chaos | 4e359ae286505974c77f25cd4862138af31ad5fc63b29fc1682a59d996bddc85

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
16-06-2024 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-16_d34b72d869022e1b685776dfacee4aa0_destroyer_wannacry.exe
Size

88KB
MD5

d34b72d869022e1b685776dfacee4aa0
SHA1

25cf4456c9b434b56fcb77146275eee0b86d300f
SHA256

4e359ae286505974c77f25cd4862138af31ad5fc63b29fc1682a59d996bddc85
SHA512

88e123dd30a67f9bcc62e0f7bf078530dcc6efa385f9d530a73bc34a0edf1300ead4ed000e9f3da4f08787a2a6e6274e91f1455ed09067b0e7caeadf84875c43
SSDEEP

1536:Po2tljKtJr91/SDwkYU2Jm6Ywm2vmyzuXpXppfpp0ppzpphppypp9poppTp:PoijKtJr91KDdwm2vZy

Score

10^/10

chaos ransomware spyware stealer

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 3 IoCs

resource	yara_rule
behavioral1/memory/2880-1-0x0000000000C40000-0x0000000000C5C000-memory.dmp	family_chaos
behavioral1/files/0x00090000000149f5-5.dat	family_chaos
behavioral1/memory/2772-8-0x0000000001040000-0x000000000105C000-memory.dmp	family_chaos

Detects command variations typically used by ransomware 3 IoCs

resource	yara_rule
behavioral1/memory/2880-1-0x0000000000C40000-0x0000000000C5C000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware
behavioral1/files/0x00090000000149f5-5.dat	INDICATOR_SUSPICIOUS_GENRansomware
behavioral1/memory/2772-8-0x0000000001040000-0x000000000105C000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware

Renames multiple (183) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\setup.url	setup.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	setup.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt	setup.exe

Executes dropped EXE 1 IoCs

pid	Process
2772	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 34 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Documents\desktop.ini	setup.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	setup.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	setup.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	setup.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	setup.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	setup.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini	setup.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	setup.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	setup.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	setup.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	setup.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	setup.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	setup.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	setup.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	setup.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	setup.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	setup.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	setup.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	setup.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	setup.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	setup.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	setup.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	setup.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	setup.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	setup.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	setup.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	setup.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	setup.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	setup.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	setup.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	setup.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	setup.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	setup.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2728	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2772	setup.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2880	2024-06-16_d34b72d869022e1b685776dfacee4aa0_destroyer_wannacry.exe
2880	2024-06-16_d34b72d869022e1b685776dfacee4aa0_destroyer_wannacry.exe
2772	setup.exe
2772	setup.exe
2772	setup.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	2024-06-16_d34b72d869022e1b685776dfacee4aa0_destroyer_wannacry.exe
Token: SeDebugPrivilege	2772	setup.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2772	2880	2024-06-16_d34b72d869022e1b685776dfacee4aa0_destroyer_wannacry.exe	28
PID 2880 wrote to memory of 2772	2880	2024-06-16_d34b72d869022e1b685776dfacee4aa0_destroyer_wannacry.exe	28
PID 2880 wrote to memory of 2772	2880	2024-06-16_d34b72d869022e1b685776dfacee4aa0_destroyer_wannacry.exe	28
PID 2772 wrote to memory of 2728	2772	setup.exe	30
PID 2772 wrote to memory of 2728	2772	setup.exe	30
PID 2772 wrote to memory of 2728	2772	setup.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-06-16_d34b72d869022e1b685776dfacee4aa0_destroyer_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-16_d34b72d869022e1b685776dfacee4aa0_destroyer_wannacry.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Users\Admin\AppData\Roaming\setup.exe
  "C:\Users\Admin\AppData\Roaming\setup.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\setup.exe

Filesize
88KB

MD5
d34b72d869022e1b685776dfacee4aa0

SHA1
25cf4456c9b434b56fcb77146275eee0b86d300f

SHA256
4e359ae286505974c77f25cd4862138af31ad5fc63b29fc1682a59d996bddc85

SHA512
88e123dd30a67f9bcc62e0f7bf078530dcc6efa385f9d530a73bc34a0edf1300ead4ed000e9f3da4f08787a2a6e6274e91f1455ed09067b0e7caeadf84875c43

Download Submit
C:\Users\Admin\Documents\read_it.txt

Filesize
861B

MD5
9ddf410ffe7bd14364c6e1c53b421d88

SHA1
8b6312ee7b01990d1b01d39d87cd3c7667a0b89b

SHA256
702b3327d90e6d3f81a69ffdcbc1d7bac81756e952fced755a69c8ac2ee89525

SHA512
ebbaa7b784aff8277afed199555f5e3ee13a66d3be914abcfd25fb6d0e322fc5f2f3c88993c9327d13fc24d3c556b8844ae31ffe68076650fb1978c99ffa6834

Download Submit
memory/2772-8-0x0000000001040000-0x000000000105C000-memory.dmp

Filesize
112KB

Download
memory/2772-18-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/2772-27-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/2772-429-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/2880-0-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmp

Filesize
4KB

Download
memory/2880-1-0x0000000000C40000-0x0000000000C5C000-memory.dmp

Filesize
112KB

Download