chaos

General

Target

2024-04-08_bc7d2982cf93e751f42e42e649856949_wannacry
Size

435KB
Sample

240620-kqtzqsydnc
MD5

bc7d2982cf93e751f42e42e649856949
SHA1

5d760bf9bacdd2dbb77c1c31af142025fe8a1a91
SHA256

88003a5d7e92939d923369ef7d7a9d54230dd8aa1e97760a04df75b89aa62126
SHA512

610c05f78f380c1875160d76ec08e5c5b5cf37c17c759ff51fdfa86dc0191e88c7e174789450f754c469476afdfeb45d4cc4ed6ba17e52b39ad3b2faaaad2524
SSDEEP

12288:34J5PLJED4FtD2IOyd0K5Qzpi/MhHvFOHHHRw3+Ue70VkF33T8Wx355N:3QWOYKAJqnxLH

Score

10^/10

Malware Config

Extracted

Path

C:\ProgramData\Adobe\Updater6\READ_SOLUTION.txt

Ransom Note

If you are opportune to see this message right now, that means your data security has been compromised !!! You have been hit hard by a sophisticated Ransomware Attack by CROCODILE SMILE, LOL. This Attack is known as OPERATION FLUSH. All your critical and confidential files, including private documents, photos, databases, and other important informations, have been encrypted, leaked, and transferred to our servers. In accordance with European data protection regulations, we are reaching out to inform you of this breach and to offer assistance in recovering your encrypted files. We acknowledge the gravity of the situation and are fully dedicated to swiftly delivering a solution. Our priority is to safeguard your organization's reputation and ensure the confidentiality of your files and documents remains intact, free from any leaks or compromises. To initiate the decryption process and retrieve your files, please follow these official steps: 1) Contact our designated communication channel via Telegram ID: CrocodileSmile 2) Make the necessary arrangements to obtain 20.6 Bitcoin, as payment for the decryption service. Please note that decryption can only be completed upon receipt of payment in Bitcoins. 3) Upon successful payment, we will provide you with the decryption key required to swiftly decrypt all affected files. We assure you that compliance with these instructions is crucial for the recovery of your data. We urge you to act swiftly to mitigate further data loss and restore the integrity of your information assets. Should you require any clarification or assistance, do not hesitate to contact us through the designated communication channel.

Targets

- Target
  
  2024-04-08_bc7d2982cf93e751f42e42e649856949_wannacry
- Size
  
  435KB
- MD5
  
  bc7d2982cf93e751f42e42e649856949
- SHA1
  
  5d760bf9bacdd2dbb77c1c31af142025fe8a1a91
- SHA256
  
  88003a5d7e92939d923369ef7d7a9d54230dd8aa1e97760a04df75b89aa62126
- SHA512
  
  610c05f78f380c1875160d76ec08e5c5b5cf37c17c759ff51fdfa86dc0191e88c7e174789450f754c469476afdfeb45d4cc4ed6ba17e52b39ad3b2faaaad2524
- SSDEEP
  
  12288:34J5PLJED4FtD2IOyd0K5Qzpi/MhHvFOHHHRw3+Ue70VkF33T8Wx355N:3QWOYKAJqnxLH
Score

10^/10

chaos defense_evasion evasion execution impact persistence ransomware spyware stealer
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (180) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Disables Task Manager via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2