

2024-05-26_473bb234d2c4d704a4ade547eb0d4b86_destroyer_wannacry.exesvchost.exe

pid	process
2172	2024-05-26_473bb234d2c4d704a4ade547eb0d4b86_destroyer_wannacry.exe
2172	2024-05-26_473bb234d2c4d704a4ade547eb0d4b86_destroyer_wannacry.exe
2248	svchost.exe
2248	svchost.exe
2248	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-26_473bb234d2c4d704a4ade547eb0d4b86_destroyer_wannacry.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2172	2024-05-26_473bb234d2c4d704a4ade547eb0d4b86_destroyer_wannacry.exe
Token: SeDebugPrivilege	2248	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2024-05-26_473bb234d2c4d704a4ade547eb0d4b86_destroyer_wannacry.exesvchost.exe

description	pid	process	target process
PID 2172 wrote to memory of 2248	2172	2024-05-26_473bb234d2c4d704a4ade547eb0d4b86_destroyer_wannacry.exe	svchost.exe
PID 2172 wrote to memory of 2248	2172	2024-05-26_473bb234d2c4d704a4ade547eb0d4b86_destroyer_wannacry.exe	svchost.exe
PID 2172 wrote to memory of 2248	2172	2024-05-26_473bb234d2c4d704a4ade547eb0d4b86_destroyer_wannacry.exe	svchost.exe
PID 2248 wrote to memory of 1540	2248	svchost.exe	NOTEPAD.EXE
PID 2248 wrote to memory of 1540	2248	svchost.exe	NOTEPAD.EXE
PID 2248 wrote to memory of 1540	2248	svchost.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\2024-05-26_473bb234d2c4d704a4ade547eb0d4b86_destroyer_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-26_473bb234d2c4d704a4ade547eb0d4b86_destroyer_wannacry.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2248

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Unlock_FIles.txt
3⤵
- Opens file in notepad (likely ransom note)
PID:1540

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
22KB

MD5
473bb234d2c4d704a4ade547eb0d4b86

SHA1
92e86e3295d902e5db0e0f34876cc67c8f6f23a7

SHA256
d573d63d8a5a350f94565a56229f544dad6b1ad2aa63fd724d09e51f093a5324

SHA512
76bd0d9c7cebc238cfda7f193648e480ef10d311208699fd3fba94b0a89bfe81f4b061454dc80e402ef6b2def6385fc00132503b0444d3353c14e1df3051cd43

Download Submit
C:\Users\Admin\Music\Unlock_FIles.txt
Filesize
314B

MD5
346bf23d55d0633adde387c99f3bc6b4

SHA1
4e2f231b945831fdc19d97397a3949e1c1ceb06b

SHA256
b3f65aae52119cfbbbb919959b4f0923d36e1b4f81de4f5840e183afc9dd5263

SHA512
0247d480ef9052f04a3cecb7020d2085270ffa4383a61fd7670b6eb07470bc21f282ba470ad1edd4ce150401f8b3ffe7d21dedac30a2427fa0378dcb96733ef4

Download Submit
memory/2172-0-0x000007FEF5F03000-0x000007FEF5F04000-memory.dmp

Filesize
4KB

Download
memory/2172-1-0x0000000000E40000-0x0000000000E4C000-memory.dmp

Filesize
48KB

Download
memory/2248-7-0x000007FEF5513000-0x000007FEF5514000-memory.dmp

Filesize
4KB

Download
memory/2248-8-0x0000000000920000-0x000000000092C000-memory.dmp

Filesize
48KB

Download
memory/2248-38-0x000007FEF5510000-0x000007FEF5EFC000-memory.dmp

Filesize
9.9MB

Download
memory/2248-188-0x000007FEF5513000-0x000007FEF5514000-memory.dmp

Filesize
4KB

Download
memory/2248-189-0x000007FEF5510000-0x000007FEF5EFC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads