Overview

overview

10

Static

static

10

2024-06-05...ry.exe

windows7-x64

10

2024-06-05...ry.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-06-2024 04:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-06-05_4ff85cbdd46c103d0e396807f24e910a_destroyer_wannacry.exe

  • Size

    17KB

  • MD5

    4ff85cbdd46c103d0e396807f24e910a

  • SHA1

    9ec70e1ec2eeaaf7fa55986d6d57f62d2ae50765

  • SHA256

    bd02208a5415b76b35f8057702ffbf8820349d4a4139158681932f1957c73e06

  • SHA512

    11e1f1d3bd8166d798f95a16f14097baffdcc526bfa60c9207a0da63810327801f08ada6f65e7fcc711ef6973efddd0e3749b22477e2bd43ca7af070721c9aa8

  • SSDEEP

    192:m9M3MgSZWHWUHKnaV1dGOqnovuDm4PDpJZX9ld4njwcPRHgStes/91C1mDm9S3vb:m+3Mg/bqo2RLpLtlOj7Jtr91CEmIRe/

Score
10/10
chaosransomwarespywarestealer

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos
  • Chaos Ransomware 2 IoCs
  • Detects command variations typically used by ransomware 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-05_4ff85cbdd46c103d0e396807f24e910a_destroyer_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-05_4ff85cbdd46c103d0e396807f24e910a_destroyer_wannacry.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1856
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4448
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:3864

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\read_it.txt
    Filesize

    31B

    MD5

    bfa32079fea0deb78981666628772bb1

    SHA1

    1fdf7fc0b47cd971a912ea622cf42201c77e9f71

    SHA256

    e9698ccd7406c3f414f1ef2ad8ed63b6f110410ac72be25a0a4b055f09175f31

    SHA512

    bfe70383e9ac72c560b97e0283c79865b8eaf8f38d10e71fea396f7f7d0187de9d008273fbf00275c0b257e7177c316c65051c7403ce8378dccf96d5a8ec908d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\svchost.exe
    Filesize

    17KB

    MD5

    4ff85cbdd46c103d0e396807f24e910a

    SHA1

    9ec70e1ec2eeaaf7fa55986d6d57f62d2ae50765

    SHA256

    bd02208a5415b76b35f8057702ffbf8820349d4a4139158681932f1957c73e06

    SHA512

    11e1f1d3bd8166d798f95a16f14097baffdcc526bfa60c9207a0da63810327801f08ada6f65e7fcc711ef6973efddd0e3749b22477e2bd43ca7af070721c9aa8

    Download Submit

  • memory/1856-0-0x00007FFF10A13000-0x00007FFF10A15000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1856-1-0x0000000000160000-0x000000000016A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4448-14-0x00007FFF10A10000-0x00007FFF114D1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4448-26-0x00007FFF10A10000-0x00007FFF114D1000-memory.dmp

    Filesize

    10.8MB

    Download