General

  • Target

    2024-07-06_f55de5b6c0d9f50f0c60f756f7fe95d8_wannacry

  • Size

    1.3MB

  • Sample

    240706-jwftmatgnb

  • MD5

    f55de5b6c0d9f50f0c60f756f7fe95d8

  • SHA1

    560065e8fbc3eb7743c74d3300d73db16141fd1f

  • SHA256

    8ae1d9e815abc504d01b48ecf21e4133b34b4b3e4a0e93804f44f8a9b328bd5d

  • SHA512

    33c156038453ebd119236141236fd91e826871cd9c683d8de1b632dd78fee2e429bb922925540d387393aebbb24724d56ce37d62c0688a85d442f088fc288d17

  • SSDEEP

    12288:YOON9XNVtG5MCkcyGNg+NCVSobImvOaeohhdx7Pa1l2rZkkIW71v623TKBYa6sw8:YR96yrn6XaFmyuJIAp2

Targets

    • Target

      2024-07-06_f55de5b6c0d9f50f0c60f756f7fe95d8_wannacry

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (175) files with added filename extension

      This suggests ransomware activity, namely encrypting all the files on the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry
