Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
02-12-2024 17:28
Behavioral task
behavioral1
Sample
2024-12-02_77616cef6c6bcb8a71b89eded503e288_destroyer_wannacry.exe
Resource
win7-20241023-en
windows7-x64
22 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-12-02_77616cef6c6bcb8a71b89eded503e288_destroyer_wannacry.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
22 signatures
150 seconds
General
-
Target
2024-12-02_77616cef6c6bcb8a71b89eded503e288_destroyer_wannacry.exe
-
Size
21KB
-
MD5
77616cef6c6bcb8a71b89eded503e288
-
SHA1
39c85688e3fca8ef51ffa6142a501e4227862617
-
SHA256
7e567f619693e4dbda8be70e7cfbb217c13f1a8869908df16f626bde1a294a36
-
SHA512
e84ef8ef9b6e082fb366ee3ba4607927bb9e32307e73cefffb5733463b022e6720c2a7edd053d47388c69701090cfde0b60eb7607436e3254b83286550ff3be3
-
SSDEEP
384:l3MLWHn3kIkGMnkpOJbW+AfrJGr91CropseA:Vn3kIFpUCdGr9SdeA
Malware Config
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 3 IoCs
resource yara_rule behavioral1/memory/1556-1-0x00000000011A0000-0x00000000011AC000-memory.dmp family_chaos behavioral1/files/0x000c00000001202c-4.dat family_chaos behavioral1/memory/1884-7-0x0000000000ED0000-0x0000000000EDC000-memory.dmp family_chaos -
Chaos family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 1676 bcdedit.exe 2932 bcdedit.exe -
pid Process 2844 wbadmin.exe -
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Widgets.url Widgets.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini Widgets.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Readme.md Widgets.exe -
Executes dropped EXE 1 IoCs
pid Process 1884 Widgets.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 34 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\desktop.ini Widgets.exe File opened for modification C:\Users\Admin\Music\desktop.ini Widgets.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini Widgets.exe File opened for modification C:\Users\Admin\Videos\desktop.ini Widgets.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini Widgets.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini Widgets.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini Widgets.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini Widgets.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini Widgets.exe File opened for modification C:\Users\Admin\Links\desktop.ini Widgets.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini Widgets.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini Widgets.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini Widgets.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini Widgets.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini Widgets.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini Widgets.exe File opened for modification C:\Users\Public\Desktop\desktop.ini Widgets.exe File opened for modification C:\Users\Admin\Searches\desktop.ini Widgets.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini Widgets.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini Widgets.exe File opened for modification C:\Users\Public\Documents\desktop.ini Widgets.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini Widgets.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1163522206-1469769407-485553996-1000\desktop.ini Widgets.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Widgets.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini Widgets.exe File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini Widgets.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini Widgets.exe File opened for modification C:\Users\Public\Pictures\desktop.ini Widgets.exe File opened for modification C:\Users\Public\Music\desktop.ini Widgets.exe File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini Widgets.exe File opened for modification C:\Users\Public\Videos\desktop.ini Widgets.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini Widgets.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini Widgets.exe File opened for modification C:\Users\Admin\Documents\desktop.ini Widgets.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2892 vssadmin.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings rundll32.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1884 Widgets.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid Process 1556 2024-12-02_77616cef6c6bcb8a71b89eded503e288_destroyer_wannacry.exe 1556 2024-12-02_77616cef6c6bcb8a71b89eded503e288_destroyer_wannacry.exe 1556 2024-12-02_77616cef6c6bcb8a71b89eded503e288_destroyer_wannacry.exe 1884 Widgets.exe 1884 Widgets.exe 1884 Widgets.exe 1884 Widgets.exe 1884 Widgets.exe 1884 Widgets.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1652 AcroRd32.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
description pid Process Token: SeDebugPrivilege 1556 2024-12-02_77616cef6c6bcb8a71b89eded503e288_destroyer_wannacry.exe Token: SeDebugPrivilege 1884 Widgets.exe Token: SeBackupPrivilege 2664 vssvc.exe Token: SeRestorePrivilege 2664 vssvc.exe Token: SeAuditPrivilege 2664 vssvc.exe Token: SeIncreaseQuotaPrivilege 2016 WMIC.exe Token: SeSecurityPrivilege 2016 WMIC.exe Token: SeTakeOwnershipPrivilege 2016 WMIC.exe Token: SeLoadDriverPrivilege 2016 WMIC.exe Token: SeSystemProfilePrivilege 2016 WMIC.exe Token: SeSystemtimePrivilege 2016 WMIC.exe Token: SeProfSingleProcessPrivilege 2016 WMIC.exe Token: SeIncBasePriorityPrivilege 2016 WMIC.exe Token: SeCreatePagefilePrivilege 2016 WMIC.exe Token: SeBackupPrivilege 2016 WMIC.exe Token: SeRestorePrivilege 2016 WMIC.exe Token: SeShutdownPrivilege 2016 WMIC.exe Token: SeDebugPrivilege 2016 WMIC.exe Token: SeSystemEnvironmentPrivilege 2016 WMIC.exe Token: SeRemoteShutdownPrivilege 2016 WMIC.exe Token: SeUndockPrivilege 2016 WMIC.exe Token: SeManageVolumePrivilege 2016 WMIC.exe Token: 33 2016 WMIC.exe Token: 34 2016 WMIC.exe Token: 35 2016 WMIC.exe Token: SeIncreaseQuotaPrivilege 2016 WMIC.exe Token: SeSecurityPrivilege 2016 WMIC.exe Token: SeTakeOwnershipPrivilege 2016 WMIC.exe Token: SeLoadDriverPrivilege 2016 WMIC.exe Token: SeSystemProfilePrivilege 2016 WMIC.exe Token: SeSystemtimePrivilege 2016 WMIC.exe Token: SeProfSingleProcessPrivilege 2016 WMIC.exe Token: SeIncBasePriorityPrivilege 2016 WMIC.exe Token: SeCreatePagefilePrivilege 2016 WMIC.exe Token: SeBackupPrivilege 2016 WMIC.exe Token: SeRestorePrivilege 2016 WMIC.exe Token: SeShutdownPrivilege 2016 WMIC.exe Token: SeDebugPrivilege 2016 WMIC.exe Token: SeSystemEnvironmentPrivilege 2016 WMIC.exe Token: SeRemoteShutdownPrivilege 2016 WMIC.exe Token: SeUndockPrivilege 2016 WMIC.exe Token: SeManageVolumePrivilege 2016 WMIC.exe Token: 33 2016 WMIC.exe Token: 34 2016 WMIC.exe Token: 35 2016 WMIC.exe Token: SeBackupPrivilege 2360 wbengine.exe Token: SeRestorePrivilege 2360 wbengine.exe Token: SeSecurityPrivilege 2360 wbengine.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1652 AcroRd32.exe 1652 AcroRd32.exe -
Suspicious use of WriteProcessMemory 34 IoCs
description pid Process procid_target PID 1556 wrote to memory of 1884 1556 2024-12-02_77616cef6c6bcb8a71b89eded503e288_destroyer_wannacry.exe 30 PID 1556 wrote to memory of 1884 1556 2024-12-02_77616cef6c6bcb8a71b89eded503e288_destroyer_wannacry.exe 30 PID 1556 wrote to memory of 1884 1556 2024-12-02_77616cef6c6bcb8a71b89eded503e288_destroyer_wannacry.exe 30 PID 1884 wrote to memory of 2840 1884 Widgets.exe 31 PID 1884 wrote to memory of 2840 1884 Widgets.exe 31 PID 1884 wrote to memory of 2840 1884 Widgets.exe 31 PID 2840 wrote to memory of 2892 2840 cmd.exe 33 PID 2840 wrote to memory of 2892 2840 cmd.exe 33 PID 2840 wrote to memory of 2892 2840 cmd.exe 33 PID 2840 wrote to memory of 2016 2840 cmd.exe 37 PID 2840 wrote to memory of 2016 2840 cmd.exe 37 PID 2840 wrote to memory of 2016 2840 cmd.exe 37 PID 1884 wrote to memory of 1724 1884 Widgets.exe 39 PID 1884 wrote to memory of 1724 1884 Widgets.exe 39 PID 1884 wrote to memory of 1724 1884 Widgets.exe 39 PID 1724 wrote to memory of 1676 1724 cmd.exe 41 PID 1724 wrote to memory of 1676 1724 cmd.exe 41 PID 1724 wrote to memory of 1676 1724 cmd.exe 41 PID 1724 wrote to memory of 2932 1724 cmd.exe 42 PID 1724 wrote to memory of 2932 1724 cmd.exe 42 PID 1724 wrote to memory of 2932 1724 cmd.exe 42 PID 1884 wrote to memory of 2920 1884 Widgets.exe 43 PID 1884 wrote to memory of 2920 1884 Widgets.exe 43 PID 1884 wrote to memory of 2920 1884 Widgets.exe 43 PID 2920 wrote to memory of 2844 2920 cmd.exe 45 PID 2920 wrote to memory of 2844 2920 cmd.exe 45 PID 2920 wrote to memory of 2844 2920 cmd.exe 45 PID 1884 wrote to memory of 2152 1884 Widgets.exe 49 PID 1884 wrote to memory of 2152 1884 Widgets.exe 49 PID 1884 wrote to memory of 2152 1884 Widgets.exe 49 PID 2152 wrote to memory of 1652 2152 rundll32.exe 51 PID 2152 wrote to memory of 1652 2152 rundll32.exe 51 PID 2152 wrote to memory of 1652 2152 rundll32.exe 51 PID 2152 wrote to memory of 1652 2152 rundll32.exe 51 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-12-02_77616cef6c6bcb8a71b89eded503e288_destroyer_wannacry.exe"C:\Users\Admin\AppData\Local\Temp\2024-12-02_77616cef6c6bcb8a71b89eded503e288_destroyer_wannacry.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Users\Admin\AppData\Roaming\Widgets.exe"C:\Users\Admin\AppData\Roaming\Widgets.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:2892
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2016
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no3⤵
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
PID:1676
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
PID:2932
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
PID:2844
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\Readme.md3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Readme.md"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1652
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2664
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2360
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:2972
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:1392
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD512dfa7a033e31a2604f4505c049548bb
SHA13a24aa22aa76105983c7fc12b27930872c2e6109
SHA2566c49813f15452ca4c5c4545a16f6ad9e518d3471d4d2af729c47b26d289c2e39
SHA512a9641b88371bbb982f6088c9ebd8d6dc55fe3869bdf731dd34a4609e598c80761977a60cf919e0796a54ceb103088a46aa1b7ccab7dc12fd657cf5be8c95bbcc
-
Filesize
21KB
MD577616cef6c6bcb8a71b89eded503e288
SHA139c85688e3fca8ef51ffa6142a501e4227862617
SHA2567e567f619693e4dbda8be70e7cfbb217c13f1a8869908df16f626bde1a294a36
SHA512e84ef8ef9b6e082fb366ee3ba4607927bb9e32307e73cefffb5733463b022e6720c2a7edd053d47388c69701090cfde0b60eb7607436e3254b83286550ff3be3
-
Filesize
6B
MD5f1bc568cc9342687edfc177f369e3b1f
SHA1df77fcb08f3d8ea62629606ed15fb309c56b5f27
SHA256f3658fbfc56fc225cde07f8c82c00b111f0e6d6a362fe85afa39fcd2e0593429
SHA5125fc64752860fed6821728496d0fbd5b0eb4dea113de732c84589e43fbfad520ba88905fc3d73c2ee20a09a254acfd5381e4f15b128e2be6c2a93edc94b2c19ae