Analysis

  • max time kernel
    3s
  • max time network
    6s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240729-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-07-2024 19:21

Errors

Reason
Machine shutdown

General

  • Target

    2024-07-28_2310f84927d030fad49735e109c864f3_wannacry.exe

  • Size

    142KB

  • MD5

    2310f84927d030fad49735e109c864f3

  • SHA1

    ea64caf28773a541b0a32f6dc4a35acb0d7d15c8

  • SHA256

    acb1b649b8fa101f04674189de1064add8c929b7e51de01c1a667b41d2333604

  • SHA512

    b29a61082d99f5b53501ddd2bc5437c44f3ab73235ef152cbffe2b318578d3a7e29106412f5c5943960a891fc7e5707921aa4e00901357d53b973357574f977e

  • SSDEEP

    3072:fogMdUr9fsAdLIxkvIDY1779BORVTq/+lS8SMlVBbng:Dpr9fshkloDbfV9n

Malware Config

Extracted

Path

C:\Users\Admin\Documents\Read_me.txt

Ransom Note

All of your files have been encrypted. Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.

What can I do to get my files back? You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer. The price for the software is $5,000. Payment can be made in Bitcoin only.

How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable:
Coinmama - hxxps://www.coinmama.com
Bitpanda - hxxps://www.bitpanda.com

!!!In case you feel like not paying, it's important that you know we will not hesitate to sell your data on the darknet!!!

Bitcoin Address: 32pTE6MyVVfBNSsbCdffuEsKwE51JTT4Uj <----- Send all bitcoins to this address
Wallets

32pTE6MyVVfBNSsbCdffuEsKwE51JTT4Uj

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 2 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-28_2310f84927d030fad49735e109c864f3_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-28_2310f84927d030fad49735e109c864f3_wannacry.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4220
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      PID:3092
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        PID:1996
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:3148
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          PID:3676
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        PID:3488
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:4656
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1756
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        PID:3564
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:4640
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Read_me.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:1472
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:5048
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    PID:1848
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:3904
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    PID:4512
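The process tree above is the whole detection story for this sample: the binary copies itself to %APPDATA%\svchost.exe (the Downloads section shows the dropped file carries the same hashes as the submitted sample), and that copy spawns three cmd.exe wrappers that delete shadow copies (vssadmin, wmic), disable Windows recovery (bcdedit) and delete the backup catalog (wbadmin). The script below is an added example, not part of this sandbox report or of the Chaos sample. It runs the kind of logic a detection engineer would write over process-creation events: every event is matched against the recovery-inhibition command lines seen here (ATT&CK T1490), a system-binary name running outside System32/SysWOW64 is flagged as masquerading (T1036.005), and distinct T1490 actions are counted per root process so that one administrator running vssadmin alone does not score like this tree does. The events are constructed from the PIDs and command lines on this page in a Sysmon Event ID 1-like shape; the field names (ProcessId, ParentProcessId, Image, CommandLine) are an assumption about the log source, and a benign System32\svchost.exe is added as a control.

```python
"""Detection logic for the recovery-inhibition chain in the process tree above.

Added example, not part of the sandbox report or the Chaos sample. EVENTS is
CONSTRUCTED from the PIDs and command lines on this page in a Sysmon Event ID
1-like shape; the field names are an assumption about the log source.
"""
import re
from dataclasses import dataclass

# Names ransomware commonly borrows; a legitimate copy lives only under these
# directories (assumption: 64-bit Windows layout, as on the sandbox VM).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "smss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# (pattern, ATT&CK technique, meaning). Matched against the lower-cased,
# whitespace-collapsed command line, so a cmd.exe /C wrapper fires as well as
# the child it spawns.
INDICATORS = [
    (re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b"), "T1490", "vssadmin deletes shadow copies"),
    (re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"), "T1490", "wmic deletes shadow copies"),
    (re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b"), "T1490", "bcdedit disables the recovery environment"),
    (re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b"), "T1490", "bcdedit suppresses boot-failure recovery"),
    (re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b"), "T1490", "wbadmin deletes the backup catalog"),
]


@dataclass
class Finding:
    pid: int
    image: str
    technique: str
    detail: str
    lineage: list  # root PID first, flagged PID last


def _ev(pid, ppid, image, cmd):
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image, "CommandLine": cmd}


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-07-28_2310f84927d030fad49735e109c864f3_wannacry.exe"
SVCHOST = r"C:\Users\Admin\AppData\Roaming\svchost.exe"
CMD = r"C:\Windows\System32\cmd.exe"
EVENTS = [  # constructed from the process tree on this page
    _ev(4220, 0, SAMPLE, f'"{SAMPLE}"'),
    _ev(3092, 4220, SVCHOST, f'"{SVCHOST}"'),
    _ev(1996, 3092, CMD, f'"{CMD}" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete'),
    _ev(3148, 1996, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    _ev(3676, 1996, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    _ev(3488, 3092, CMD, f'"{CMD}" /C bcdedit /set {{default}} bootstatuspolicy ignoreallfailures & bcdedit /set {{default}} recoveryenabled no'),
    _ev(4656, 3488, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    _ev(1756, 3488, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    _ev(3564, 3092, CMD, f'"{CMD}" /C wbadmin delete catalog -quiet'),
    _ev(4640, 3564, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    _ev(1472, 3092, r"C:\Windows\system32\NOTEPAD.EXE", r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Read_me.txt'),
    # Constructed benign control: the real svchost.exe must not be flagged.
    _ev(900, 700, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
]


def lineage(by_pid, pid):
    """Walk ParentProcessId links up to the root (or to a parent we never saw); root first."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid]["ParentProcessId"]
    return chain[::-1]


def is_masquerading(image):
    """A protected system-binary name whose image path is outside System32/SysWOW64."""
    low = image.lower()
    return low.rsplit("\\", 1)[-1] in SYSTEM_BINARIES and not low.startswith(SYSTEM_DIRS)


def analyze(events):
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        cmd = re.sub(r"\s+", " ", e["CommandLine"]).strip().lower()
        chain = lineage(by_pid, e["ProcessId"])
        for pat, tech, detail in INDICATORS:
            if pat.search(cmd):
                findings.append(Finding(e["ProcessId"], e["Image"], tech, detail, chain))
        if is_masquerading(e["Image"]):
            findings.append(Finding(e["ProcessId"], e["Image"], "T1036.005",
                                    "system binary name outside a system directory", chain))
    return findings


def inhibition_score(findings):
    """Distinct T1490 actions per root process. One vssadmin call may be an admin;
    several distinct recovery-inhibition actions under one root is the pattern this report shows."""
    per_root = {}
    for f in findings:
        if f.technique == "T1490":
            per_root.setdefault(f.lineage[0], set()).add(f.detail)
    return {root: len(actions) for root, actions in per_root.items()}


if __name__ == "__main__":
    fs = analyze(EVENTS)
    for f in fs:
        print(f"{f.technique} pid={f.pid} chain={'>'.join(map(str, f.lineage))} {f.detail}")
    print("T1490 actions per root:", inhibition_score(fs))
```

Run against the constructed events, every T1490 finding traces back to PID 4220, and the root accumulates all five distinct inhibition actions; the masquerading finding lands on PID 3092 only, and the System32 control produces nothing. In a real pipeline the wrapper and child both firing is useful rather than noisy: cmd.exe `/C` carries the full chained command line even if the child process event is missed.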

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\svchost.exe

    Filesize

    142KB

    MD5

    2310f84927d030fad49735e109c864f3

    SHA1

    ea64caf28773a541b0a32f6dc4a35acb0d7d15c8

    SHA256

    acb1b649b8fa101f04674189de1064add8c929b7e51de01c1a667b41d2333604

    SHA512

    b29a61082d99f5b53501ddd2bc5437c44f3ab73235ef152cbffe2b318578d3a7e29106412f5c5943960a891fc7e5707921aa4e00901357d53b973357574f977e

  • C:\Users\Admin\Documents\Read_me.txt

    Filesize

    1008B

    MD5

    92e4efcfba31fbf8e7dc5e0073eb1170

    SHA1

    2380a731f0fdd226a28bbd7acc9a6ccfb550ac6c

    SHA256

    9785aee9c6f083ee8da868491f4649e8bfe179a24f99704cee68873f99bd40f9

    SHA512

    eb321db8ddc0d36d1fd4c2d631cc872a5c15ff341192b7b151dfd87ed744ef381cc14602abd43c5cc2ec48db24f66da009733e0a5c32ab31783358cd5e808cf6

  • memory/3092-14-0x00007FFA33770000-0x00007FFA34231000-memory.dmp

    Filesize

    10.8MB

  • memory/4220-0-0x00000000001A0000-0x00000000001CA000-memory.dmp

    Filesize

    168KB

  • memory/4220-1-0x00007FFA33773000-0x00007FFA33775000-memory.dmp

    Filesize

    8KB