Analysis

  • max time kernel
    122s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18-10-2024 18:24

General

  • Target

    2024-10-18_796e7bcc691f6c21d235ae0c301b1081_destroyer_wannacry.exe

  • Size

    23KB

  • MD5

    796e7bcc691f6c21d235ae0c301b1081

  • SHA1

    7ef3bf6e556cbe7261abe797a0a3bb588cd09067

  • SHA256

    ff231952158f7314a3e73e46b92843e98ceff8d396092873d02eb98d0705da49

  • SHA512

    e5e7848208ed1377de2af39aeedf1e40a684de52699faa0c4445f66037f7c7ee884d96fb2d159f7432dbb2794a651c0e9375e7bb6152c68a423b14c631d245eb

  • SSDEEP

    384:+3Mg/bqo2Y5FOieDopGSkobJJ3r91CvpIBVjqe0:8qo2+FOBopjH3r9KIB4e0

Malware Config

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Ransom Note
All of your files have been stolen and encrypted. in a nutshell you're Hacked You can try whatever you wanna try but don't modify the files, they'll be damaged and impossible to decrypt. it's nothing personal, it's all about money. have a great day. Payment information Non payment will result in your data being published. YOU HAVE 7 DAYS, AFTER 3 DAYS THE MONEY DOUBLES. Bitcoin Address: bc1qpn32q8a3jykzpfnrv6crqulk7wguaryhxzadqa You must contact us using Tox messenger, download it here> https://tox.chat/download.html. Invite us on Tox, Our Tox ID : EEC1A34EA55C1DBC63D8BCC4779D93BB64FC9036C82210467DEB1948A3ABC2248CE1CAB7A181 Or contact us via email on [email protected] You need to contact us and decrypt one file for free on TOX messenger with your personal DECRYPTION ID 102121515
URLs

https://tox.chat/download.html

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 3 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 34 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-18_796e7bcc691f6c21d235ae0c301b1081_destroyer_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-18_796e7bcc691f6c21d235ae0c301b1081_destroyer_wannacry.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:764
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2428
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1724
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:1796
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1336
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2596
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:820
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1816
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1428
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:1876
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:2364
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1736
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:892
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:1740
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
        PID:1392

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\svchost.exe

        Filesize

        23KB

        MD5

        796e7bcc691f6c21d235ae0c301b1081

        SHA1

        7ef3bf6e556cbe7261abe797a0a3bb588cd09067

        SHA256

        ff231952158f7314a3e73e46b92843e98ceff8d396092873d02eb98d0705da49

        SHA512

        e5e7848208ed1377de2af39aeedf1e40a684de52699faa0c4445f66037f7c7ee884d96fb2d159f7432dbb2794a651c0e9375e7bb6152c68a423b14c631d245eb

      • C:\Users\Admin\Documents\read_it.txt

        Filesize

        815B

        MD5

        6ace40f2b0e2fa58f8a98bc1fadf70f2

        SHA1

        0e83b61f2a0a2b68fa9a530cf16a1bb40300d7f5

        SHA256

        bc4e8b349bbba233664452506649d78668edc1969f0bccb74991b04531cd4fa1

        SHA512

        96bc866ace3e07f02471090e85e2ebd2670ca627d5b2de3c73a4094bf7d5619c5b4358f867bcfd290235bc69e7ff880b614e34a5abeecf9f9b6970d4cce8a01c

      • memory/764-0-0x000007FEF5213000-0x000007FEF5214000-memory.dmp

        Filesize

        4KB

      • memory/764-1-0x0000000000F80000-0x0000000000F8C000-memory.dmp

        Filesize

        48KB

      • memory/2428-7-0x00000000000C0000-0x00000000000CC000-memory.dmp

        Filesize

        48KB

      • memory/2428-9-0x000007FEF5210000-0x000007FEF5BFC000-memory.dmp

        Filesize

        9.9MB

      • memory/2428-16-0x000007FEF5210000-0x000007FEF5BFC000-memory.dmp

        Filesize

        9.9MB

      • memory/2428-484-0x000007FEF5210000-0x000007FEF5BFC000-memory.dmp

        Filesize

        9.9MB