General

  • Target

    2024-12-03_bcf73d0b807d66634d7d25f399fa8ffe_destroyer_wannacry

  • Size

    88KB

  • Sample

    241203-2e8r7atjgj

  • MD5

    bcf73d0b807d66634d7d25f399fa8ffe

  • SHA1

    3db3790b46e2d430374f6c40e7ce25e633696b75

  • SHA256

    0bb2957b2b8ed0a1c458da6edeaf5a48b2c1ecdd7d7ed33d00749ef1f5653b1e

  • SHA512

    0750fe4212f1bc7a16a426f6c363797e926656f7f27cc2bc5d5f624a436b3a075263ca29fa609696d7ef2d18b79ef7da4998c75a36c9bda2bd2beb456ae08f31

  • SSDEEP

    768:Hqo2MgNp4wBAQr9uNev2SU2Ip4jBqltCF0AxEjenoB69+Fx:Ko2g0AQr9usv2SFHBWAxEjc+

Malware Config

Targets

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Chaos family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (227) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v15

Tasks