Overview

overview

10

Static

static

10

2024-09-18...ry.exe

windows7-x64

10

2024-09-18...ry.exe

windows10-2004-x64

10

Resubmissions

18-09-2024 23:34

240918-3kexqsyhlp 10

18-09-2024 23:21

240918-3b6dbsydrn 10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18-09-2024 23:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-09-18_5b46e400dc8116704f94c89181c5d046_destroyer_wannacry.exe

  • Size

    23KB

  • MD5

    5b46e400dc8116704f94c89181c5d046

  • SHA1

    d9bcafd992d27f6b4aef3fe8dea486cb79a227b8

  • SHA256

    9aa3fd69ed9705c41e970db7655d1e810721b675bf339d77a14399675df718c6

  • SHA512

    1399d3fa6a8e435628a70469c252da5212f854f138c4975d3844f91ff77fc97e14df1d7e2948020e25dc79ee7a730330b9b2c04f283c3aa0e9f4a952dd872d35

  • SSDEEP

    384:w3Mg/bqo2XH45tYPpcAL34+X0Z/yJ3r91Co5+IBHreQ:Oqo2X4rmpc+4+kRm3r9NoIBLeQ

Score
10/10
chaosdefense_evasionevasionexecutionimpactransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Ransom Note
All of your files have been stolen and encrypted. in a nutshell you're Hacked You can try whatever you wanna try but don't modify the files, they'll be damaged and impossible to decrypt. it's nothing personal, it's all about money. have a great day. Payment information Non payment will result in your data being published. YOU HAVE 7 DAYS, AFTER 3 DAYS THE MONEY DOUBLES. Bitcoin Address: bc1qpn32q8a3jykzpfnrv6crqulk7wguaryhxzadqa You must contact us using Tox messenger, download it here> https://tox.chat/download.html. Invite us on Tox, Our Tox ID : EEC1A34EA55C1DBC63D8BCC4779D93BB64FC9036C82210467DEB1948A3ABC2248CE1CAB7A181 You need contact us and decrypt one file for free on TOX messenger with your personal DECRYPTION ID 5747
URLs

https://tox.chat/download.html

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos
  • Chaos Ransomware 3 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 34 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-18_5b46e400dc8116704f94c89181c5d046_destroyer_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-18_5b46e400dc8116704f94c89181c5d046_destroyer_wannacry.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2480
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:1432
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2360
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1728
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2468
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2444
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:468
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:1980
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2400
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1560
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:2520
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
        PID:1192

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\svchost.exe
        Filesize

        23KB

        MD5

        5b46e400dc8116704f94c89181c5d046

        SHA1

        d9bcafd992d27f6b4aef3fe8dea486cb79a227b8

        SHA256

        9aa3fd69ed9705c41e970db7655d1e810721b675bf339d77a14399675df718c6

        SHA512

        1399d3fa6a8e435628a70469c252da5212f854f138c4975d3844f91ff77fc97e14df1d7e2948020e25dc79ee7a730330b9b2c04f283c3aa0e9f4a952dd872d35

        Download Submit

      • C:\Users\Admin\Documents\read_it.txt
        Filesize

        754B

        MD5

        95b768856b2de34a69c96f29dead1912

        SHA1

        05bbb06ce4ab6f6607a2f1a1176c53a05bc5970e

        SHA256

        b7758a672f173bfed32e6f8a423a80362625e42d307f8d990173c49edf6b777d

        SHA512

        52302aaeabf76a826554e9551cd37f08583e46b07cce3c9e711e1aebaec3c2c1b66d4fe6ac5bafb7ef45f3e27344b4d8af57246c8f8b93ca1c7a433b2752527b

        Download Submit

      • memory/2224-0-0x000007FEF5B33000-0x000007FEF5B34000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2224-1-0x0000000000E40000-0x0000000000E4C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2800-7-0x000007FEF5143000-0x000007FEF5144000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2800-8-0x0000000000CE0000-0x0000000000CEC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2800-24-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2800-492-0x000007FEF5143000-0x000007FEF5144000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2800-493-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

        Filesize

        9.9MB

        Download