Analysis
-
max time kernel
135s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
29-10-2024 20:28
Behavioral task
behavioral1
Sample
2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exe
Resource
win7-20240903-en
windows7-x64
16 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
18 signatures
150 seconds
General
-
Target
2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exe
-
Size
23KB
-
MD5
c6eb3aad7a5ba437d2e39c44d645aed2
-
SHA1
87b24045539b8db9ead35e462aef513602743ded
-
SHA256
78529452630857c2edc60a55dd41771617d0c9e99d2cf276e39a5288f55160c8
-
SHA512
cede2ff722843666b0f8cfcc3aa12f1f946b430d0db813afff326a1b4d9df9568e6843913bd9ee8497f312b3cad67f21e538786196e443239d2b8eb5efe92127
-
SSDEEP
384:Q3Mg/bqo2ucVzt2eaWCzpgDKF+98uJEr91CKxb+uteA:uqo2F52eanpgDKNyEr9xxb5eA
Malware Config
Extracted
Path
C:\Users\Admin\Documents\read_it.txt
Family
chaos
Ransom Note
----> Chaos is multi language ransomware. Translate your note to any language <----
All of your files have been encrypted
Your computer was infected with a ransomware virus. Your files have been encrypted and you won't
be able to decrypt them without our help.What can I do to get my files back?You can buy our special
decryption software, this software will allow you to recover all of your data and remove the
ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only.
How do I pay, where do I get Bitcoin?
Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search
yourself to find out how to buy Bitcoin.
Many of our customers have reported these sites to be fast and reliable:
Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com
Payment informationAmount: 0.00138959 BTC
Bitcoin Address: bc1q7njx7z489vx9444agzf759u4q46vfgtydzwyll
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 2 IoCs
Processes:
resource yara_rule behavioral2/memory/1516-1-0x0000000000800000-0x000000000080C000-memory.dmp family_chaos behavioral2/files/0x000f000000023a6b-6.dat family_chaos -
Chaos family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exesvchost.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation svchost.exe -
Drops startup file 3 IoCs
Processes:
svchost.exedescription ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url svchost.exe -
Executes dropped EXE 1 IoCs
Processes:
svchost.exepid Process 2220 svchost.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 34 IoCs
Processes:
svchost.exedescription ioc Process File opened for modification C:\Users\Admin\OneDrive\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Searches\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini svchost.exe File opened for modification C:\Users\Public\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini svchost.exe File opened for modification C:\Users\Public\Documents\desktop.ini svchost.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-493223053-2004649691-1575712786-1000\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini svchost.exe File opened for modification C:\Users\Public\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini svchost.exe File opened for modification C:\Users\Public\Music\desktop.ini svchost.exe File opened for modification C:\Users\Public\Videos\desktop.ini svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid Process 1824 vssadmin.exe -
Modifies registry class 1 IoCs
Processes:
svchost.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings svchost.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid Process 3296 NOTEPAD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
svchost.exepid Process 2220 svchost.exe -
Suspicious behavior: EnumeratesProcesses 50 IoCs
Processes:
2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exesvchost.exepid Process 1516 2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exe 1516 2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exe 1516 2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exe 1516 2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exe 1516 2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exe 1516 2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exe 1516 2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exe 1516 2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exe 1516 2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exe 1516 2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exe 1516 2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exe 1516 2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exe 1516 2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exe 1516 2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exe 1516 2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exe 1516 2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exe 1516 2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exe 1516 2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exe 1516 2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exe 1516 2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exe 1516 2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exe 1516 2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exe 1516 2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exe 1516 2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exe 1516 2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exe 1516 2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe -
Suspicious use of AdjustPrivilegeToken 47 IoCs
Processes:
2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exesvchost.exevssvc.exeWMIC.exedescription pid Process Token: SeDebugPrivilege 1516 2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exe Token: SeDebugPrivilege 2220 svchost.exe Token: SeBackupPrivilege 2108 vssvc.exe Token: SeRestorePrivilege 2108 vssvc.exe Token: SeAuditPrivilege 2108 vssvc.exe Token: SeIncreaseQuotaPrivilege 4688 WMIC.exe Token: SeSecurityPrivilege 4688 WMIC.exe Token: SeTakeOwnershipPrivilege 4688 WMIC.exe Token: SeLoadDriverPrivilege 4688 WMIC.exe Token: SeSystemProfilePrivilege 4688 WMIC.exe Token: SeSystemtimePrivilege 4688 WMIC.exe Token: SeProfSingleProcessPrivilege 4688 WMIC.exe Token: SeIncBasePriorityPrivilege 4688 WMIC.exe Token: SeCreatePagefilePrivilege 4688 WMIC.exe Token: SeBackupPrivilege 4688 WMIC.exe Token: SeRestorePrivilege 4688 WMIC.exe Token: SeShutdownPrivilege 4688 WMIC.exe Token: SeDebugPrivilege 4688 WMIC.exe Token: SeSystemEnvironmentPrivilege 4688 WMIC.exe Token: SeRemoteShutdownPrivilege 4688 WMIC.exe Token: SeUndockPrivilege 4688 WMIC.exe Token: SeManageVolumePrivilege 4688 WMIC.exe Token: 33 4688 WMIC.exe Token: 34 4688 WMIC.exe Token: 35 4688 WMIC.exe Token: 36 4688 WMIC.exe Token: SeIncreaseQuotaPrivilege 4688 WMIC.exe Token: SeSecurityPrivilege 4688 WMIC.exe Token: SeTakeOwnershipPrivilege 4688 WMIC.exe Token: SeLoadDriverPrivilege 4688 WMIC.exe Token: SeSystemProfilePrivilege 4688 WMIC.exe Token: SeSystemtimePrivilege 4688 WMIC.exe Token: SeProfSingleProcessPrivilege 4688 WMIC.exe Token: SeIncBasePriorityPrivilege 4688 WMIC.exe Token: SeCreatePagefilePrivilege 4688 WMIC.exe Token: SeBackupPrivilege 4688 WMIC.exe Token: SeRestorePrivilege 4688 WMIC.exe Token: SeShutdownPrivilege 4688 WMIC.exe Token: SeDebugPrivilege 4688 WMIC.exe Token: SeSystemEnvironmentPrivilege 4688 WMIC.exe Token: SeRemoteShutdownPrivilege 4688 WMIC.exe Token: SeUndockPrivilege 4688 WMIC.exe Token: SeManageVolumePrivilege 4688 WMIC.exe Token: 33 4688 WMIC.exe Token: 34 4688 WMIC.exe Token: 35 4688 WMIC.exe Token: 36 4688 WMIC.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exesvchost.execmd.exedescription pid Process procid_target PID 1516 wrote to memory of 2220 1516 2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exe 87 PID 1516 wrote to memory of 2220 1516 2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exe 87 PID 2220 wrote to memory of 4008 2220 svchost.exe 94 PID 2220 wrote to memory of 4008 2220 svchost.exe 94 PID 4008 wrote to memory of 1824 4008 cmd.exe 96 PID 4008 wrote to memory of 1824 4008 cmd.exe 96 PID 4008 wrote to memory of 4688 4008 cmd.exe 101 PID 4008 wrote to memory of 4688 4008 cmd.exe 101 PID 2220 wrote to memory of 3296 2220 svchost.exe 102 PID 2220 wrote to memory of 3296 2220 svchost.exe 102 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-29_c6eb3aad7a5ba437d2e39c44d645aed2_chaos_destroyer_wannacry.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
PID:4008 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:1824
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4688
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt3⤵
- Opens file in notepad (likely ransom note)
PID:3296
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2108
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD5c6eb3aad7a5ba437d2e39c44d645aed2
SHA187b24045539b8db9ead35e462aef513602743ded
SHA25678529452630857c2edc60a55dd41771617d0c9e99d2cf276e39a5288f55160c8
SHA512cede2ff722843666b0f8cfcc3aa12f1f946b430d0db813afff326a1b4d9df9568e6843913bd9ee8497f312b3cad67f21e538786196e443239d2b8eb5efe92127
-
Filesize
965B
MD58405ca5488c5d8321e070794dd06f485
SHA1104adc71cd3ca7924ccdc36a8d607eb8b45f0bf8
SHA256e4cf6fbdc212d4b92cf3503cc1c38dd72eed77221b28e1e43b0fa5e8128dc2bf
SHA512b24b0e14b09a1e7b796292b550b367e8e1bde7be9fcb4c7715f70bdb7b519d0fd6b2a8e780fdb71c219d2cb1818cc2856678c93f6e648e588236f4247ccd8e96