chaos | 5a55e691732dc0601f0db09e4e3a9ea5faace1a6497455e5f9223dc913c4f264

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2025 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-25_ea6329f56de3d950ec51147a51e7e4f5_destroyer_wannacry.exe
Size

23KB
MD5

ea6329f56de3d950ec51147a51e7e4f5
SHA1

ed291641efe32c980504a8f093f61d0c7a7e1c7c
SHA256

5a55e691732dc0601f0db09e4e3a9ea5faace1a6497455e5f9223dc913c4f264
SHA512

06bc1a910d08be17d9c14ce1d163d05c6f36a8ea8b9eeccb1f9f1ab9eacb68c3a833a1b68632f0b0cab8136b1b01fed960e1ff44e4e4c7727f0fdc1e6fc411cc
SSDEEP

384:u3Mg/bqo2Q+tZR11pXrjsWyrVaJPr91CA4yQieY:Mqo23tZRTpXrjsPVePr9F4AeY

Score

10^/10

chaos ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Ransom Note

GARMIN Your files have been encrypted! All of your files are locked. We have used strong encryption to secure all of your data. To decrypt it, you need to pay a ransom. Contact us at: [email protected] for the price of your data. Important: Do not try to restore your files using backup systems or third-party tools, as this may lead to permanent data loss. You have 24hours to make the payment before your files are permanently deleted. If you contact law enforcement or attempt to bypass the process, we will delete your data immediately and without warning. We are the only ones who can restore your files.

Emails

[email protected]

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 2 IoCs

resource	yara_rule
behavioral2/memory/4596-1-0x0000000000750000-0x000000000075C000-memory.dmp	family_chaos
behavioral2/files/0x000a000000023bb7-6.dat	family_chaos

Chaos family
chaos
Renames multiple (219) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	2025-01-25_ea6329f56de3d950ec51147a51e7e4f5_destroyer_wannacry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wastedLocker.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wastedLocker.url	wastedLocker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	wastedLocker.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt	wastedLocker.exe

Executes dropped EXE 1 IoCs

pid	Process
1396	wastedLocker.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 34 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	wastedLocker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	wastedLocker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	wastedLocker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	wastedLocker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	wastedLocker.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	wastedLocker.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	wastedLocker.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	wastedLocker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	wastedLocker.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	wastedLocker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	wastedLocker.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wastedLocker.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	wastedLocker.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	wastedLocker.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	wastedLocker.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	wastedLocker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	wastedLocker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	wastedLocker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	wastedLocker.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini	wastedLocker.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wastedLocker.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	wastedLocker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	wastedLocker.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	wastedLocker.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wastedLocker.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wastedLocker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	wastedLocker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	wastedLocker.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wastedLocker.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wastedLocker.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	wastedLocker.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	wastedLocker.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	wastedLocker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	wastedLocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	wastedLocker.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2872	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1396	wastedLocker.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
4596	2025-01-25_ea6329f56de3d950ec51147a51e7e4f5_destroyer_wannacry.exe
4596	2025-01-25_ea6329f56de3d950ec51147a51e7e4f5_destroyer_wannacry.exe
4596	2025-01-25_ea6329f56de3d950ec51147a51e7e4f5_destroyer_wannacry.exe
4596	2025-01-25_ea6329f56de3d950ec51147a51e7e4f5_destroyer_wannacry.exe
4596	2025-01-25_ea6329f56de3d950ec51147a51e7e4f5_destroyer_wannacry.exe
4596	2025-01-25_ea6329f56de3d950ec51147a51e7e4f5_destroyer_wannacry.exe
4596	2025-01-25_ea6329f56de3d950ec51147a51e7e4f5_destroyer_wannacry.exe
4596	2025-01-25_ea6329f56de3d950ec51147a51e7e4f5_destroyer_wannacry.exe
4596	2025-01-25_ea6329f56de3d950ec51147a51e7e4f5_destroyer_wannacry.exe
4596	2025-01-25_ea6329f56de3d950ec51147a51e7e4f5_destroyer_wannacry.exe
4596	2025-01-25_ea6329f56de3d950ec51147a51e7e4f5_destroyer_wannacry.exe
4596	2025-01-25_ea6329f56de3d950ec51147a51e7e4f5_destroyer_wannacry.exe
4596	2025-01-25_ea6329f56de3d950ec51147a51e7e4f5_destroyer_wannacry.exe
4596	2025-01-25_ea6329f56de3d950ec51147a51e7e4f5_destroyer_wannacry.exe
4596	2025-01-25_ea6329f56de3d950ec51147a51e7e4f5_destroyer_wannacry.exe
4596	2025-01-25_ea6329f56de3d950ec51147a51e7e4f5_destroyer_wannacry.exe
4596	2025-01-25_ea6329f56de3d950ec51147a51e7e4f5_destroyer_wannacry.exe
4596	2025-01-25_ea6329f56de3d950ec51147a51e7e4f5_destroyer_wannacry.exe
4596	2025-01-25_ea6329f56de3d950ec51147a51e7e4f5_destroyer_wannacry.exe
4596	2025-01-25_ea6329f56de3d950ec51147a51e7e4f5_destroyer_wannacry.exe
4596	2025-01-25_ea6329f56de3d950ec51147a51e7e4f5_destroyer_wannacry.exe
4596	2025-01-25_ea6329f56de3d950ec51147a51e7e4f5_destroyer_wannacry.exe
4596	2025-01-25_ea6329f56de3d950ec51147a51e7e4f5_destroyer_wannacry.exe
1396	wastedLocker.exe
1396	wastedLocker.exe
1396	wastedLocker.exe
1396	wastedLocker.exe
1396	wastedLocker.exe
1396	wastedLocker.exe
1396	wastedLocker.exe
1396	wastedLocker.exe
1396	wastedLocker.exe
1396	wastedLocker.exe
1396	wastedLocker.exe
1396	wastedLocker.exe
1396	wastedLocker.exe
1396	wastedLocker.exe
1396	wastedLocker.exe
1396	wastedLocker.exe
1396	wastedLocker.exe
1396	wastedLocker.exe
1396	wastedLocker.exe
1396	wastedLocker.exe
1396	wastedLocker.exe
1396	wastedLocker.exe
1396	wastedLocker.exe
1396	wastedLocker.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4596	2025-01-25_ea6329f56de3d950ec51147a51e7e4f5_destroyer_wannacry.exe
Token: SeDebugPrivilege	1396	wastedLocker.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 1396	4596	2025-01-25_ea6329f56de3d950ec51147a51e7e4f5_destroyer_wannacry.exe	82
PID 4596 wrote to memory of 1396	4596	2025-01-25_ea6329f56de3d950ec51147a51e7e4f5_destroyer_wannacry.exe	82
PID 1396 wrote to memory of 2872	1396	wastedLocker.exe	84
PID 1396 wrote to memory of 2872	1396	wastedLocker.exe	84

C:\Users\Admin\AppData\Local\Temp\2025-01-25_ea6329f56de3d950ec51147a51e7e4f5_destroyer_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-25_ea6329f56de3d950ec51147a51e7e4f5_destroyer_wannacry.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Users\Admin\AppData\Roaming\wastedLocker.exe
  "C:\Users\Admin\AppData\Roaming\wastedLocker.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\wastedLocker.exe

Filesize
23KB

MD5
ea6329f56de3d950ec51147a51e7e4f5

SHA1
ed291641efe32c980504a8f093f61d0c7a7e1c7c

SHA256
5a55e691732dc0601f0db09e4e3a9ea5faace1a6497455e5f9223dc913c4f264

SHA512
06bc1a910d08be17d9c14ce1d163d05c6f36a8ea8b9eeccb1f9f1ab9eacb68c3a833a1b68632f0b0cab8136b1b01fed960e1ff44e4e4c7727f0fdc1e6fc411cc

Download Submit
C:\Users\Admin\Documents\read_it.txt

Filesize
641B

MD5
afe539c365d5216c4e0cfedf82d5dbdd

SHA1
6890bcb79664331d4fb5ace0443b09094249904a

SHA256
be50e1cdfae402763e8cce03be4029e01bd555c8d1f9d6dae54b8515d1dd1875

SHA512
d8b01d8c08e5d5f894a671c2fc9a2786919dc3259f6d76ba395a9d545ca050e25aa00113675d61908d3d680605356b08f0ef13dbc427dd80cfc251575d6e357f

Download Submit
memory/1396-14-0x00007FFFCD2F0000-0x00007FFFCDDB1000-memory.dmp

Filesize
10.8MB

Download
memory/1396-24-0x00007FFFCD2F0000-0x00007FFFCDDB1000-memory.dmp

Filesize
10.8MB

Download
memory/1396-505-0x00007FFFCD2F0000-0x00007FFFCDDB1000-memory.dmp

Filesize
10.8MB

Download
memory/4596-0-0x00007FFFCD2F3000-0x00007FFFCD2F5000-memory.dmp

Filesize
8KB

Download
memory/4596-1-0x0000000000750000-0x000000000075C000-memory.dmp

Filesize
48KB

Download