Overview

overview

10

Static

static

10

2024-06-16...ry.exe

windows7-x64

10

2024-06-16...ry.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2024-06-16_1edae706b6ba5c74c4e614551bb50add_wannacry

  • Size

    211KB

  • Sample

    240616-e1p6mszbkd

  • MD5

    1edae706b6ba5c74c4e614551bb50add

  • SHA1

    3aa456a3e8b74fa7237158ed90c79e06e87d3fb0

  • SHA256

    d8d7964db066a0d46060fbff334cf56292ba4dbba875d86e59a24e75841c85eb

  • SHA512

    c39babf21f2046d0f49b176718cbe82352c7afcfcd7128b380fbad1958f0718cde990cf7697de025b9ec1b656f6ae6ad062be3ff4c0901a17aecb4c098137b40

  • SSDEEP

    3072:nc91C49Jg1zgiH4gPmxon+ncNz8RQmxxrRyXk4:nc9s4M7YBG8

Score
10/10
chaosdefense_evasionevasionexecutionimpactransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\readme.txt

Family

chaos

Ransom Note
----> Chaos is multi language ransomware. Translate your note to any language <---- All of your files have been encrypted your machine has just been infected by Lockbit 3.0 All your data has been encrypted and cannot be decrypted without our help. If you wish to recover your data, you must pay 180 euros/dollars in btc. You have 7 days. If you refuse to pay, or pay only part of the fee, your files will be permanently deleted. Modifying or decrypting your data yourself may lead to complications and our decryption tool will be ineffective. We are lockbit, a group that generally attacks companies. We have been active since 2017. Our movement is not political. What's the guarantee that we'll restore your files? Lockbit just wants your money, this thing, this piece piece of paper so meaningless. Deleting your data won't do us any good. The choice is yours. Once you've paid the ransom, let us know by sending an e-mail to [email protected], specifying the date and time of payment and this unique code which will enable us to identify which machine to restore: 835534. Payment informationAmount:Dependsoncurrency BTC Bitcoin Address: bc1qvnsaalef5t0ymae0vzk69hxng8xfjudn0pu6h9

Targets

    • Target

      2024-06-16_1edae706b6ba5c74c4e614551bb50add_wannacry

    • Size

      211KB

    • MD5

      1edae706b6ba5c74c4e614551bb50add

    • SHA1

      3aa456a3e8b74fa7237158ed90c79e06e87d3fb0

    • SHA256

      d8d7964db066a0d46060fbff334cf56292ba4dbba875d86e59a24e75841c85eb

    • SHA512

      c39babf21f2046d0f49b176718cbe82352c7afcfcd7128b380fbad1958f0718cde990cf7697de025b9ec1b656f6ae6ad062be3ff4c0901a17aecb4c098137b40

    • SSDEEP

      3072:nc91C49Jg1zgiH4gPmxon+ncNz8RQmxxrRyXk4:nc9s4M7YBG8

    Score
    10/10
    chaosdefense_evasionevasionexecutionimpactransomwarespywarestealer

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Detects command variations typically used by ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Disables Task Manager via registry modification

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks