Extracted

• • Target

    2024-07-09_dc884e3241e125218d69f53f400e8442_wannacry

  • Size

    263KB

  • MD5

    dc884e3241e125218d69f53f400e8442

  • SHA1

    8687422a10ad022925c19c2719381e8bd169331c

  • SHA256

    0bf9b5ef693b11181d39deb87556e8f8dfbf7f617c13bd2602547ae73c4fd1e9

  • SHA512

    7a34d84e3458ba7da67bd9d9dba797c4b4be000fe8b261feb3b3f10525eaace4a74aa28ba35ac439e934d5f65bd3d44eb09c33a35d96a37de777c008032ce4c6

  • SSDEEP

    3072:Dcq9wqyZnCboGSqihQ5Mk/EHCSQ9IiNP8Q1fBLe8vQQ7b8lW76+zGklGT5Ckn/dN:Dcq9HScRiDH6b/e8/8li3GXuE3y74

  Score

  10^/10

  chaosdefense_evasionevasionexecutionimpactpersistenceransomwarespywarestealer

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos

  • Chaos Ransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Deletes backup catalog

    Uses wbadmin.exe to inhibit system recovery.

    ransomware

  • Disables Task Manager via registry modification

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Drops startup file

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Sets desktop wallpaper using registry

    ransomware
  behavioral1