Analysis

  • max time kernel
    118s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-06-2024 07:38

General

  • Target
    2024-06-14_47cb4cb930541788a53da6337f726dc8_destroyer_wannacry.exe
  • Size
    88KB
  • MD5
    47cb4cb930541788a53da6337f726dc8
  • SHA1
    2d7297e0469e51784b44212c795bae5237c314dc
  • SHA256
    635adb7c70d41a43be40469bd0a517e8feb8a9ddb3e68f0ead3c2a4b82875213
  • SHA512
    cfd584a481a8416900d0d081e81c5da1206c2723a39b02225afbfb636f5d81e705b425816e9498cc089daa7e387434af4d1a1ffc866181c43af3f5b83fa796a2
  • SSDEEP
    1536:Co27Ggr90aa8ZkYU2Jm6Ywm2vmyzuXpXppfpp0ppzpphppypp9poppTp:CoUGgr90H86wm2vZy

Malware Config

Signatures

  • Chaos
    Ransomware family first seen in June 2021.
  • Chaos Ransomware (3 IoCs)
  • Detects command variations typically used by ransomware (3 IoCs)
  • Renames multiple (207) files with added filename extension
    This suggests ransomware activity: the sample is encrypting the files on the system.
  • Drops startup file (3 IoCs)
  • Executes dropped EXE (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials and similar secrets.
  • Drops desktop.ini file(s) (34 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Opens file in notepad (likely ransom note) (1 IoC)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (5 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-14_47cb4cb930541788a53da6337f726dc8_destroyer_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-14_47cb4cb930541788a53da6337f726dc8_destroyer_wannacry.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Users\Admin\AppData\Roaming\마인크래프트 무료설치.exe
      "C:\Users\Admin\AppData\Roaming\마인크래프트 무료설치.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2828
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:2668

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\마인크래프트 무료설치.exe
    Filesize
    88KB
    MD5
    47cb4cb930541788a53da6337f726dc8
    SHA1
    2d7297e0469e51784b44212c795bae5237c314dc
    SHA256
    635adb7c70d41a43be40469bd0a517e8feb8a9ddb3e68f0ead3c2a4b82875213
    SHA512
    cfd584a481a8416900d0d081e81c5da1206c2723a39b02225afbfb636f5d81e705b425816e9498cc089daa7e387434af4d1a1ffc866181c43af3f5b83fa796a2
  • C:\Users\Admin\Documents\read_it.txt
    Filesize
    641B
    MD5
    b91469b8c47041b5b5a04581fab689d2
    SHA1
    562ce0e37bc596854d8f664f255f40c05e42f565
    SHA256
    a82a92f952293fbea756de18927fc0a6091d65b7c23bfe45b61f9e876c474c69
    SHA512
    3b39eddab0d4aaf6c1c0a51e720d031d2b21df5ab0df69860b9ffb92680e27ee4ae57e9e25bde31ca4c4424970f4f72bfc371bbca78055ede83d2b737efafaa4
  • memory/1976-0-0x000007FEF5863000-0x000007FEF5864000-memory.dmp
    Filesize
    4KB
  • memory/1976-1-0x00000000000F0000-0x000000000010C000-memory.dmp
    Filesize
    112KB
  • memory/2828-7-0x0000000000FC0000-0x0000000000FDC000-memory.dmp
    Filesize
    112KB
  • memory/2828-9-0x000007FEF5860000-0x000007FEF624C000-memory.dmp
    Filesize
    9.9MB
  • memory/2828-10-0x000007FEF5860000-0x000007FEF624C000-memory.dmp
    Filesize
    9.9MB
  • memory/2828-476-0x000007FEF5860000-0x000007FEF624C000-memory.dmp
    Filesize
    9.9MB