General

  • Target

    2024-10-16_7c556a045999ea1ca4f00d5b9b886b4c_destroyer_wannacry

  • Size

    23KB

  • Sample

    241016-pq6qratbpl

  • MD5

    7c556a045999ea1ca4f00d5b9b886b4c

  • SHA1

    e99a8deb643a2fb835a51664d384c1d9677e7698

  • SHA256

    8cafe2829a80bcc87175685e04d9297c8403453d274a2be2c90d764f0c88991d

  • SHA512

    b9e142a7a7524febf3f919b28f3b150a0fcff1b5f5948accbe84ceb89a3cbccd130057b4806d0c2b38cdee5803fb189e2200ff29cc9f9954132787c8a1c0b8dd

  • SSDEEP

    384:53Mg/bqo2DnQyvyHpfitobnJOr91CZIBA0eb:rqo2zlvKppJOr9iIBneb

Malware Config

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Ransom Note
All of your files have been stolen and encrypted. in a nutshell you're Hacked You can try whatever you wanna try but don't modify the files, they'll be damaged and impossible to decrypt. it's nothing personal, it's all about money. have a great day. Payment information Non payment will result in your data being published. YOU HAVE 7 DAYS, AFTER 3 DAYS THE MONEY DOUBLES. Bitcoin Address: bc1qpn32q8a3jykzpfnrv6crqulk7wguaryhxzadqa You must contact us using Tox messenger, download it here> https://tox.chat/download.html. Invite us on Tox, Our Tox ID : EEC1A34EA55C1DBC63D8BCC4779D93BB64FC9036C82210467DEB1948A3ABC2248CE1CAB7A181 You need contact us and decrypt one file for free on TOX messenger with your personal DECRYPTION ID 10212
URLs

https://tox.chat/download.html

Targets

    • Target

      2024-10-16_7c556a045999ea1ca4f00d5b9b886b4c_destroyer_wannacry

    • Size

      23KB

    • MD5

      7c556a045999ea1ca4f00d5b9b886b4c

    • SHA1

      e99a8deb643a2fb835a51664d384c1d9677e7698

    • SHA256

      8cafe2829a80bcc87175685e04d9297c8403453d274a2be2c90d764f0c88991d

    • SHA512

      b9e142a7a7524febf3f919b28f3b150a0fcff1b5f5948accbe84ceb89a3cbccd130057b4806d0c2b38cdee5803fb189e2200ff29cc9f9954132787c8a1c0b8dd

    • SSDEEP

      384:53Mg/bqo2DnQyvyHpfitobnJOr91CZIBA0eb:rqo2zlvKppJOr9iIBneb

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v15

Tasks