General

  • Target

    2024-08-30_65f701945cd471bd6e95bad1b71201f5_chaos_destroyer_wannacry

  • Size

    34KB

  • Sample

    240830-ttqwxstara

  • MD5

    65f701945cd471bd6e95bad1b71201f5

  • SHA1

    7ba2901cf5617389cf8ab17d614392bff53f6944

  • SHA256

    b105e6a95291eee9a9223554ad78d2e082ab1a8acc3523d7b644e5cf4add703a

  • SHA512

    4a455ca2d25c38390a2f4e448fe81e7435e0db75d193e95f40803c165af48c4f40e2e562a5839687d09742577612f42000aeb5ac284ea72b8b533f007153897c

  • SSDEEP

    768:vqo2SeShAFSpajl0vr90fMY4cB0dbjeC:io2zsW1l0vr90fEcB04C

Malware Config

Targets

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks