Analysis
-
max time kernel
93s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
03-12-2024 20:21
Behavioral task
behavioral1
Sample
2024-12-03_0f1c3242c7f577cb3687f7dfe592bac3_chaos_destroyer_wannacry.exe
Resource
win7-20240708-en
windows7-x64
22 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-12-03_0f1c3242c7f577cb3687f7dfe592bac3_chaos_destroyer_wannacry.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
22 signatures
150 seconds
General
-
Target
2024-12-03_0f1c3242c7f577cb3687f7dfe592bac3_chaos_destroyer_wannacry.exe
-
Size
29KB
-
MD5
0f1c3242c7f577cb3687f7dfe592bac3
-
SHA1
4871fc4c95e72aef2110b4c8e49b06a4d5fa1170
-
SHA256
6aeca042b584b45f29a74186ae490e7c09a40f20d7fccca9358d5c79c75ae85e
-
SHA512
069467c163aac7d5058422fca4d1e11f6e4525ca9d137f7eed2bc7844b20de6c7023fc75e84791a1dea6466f650cea9893b23f247dfc85968d70359828bb73c4
-
SSDEEP
768:2OgHsv2zm3FHMBar9dYbjT7EKBTnYD3T7:hgMeaiar9d8798DD7
Malware Config
Extracted
Path
C:\Users\Admin\Documents\ENCRYPTED!!!!
Family
chaos
Ransom Note
----> Chaos is multi language ransomware. Translate your note to any language <----
All of your files have been encrypted
Your computer was infected with a ransomware virus. Your files have been encrypted and you won't
be able to decrypt them without our help.What can I do to get my files back?You can buy our special
decryption software, this software will allow you to recover all of your data and remove the
ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only.
How do I pay, where do I get Bitcoin?
Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search
yourself to find out how to buy Bitcoin.
Many of our customers have reported these sites to be fast and reliable:
Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com
Payment informationAmount: 0.1473766 BTC
Bitcoin Address: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 2 IoCs
resource yara_rule behavioral2/memory/1888-1-0x0000000000890000-0x000000000089C000-memory.dmp family_chaos behavioral2/files/0x000b000000023b70-12.dat family_chaos -
Chaos family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 4952 bcdedit.exe 3648 bcdedit.exe -
Renames multiple (93) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
pid Process 2588 wbadmin.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation 2024-12-03_0f1c3242c7f577cb3687f7dfe592bac3_chaos_destroyer_wannacry.exe Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation svchost.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url svchost.exe -
Executes dropped EXE 1 IoCs
pid Process 1504 svchost.exe -
Drops desktop.ini file(s) 16 IoCs
description ioc Process File opened for modification C:\Users\Admin\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Music\desktop.ini svchost.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1045960512-3948844814-3059691613-1000\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Searches\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini svchost.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Videos\desktop.ini svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 vds.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 5052 vssadmin.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings svchost.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1504 svchost.exe -
Suspicious behavior: EnumeratesProcesses 51 IoCs
pid Process 1888 2024-12-03_0f1c3242c7f577cb3687f7dfe592bac3_chaos_destroyer_wannacry.exe 1888 2024-12-03_0f1c3242c7f577cb3687f7dfe592bac3_chaos_destroyer_wannacry.exe 1888 2024-12-03_0f1c3242c7f577cb3687f7dfe592bac3_chaos_destroyer_wannacry.exe 1888 2024-12-03_0f1c3242c7f577cb3687f7dfe592bac3_chaos_destroyer_wannacry.exe 1888 2024-12-03_0f1c3242c7f577cb3687f7dfe592bac3_chaos_destroyer_wannacry.exe 1888 2024-12-03_0f1c3242c7f577cb3687f7dfe592bac3_chaos_destroyer_wannacry.exe 1888 2024-12-03_0f1c3242c7f577cb3687f7dfe592bac3_chaos_destroyer_wannacry.exe 1888 2024-12-03_0f1c3242c7f577cb3687f7dfe592bac3_chaos_destroyer_wannacry.exe 1888 2024-12-03_0f1c3242c7f577cb3687f7dfe592bac3_chaos_destroyer_wannacry.exe 1888 2024-12-03_0f1c3242c7f577cb3687f7dfe592bac3_chaos_destroyer_wannacry.exe 1888 2024-12-03_0f1c3242c7f577cb3687f7dfe592bac3_chaos_destroyer_wannacry.exe 1888 2024-12-03_0f1c3242c7f577cb3687f7dfe592bac3_chaos_destroyer_wannacry.exe 1888 2024-12-03_0f1c3242c7f577cb3687f7dfe592bac3_chaos_destroyer_wannacry.exe 1888 2024-12-03_0f1c3242c7f577cb3687f7dfe592bac3_chaos_destroyer_wannacry.exe 1888 2024-12-03_0f1c3242c7f577cb3687f7dfe592bac3_chaos_destroyer_wannacry.exe 1888 2024-12-03_0f1c3242c7f577cb3687f7dfe592bac3_chaos_destroyer_wannacry.exe 1888 2024-12-03_0f1c3242c7f577cb3687f7dfe592bac3_chaos_destroyer_wannacry.exe 1888 2024-12-03_0f1c3242c7f577cb3687f7dfe592bac3_chaos_destroyer_wannacry.exe 1888 2024-12-03_0f1c3242c7f577cb3687f7dfe592bac3_chaos_destroyer_wannacry.exe 1888 2024-12-03_0f1c3242c7f577cb3687f7dfe592bac3_chaos_destroyer_wannacry.exe 1888 2024-12-03_0f1c3242c7f577cb3687f7dfe592bac3_chaos_destroyer_wannacry.exe 1888 2024-12-03_0f1c3242c7f577cb3687f7dfe592bac3_chaos_destroyer_wannacry.exe 1888 2024-12-03_0f1c3242c7f577cb3687f7dfe592bac3_chaos_destroyer_wannacry.exe 1504 svchost.exe 1504 svchost.exe 1504 svchost.exe 1504 svchost.exe 1504 svchost.exe 1504 svchost.exe 1504 svchost.exe 1504 svchost.exe 1504 svchost.exe 1504 svchost.exe 1504 svchost.exe 1504 svchost.exe 1504 svchost.exe 1504 svchost.exe 1504 svchost.exe 1504 svchost.exe 1504 svchost.exe 1504 svchost.exe 1504 svchost.exe 1504 svchost.exe 1504 svchost.exe 1504 svchost.exe 1504 svchost.exe 1504 svchost.exe 1504 svchost.exe 1504 svchost.exe 1504 svchost.exe 1504 svchost.exe -
Suspicious use of AdjustPrivilegeToken 50 IoCs
description pid Process Token: SeDebugPrivilege 1888 2024-12-03_0f1c3242c7f577cb3687f7dfe592bac3_chaos_destroyer_wannacry.exe Token: SeDebugPrivilege 1504 svchost.exe Token: SeBackupPrivilege 1096 vssvc.exe Token: SeRestorePrivilege 1096 vssvc.exe Token: SeAuditPrivilege 1096 vssvc.exe Token: SeIncreaseQuotaPrivilege 1404 WMIC.exe Token: SeSecurityPrivilege 1404 WMIC.exe Token: SeTakeOwnershipPrivilege 1404 WMIC.exe Token: SeLoadDriverPrivilege 1404 WMIC.exe Token: SeSystemProfilePrivilege 1404 WMIC.exe Token: SeSystemtimePrivilege 1404 WMIC.exe Token: SeProfSingleProcessPrivilege 1404 WMIC.exe Token: SeIncBasePriorityPrivilege 1404 WMIC.exe Token: SeCreatePagefilePrivilege 1404 WMIC.exe Token: SeBackupPrivilege 1404 WMIC.exe Token: SeRestorePrivilege 1404 WMIC.exe Token: SeShutdownPrivilege 1404 WMIC.exe Token: SeDebugPrivilege 1404 WMIC.exe Token: SeSystemEnvironmentPrivilege 1404 WMIC.exe Token: SeRemoteShutdownPrivilege 1404 WMIC.exe Token: SeUndockPrivilege 1404 WMIC.exe Token: SeManageVolumePrivilege 1404 WMIC.exe Token: 33 1404 WMIC.exe Token: 34 1404 WMIC.exe Token: 35 1404 WMIC.exe Token: 36 1404 WMIC.exe Token: SeIncreaseQuotaPrivilege 1404 WMIC.exe Token: SeSecurityPrivilege 1404 WMIC.exe Token: SeTakeOwnershipPrivilege 1404 WMIC.exe Token: SeLoadDriverPrivilege 1404 WMIC.exe Token: SeSystemProfilePrivilege 1404 WMIC.exe Token: SeSystemtimePrivilege 1404 WMIC.exe Token: SeProfSingleProcessPrivilege 1404 WMIC.exe Token: SeIncBasePriorityPrivilege 1404 WMIC.exe Token: SeCreatePagefilePrivilege 1404 WMIC.exe Token: SeBackupPrivilege 1404 WMIC.exe Token: SeRestorePrivilege 1404 WMIC.exe Token: SeShutdownPrivilege 1404 WMIC.exe Token: SeDebugPrivilege 1404 WMIC.exe Token: SeSystemEnvironmentPrivilege 1404 WMIC.exe Token: SeRemoteShutdownPrivilege 1404 WMIC.exe Token: SeUndockPrivilege 1404 WMIC.exe Token: SeManageVolumePrivilege 1404 WMIC.exe Token: 33 1404 WMIC.exe Token: 34 1404 WMIC.exe Token: 35 1404 WMIC.exe Token: 36 1404 WMIC.exe Token: SeBackupPrivilege 1536 wbengine.exe Token: SeRestorePrivilege 1536 wbengine.exe Token: SeSecurityPrivilege 1536 wbengine.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 588 OpenWith.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 1888 wrote to memory of 1504 1888 2024-12-03_0f1c3242c7f577cb3687f7dfe592bac3_chaos_destroyer_wannacry.exe 83 PID 1888 wrote to memory of 1504 1888 2024-12-03_0f1c3242c7f577cb3687f7dfe592bac3_chaos_destroyer_wannacry.exe 83 PID 1504 wrote to memory of 4144 1504 svchost.exe 84 PID 1504 wrote to memory of 4144 1504 svchost.exe 84 PID 4144 wrote to memory of 5052 4144 cmd.exe 86 PID 4144 wrote to memory of 5052 4144 cmd.exe 86 PID 4144 wrote to memory of 1404 4144 cmd.exe 91 PID 4144 wrote to memory of 1404 4144 cmd.exe 91 PID 1504 wrote to memory of 1512 1504 svchost.exe 93 PID 1504 wrote to memory of 1512 1504 svchost.exe 93 PID 1512 wrote to memory of 3648 1512 cmd.exe 95 PID 1512 wrote to memory of 3648 1512 cmd.exe 95 PID 1512 wrote to memory of 4952 1512 cmd.exe 96 PID 1512 wrote to memory of 4952 1512 cmd.exe 96 PID 1504 wrote to memory of 4824 1504 svchost.exe 97 PID 1504 wrote to memory of 4824 1504 svchost.exe 97 PID 4824 wrote to memory of 2588 4824 cmd.exe 99 PID 4824 wrote to memory of 2588 4824 cmd.exe 99 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-12-03_0f1c3242c7f577cb3687f7dfe592bac3_chaos_destroyer_wannacry.exe"C:\Users\Admin\AppData\Local\Temp\2024-12-03_0f1c3242c7f577cb3687f7dfe592bac3_chaos_destroyer_wannacry.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
PID:4144 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:5052
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1404
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no3⤵
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
PID:3648
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
PID:4952
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
- Suspicious use of WriteProcessMemory
PID:4824 -
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
PID:2588
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1096
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1536
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:4848
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:4912
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:588
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
29KB
MD50f1c3242c7f577cb3687f7dfe592bac3
SHA14871fc4c95e72aef2110b4c8e49b06a4d5fa1170
SHA2566aeca042b584b45f29a74186ae490e7c09a40f20d7fccca9358d5c79c75ae85e
SHA512069467c163aac7d5058422fca4d1e11f6e4525ca9d137f7eed2bc7844b20de6c7023fc75e84791a1dea6466f650cea9893b23f247dfc85968d70359828bb73c4
-
Filesize
964B
MD54217b8b83ce3c3f70029a056546f8fd0
SHA1487cdb5733d073a0427418888e8f7070fe782a03
SHA2567d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121
SHA5122a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740