Analysis

  • max time kernel
    126s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-09-2024 15:24

General

  • Target

    2024-09-16_9a0a653a28144ed4aef29c405eed6cd5_destroyer_wannacry.exe

  • Size

    26KB

  • MD5

    9a0a653a28144ed4aef29c405eed6cd5

  • SHA1

    80b6f3d4ea6efd4bec02cb6864a179ffcbf7ea5e

  • SHA256

    a37e08164fbf4bcfe5e4a8b818ec45b150f0e4206a1ecb84489a5e34c7d528cb

  • SHA512

    0a98cd89d9693f7984826f0ed4cb54bf359415b2a203fc19631c12d982cd5b80c160e8b7315689cbb2df9a1eac0e79d99df0c82bd86662f7916020177eba17e7

  • SSDEEP

    384:A3Mg/bqo2vLPQUvuIqpm9FOjUJnr91Cep4DqHaQ0jseO:+qo2MU0pIOj8nr9N+DqHEIeO

Malware Config

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Ransom Note
Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Tox ID: EEC1A34EA55C1DBC63D8BCC4779D93BB64FC9036C82210467DEB1948A3ABC2248CE1CAB7A181 Your personal DECRYPTION ID: 10211 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in tox. Tox ID : EEC1A34EA55C1DBC63D8BCC4779D93BB64FC9036C82210467DEB1948A3ABC2248CE1CAB7A181
URLs

https://tox.chat/download.html

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 2 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 34 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-16_9a0a653a28144ed4aef29c405eed6cd5_destroyer_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-16_9a0a653a28144ed4aef29c405eed6cd5_destroyer_wannacry.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:740
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5068
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2512
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2664
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2692
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1648
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:3904
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:432
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3988
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:1280
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:4440
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4220,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=4116 /prefetch:8
    1⤵
      PID:1820
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3832
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1256
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:1616
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Checks SCSI registry key(s)
        PID:1380

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\svchost.exe

        Filesize

        26KB

        MD5

        9a0a653a28144ed4aef29c405eed6cd5

        SHA1

        80b6f3d4ea6efd4bec02cb6864a179ffcbf7ea5e

        SHA256

        a37e08164fbf4bcfe5e4a8b818ec45b150f0e4206a1ecb84489a5e34c7d528cb

        SHA512

        0a98cd89d9693f7984826f0ed4cb54bf359415b2a203fc19631c12d982cd5b80c160e8b7315689cbb2df9a1eac0e79d99df0c82bd86662f7916020177eba17e7

      • C:\Users\Admin\Documents\read_it.txt

        Filesize

        2KB

        MD5

        054c24bebee63e5f3cbbbf70b8548942

        SHA1

        5a2e4f1882f7c76dce6b4d2b610485ae5852789d

        SHA256

        3ddc818e4b33b6b08abee5564011530939aa8a6f601ec00d672a31aeab9bf09f

        SHA512

        3168fcd8340945458503f35aa482f378435d3929eba614b5af61a4191bf83a39b231fc947b54539f9553e43f9f5125ba51b872bc84b783c1fa77b38a30ed3094

      • memory/740-0-0x00007FFE6A953000-0x00007FFE6A955000-memory.dmp

        Filesize

        8KB

      • memory/740-1-0x0000000000DA0000-0x0000000000DAC000-memory.dmp

        Filesize

        48KB

      • memory/5068-14-0x00007FFE6A950000-0x00007FFE6B411000-memory.dmp

        Filesize

        10.8MB

      • memory/5068-514-0x00007FFE6A950000-0x00007FFE6B411000-memory.dmp

        Filesize

        10.8MB