Analysis
-
max time kernel
142s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
05-11-2024 01:49
General
-
Target
2024-11-05_5c73304153220629dfdcf2819f49cedb_destroyer_wannacry.exe
-
Size
17KB
-
MD5
5c73304153220629dfdcf2819f49cedb
-
SHA1
2263b3ce767639e84862138d175007b0fa904804
-
SHA256
6a3f58eb6b785786c96efe6918b8655dfb5676e85f21df0f75f7bf318fc8b11d
-
SHA512
7eb22638ead1dd2f699d3451f02dfd4b19d37e96d80d612d7979c2d35802ccf7fcf53ad15e026b89605274ed6d90837095304fcace3ce119820ca6646bf556f3
-
SSDEEP
192:h4M3MgSZWHWUHKnaV1dGOqnovuDBsphYr4codRnjcP8HgSoes/91C1m+HS3E1qEW:hl3Mg/bqo29spiZobPJor91CyLe6
Malware Config
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 2 IoCs
-
Chaos family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 53 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-05_5c73304153220629dfdcf2819f49cedb_destroyer_wannacry.exe"C:\Users\Admin\AppData\Local\Temp\2024-11-05_5c73304153220629dfdcf2819f49cedb_destroyer_wannacry.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt3⤵
- Opens file in notepad (likely ransom note)
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16B
MD5d5bd2edb9a4e19c111636a7d2b22dcd1
SHA1ee1548f07a1cd5912ae1a72777ab80a841a87c7d
SHA256765b1cf25070cb01f9b2601970482b440742f949328446f7720160ae1ffec18e
SHA512668b1ef48cefea1e23686e33536b045b039d50d963bf96aa1bbab74d1ef8e9c7425a7234534e11cc8b119c8d14fd5f8945329a21580e6f3136579597d7134280
-
Filesize
17KB
MD55c73304153220629dfdcf2819f49cedb
SHA12263b3ce767639e84862138d175007b0fa904804
SHA2566a3f58eb6b785786c96efe6918b8655dfb5676e85f21df0f75f7bf318fc8b11d
SHA5127eb22638ead1dd2f699d3451f02dfd4b19d37e96d80d612d7979c2d35802ccf7fcf53ad15e026b89605274ed6d90837095304fcace3ce119820ca6646bf556f3
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
40KB