Resubmissions

  • 18-09-2024 23:34

    240918-3kexqsyhlp 10

  • 18-09-2024 23:21

    240918-3b6dbsydrn 10

General

  • Target

    2024-09-18_5b46e400dc8116704f94c89181c5d046_destroyer_wannacry

  • Size

    23KB

  • Sample

    240918-3b6dbsydrn

  • MD5

    5b46e400dc8116704f94c89181c5d046

  • SHA1

    d9bcafd992d27f6b4aef3fe8dea486cb79a227b8

  • SHA256

    9aa3fd69ed9705c41e970db7655d1e810721b675bf339d77a14399675df718c6

  • SHA512

    1399d3fa6a8e435628a70469c252da5212f854f138c4975d3844f91ff77fc97e14df1d7e2948020e25dc79ee7a730330b9b2c04f283c3aa0e9f4a952dd872d35

  • SSDEEP

    384:w3Mg/bqo2XH45tYPpcAL34+X0Z/yJ3r91Co5+IBHreQ:Oqo2X4rmpc+4+kRm3r9NoIBLeQ

Malware Config

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Ransom Note

All of your files have been stolen and encrypted. in a nutshell you're Hacked
You can try whatever you wanna try but don't modify the files, they'll be damaged and impossible to decrypt.
it's nothing personal, it's all about money. have a great day.

Payment information

Non payment will result in your data being published.
YOU HAVE 7 DAYS, AFTER 3 DAYS THE MONEY DOUBLES.
Bitcoin Address: bc1qpn32q8a3jykzpfnrv6crqulk7wguaryhxzadqa
You must contact us using Tox messenger, download it here> https://tox.chat/download.html.
Invite us on Tox, Our Tox ID : EEC1A34EA55C1DBC63D8BCC4779D93BB64FC9036C82210467DEB1948A3ABC2248CE1CAB7A181
You need contact us and decrypt one file for free on TOX messenger with your personal DECRYPTION ID 5747
URLs

https://tox.chat/download.html
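The note carries three contact and payment identifiers that will end up in blocklists, so they are worth pulling out into structured form and sanity-checking before use. The Python below is an added example, not part of the sandbox report and not code from the sample: it extracts the Bitcoin address, Tox ID, URL, deadline figures and decryption ID from the note text as rendered above, and validates the two identifiers that carry built-in integrity (a Tox ID ends in a 2-byte checksum formed by XORing the preceding 36 bytes into two alternating lanes; a bc1 address carries a BIP-173 bech32 checksum), so a transcription or extraction error is caught before the value is pushed anywhere. The regexes, the legacy base58 pattern and the return layout are my choices.

```python
"""IOC extraction for the Chaos ransom note quoted in this report.

Added example, not code from the sandbox or the malware. RANSOM_NOTE is the
note text as rendered on the page; the parsing and checksum code is mine.
"""
import re

RANSOM_NOTE = (
    "All of your files have been stolen and encrypted. in a nutshell you're Hacked "
    "You can try whatever you wanna try but don't modify the files, they'll be "
    "damaged and impossible to decrypt. it's nothing personal, it's all about money. "
    "have a great day. Payment information Non payment will result in your data "
    "being published. YOU HAVE 7 DAYS, AFTER 3 DAYS THE MONEY DOUBLES. "
    "Bitcoin Address: bc1qpn32q8a3jykzpfnrv6crqulk7wguaryhxzadqa You must contact "
    "us using Tox messenger, download it here> https://tox.chat/download.html. "
    "Invite us on Tox, Our Tox ID : "
    "EEC1A34EA55C1DBC63D8BCC4779D93BB64FC9036C82210467DEB1948A3ABC2248CE1CAB7A181 "
    "You need contact us and decrypt one file for free on TOX messenger with your "
    "personal DECRYPTION ID 5747"
)

BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_RX = re.compile(r"\b(?:bc|tb)1[" + BECH32_CHARSET + r"]{25,87}\b", re.I)
BASE58_RX = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")   # legacy P2PKH / P2SH
TOX_RX = re.compile(r"\b[0-9A-Fa-f]{76}\b")                       # 38 bytes as hex
URL_RX = re.compile(r"https?://[^\s<>\"']+")
DECRYPT_ID_RX = re.compile(r"DECRYPTION ID\s*[:#-]?\s*([A-Za-z0-9]+)", re.I)
DEADLINE_RX = re.compile(r"YOU HAVE (\d+) DAYS", re.I)
DOUBLING_RX = re.compile(r"AFTER (\d+) DAYS THE MONEY DOUBLES", re.I)


def bech32_polymod(values):
    """BIP-173 checksum polynomial over a sequence of 5-bit values."""
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def bech32_verify(addr):
    """True if addr (hrp + '1' + data) has a valid bech32 checksum (witness v0 encoding)."""
    if addr.lower() != addr and addr.upper() != addr:
        return False                      # mixed case is forbidden by BIP-173
    addr = addr.lower()
    sep = addr.rfind("1")
    if sep < 1 or sep + 7 > len(addr) or len(addr) > 90:
        return False
    hrp, data = addr[:sep], addr[sep + 1:]
    if any(c not in BECH32_CHARSET for c in data):
        return False
    expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    return bech32_polymod(expanded + [BECH32_CHARSET.index(c) for c in data]) == 1


def tox_id_valid(tox_id):
    """A Tox ID is pubkey(32) || nospam(4) || checksum(2), where
    checksum[i % 2] ^= byte[i] over the first 36 bytes. Catches copy damage."""
    if not re.fullmatch(r"[0-9A-Fa-f]{76}", tox_id):
        return False
    raw = bytes.fromhex(tox_id)
    chk = [0, 0]
    for i, b in enumerate(raw[:36]):
        chk[i % 2] ^= b
    return bytes(chk) == raw[36:]


def _unique(seq):
    return list(dict.fromkeys(seq))


def extract_iocs(note):
    """Pull payment/contact IOCs out of a ransom note and attach integrity results."""
    btc = _unique(BECH32_RX.findall(note) + BASE58_RX.findall(note))
    tox = _unique(TOX_RX.findall(note))
    urls = _unique(u.rstrip(".,;:)") for u in URL_RX.findall(note))
    m_id = DECRYPT_ID_RX.search(note)
    m_dl = DEADLINE_RX.search(note)
    m_db = DOUBLING_RX.search(note)
    return {
        "btc_addresses": btc,
        "btc_checksum_ok": {a: bech32_verify(a) for a in btc
                            if a.lower().startswith(("bc1", "tb1"))},
        "tox_ids": tox,
        "tox_checksum_ok": {t: tox_id_valid(t) for t in tox},
        "urls": urls,
        "decryption_id": m_id.group(1) if m_id else None,
        "deadline_days": int(m_dl.group(1)) if m_dl else None,
        "doubling_after_days": int(m_db.group(1)) if m_db else None,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_iocs(RANSOM_NOTE), indent=2))
```

For the note as rendered on this page the Tox ID checksum verifies (A181 is exactly the XOR of the two byte lanes), which is a useful confirmation that the 76 hex characters survived extraction intact. Treat a bech32 failure the same way: as a reason to re-extract the address from the sample rather than as proof the attacker's address is bogus.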

Targets

    • Target

      2024-09-18_5b46e400dc8116704f94c89181c5d046_destroyer_wannacry

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Volume Shadow Copies are removed so that files cannot be rolled back to earlier versions; the standard ransomware step to inhibit system recovery (ATT&CK T1490).

    • Modifies boot configuration data using bcdedit

      Boot settings are changed with bcdedit, typically to disable automatic repair and the recovery environment so the victim cannot boot into recovery tooling (T1490).

    • Deletes backup catalog

      wbadmin.exe is used to delete the Windows Backup catalog, so existing backups can no longer be enumerated or restored (T1490).

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence that decides whether the sample runs at all (T1614, System Location Discovery).

    • Drops startup file

      Writes a file into a Startup folder so the payload runs again at the next logon (T1547.001).

    • Executes dropped EXE

      Launches an executable it wrote to disk.

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials, cookies and session tokens; the sandbox flags the file access, not confirmed exfiltration.

    • Drops desktop.ini file(s)

      Low signal on its own: desktop.ini writes commonly accompany bulk enumeration and rewriting of user folders.
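Three of the behaviours above (shadow-copy deletion, bcdedit boot tampering, wbadmin catalog deletion) are the recovery-inhibition set that Chaos and most other ransomware families fire in quick succession from one parent process, all mapping to ATT&CK T1490. Any one of them also appears in legitimate administration, so a useful detection keys on the combination rather than on single commands. The Python below is an added example, not the sandbox's own detection logic: a small correlation rule run over constructed process-creation events in a Sysmon Event ID 1 / Security 4688 shape. The parent image path and timestamps are hypothetical, and the command lines are the usual forms of these three techniques, not lines recorded from this sample.

```python
"""Correlation rule for the recovery-inhibition behaviours this report flags
(shadow-copy deletion, bcdedit boot tampering, wbadmin catalog deletion).

Added example, not the sandbox's detection logic. EVENTS are constructed
process-creation records; the parent image path and timestamps are
hypothetical, and the command lines are the usual forms of these techniques,
not lines captured from this sample.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (rule name, ATT&CK technique, pattern over the full command line)
RULES = [
    ("shadow_copy_delete", "T1490", re.compile(
        r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("bcdedit_recovery_tamper", "T1490", re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("wbadmin_catalog_delete", "T1490", re.compile(
        r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
]

DROPPED = r"C:\Users\Admin\AppData\Roaming\dropped.exe"   # hypothetical payload path
ADMIN_SHELL = r"C:\Windows\System32\cmd.exe"              # an administrator's console

EVENTS = [
    # three commands issued back-to-back by the payload (constructed)
    {"ts": "2024-09-18T23:22:01", "parent": DROPPED, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete'},
    {"ts": "2024-09-18T23:22:03", "parent": DROPPED, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no'},
    {"ts": "2024-09-18T23:22:05", "parent": DROPPED, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c wbadmin delete catalog -quiet'},
    # benign administrator activity that must not alert (constructed)
    {"ts": "2024-09-18T10:05:00", "parent": ADMIN_SHELL, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"ts": "2024-09-18T10:06:10", "parent": ADMIN_SHELL, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /enum"},
    # a lone legitimate cleanup: one rule fires, but it stays below the correlation threshold
    {"ts": "2024-09-18T11:00:00", "parent": ADMIN_SHELL, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /for=D: /oldest"},
]


def match_rules(cmdline):
    """Return [(rule, technique)] for every rule whose pattern hits the command line."""
    return [(name, tech) for name, tech, rx in RULES if rx.search(cmdline)]


def correlate(events, window=timedelta(minutes=5), min_rules=2):
    """Alert when one parent process triggers >= min_rules distinct rules within `window`.

    Single hits are left as low-severity noise: admins do run vssadmin now and
    then; ransomware runs the whole set within seconds of the same parent.
    """
    hits = defaultdict(list)
    for ev in events:
        for name, tech in match_rules(ev["cmdline"]):
            hits[ev["parent"]].append((datetime.fromisoformat(ev["ts"]), name, tech))
    alerts = []
    for parent, seq in hits.items():
        seq.sort()
        for i, (t0, _, _) in enumerate(seq):
            in_window = [h for h in seq[i:] if h[0] - t0 <= window]
            names = sorted({h[1] for h in in_window})
            if len(names) >= min_rules:
                alerts.append({"parent": parent, "first_seen": t0.isoformat(),
                               "rules": names,
                               "techniques": sorted({h[2] for h in in_window})})
                break   # one alert per parent is enough
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

On the constructed events only the hypothetical dropped.exe parent produces an alert, carrying all three rule names; the administrator's `vssadmin list shadows`, `bcdedit /enum` and single shadow-copy cleanup stay below the threshold. The window and the minimum rule count are the tuning knobs: tighten them for a quieter feed, or drop min_rules to 1 for a hunting query.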

MITRE ATT&CK Enterprise v15
