Analysis
-
max time kernel
92s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-01-2025 01:47
Behavioral task
behavioral1
Sample
2025-01-10_098bdcd33912b17a7641ab7affdeea84_wannacry.exe
Resource
win7-20240903-en
windows7-x64
14 signatures
150 seconds
Behavioral task
behavioral2
Sample
2025-01-10_098bdcd33912b17a7641ab7affdeea84_wannacry.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
16 signatures
150 seconds
General
-
Target
2025-01-10_098bdcd33912b17a7641ab7affdeea84_wannacry.exe
-
Size
520KB
-
MD5
098bdcd33912b17a7641ab7affdeea84
-
SHA1
1b70504866a1449be722131eab31f345af2687bf
-
SHA256
e019c6f094965c3bccc0a7ba09bfb09c4ff7059795da5b66b6e7a7c0ac8ef7ef
-
SHA512
c133a6f237862aa5a8ed78d31eb185119b379df9148cb98933dff4cbdc87fa0158d34ffd74efd3db3060c01f8432b41bd3728218f7a6330a43b37c0d3a361736
-
SSDEEP
3072:2EL8c9EiaBEUD/rDuuK5Khcd4T/EumQYnpsGKf7P:2EL8c9e3uuMKhcd4TGl2GKf
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Local\read_it.txt
Ransom Note
~~~LucKY_Gh0$t~~~
>>>> All your important files are encrypted !!!
The data will not be decrypted if you do not pay the ransom
>>>> What guarantees that we will not deceive you?
We are not a politically motivated group and we do not need anything other than your money.
If you pay, we will provide you the programs for decryption and we will delete your data.
Life is too short to be sad. Be not sad, money, it is only paper.
If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future.
Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment.
>>>> Contact:
Download and install SESSION (https://getsession.org)
Our SESSION id:
05e18b4f1919469a2581ec63e75edee4f9be440bde926cf1cc3aedf1115ade5655
Write to a chat and wait for the answer, we will always answer you.
Sometimes you will need to wait for our answer because we attack many companies.
>>>> Your personal DECRYPTION ID: U0001
>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!
>>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!
URLs
https://getsession.org
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 2 IoCs
resource yara_rule behavioral2/memory/2584-1-0x0000000000C20000-0x0000000000CA6000-memory.dmp family_chaos behavioral2/files/0x000a000000023b66-6.dat family_chaos -
Chaos family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation 2025-01-10_098bdcd33912b17a7641ab7affdeea84_wannacry.exe Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation svchost.exe -
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt svchost.exe -
Executes dropped EXE 1 IoCs
pid Process 3760 svchost.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification C:\Users\Admin\OneDrive\desktop.ini svchost.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini svchost.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini svchost.exe File opened for modification C:\Users\Public\Libraries\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini svchost.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini svchost.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini svchost.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini svchost.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini svchost.exe File opened for modification C:\Users\Public\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini svchost.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini svchost.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini svchost.exe File opened for modification C:\Users\Public\desktop.ini svchost.exe File opened for modification C:\Users\Admin\3D Objects\desktop.ini svchost.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini svchost.exe File opened for modification C:\Users\Public\Documents\desktop.ini svchost.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini svchost.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini svchost.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini svchost.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini svchost.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini svchost.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini svchost.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini svchost.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini svchost.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini svchost.exe File opened for modification C:\Users\Public\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini svchost.exe File opened for modification C:\Users\Public\Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini svchost.exe File opened for modification C:\Users\Public\Downloads\desktop.ini svchost.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini svchost.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Music\desktop.ini svchost.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini svchost.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini svchost.exe File opened for modification C:\Users\Public\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Searches\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini svchost.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\344sev0v4.jpg" svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings svchost.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 1120 NOTEPAD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3760 svchost.exe -
Suspicious behavior: EnumeratesProcesses 49 IoCs
pid Process 2584 2025-01-10_098bdcd33912b17a7641ab7affdeea84_wannacry.exe 2584 2025-01-10_098bdcd33912b17a7641ab7affdeea84_wannacry.exe 2584 2025-01-10_098bdcd33912b17a7641ab7affdeea84_wannacry.exe 2584 2025-01-10_098bdcd33912b17a7641ab7affdeea84_wannacry.exe 2584 2025-01-10_098bdcd33912b17a7641ab7affdeea84_wannacry.exe 2584 2025-01-10_098bdcd33912b17a7641ab7affdeea84_wannacry.exe 2584 2025-01-10_098bdcd33912b17a7641ab7affdeea84_wannacry.exe 2584 2025-01-10_098bdcd33912b17a7641ab7affdeea84_wannacry.exe 2584 2025-01-10_098bdcd33912b17a7641ab7affdeea84_wannacry.exe 2584 2025-01-10_098bdcd33912b17a7641ab7affdeea84_wannacry.exe 2584 2025-01-10_098bdcd33912b17a7641ab7affdeea84_wannacry.exe 2584 2025-01-10_098bdcd33912b17a7641ab7affdeea84_wannacry.exe 2584 2025-01-10_098bdcd33912b17a7641ab7affdeea84_wannacry.exe 2584 2025-01-10_098bdcd33912b17a7641ab7affdeea84_wannacry.exe 2584 2025-01-10_098bdcd33912b17a7641ab7affdeea84_wannacry.exe 2584 2025-01-10_098bdcd33912b17a7641ab7affdeea84_wannacry.exe 2584 2025-01-10_098bdcd33912b17a7641ab7affdeea84_wannacry.exe 2584 2025-01-10_098bdcd33912b17a7641ab7affdeea84_wannacry.exe 2584 2025-01-10_098bdcd33912b17a7641ab7affdeea84_wannacry.exe 2584 2025-01-10_098bdcd33912b17a7641ab7affdeea84_wannacry.exe 2584 2025-01-10_098bdcd33912b17a7641ab7affdeea84_wannacry.exe 2584 2025-01-10_098bdcd33912b17a7641ab7affdeea84_wannacry.exe 2584 2025-01-10_098bdcd33912b17a7641ab7affdeea84_wannacry.exe 3760 svchost.exe 3760 svchost.exe 3760 svchost.exe 3760 svchost.exe 3760 svchost.exe 3760 svchost.exe 3760 svchost.exe 3760 svchost.exe 3760 svchost.exe 3760 svchost.exe 3760 svchost.exe 3760 svchost.exe 3760 svchost.exe 3760 svchost.exe 3760 svchost.exe 3760 svchost.exe 3760 svchost.exe 3760 svchost.exe 3760 svchost.exe 3760 svchost.exe 3760 svchost.exe 3760 svchost.exe 3760 svchost.exe 3760 svchost.exe 3760 svchost.exe 3760 svchost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2584 2025-01-10_098bdcd33912b17a7641ab7affdeea84_wannacry.exe Token: SeDebugPrivilege 3760 svchost.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2584 wrote to memory of 3760 2584 2025-01-10_098bdcd33912b17a7641ab7affdeea84_wannacry.exe 83 PID 2584 wrote to memory of 3760 2584 2025-01-10_098bdcd33912b17a7641ab7affdeea84_wannacry.exe 83 PID 3760 wrote to memory of 1120 3760 svchost.exe 87 PID 3760 wrote to memory of 1120 3760 svchost.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-01-10_098bdcd33912b17a7641ab7affdeea84_wannacry.exe"C:\Users\Admin\AppData\Local\Temp\2025-01-10_098bdcd33912b17a7641ab7affdeea84_wannacry.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3760 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt3⤵
- Opens file in notepad (likely ransom note)
PID:1120
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2025-01-10_098bdcd33912b17a7641ab7affdeea84_wannacry.exe.log
Filesize226B
MD528d7fcc2b910da5e67ebb99451a5f598
SHA1a5bf77a53eda1208f4f37d09d82da0b9915a6747
SHA2562391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c
SHA5122d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6
-
Filesize
1KB
MD54c869c36a201d53bd164590b61e6cd21
SHA197a49d49c317865b29751005e2de195ec905db55
SHA25602354567f25b75e9861a6ce9d7f6fb52984b1f7ab40d1a5d61f1bead7db915c7
SHA5122f1b8b5072e971070d24b54e24169bd57c1855cc2ea4da810c7025317dc7dcc3fee94a2ac42642dff1631928b2ed9eb58ad0abd4ddcdbbc9832ac7ffdf51f669
-
Filesize
1B
MD5d1457b72c3fb323a2671125aef3eab5d
SHA15bab61eb53176449e25c2c82f172b82cb13ffb9d
SHA2568a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1
SHA512ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0
-
Filesize
520KB
MD5098bdcd33912b17a7641ab7affdeea84
SHA11b70504866a1449be722131eab31f345af2687bf
SHA256e019c6f094965c3bccc0a7ba09bfb09c4ff7059795da5b66b6e7a7c0ac8ef7ef
SHA512c133a6f237862aa5a8ed78d31eb185119b379df9148cb98933dff4cbdc87fa0158d34ffd74efd3db3060c01f8432b41bd3728218f7a6330a43b37c0d3a361736