Overview

overview

10

Static

static

10

2024-11-27...ry.exe

windows7-x64

10

2024-11-27...ry.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2024-11-27_3bcb06bfd037d20132b11c49f21940e5_wannacry

  • Size

    103KB

  • Sample

    241127-lex3paxpcw

  • MD5

    3bcb06bfd037d20132b11c49f21940e5

  • SHA1

    90b36f6a8da347ec2629675cf07698329d286570

  • SHA256

    b2f188b9e27d4a877e506457667a97c39f6805a597fceb1dc729e6a3f2cf6639

  • SHA512

    ad540e1f66dc86a8cb2906ec042f266c39e7264935a42a11da08a17e765e1e93b7867e1b7339e8508bfd6ce41468fad65598c149bf19f7de20163e93c71ad277

  • SSDEEP

    3072:ZoXTtyjXr9H7490Ra2icHUkPuo0vDfiO9qWQ/KTZgKbt8:d7r9b44a2BUZoKf/Ngeu+t

Score
10/10
chaoswannacrydefense_evasionevasionexecutionimpactransomwarespywarestealerworm

Malware Config

Targets

    • Target

      2024-11-27_3bcb06bfd037d20132b11c49f21940e5_wannacry

    • Size

      103KB

    • MD5

      3bcb06bfd037d20132b11c49f21940e5

    • SHA1

      90b36f6a8da347ec2629675cf07698329d286570

    • SHA256

      b2f188b9e27d4a877e506457667a97c39f6805a597fceb1dc729e6a3f2cf6639

    • SHA512

      ad540e1f66dc86a8cb2906ec042f266c39e7264935a42a11da08a17e765e1e93b7867e1b7339e8508bfd6ce41468fad65598c149bf19f7de20163e93c71ad277

    • SSDEEP

      3072:ZoXTtyjXr9H7490Ra2icHUkPuo0vDfiO9qWQ/KTZgKbt8:d7r9b44a2BUZoKf/Ngeu+t

    Score
    10/10
    chaoswannacrydefense_evasionevasionexecutionimpactransomwarespywarestealerworm

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Chaos family

      chaos

    • Wannacry

      WannaCry is a ransomware cryptoworm.

      ransomwarewormwannacry

    • Wannacry family

      wannacry

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Renames multiple (190) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks