General

  • Target

    2024-06-30_9419d434db629f523344716672cd4187_wannacry

  • Size

    4.3MB

  • Sample

    240630-nvl2gaxcjh

  • MD5

    9419d434db629f523344716672cd4187

  • SHA1

    3cdab65847e493d1bed982debbd9497561c4a3c0

  • SHA256

    390db2712380d32479d8f0b61397e9cfba7eb084677cd46fc1e72555f5166420

  • SHA512

    f12e761105a5c38d5916bad504713c6f1c87a3ca8f0654d9e920e28eb0b2f7d26c23cd90ebdc79660fcad0267b42d6f21ee0d39090da3956c364a5ce786395e3

  • SSDEEP

    49152:9bV9T1iQXYMP39qD3nB9kbIImcF7vTZJnP:

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\read_mt.txt

Ransom Note
All your files have been encrypted by Anonymous Arabs Your computer has been infected with ransomware. Your files have been encrypted and you won't Be able to decrypt it without our help. What can I do to recover my files? You can purchase our software Decryption software, this software will allow you to recover all your data and remove files Ransomware from your computer. The price of the program is $1500. Payment can only be made with Bitcoin Cash How do I pay, where can I get Bitcoin? Buying Bitcoin varies from country to country, and it's best to do a quick Google search Learn how to buy Bitcoin. It is best to use the TrustWallet wallet to be able to send money to us Payment Information Amount: 3.58 Bitcoin Cash Bitcoin Cash address in TrustWilt wallet: qrzm8vrzg93qpdry8t6dxdlcxfqcrwjr8yvv9dx5c3

Targets

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (168) files with added filename extension

      This suggests ransomware activity: files across the system are being encrypted.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry
