Overview

overview

10

Static

static

10

2025-02-18...ry.exe

windows7-x64

10

2025-02-18...ry.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    18-02-2025 09:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-02-18_55d7b767f0213d18e4de54350c3891a9_wannacry.exe

  • Size

    5.6MB

  • MD5

    55d7b767f0213d18e4de54350c3891a9

  • SHA1

    d2b74d78591cedbd9b22de2cf4a155514cafbaca

  • SHA256

    65bfacb5497982e5f9af9c76efc44509fb2629d85c636273d8c7d605a34e8522

  • SHA512

    61b14063501afe53a88c0a8039476a27db5ab4d38b4037eb861355f816bc4f99db133d323cfc674cd691877ac0b9a4b6de9a37cb5f70b21fec37baace2cc3e8b

  • SSDEEP

    384:/3MLWHn3kIsd+KYgCyJpVwjonJ7r91CzKlnnnnnnnu51RTZhpN0epN:rn3kInjryJpVCoJ7r9iwnnnnnnng0en

Score
10/10
chaosdefense_evasiondiscoveryevasionexecutionimpactransomwarespywarestealer

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos
  • Chaos Ransomware 3 IoCs
  • Chaos family
    chaos
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 34 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-02-18_55d7b767f0213d18e4de54350c3891a9_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-02-18_55d7b767f0213d18e4de54350c3891a9_wannacry.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2548
    • C:\Users\Admin\AppData\Roaming\wininit.exe
      "C:\Users\Admin\AppData\Roaming\wininit.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1476
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2268
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2700
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1540
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2428
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2392
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2176
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2404
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:2256
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Roaming\overwritten.html
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2228
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2228 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2640
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1564
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2168
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:2188
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
        PID:2692

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        80a14ee20bbaede3b7b635356fb21c65

        SHA1

        84e22f9a972d526ba812df214de2d1a92b2c39ee

        SHA256

        50eaaa2a2b520fb8519ba8ded28299bbfb8a96c2e9181af788ad2a349c1502f6

        SHA512

        fd5d04a8c2d88f5dd8c77110888ede48113afb42924fa486cea9c77cbdeb089a5455b4a3467b6f11416c140bb3bab8245ee9ea01d6ebc611c27921f4c8b338ce

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        7edaba23efd3326d6163302ec3e5bc08

        SHA1

        40747e54881775696d257d6781c3d21e7315ce99

        SHA256

        cfc57835dd5e7dff7cbf19a8f171b2009fa972a33511f0911a1648512706ebb1

        SHA512

        8663842e0e3b06598de2bfff248f5c3f7e42e1edf8097ad08b0afdc33e0c11dd09c6d84f57c8124e286d940fcdde2c4d1c567c17cbe10ce1ddb29dcf0ffa8429

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        75509092e04f7523524f245d8cf4e647

        SHA1

        df2ae226768ee26de5e977ac5c2d2cb56839b78d

        SHA256

        b24d7573c514993dfcb3bc5eab28e7f6501b894890fd345989efb103b52deff8

        SHA512

        7200c78cf914ad8ed1320deb88041e5bafc48eeff9c3412629de3d824b422e31594fab0820147a8e340a3d04eb8e424df94b9f1ab2b5647102c2fd4ed65081f4

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        f84ff90a85e1e552b0b2f444a3a861ff

        SHA1

        5662923e5a46d49ab5d0005a009aa17ced9dfcd7

        SHA256

        bce9155d828beac31a96c8d11c2aaf858dd5752e3e9493681cb87fefd6507a97

        SHA512

        200ca452d774659a36605fd0e36aabcb5e2cd4f05e5bfae4fd71c8ea623fa377a32ca3ddb96f77ef77fa32a9d3a9d196bd94dc0fa38ea8b42c9a80c496da0779

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        60dd9fb91637004cc6325341cdec2e8e

        SHA1

        a1496cde3c9df0e8baaa59e09cbc66d85b83a21d

        SHA256

        219b08b068525f13573d8711a1e07cad296404dc9da03adbc4d47cdd2246ddbb

        SHA512

        e5109891d0668e6b5e0d61a61846ada1f19bcb1ffe591794875af99002be00b9ce1d9aa6cc8431baa947bf88edfc834b68be702c017dfa632f798ba30a39cf6b

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        e5b392304e075db8682bf9bb465be3d4

        SHA1

        54963b7a9c53bf869ade4f83dbdcc0ee4ba5c1ab

        SHA256

        d5b1c0bed2cca56ba28883aaa145275e97b700933798823c83f42668155f2029

        SHA512

        aa1b0cb6df0226c0414a58b39fad4d01d54b42d265e22587ae2b8417d6b1a4b9c63e88d7fdada187cb901ce926002d41c51991ab3eae7f5d8670f19194b6ea7d

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        fd6fbd2a693815bbf8d820d0a787622b

        SHA1

        92e57945be16d00048e90dc8cc40a142c93d5d14

        SHA256

        507b4bbda7437524fef006d1526b6983c2b87b2c8af1d52e2bc7e381835bc4c1

        SHA512

        59331c6e2398402b92c93fe7549c68789507001657410dfce8a501c2af33a7e00e328b79d78f70ac9b3480dc559c8b9c97cfa2db78d037582d85dd43df14a238

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        5b21f1ea506e5986198ac56c028dd3ab

        SHA1

        89f988ba82d3c658b6ed514bc0e42f57ac4af6bb

        SHA256

        c2cad3a2f12411161384ec02b241e7395f1722d745a2b806e5c40f358705ca65

        SHA512

        67a4bcfef0ea4a7cc9188e1c65521f0f5e0d48a81d908a839f3970a23085d480c96a701b6399216ee40bbe8be3d18718f8c948e687b7f16858ad8caa96b15b75

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        74cec81cc7fe25f664d1a8d6ed349516

        SHA1

        92dd10e386c648d1729fc2d69541f7019c3cdbe6

        SHA256

        2039a03f1e2dce87ee8bbb8cffe50b7d743582e972bf238abf6278e128443a73

        SHA512

        56a4cd7bf1141efdedf2ead394d29d7cf5f63d4cf69c41cf38ffa9e20fbdcaff9ecf5d1bd6dbb09e072b91fb7fb6c632b8034f2f7b31f0165bb6bcc276461c41

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        d77e58618fc34421b5511da923b3eeb6

        SHA1

        ab6d2eb9188c833689494771d6a158378e71dc32

        SHA256

        130669c29111ea224b8d8e204fac010783dda643ffe931077e5583d216c1ef9e

        SHA512

        c3a616e05b3cad9228271fdfe344be19d92b3396a8b79645cfb4221e411f6f336f4bc6b7a96600e38b28c2a945dc767bfd2fc00e7bd5a62f6dfa8177616a5990

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        04064175dbb863a0463d0ef38547820b

        SHA1

        1ba63d6149cdd46829259162102a74437a4941e9

        SHA256

        2b7bdb56f7da6e2ce2ae40193393451c11ca6ccd6d6ca3b4bd4130f2267243e7

        SHA512

        4cb7ed564ea8bd9c6860e23081c107300e69696e9ed5e37e34cc34fdb64179e5ecfc5b3f4a0b041c8fbe4c4d43ca58a297b2d89aeabc0e69b878c9ceba68ca38

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        792e1c1686a343b3dbdbf80a3878d074

        SHA1

        055688f554c42e242df45272d6c382fa9c452076

        SHA256

        704fb0f77f97a7870f03b0b87fea60db9933dace9d127ada594ecfaa9e990772

        SHA512

        170fccf1e986395d6a1ad358cc6f0b4e2ae5e9831fec1af1c2917a677d09ff6860bbd204502387094f9428ef21b4f4a9f338e00dbcd9c4963268f097c3fedcf2

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        0768bf9bb09e364e46e7a3a1ccecd239

        SHA1

        7b9eff6a33af3466d57bc9e5dc3b4a5b1dccb3e6

        SHA256

        f2bf331d6823f0c34e1649285cd774566e250794a08a676c1d02a17ff0c39f35

        SHA512

        15c2bab4bcf308cc3a91b7b85b228d438b7687e3b5c1ee7a503c520472148dfd6e6f069d7c4fa1ea23a3a5107a94a0e6c16b347b313ab41a22dbea3288636151

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        6877593cfc7c658292d08b1e665a6fe9

        SHA1

        e442ca22cb8386f20518140a8fa9f1bb46593da8

        SHA256

        42814a2f547160cf38763d8716595cfec57910b0db9803c81af64aaa3b5a8042

        SHA512

        724c31377e2338103017f6256831cecc7674f8d4910fe83e3141f3d17c15e9f3f92184a5acc9f2f8de84879cd370e20dcbf8a0abc6a179945806b52a292f872a

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        f7dc66f263bb86411c1cc2125ac9ad4e

        SHA1

        439a0e9d7ee875bebf5d997310996f117f9bdff2

        SHA256

        3bace432d0a8c53bfb8b6b71422cfadee9e89f165ca99ece51e9ebdce44fbaaa

        SHA512

        dfc7c38489590951a35ed75e075c002a3fdd93083fc588f5e803af07ca3164dac0d2d8a5061af55bf39a608a1144547eb9c7c0530cb85be7ea6ee2ceabeb3511

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        d760cd92ecb862f4129468b08379ba57

        SHA1

        956d4b4226ab56b252de8386abea030bc2b6d52f

        SHA256

        16722c834b9eff1e9434fe189562eb94810edf3bc834a2264194882dca784f8a

        SHA512

        b47f30ab47ab186d21e34779051e95956110665f0adf264f049f1fa8d1bbdf300ad7eb07fab8fcedc2cc6b3b3418d723e46560a562359d8d1e36c1f7c4f7957b

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        a4cba8614f2b8956b3a3e784ca431ad1

        SHA1

        6feb1eaf6c75c988220d15233cc160fc2bd0b1e8

        SHA256

        6b83406ec61506f486dba3aea3eb2a4602df98960963afd663e854d0935de5f5

        SHA512

        ceaea37525d4d6fd5ff0d7e3322b1af13d09f32ed5af321a8787fb98a747d00d63bd3049a87a0c5f927a40cb8fe6f3c77848149548b2af591af4be85e9a55b3a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\CabE4C7.tmp
        Filesize

        70KB

        MD5

        49aebf8cbd62d92ac215b2923fb1b9f5

        SHA1

        1723be06719828dda65ad804298d0431f6aff976

        SHA256

        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

        SHA512

        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\TarE575.tmp
        Filesize

        181KB

        MD5

        4ea6026cf93ec6338144661bf1202cd1

        SHA1

        a1dec9044f750ad887935a01430bf49322fbdcb7

        SHA256

        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

        SHA512

        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\wininit.exe
        Filesize

        5.6MB

        MD5

        55d7b767f0213d18e4de54350c3891a9

        SHA1

        d2b74d78591cedbd9b22de2cf4a155514cafbaca

        SHA256

        65bfacb5497982e5f9af9c76efc44509fb2629d85c636273d8c7d605a34e8522

        SHA512

        61b14063501afe53a88c0a8039476a27db5ab4d38b4037eb861355f816bc4f99db133d323cfc674cd691877ac0b9a4b6de9a37cb5f70b21fec37baace2cc3e8b

        Download Submit

      • C:\Users\Admin\Desktop\overwritten.html
        Filesize

        82B

        MD5

        fa4a3a1d2ab22fa84d84ec6646c7885c

        SHA1

        4b9a1e8c6535a9d3e76eb773bb9c54bb852e1eac

        SHA256

        8fe31ddd89b9f3f9e5107d24d0a1184ab1047fe89142b66d1eba1e117eba2ba3

        SHA512

        bade982388c07caf9c2b8c967c9f38627b9511294022f710404ecbb18a6d36777b7df7668e175e79d7d642b682c2a3c9fac60d27d7dbc37672579d330d6a2145

        Download Submit

      • memory/1476-515-0x000007FEF6130000-0x000007FEF6B1C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1476-7-0x00000000011C0000-0x0000000001764000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1476-8-0x000007FEF6130000-0x000007FEF6B1C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1476-79-0x000007FEF6130000-0x000007FEF6B1C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1476-85-0x000007FEF6130000-0x000007FEF6B1C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2548-0-0x000007FEF6133000-0x000007FEF6134000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2548-1-0x0000000000F30000-0x00000000014D4000-memory.dmp

        Filesize

        5.6MB

        Download