General

  • Target

    2024-06-04_0fc06a200b5caee925f0daf120725106_wannacry

  • Size

    565KB

  • Sample

    240604-njvt8see7w

  • MD5

    0fc06a200b5caee925f0daf120725106

  • SHA1

    9f186aa6bbbf50c0a430d9bd1b3276164fbbce42

  • SHA256

    1130f367f8ae3ce57756116751f902489ab746751f0a4fd3b6cc737f9c2afa7a

  • SHA512

    695deb0c5e5b27e84dc3a62b57e159b84b79be960c1116f45bb40ac7f13170ea38cddf4837a4fdd2c8eff12633cc895b4c839c749470284939ff48bde845c49b

  • SSDEEP

    12288:xO4cmFlknCorfeHFK+i0aN+Ef7vk757l4PD8wtIRKg2zs+1YZeYZr8axeAC3pM:xnIean/tEoP3S

Malware Config

Extracted

Path

C:\Users\Admin\Documents\# XRET #.txt

Ransom Note
%%% Xret Ransomware %%% >>> What happened? We encrypted and stolen all of your files. We use AES and ECC algorithms. Nobody can recover your files without our decryption service. >>> How to recover? We are not a politically motivated group and we want nothing more than money. If you pay, we will provide you with decryption software and destroy the stolen data. >>> What guarantees? You can send us an unimportant file less than 1 MG, We decrypt it as guarantee. If we do not send you the decryption software or delete stolen data, no one will pay us in future so we will keep our promise. >>> How to contact us? Our email address: [email protected] In case of no answer within 24 hours, contact to this Whatsapp: +56-997165537 Write &*&@! in the subject of the email. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>> XRET <<<<< >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>> Warnings! - Do not go to recovery companies, they are just middlemen who will make money off you and cheat you. They secretly negotiate with us, buy decryption software and will sell it to you many times more expensive or they will simply scam you. - Do not hesitate for a long time. The faster you pay, the lower the price. - Do not delete or modify encrypted files, it will lead to problems with decryption of files.

Targets


    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Detects command variations typically used by ransomware

    • Modifies boot configuration data using bcdedit

    • Renames multiple (203) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry
