Overview

overview

10

Static

static

10

2024-10-16...ry.exe

windows7-x64

10

2024-10-16...ry.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    16-10-2024 12:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-10-16_7c556a045999ea1ca4f00d5b9b886b4c_destroyer_wannacry.exe

  • Size

    23KB

  • MD5

    7c556a045999ea1ca4f00d5b9b886b4c

  • SHA1

    e99a8deb643a2fb835a51664d384c1d9677e7698

  • SHA256

    8cafe2829a80bcc87175685e04d9297c8403453d274a2be2c90d764f0c88991d

  • SHA512

    b9e142a7a7524febf3f919b28f3b150a0fcff1b5f5948accbe84ceb89a3cbccd130057b4806d0c2b38cdee5803fb189e2200ff29cc9f9954132787c8a1c0b8dd

  • SSDEEP

    384:53Mg/bqo2DnQyvyHpfitobnJOr91CZIBA0eb:rqo2zlvKppJOr9iIBneb

Score
10/10
chaosdefense_evasionevasionexecutionimpactransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Ransom Note
All of your files have been stolen and encrypted. in a nutshell you're Hacked You can try whatever you wanna try but don't modify the files, they'll be damaged and impossible to decrypt. it's nothing personal, it's all about money. have a great day. Payment information Non payment will result in your data being published. YOU HAVE 7 DAYS, AFTER 3 DAYS THE MONEY DOUBLES. Bitcoin Address: bc1qpn32q8a3jykzpfnrv6crqulk7wguaryhxzadqa You must contact us using Tox messenger, download it here> https://tox.chat/download.html. Invite us on Tox, Our Tox ID : EEC1A34EA55C1DBC63D8BCC4779D93BB64FC9036C82210467DEB1948A3ABC2248CE1CAB7A181 You need contact us and decrypt one file for free on TOX messenger with your personal DECRYPTION ID 10212
URLs

https://tox.chat/download.html

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos
  • Chaos Ransomware 3 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 34 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-16_7c556a045999ea1ca4f00d5b9b886b4c_destroyer_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7c556a045999ea1ca4f00d5b9b886b4c_destroyer_wannacry.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2632
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2124
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1736
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2916
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2004
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2068
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1548
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2668
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2584
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:612
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:852
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3028
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2872
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:1364
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
        PID:1872

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\svchost.exe
        Filesize

        23KB

        MD5

        7c556a045999ea1ca4f00d5b9b886b4c

        SHA1

        e99a8deb643a2fb835a51664d384c1d9677e7698

        SHA256

        8cafe2829a80bcc87175685e04d9297c8403453d274a2be2c90d764f0c88991d

        SHA512

        b9e142a7a7524febf3f919b28f3b150a0fcff1b5f5948accbe84ceb89a3cbccd130057b4806d0c2b38cdee5803fb189e2200ff29cc9f9954132787c8a1c0b8dd

        Download Submit

      • C:\Users\Admin\Documents\read_it.txt
        Filesize

        755B

        MD5

        ab89c3aa2151781f57352fd2d7d8b73e

        SHA1

        90be8d872e6a7c36e2ffd4a51bece1727506ef31

        SHA256

        079d6eb4aed2f7d634e9f8efaea827ff221f0f03bdd72674647c58b509d15ecb

        SHA512

        4edeb4583ba91c63bf84e733f59eed9158fa7ede0b65d478ffe71d2c8bbc56cee964188e5dd1b98f8b4759d86aa6ee6e709a6aa364f92ce5da04b0785e38e3d3

        Download Submit

      • memory/2124-7-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2124-15-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2124-22-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2124-483-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2124-484-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2632-0-0x000007FEF4E33000-0x000007FEF4E34000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2632-1-0x0000000000DF0000-0x0000000000DFC000-memory.dmp

        Filesize

        48KB

        Download