General

  • Target

    2024-12-15_603e48a98dad157d9f8661097ac9bd4e_wannacry

  • Size

    362KB

  • Sample

    241215-dxnmzasnav

  • MD5

    603e48a98dad157d9f8661097ac9bd4e

  • SHA1

    5680b89b1ff990bd32067bf2d84bb792d1614fa6

  • SHA256

    b6b9fa58bf57ceab4809ad2fc5983686567df05b92413aa8183a979b75f30016

  • SHA512

    43db5e997f260e66865195e08379dc9a6a83439cbff497f71f03255dde8ff2620b7852eeb592c1cb82d9a09934af9c0e802de879ae4476fe73a32ef324bb5354

  • SSDEEP

    6144:X4Zq9lVYxyj9aqEaEPs8PqAftRe2CT1R4qV3hAB52:X4gVYxuTEa8PqAfTPEqqV3yB52

Malware Config

Targets

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Chaos family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, among other things.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15
