Analysis

  • max time kernel: 117s
  • max time network: 118s
  • platform: windows7_x64
  • resource: win7-20241010-en
  • resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted: 25-01-2025 19:43

General

  • Target: 2025-01-25_ea6329f56de3d950ec51147a51e7e4f5_destroyer_wannacry.exe
  • Size: 23KB
  • MD5: ea6329f56de3d950ec51147a51e7e4f5
  • SHA1: ed291641efe32c980504a8f093f61d0c7a7e1c7c
  • SHA256: 5a55e691732dc0601f0db09e4e3a9ea5faace1a6497455e5f9223dc913c4f264
  • SHA512: 06bc1a910d08be17d9c14ce1d163d05c6f36a8ea8b9eeccb1f9f1ab9eacb68c3a833a1b68632f0b0cab8136b1b01fed960e1ff44e4e4c7727f0fdc1e6fc411cc
  • SSDEEP: 384:u3Mg/bqo2Q+tZR11pXrjsWyrVaJPr91CA4yQieY:Mqo23tZRTpXrjsPVePr9F4AeY

Malware Config

Extracted

Path: C:\Users\Admin\Documents\read_it.txt

Ransom Note
GARMIN Your files have been encrypted! All of your files are locked. We have used strong encryption to secure all of your data. To decrypt it, you need to pay a ransom. Contact us at: [email protected] for the price of your data. Important: Do not try to restore your files using backup systems or third-party tools, as this may lead to permanent data loss. You have 24hours to make the payment before your files are permanently deleted. If you contact law enforcement or attempt to bypass the process, we will delete your data immediately and without warning. We are the only ones who can restore your files.

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 3 IoCs
  • Chaos family
  • Renames multiple (230) files with added filename extension

    This suggests ransomware activity: files across the system are being encrypted and renamed.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Drops desktop.ini file(s) 34 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-25_ea6329f56de3d950ec51147a51e7e4f5_destroyer_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-25_ea6329f56de3d950ec51147a51e7e4f5_destroyer_wannacry.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2608
    • C:\Users\Admin\AppData\Roaming\wastedLocker.exe
      "C:\Users\Admin\AppData\Roaming\wastedLocker.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2904
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:2112

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\wastedLocker.exe
    Filesize: 23KB
    MD5: ea6329f56de3d950ec51147a51e7e4f5
    SHA1: ed291641efe32c980504a8f093f61d0c7a7e1c7c
    SHA256: 5a55e691732dc0601f0db09e4e3a9ea5faace1a6497455e5f9223dc913c4f264
    SHA512: 06bc1a910d08be17d9c14ce1d163d05c6f36a8ea8b9eeccb1f9f1ab9eacb68c3a833a1b68632f0b0cab8136b1b01fed960e1ff44e4e4c7727f0fdc1e6fc411cc

  • C:\Users\Admin\Documents\read_it.txt
    Filesize: 641B
    MD5: afe539c365d5216c4e0cfedf82d5dbdd
    SHA1: 6890bcb79664331d4fb5ace0443b09094249904a
    SHA256: be50e1cdfae402763e8cce03be4029e01bd555c8d1f9d6dae54b8515d1dd1875
    SHA512: d8b01d8c08e5d5f894a671c2fc9a2786919dc3259f6d76ba395a9d545ca050e25aa00113675d61908d3d680605356b08f0ef13dbc427dd80cfc251575d6e357f

  • memory/2608-0-0x000007FEF5963000-0x000007FEF5964000-memory.dmp
    Filesize: 4KB

  • memory/2608-1-0x0000000000F80000-0x0000000000F8C000-memory.dmp
    Filesize: 48KB

  • memory/2904-7-0x00000000012F0000-0x00000000012FC000-memory.dmp
    Filesize: 48KB

  • memory/2904-9-0x000007FEF5960000-0x000007FEF634C000-memory.dmp
    Filesize: 9.9MB

  • memory/2904-10-0x000007FEF5960000-0x000007FEF634C000-memory.dmp
    Filesize: 9.9MB

  • memory/2904-523-0x000007FEF5960000-0x000007FEF634C000-memory.dmp
    Filesize: 9.9MB