Overview

overview

10

Static

static

10

2025-01-25...ry.exe

windows7-x64

10

2025-01-25...ry.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25-01-2025 18:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-01-25_87ed765171e1a1bcad9a331bfa094360_wannacry.exe

  • Size

    619KB

  • MD5

    87ed765171e1a1bcad9a331bfa094360

  • SHA1

    7db04b4b6e6f6246ab830367996e3a2ccfa0799f

  • SHA256

    441c1aa1a603a4f77a118d5469ff8a6f8346b7f3225cbba7f3f726ec734aeb5c

  • SHA512

    17af72c21461e97e274e6178b92d84c94c41cedcd4a8f46edd47e08482bcc32dd40eed4dc7f466392b57ed3cc5a22d61ff078ebfdc18e82e943c7b7faf2f1541

  • SSDEEP

    12288:u+dknyzlV0tt5IbDEylitqURFiUq1wWmCdZ75UJTAEXNwcyvoKe47H:lsDTYDJRW

Score
10/10
chaosdefense_evasionevasionexecutionimpactransomwarespywarestealer

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos
  • Chaos Ransomware 3 IoCs
  • Chaos family
    chaos
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Disables Task Manager via registry modification
    defense_evasion
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 64 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-25_87ed765171e1a1bcad9a331bfa094360_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-25_87ed765171e1a1bcad9a331bfa094360_wannacry.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Users\Admin\AppData\Roaming\System.exe
      "C:\Users\Admin\AppData\Roaming\System.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2576
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2920
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2700
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2832
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2660
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2624
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1952
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1852
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:1464
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Dark101_read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:1728
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2796
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1272
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:2596
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
        PID:2836

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\Dark101_read_it.txt
        Filesize

        674B

        MD5

        8916e1b5e50ccfe7771fdbb8775ced7e

        SHA1

        5d41955f8ba51abe56caf50b537aa2c651e32247

        SHA256

        20458d610fa04c336598b4d96fc8eefef7a8b43c6b61a4a7b670646cd56fa132

        SHA512

        0b6caad7cedcd41afb7b210dc8b5515d2a0f73914e5218c903ff78483774fbf6688b1451493c54a8c4125fe8f14dedece7528c1844088fd74e8d31d39474e4b5

        Download Submit

      • C:\Users\Admin\AppData\Roaming\EnableCopy.mov
        Filesize

        1B

        MD5

        d1457b72c3fb323a2671125aef3eab5d

        SHA1

        5bab61eb53176449e25c2c82f172b82cb13ffb9d

        SHA256

        8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

        SHA512

        ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

        Download Submit

      • C:\Users\Admin\AppData\Roaming\System.exe
        Filesize

        619KB

        MD5

        87ed765171e1a1bcad9a331bfa094360

        SHA1

        7db04b4b6e6f6246ab830367996e3a2ccfa0799f

        SHA256

        441c1aa1a603a4f77a118d5469ff8a6f8346b7f3225cbba7f3f726ec734aeb5c

        SHA512

        17af72c21461e97e274e6178b92d84c94c41cedcd4a8f46edd47e08482bcc32dd40eed4dc7f466392b57ed3cc5a22d61ff078ebfdc18e82e943c7b7faf2f1541

        Download Submit

      • memory/2156-0-0x000007FEF5B43000-0x000007FEF5B44000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2156-1-0x0000000000B50000-0x0000000000BF0000-memory.dmp

        Filesize

        640KB

        Download

      • memory/2576-7-0x0000000000A90000-0x0000000000B30000-memory.dmp

        Filesize

        640KB

        Download

      • memory/2576-9-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2576-77-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2576-944-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

        Filesize

        9.9MB

        Download