Overview

overview

10

Static

static

10

2024-12-13...ry.exe

windows7-x64

10

2024-12-13...ry.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    13-12-2024 04:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-12-13_ee3cf7167280e28f0771ffedfb631a8c_chaos_destroyer_wannacry.exe

  • Size

    23KB

  • MD5

    ee3cf7167280e28f0771ffedfb631a8c

  • SHA1

    d8f54832a4eb9157bc11fb2ec8c05b96fee4d52f

  • SHA256

    b66cf029d1671b246d1a4ccd86793f587bf8e4237460b892b8009e36a7bf0e68

  • SHA512

    f4df591404f3819457c86db32473610264105f0884fa6b99c904cee57f123ee6d58bb2740587df8130b202f1b8ee47271f7dabe8849c01fd72e71f1cdd882985

  • SSDEEP

    384:R3Mg/bqo2TdYJB7RpfDKw/+98uJYr91CkT7kFWqe+C:Tqo2JoRpfDN/NyYr91kFHex

Score
10/10
chaosdefense_evasionevasionexecutionimpactransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Documents\LEIA-ME.txt

Family

chaos

Ransom Note
----> Chaos is multi language ransomware. Translate your note to any language <---- Todos os seus arquivos foram criptografados Seu computador foi infectado com um vírus ransomware. Seus arquivos foram criptografados e você não ser capaz de descriptografá-los sem nossa ajuda. O que posso fazer para recuperar meus arquivos? Você pode comprar nosso especial software de descriptografia, este software permitirá que você recupere todos os seus dados e remova o ransomware do seu computador. O preço do software é de 10 reais. O pagamento pode ser feito apenas em pix Como faço para pagar, tranfira neste pix copia e cola 00020126430014br.gov.bcb.pix0121leoboni2655@gmail.com520400005303986540510.005802BR5924Alessandra Santos Maciel6009Sao Paulo62290525tpBoqzTIGn3exNx6Jg6wSsGkP630421FC caso nao consiga chame neste email :[email protected]

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos
  • Chaos Ransomware 3 IoCs
  • Chaos family
    chaos
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 34 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-13_ee3cf7167280e28f0771ffedfb631a8c_chaos_destroyer_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-13_ee3cf7167280e28f0771ffedfb631a8c_chaos_destroyer_wannacry.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2464
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2404
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2676
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:1968
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2304
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1428
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:780
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:3036
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:448
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:2252
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\LEIA-ME.txt
        3⤵
          PID:296
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:580
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1560
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:996
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
          PID:1776

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\svchost.exe
          Filesize

          23KB

          MD5

          ee3cf7167280e28f0771ffedfb631a8c

          SHA1

          d8f54832a4eb9157bc11fb2ec8c05b96fee4d52f

          SHA256

          b66cf029d1671b246d1a4ccd86793f587bf8e4237460b892b8009e36a7bf0e68

          SHA512

          f4df591404f3819457c86db32473610264105f0884fa6b99c904cee57f123ee6d58bb2740587df8130b202f1b8ee47271f7dabe8849c01fd72e71f1cdd882985

          Download Submit

        • C:\Users\Admin\Documents\LEIA-ME.txt
          Filesize

          868B

          MD5

          db678c9756d9e4d1fc912a7b9b5aad2f

          SHA1

          3e260e5ed4e1ef0e51c910a4e0b94c62a3a24521

          SHA256

          da568b7fa0fc05e7c153e03db837143f4f327228492b9aa9a1f1229abdd878d0

          SHA512

          e8d24549ae2e33655d64f8fc4d689ccea0d8ed28a09bf57a0527d21d8e1fccb16af5ec5cd2bed38b6d21fc1dd644f9ee413d62c9c96414198d31130b654064f8

          Download Submit

        • memory/2404-7-0x0000000000C80000-0x0000000000C8C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2404-9-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2404-16-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2404-468-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2464-0-0x000007FEF6343000-0x000007FEF6344000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2464-1-0x00000000010B0000-0x00000000010BC000-memory.dmp

          Filesize

          48KB

          Download