chaos | 6a3f58eb6b785786c96efe6918b8655dfb5676e85f21df0f75f7bf318fc8b11d

General

Target

2024-11-05_5c73304153220629dfdcf2819f49cedb_destroyer_wannacry.exe
Size

17KB
MD5

5c73304153220629dfdcf2819f49cedb
SHA1

2263b3ce767639e84862138d175007b0fa904804
SHA256

6a3f58eb6b785786c96efe6918b8655dfb5676e85f21df0f75f7bf318fc8b11d
SHA512

7eb22638ead1dd2f699d3451f02dfd4b19d37e96d80d612d7979c2d35802ccf7fcf53ad15e026b89605274ed6d90837095304fcace3ce119820ca6646bf556f3
SSDEEP

192:h4M3MgSZWHWUHKnaV1dGOqnovuDBsphYr4codRnjcP8HgSoes/91C1m+HS3E1qEW:hl3Mg/bqo29spiZobPJor91CyLe6

Score

10^/10

chaos ransomware spyware stealer

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2380-1-0x0000000000CE0000-0x0000000000CEA000-memory.dmp	family_chaos
behavioral1/files/0x000f00000001756e-5.dat	family_chaos
behavioral1/memory/2468-7-0x0000000000D80000-0x0000000000D8A000-memory.dmp	family_chaos

Chaos family
chaos

Drops startup file 1 IoCs

Processes:

svchost.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid	Process
2468	svchost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
2572	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

svchost.exe

pid	Process
2468	svchost.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

2024-11-05_5c73304153220629dfdcf2819f49cedb_destroyer_wannacry.exesvchost.exe

pid	Process
2380	2024-11-05_5c73304153220629dfdcf2819f49cedb_destroyer_wannacry.exe
2468	svchost.exe
2468	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-11-05_5c73304153220629dfdcf2819f49cedb_destroyer_wannacry.exesvchost.exe

description	pid	Process
Token: SeDebugPrivilege	2380	2024-11-05_5c73304153220629dfdcf2819f49cedb_destroyer_wannacry.exe
Token: SeDebugPrivilege	2468	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2024-11-05_5c73304153220629dfdcf2819f49cedb_destroyer_wannacry.exesvchost.exe

description	pid	Process	procid_target
PID 2380 wrote to memory of 2468	2380	2024-11-05_5c73304153220629dfdcf2819f49cedb_destroyer_wannacry.exe	29
PID 2380 wrote to memory of 2468	2380	2024-11-05_5c73304153220629dfdcf2819f49cedb_destroyer_wannacry.exe	29
PID 2380 wrote to memory of 2468	2380	2024-11-05_5c73304153220629dfdcf2819f49cedb_destroyer_wannacry.exe	29
PID 2468 wrote to memory of 2572	2468	svchost.exe	30
PID 2468 wrote to memory of 2572	2468	svchost.exe	30
PID 2468 wrote to memory of 2572	2468	svchost.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-11-05_5c73304153220629dfdcf2819f49cedb_destroyer_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-05_5c73304153220629dfdcf2819f49cedb_destroyer_wannacry.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\read_it.txt

Filesize
16B

MD5
d5bd2edb9a4e19c111636a7d2b22dcd1

SHA1
ee1548f07a1cd5912ae1a72777ab80a841a87c7d

SHA256
765b1cf25070cb01f9b2601970482b440742f949328446f7720160ae1ffec18e

SHA512
668b1ef48cefea1e23686e33536b045b039d50d963bf96aa1bbab74d1ef8e9c7425a7234534e11cc8b119c8d14fd5f8945329a21580e6f3136579597d7134280

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
17KB

MD5
5c73304153220629dfdcf2819f49cedb

SHA1
2263b3ce767639e84862138d175007b0fa904804

SHA256
6a3f58eb6b785786c96efe6918b8655dfb5676e85f21df0f75f7bf318fc8b11d

SHA512
7eb22638ead1dd2f699d3451f02dfd4b19d37e96d80d612d7979c2d35802ccf7fcf53ad15e026b89605274ed6d90837095304fcace3ce119820ca6646bf556f3

Download Submit
memory/2380-0-0x000007FEF5E03000-0x000007FEF5E04000-memory.dmp

Filesize
4KB

Download
memory/2380-1-0x0000000000CE0000-0x0000000000CEA000-memory.dmp

Filesize
40KB

Download
memory/2468-7-0x0000000000D80000-0x0000000000D8A000-memory.dmp

Filesize
40KB

Download
memory/2468-9-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2468-10-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2468-27-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads