Analysis Overview
SHA256
0545950ceb362f4f82da58a3c24825c26e188e210d345fbd127ad75b0f8dbcc9
Threat Level: Known bad
The file 202409086b573d2e5879c3cb307b1e1fdb9087f4wannacry was found to be: Known bad.
Malicious Activity Summary
Chaos Ransomware
Chaos
Chaos family
Looks for VirtualBox Guest Additions in registry
Looks for VMWare Tools registry key
Loads dropped DLL
Executes dropped EXE
Drops startup file
Checks BIOS information in registry
Drops desktop.ini file(s)
Maps connected drives based on registry
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-08 09:09
Signatures
Chaos Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Chaos family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-08 09:09
Reported
2024-09-08 09:12
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Chaos
Chaos Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\202409086b573d2e5879c3cb307b1e1fdb9087f4wannacry.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Local\Temp\202409086b573d2e5879c3cb307b1e1fdb9087f4wannacry.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\202409086b573d2e5879c3cb307b1e1fdb9087f4wannacry.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\202409086b573d2e5879c3cb307b1e1fdb9087f4wannacry.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\202409086b573d2e5879c3cb307b1e1fdb9087f4wannacry.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\202409086b573d2e5879c3cb307b1e1fdb9087f4wannacry.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\202409086b573d2e5879c3cb307b1e1fdb9087f4wannacry.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\202409086b573d2e5879c3cb307b1e1fdb9087f4wannacry.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2112 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\202409086b573d2e5879c3cb307b1e1fdb9087f4wannacry.exe | C:\Users\Admin\AppData\Roaming\svchost.exe |
| PID 2112 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\202409086b573d2e5879c3cb307b1e1fdb9087f4wannacry.exe | C:\Users\Admin\AppData\Roaming\svchost.exe |
| PID 2112 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\202409086b573d2e5879c3cb307b1e1fdb9087f4wannacry.exe | C:\Users\Admin\AppData\Roaming\svchost.exe |
| PID 2976 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\system32\WerFault.exe |
| PID 2976 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\system32\WerFault.exe |
| PID 2976 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\202409086b573d2e5879c3cb307b1e1fdb9087f4wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\202409086b573d2e5879c3cb307b1e1fdb9087f4wannacry.exe"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2976 -s 768
Network
Files
memory/2112-0-0x000007FEF5FD3000-0x000007FEF5FD4000-memory.dmp
memory/2112-1-0x00000000000E0000-0x0000000000124000-memory.dmp
memory/2112-2-0x0000000000480000-0x000000000048C000-memory.dmp
memory/2112-3-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp
\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\sByte.dll
| MD5 | d80d1b6d9a6d5986fa47f6f8487030e1 |
| SHA1 | 8f5773bf9eca43b079c1766b2e9f44cc90bd9215 |
| SHA256 | 446128f1712da8064d0197376184315cb529ed26ed9122f7b171bb208e22c0c3 |
| SHA512 | 9fcf0105c2c9ee81c526d41633d93579bb8e2837989d77fb4a6523440415ec2d7fa46ac9ae4e55ecebd99126837817ac308cc079475de02667b21727a43d74cc |
memory/2112-7-0x00000000004A0000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 6b573d2e5879c3cb307b1e1fdb9087f4 |
| SHA1 | 690d83a67319f6ff98690776e86dc0704b0d4a92 |
| SHA256 | 0545950ceb362f4f82da58a3c24825c26e188e210d345fbd127ad75b0f8dbcc9 |
| SHA512 | 674f061c61277f2b73a9d9b12ae83039ac3607c8bb0b043ac0ba9806eaef57508869e706bf9179258700dea6ae83ab87c64bac00441ab09df645a59720f71656 |
memory/2976-17-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp
memory/2976-16-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp
memory/2976-13-0x00000000008A0000-0x00000000008E4000-memory.dmp
memory/2112-18-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp
memory/2976-20-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-08 09:09
Reported
2024-09-08 09:12
Platform
win10v2004-20240802-en
Max time kernel
96s
Max time network
155s
Command Line
Signatures
Chaos
Chaos Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\202409086b573d2e5879c3cb307b1e1fdb9087f4wannacry.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Local\Temp\202409086b573d2e5879c3cb307b1e1fdb9087f4wannacry.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\202409086b573d2e5879c3cb307b1e1fdb9087f4wannacry.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\202409086b573d2e5879c3cb307b1e1fdb9087f4wannacry.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\202409086b573d2e5879c3cb307b1e1fdb9087f4wannacry.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\202409086b573d2e5879c3cb307b1e1fdb9087f4wannacry.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\202409086b573d2e5879c3cb307b1e1fdb9087f4wannacry.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\202409086b573d2e5879c3cb307b1e1fdb9087f4wannacry.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\202409086b573d2e5879c3cb307b1e1fdb9087f4wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\202409086b573d2e5879c3cb307b1e1fdb9087f4wannacry.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
memory/3812-0-0x00007FF9FBA03000-0x00007FF9FBA05000-memory.dmp
memory/3812-1-0x0000000000DF0000-0x0000000000E34000-memory.dmp
memory/3812-2-0x00000000014D0000-0x00000000014DC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\sByte.dll
| MD5 | d80d1b6d9a6d5986fa47f6f8487030e1 |
| SHA1 | 8f5773bf9eca43b079c1766b2e9f44cc90bd9215 |
| SHA256 | 446128f1712da8064d0197376184315cb529ed26ed9122f7b171bb208e22c0c3 |
| SHA512 | 9fcf0105c2c9ee81c526d41633d93579bb8e2837989d77fb4a6523440415ec2d7fa46ac9ae4e55ecebd99126837817ac308cc079475de02667b21727a43d74cc |
memory/3812-6-0x0000000001780000-0x0000000001788000-memory.dmp
memory/3812-7-0x00007FF9FBA00000-0x00007FF9FC4C1000-memory.dmp
memory/3812-8-0x00007FF9FBA00000-0x00007FF9FC4C1000-memory.dmp