chaos | 24893dc83648dac9acf101c38381fbe5f09dff7788e4cd1d9ac6fc10bde8bb7a

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
Size

69KB
MD5

8e9498d9f1009d82fe20dec5e56e6ab6
SHA1

07fd1c05d1e706a75cb8327bce60524faaf89735
SHA256

24893dc83648dac9acf101c38381fbe5f09dff7788e4cd1d9ac6fc10bde8bb7a
SHA512

26d1e96bb5bb7cc263c5d5f0688a53c537cac9a11893633b62d38213610d0655e76203c8a6fed6f3c795756039fc24df5b534fe978494e531a6b17e34bfab8d8
SSDEEP

1536:fo2yGMhur9i35UbK+X7ryVIxBtNGmD1aBoolWi1UfF:foUMhur9i3MK+X7euBHGmJaBooEF

Score

10^/10

chaos ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Ransom Note

All of your files have been encrypted Your computer was infected with a ransomware and RDP virus. Your files and data have been encrypted and you won't be able to decrypt them without our help. What can I do to get my files back? You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer. The price for the software is $50. Payment can be made in Crypto only. How do I pay, where do I get Crypto? Purchasing Crypto varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Crypto. Many of our customers have reported these sites to be fast and reliable: Cashapp, Coinbase, bicance, Paypal, Kraken Once the payment has been made you can email us and a Decryption key will be sent to you. All Restore Points, Shadow Coppies and recovery mode on ur computer have been deleted/disabled Clients Must pay or sadly ALL data and files are lost, PC Reset will resualt in disabling windows operations If you have any questions please email us, but also remember, we dont make this Ransomeware, just the decryption keys. Email: [email protected] Payment Amount: $50.00 Bitcoin Address: bc1qmxehlpjkuk4xpanapdnsghda2eajdhj0wyvhlc Litecoin Address Lg6PmtU6vusUH3DhYR4QL6h2UtLkzwHrfL Ethereum Address: 0x2ad0e5ABc63d003448Fbe03f580Aa30e5E831d09 Solana Address: 7iKLcDfUqJrbkFk7V1AUQ7RhyyN5qVzv6DWnBvHENW3f

Emails

[email protected]

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 1 IoCs

resource	yara_rule
behavioral1/memory/2528-1-0x0000000001250000-0x0000000001268000-memory.dmp	family_chaos

Renames multiple (207) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.url	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 34 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xfr61fimy.jpg"	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2328	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2528	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2528	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
2528	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2528	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2328	2528	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe	30
PID 2528 wrote to memory of 2328	2528	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe	30
PID 2528 wrote to memory of 2328	2528	2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-21_8e9498d9f1009d82fe20dec5e56e6ab6_destroyer_wannacry.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\read_it.txt

Filesize
1KB

MD5
a12615b25efbc9b0e692d78cf143b46e

SHA1
3016daff192f705df77c53eea3bbb8bc0d93476c

SHA256
19d5acf79db3a71973959348dde1c1f7feb04365addc248e2fbe679131082575

SHA512
379226c164f50f5fb8700b934125e926019b43acc1c66d973335b82fe0c7106e1b81e596a32951f06b2908375f062bf5f5f000cf5aaae69cb177668789bd1848

Download Submit
memory/2528-0-0x000007FEF6663000-0x000007FEF6664000-memory.dmp

Filesize
4KB

Download
memory/2528-1-0x0000000001250000-0x0000000001268000-memory.dmp

Filesize
96KB

Download
memory/2528-15-0x000007FEF6660000-0x000007FEF704C000-memory.dmp

Filesize
9.9MB

Download
memory/2528-472-0x000007FEF6663000-0x000007FEF6664000-memory.dmp

Filesize
4KB

Download
memory/2528-473-0x000007FEF6660000-0x000007FEF704C000-memory.dmp

Filesize
9.9MB

Download