Analysis

  • max time kernel
    93s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-09-2024 23:25

General

  • Target

    2024-09-12_f5414e93aa1483962148b1e73058156a_destroyer_wannacry.exe

  • Size

    23KB

  • MD5

    f5414e93aa1483962148b1e73058156a

  • SHA1

    a48ea50789321e999868d33cb5c373fca86fe9b3

  • SHA256

    43ce9f0cc8826d95942cb68e66603be2b61604d173ae5d6e48e24a311d68c40d

  • SHA512

    215d5c028998ec10cc8f17a4e4b54db1a5a8ab932b6cf602c8cc83547b07495662f492f39f4ffd1893ebc469a3541c07999073a996ce00173ad26c6e09c70f85

  • SSDEEP

    384:s3Mg/bqo2m0XM3oGJZRxNStpUqjuwzULJ1r91C4oUDfeq:Sqo2LLG8tphjK91r9noUzeq

Malware Config

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Ransom Note

All of your files have been stolen and encrypted, we have downloaded sensitive and compromising data from your system/network including your financial data and network map. Your files have been encrypted and you won't be able to decrypt them without our help. If you modify the files you won't be able to decrypt them You can try whatever you wanna try but don't modify the files, they'll be damaged and impossible to decrypt. it's nothing personal, it's all about money. have a great day. Bitcoin Address: bc1qpn32q8a3jykzpfnrv6crqulk7wguaryhxzadqa Non payment will result in your data being published. YOU HAVE 7 DAYS, AFTER 3 DAYS THE MONEY DOUBLES. You can contact us using Tox messenger https://tox.chat/download.html. Tox ID : EEC1A34EA55C1DBC63D8BCC4779D93BB64FC9036C82210467DEB1948A3ABC2248CE1CAB7A181 You need contact us and decrypt one file for free on TOX messenger with your personal DECRYPTION ID 496

URLs

https://tox.chat/download.html

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware (2 IoCs)
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely a geofence.

  • Drops startup file (3 IoCs)
  • Executes dropped EXE (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) (34 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (1 IoC)
  • Opens file in notepad (likely ransom note) (1 IoC)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (51 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-12_f5414e93aa1483962148b1e73058156a_destroyer_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-12_f5414e93aa1483962148b1e73058156a_destroyer_wannacry.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3172
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:4300

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\svchost.exe

    Filesize

    23KB

    MD5

    f5414e93aa1483962148b1e73058156a

    SHA1

    a48ea50789321e999868d33cb5c373fca86fe9b3

    SHA256

    43ce9f0cc8826d95942cb68e66603be2b61604d173ae5d6e48e24a311d68c40d

    SHA512

    215d5c028998ec10cc8f17a4e4b54db1a5a8ab932b6cf602c8cc83547b07495662f492f39f4ffd1893ebc469a3541c07999073a996ce00173ad26c6e09c70f85

  • C:\Users\Admin\Documents\read_it.txt

    Filesize

    936B

    MD5

    6c95753d076566628ffe5f4c2b87fde3

    SHA1

    277330e99f3e43377412b78fa649ec152f5f00e2

    SHA256

    174ffbad56d2d862bd1d2ee488d5ac0a5d14a44379c93111c139236145fdbff8

    SHA512

    9068c94eeb9e6abb7472bc52a7e9b531b9c7ebc3b1332ce7809623379bcdb1ab13af5cb02e144f15775310a41175995192049374f69aaa9f0b2245889c1950ea

  • memory/1964-14-0x00007FFD80080000-0x00007FFD80B41000-memory.dmp

    Filesize

    10.8MB

  • memory/1964-462-0x00007FFD80080000-0x00007FFD80B41000-memory.dmp

    Filesize

    10.8MB

  • memory/3172-0-0x00007FFD80083000-0x00007FFD80085000-memory.dmp

    Filesize

    8KB

  • memory/3172-1-0x00000000001E0000-0x00000000001EC000-memory.dmp

    Filesize

    48KB