Overview

overview

10

Static

static

10

2025-03-17...ry.exe

windows7-x64

10

2025-03-17...ry.exe

windows10-2004-x64

10

Resubmissions

25/03/2025, 13:33

250325-qtmbyszqs8 10

25/03/2025, 13:28

250325-qqrr9swyhv 10

17/03/2025, 17:07

250317-vm97navxdt 10

17/03/2025, 16:33

250317-t2ll6svsdv 10

17/03/2025, 16:01

250317-tge9natxcw 10

Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20250207-en
  • resource tags

    arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
  • submitted
    17/03/2025, 16:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-03-17_fa88e518bfa73401b06f46344fd7f50f_destroyer_wannacry.exe

  • Size

    25KB

  • MD5

    fa88e518bfa73401b06f46344fd7f50f

  • SHA1

    113b0427a8068ee83b5367ba400b8d900ef37d51

  • SHA256

    436a860b7cf33a894940080dba3c9de6b3fc3a619f657915aecc22ea6c1de01f

  • SHA512

    cc1a7cce176861b73dc38463090ad6b487284cd76aac91543be74ae7ac2ff469e05a1555145fb3529b9b33ca2cabb442478df5384ddf4fb036ca89f07694a0d4

  • SSDEEP

    384:jYenjLLAwELM4Nuzb/3m3D4OIp91L5U1mbgyydxDGH:KwELMbXn941Ly+xDI

Score
10/10
chaosransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\read_it.txt

Ransom Note
Your computer has been permanently locked. You need to contact us to unlock your computer. How to get decryption services, you need to pay a ransom. Contact me by email. [email protected] You only need to pay me $500 and I will unencrypt your computer files for you, otherwise you will never be able to recover your computer data. -------------------------------------------------------------------------------------------------------------------------------------------------------------- 您的计算机已被永久锁定。你需要联系我们解锁你的电脑。 如何获得解密服务,你需要支付赎金。用电子邮件联系我。[email protected] 你只需要付我500美元,我就会为你解密你的电脑文件,否则你将永远无法恢复你的电脑数据。
Emails

[email protected]

如何获得解密服务,你需要支付赎金。用电子邮件联系我。[email protected]

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos
  • Chaos Ransomware 1 IoCs
  • Chaos family
    chaos
  • Renames multiple (186) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 9 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-17_fa88e518bfa73401b06f46344fd7f50f_destroyer_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-17_fa88e518bfa73401b06f46344fd7f50f_destroyer_wannacry.exe"
    1⤵
    • Drops startup file
    • Drops desktop.ini file(s)
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1932
  • C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UnblockComplete.asx"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:1660

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\read_it.txt
    Filesize

    830B

    MD5

    55be6655caca2486576c70dad6187a71

    SHA1

    1123129f1c851d9adc949704f2517c89d8cd2ea3

    SHA256

    c731f640e6d522d1a455727547aa14fc5e7e4a6a8efbeee1ffcc1b3c48c5a026

    SHA512

    5d15427fbe370dca227b1b4be0ee4b4ad1648daa9cd70fe07d205760a4f7d42a3d50ff3c5d2460b7f8c429387f87fd683ca1f5e4c202c8a047e9ea49f3a217a1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\ConnectClear.ini
    Filesize

    1B

    MD5

    d1457b72c3fb323a2671125aef3eab5d

    SHA1

    5bab61eb53176449e25c2c82f172b82cb13ffb9d

    SHA256

    8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

    SHA512

    ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

    Download Submit

  • memory/1660-965-0x000007FEF2060000-0x000007FEF2071000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1660-963-0x000007FEF1750000-0x000007FEF17B7000-memory.dmp

    Filesize

    412KB

    Download

  • memory/1660-984-0x000007FEED8B0000-0x000007FEEE960000-memory.dmp

    Filesize

    16.7MB

    Download

  • memory/1660-983-0x000007FEF2360000-0x000007FEF2616000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/1660-985-0x000007FEECB20000-0x000007FEECC2E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1660-942-0x000007FEF6D20000-0x000007FEF6D54000-memory.dmp

    Filesize

    208KB

    Download

  • memory/1660-941-0x000000013F830000-0x000000013F928000-memory.dmp

    Filesize

    992KB

    Download

  • memory/1660-944-0x000007FEFB7C0000-0x000007FEFB7D8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1660-946-0x000007FEF6CE0000-0x000007FEF6CF1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1660-945-0x000007FEF6D00000-0x000007FEF6D17000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1660-943-0x000007FEF2360000-0x000007FEF2616000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/1660-947-0x000007FEF6BE0000-0x000007FEF6BF7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1660-948-0x000007FEF6BC0000-0x000007FEF6BD1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1660-949-0x000007FEF6B50000-0x000007FEF6B6D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/1660-950-0x000007FEF6B30000-0x000007FEF6B41000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1660-952-0x000007FEF1BA0000-0x000007FEF1DAB000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1660-967-0x000007FEF2030000-0x000007FEF2058000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1660-964-0x000007FEF16D0000-0x000007FEF174C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/1660-968-0x000007FEF16A0000-0x000007FEF16C4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1660-966-0x000007FEEF670000-0x000007FEEF6C7000-memory.dmp

    Filesize

    348KB

    Download

  • memory/1660-981-0x000000013F830000-0x000000013F928000-memory.dmp

    Filesize

    992KB

    Download

  • memory/1660-982-0x000007FEF6D20000-0x000007FEF6D54000-memory.dmp

    Filesize

    208KB

    Download

  • memory/1660-969-0x000007FEEF650000-0x000007FEEF668000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1660-962-0x000007FEF2080000-0x000007FEF20B0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1660-961-0x000007FEF20B0000-0x000007FEF20C8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1660-960-0x000007FEF2120000-0x000007FEF2131000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1660-959-0x000007FEF2140000-0x000007FEF215B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/1660-958-0x000007FEF2160000-0x000007FEF2171000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1660-957-0x000007FEF2180000-0x000007FEF2191000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1660-956-0x000007FEF21A0000-0x000007FEF21B1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1660-955-0x000007FEF21C0000-0x000007FEF21D8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1660-954-0x000007FEF6B00000-0x000007FEF6B21000-memory.dmp

    Filesize

    132KB

    Download

  • memory/1660-953-0x000007FEF21E0000-0x000007FEF2221000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1660-951-0x000007FEED8B0000-0x000007FEEE960000-memory.dmp

    Filesize

    16.7MB

    Download

  • memory/1660-972-0x000007FEEF5E0000-0x000007FEEF5F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1660-971-0x000007FEEF600000-0x000007FEEF611000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1660-970-0x000007FEEF620000-0x000007FEEF643000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1660-973-0x000007FEECB20000-0x000007FEECC2E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2384-0-0x000007FEF5E83000-0x000007FEF5E84000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2384-1-0x0000000000910000-0x000000000091C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2384-935-0x000007FEF5E80000-0x000007FEF686C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2384-934-0x000007FEF5E83000-0x000007FEF5E84000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2384-225-0x000007FEF5E80000-0x000007FEF686C000-memory.dmp

    Filesize

    9.9MB

    Download