chaos | a29f7f16177b1aed8ad6b56dbe19763b9264734304cfc3db9b5c3ce77ea1e08f

Resubmissions

20-09-2024 01:06

240920-bf79ya1anh 10

20-09-2024 00:42

240920-a2lgmazcpg 10

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-20_c47451e9db6bc856051f49f728e05e27_wannacry.exe
Size

230KB
MD5

c47451e9db6bc856051f49f728e05e27
SHA1

3a6eae645c5c44ed2933aed3379ae6f7e1ab8331
SHA256

a29f7f16177b1aed8ad6b56dbe19763b9264734304cfc3db9b5c3ce77ea1e08f
SHA512

7a85e7bc7be2f71f799b918bd42dfbc6043ef6222b12ff6b7258bfeeadb38c4f3186ece742a589aa224292749fa66089faca161248b15793ae1a93975bde586a
SSDEEP

6144:QYr9AxLsirVD0GfhyvOhBpC81xmjuQmDbjoYl5m:ULNVDbfhygC81xFBDbj7m

Score

10^/10

chaos discovery ransomware spyware stealer

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 3 IoCs

resource	yara_rule
behavioral1/memory/2544-1-0x00000000010C0000-0x0000000001100000-memory.dmp	family_chaos
behavioral1/files/0x000b000000012253-5.dat	family_chaos
behavioral1/memory/2412-7-0x0000000000100000-0x0000000000140000-memory.dmp	family_chaos

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2412	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 34 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\o3x1ph5w1.jpg"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2412	svchost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2544	2024-09-20_c47451e9db6bc856051f49f728e05e27_wannacry.exe
2544	2024-09-20_c47451e9db6bc856051f49f728e05e27_wannacry.exe
2544	2024-09-20_c47451e9db6bc856051f49f728e05e27_wannacry.exe
2412	svchost.exe
2412	svchost.exe
2412	svchost.exe
2412	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2280	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2544	2024-09-20_c47451e9db6bc856051f49f728e05e27_wannacry.exe
Token: SeDebugPrivilege	2412	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2280	AcroRd32.exe
2280	AcroRd32.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2412	2544	2024-09-20_c47451e9db6bc856051f49f728e05e27_wannacry.exe	30
PID 2544 wrote to memory of 2412	2544	2024-09-20_c47451e9db6bc856051f49f728e05e27_wannacry.exe	30
PID 2544 wrote to memory of 2412	2544	2024-09-20_c47451e9db6bc856051f49f728e05e27_wannacry.exe	30
PID 2412 wrote to memory of 1508	2412	svchost.exe	32
PID 2412 wrote to memory of 1508	2412	svchost.exe	32
PID 2412 wrote to memory of 1508	2412	svchost.exe	32
PID 1508 wrote to memory of 2280	1508	rundll32.exe	34
PID 1508 wrote to memory of 2280	1508	rundll32.exe	34
PID 1508 wrote to memory of 2280	1508	rundll32.exe	34
PID 1508 wrote to memory of 2280	1508	rundll32.exe	34

C:\Users\Admin\AppData\Local\Temp\2024-09-20_c47451e9db6bc856051f49f728e05e27_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-20_c47451e9db6bc856051f49f728e05e27_wannacry.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\README
    3⤵
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\README"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
25d8261461df2d9508a6ae296dd733ef

SHA1
ed8f0ab875249a215e4c88e7c8fe1b53f60c0ff1

SHA256
7ba40f51110298aa5620a52d50f3e341558f88f8d7ddef21e903270eee291406

SHA512
865aacbc4380e29a73388fd4dcee86bb7a451d7519a542a519356469da481bf49c38f0a8c9ab9b8ac7be654c2603efbbe903282e04c4035753009da2d7e5fe5c

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
230KB

MD5
c47451e9db6bc856051f49f728e05e27

SHA1
3a6eae645c5c44ed2933aed3379ae6f7e1ab8331

SHA256
a29f7f16177b1aed8ad6b56dbe19763b9264734304cfc3db9b5c3ce77ea1e08f

SHA512
7a85e7bc7be2f71f799b918bd42dfbc6043ef6222b12ff6b7258bfeeadb38c4f3186ece742a589aa224292749fa66089faca161248b15793ae1a93975bde586a

Download Submit
C:\Users\Admin\Documents\README

Filesize
740B

MD5
247fd138d3881e0b6135f930d272158a

SHA1
e174a53071e17bc7983932636dca23d0fb46a0b8

SHA256
cfe39d1892f95613ff09b68190f9077b62e09983bce24042e1cbd1fa29ccce9f

SHA512
86accb04f72eff1842473440d30634e4fd86f239d78674e014d8a110d65bf56be8e81a9d07e2d6d8516aebb30329ce02bae59f35db2e638c88ab71689e353ae5

Download Submit
memory/2412-7-0x0000000000100000-0x0000000000140000-memory.dmp

Filesize
256KB

Download
memory/2412-8-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2412-13-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2412-486-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2544-0-0x000007FEF6523000-0x000007FEF6524000-memory.dmp

Filesize
4KB

Download
memory/2544-1-0x00000000010C0000-0x0000000001100000-memory.dmp

Filesize
256KB

Download