Overview

overview

10

Static

static

10

2025-03-28...ry.exe

windows7-x64

10

2025-03-28...ry.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    29/03/2025, 00:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-03-28_4c0e5c4aa3eb66907cf32b7bd869dd8f_wannacry.exe

  • Size

    1.6MB

  • MD5

    4c0e5c4aa3eb66907cf32b7bd869dd8f

  • SHA1

    2f97ad58991c727a897f4613e00d6b24a3300a85

  • SHA256

    31aa2f05a7cd0b81002336c0f0b5397415b9ee70250862f91215e2bc4bb571d8

  • SHA512

    56ddad28ad605fe95b4b8f1ea00a130db1e07e082391ce2a1c8336d4ee6f177d1d9806b8a5e200ddc2bf7319f9ba44f194cb48f52f3e9f2c689e7d9b502eea51

  • SSDEEP

    24576:T1I8mdFc9nPV3EouDm6BkNEnzC5CW78UV:OFc3C37zCyG

Score
10/10
chaosdefense_evasionevasionexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\read_it.txt

Ransom Note
Don't worry, you can return all your files! All your files like documents, photos, databases and other important are encrypted What guarantees do we give to you? You can send 3 of your encrypted files and we decrypt it for free. You must follow these steps To decrypt your files : 1) Write on our e-mail :[email protected] ( In case of no answer in 24 hours check your spam folder or write us to this e-mail: [email protected]) 2) Obtain Bitcoin (You have to pay for decryption in Bitcoins. After payment we will send you the tool that will decrypt all your files.)

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos
  • Chaos Ransomware 3 IoCs
  • Chaos family
    chaos
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Disables Task Manager via registry modification
    defense_evasion
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 5 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 62 IoCs
  • Suspicious use of FindShellTrayWindow 43 IoCs
  • Suspicious use of SendNotifyMessage 33 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-28_4c0e5c4aa3eb66907cf32b7bd869dd8f_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-28_4c0e5c4aa3eb66907cf32b7bd869dd8f_wannacry.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:816
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2388
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2884
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2956
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:860
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2000
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1640
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2216
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:944
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:2404
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:2392
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2940
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2780
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1940
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:2028
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
        PID:1864

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      Windows Management Instrumentation

      1
      T1047

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Active Setup

      1
      T1547.014

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      2
      T1547

      Active Setup

      1
      T1547.014

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Direct Volume Access

      1
      T1006

      Indicator Removal

      3
      T1070

      File Deletion

      3
      T1070.004

      Modify Registry

      3
      T1112

      Credential Access

      Credentials from Password Stores

      1
      T1555

      Credentials from Web Browsers

      1
      T1555.003

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Command and Control

      Exfiltration

      Impact

      Defacement

      1
      T1491

      Inhibit System Recovery

      4
      T1490

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\read_it.txt
        Filesize

        582B

        MD5

        ed5cc52876db869de48a4783069c2a5e

        SHA1

        a9d51ceaeff715ace430f9462ab2ee4e7f33e70e

        SHA256

        45726f2f29967ef016f8d556fb6468a577307d67388cc4530295a9ca10fdfa36

        SHA512

        1745aefb9b4db4cdd7c08ee3a7d133db08f35a336fd18b598211519b481ef25ac84a3e8a3da3db06caef9f531288d1cf0ca8d4b2560637945e7953e8b45421f5

        Download Submit

      • C:\Users\Admin\AppData\Roaming\svchost.exe
        Filesize

        1.6MB

        MD5

        4c0e5c4aa3eb66907cf32b7bd869dd8f

        SHA1

        2f97ad58991c727a897f4613e00d6b24a3300a85

        SHA256

        31aa2f05a7cd0b81002336c0f0b5397415b9ee70250862f91215e2bc4bb571d8

        SHA512

        56ddad28ad605fe95b4b8f1ea00a130db1e07e082391ce2a1c8336d4ee6f177d1d9806b8a5e200ddc2bf7319f9ba44f194cb48f52f3e9f2c689e7d9b502eea51

        Download Submit

      • C:\Users\Admin\Desktop\BackupWait.pptm.6dtu
        Filesize

        246KB

        MD5

        6acd963970ad2b322f39384c173473c0

        SHA1

        fbfa48c131bc85176229cf7a2da3752591324a94

        SHA256

        9c8ea3fdf0a1444c95c73313116ff171e665c09142cf6b9fd8dedc58753e5270

        SHA512

        90706910784e0af98a80aa91baa68a28ea47f37d1db9aae048efa6f1eb178e204cca42372c768155e61feb5e6d5f82996f8ecd242a2b07ffdacc5a71ae1557a2

        Download Submit

      • C:\Users\Admin\Desktop\ConnectInstall.xlsx.6nk0
        Filesize

        10KB

        MD5

        67c9d57c117ef7b65c15f2feb1ddc722

        SHA1

        c97eae2c086ae1ae12409922942811cf0ff7091e

        SHA256

        6155defa9ecf62f2537745c73d238c1c720820ecb41ebfddf30aa04743709669

        SHA512

        ecff0f8872733144d27c1a80c1e2b3e35ac630d96c2095c6a90dad05fa3f37285021c0a2d92ae5d25f90cac9391367b14833bf774da5fede0c2e167dcef872cd

        Download Submit

      • C:\Users\Admin\Desktop\ConvertToUndo.docx.w1ib
        Filesize

        373KB

        MD5

        4c489046dcb7976dad1348d78045d7e2

        SHA1

        f8ff4c8be381ab880153a059270f8c29e21db07e

        SHA256

        ff7c4a5f53fd917db22daabcaa7800e4551b15302880607ba3f111b3531e82ae

        SHA512

        4f39cde288e635e6d735f228df385d3f468c9f435d827b770d9dfac8388989c3224cbda2366a25e9242e6566eef2a1f9a3b3ec1fe8fb5244ccf686835bf7d4b5

        Download Submit

      • C:\Users\Admin\Desktop\ExportExit.m4a
        Filesize

        1B

        MD5

        d1457b72c3fb323a2671125aef3eab5d

        SHA1

        5bab61eb53176449e25c2c82f172b82cb13ffb9d

        SHA256

        8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

        SHA512

        ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

        Download Submit

      • C:\Users\Admin\Desktop\ExportExit.m4a.lmjb
        Filesize

        212KB

        MD5

        36399cec0878b9d4e52b5bf52ee4881a

        SHA1

        533aa54dcdbec8a98f844fa82efc2fe786271fb3

        SHA256

        7a9aa861cf69a9c4d8ad1b68206291d8305276f0ea138e3f097b7e08286fa9cf

        SHA512

        85ab229b42bc8dfeb4c0c7039f42afad5a081b7397262ff27131a8b64e4796500f80f9aa51f0282fcc4317b9cea32e4a4a444f3b538bd266e3046801fba73e1e

        Download Submit

      • C:\Users\Admin\Desktop\ExportImport.jpeg.neqy
        Filesize

        562KB

        MD5

        55d159cd5df8b36f4c6493d7a8b74132

        SHA1

        220fa3eb9ab1e98822b1562913f83285cd9fa790

        SHA256

        5518e2ce8b7e7bcd6c739d643c789451d82d56ea4907cdc83910215f3c939aa0

        SHA512

        f7ab712e1d01092e9b7690aa5599a9169617ecb42685cf0a5dc345a5934071ed9cdeb6075772e496a0dd9891fa711c9c9c228d455b6fbc49c5b1e67a7dc3d4c9

        Download Submit

      • C:\Users\Admin\Desktop\ImportFind.mov.7fko
        Filesize

        384KB

        MD5

        6b5d612dbfec090e7d7a84a200f5115c

        SHA1

        ab0e03c36be626df83f0bff593914521404af2fd

        SHA256

        5639ad12cd75f26e47f9a0ff77881419cd76402509a9480269b564ec6506d24f

        SHA512

        775aa5e9bb9f095f58c9740e4798b2adff45422dfe45c254b05ad6ba0eb31eea660a06494df331becade780f21046430143e07b85ddd17d1f2613d57f1f58197

        Download Submit

      • C:\Users\Admin\Desktop\PingResume.mpg.7tq2
        Filesize

        143KB

        MD5

        ec9bc460a31c54673d2d77d3ea4e4cb8

        SHA1

        f272f5a5eb7e46278a0775b4d8bf56848418a98a

        SHA256

        177f3bce2da45f46a3ab5791d01a8997278aa933ddf0f7fd053d7ed8d8cf601d

        SHA512

        fed22eb7faad5dbc14b7266d729a8edf04ee8068907c4aeda47accc4b815c6f2abaddbed8c364f53dd336f96b4a113d4617458202990e2e1cf8529c84e1ed336

        Download Submit

      • C:\Users\Admin\Desktop\PopClear.potm.p1hh
        Filesize

        201KB

        MD5

        6c38d90cf35ed8f79394719e86d54432

        SHA1

        398f75512b111e2d3e16e9c4783972ad1e473e17

        SHA256

        9f6f807dff3e77cb57546c0ed91c14214df7a1f0a57321c6750a659a5016cf03

        SHA512

        e08fa14cd1d92ea5f0589f4fb08cbced33acd74880f8945a73bf38333f5706a1ca4e37f1b09dadcaa3021f5d42db78e4a486096a6c0bc6d3b783c2ef2b2241ae

        Download Submit

      • C:\Users\Admin\Desktop\SubmitLimit.rtf.zeee
        Filesize

        155KB

        MD5

        1dabcd1838cd8d7ab3cee458f73c029b

        SHA1

        8087b98cd16f652c2eedb31a5c5db1e45f7e4896

        SHA256

        9de45749ee9c0a8d1967ca55cad7c6ec5fd44b0d6045a7b41d3c581fa6337a31

        SHA512

        21c793f26b1a6ebe104aa43e43740f43eb4f548d649efed23a3e1b7cb3cf1eec55b29c40088c0a67948a5ba943066f15cb66c5285f5e961126355c448edb5ce0

        Download Submit

      • C:\Users\Admin\Desktop\UnblockResume.xlsx.yc45
        Filesize

        15KB

        MD5

        abaae5b324d1f2076c652fa64bc1ce3b

        SHA1

        6ae88359e847e5e931b6975952f74b4793463c33

        SHA256

        21e61c1366ca11ca4dd8821a9f5a55de7f0caccc673969704eb5247e575702aa

        SHA512

        11ccf9e9f915414ee6b7e8f153928185ec82e8ea39bf4de73bf09430da91c609d014371ded7d193604f6eb266ac12b81ab7444429e2099b357685f06df27e5c3

        Download Submit

      • C:\Users\Admin\Desktop\UnprotectInitialize.bin.encw
        Filesize

        396KB

        MD5

        bab4a5843a7148ca5e7558465059c730

        SHA1

        db4cd1f400252f6a73b0881b64853e93a074880e

        SHA256

        3b2972514b49fb1afc9f8cea867fd8f61a6cc1c3658b8f19f131193e458b65fd

        SHA512

        328c1dc305c28d3aa128ede64a8f0f35ac3f2dde8443f3e5be496c2100183b00191781d061eba601f5d3e2ac599f56a28e0e8cccadef44cc13695c6c4798908b

        Download Submit

      • C:\Users\Admin\Desktop\UpdateOut.xlt.b4df
        Filesize

        189KB

        MD5

        b43e4ae9e55980811c6e6fa2740bc385

        SHA1

        9c055648840cea6076a71c64db93025bc23bc1ab

        SHA256

        fe6f0e41abbf4d4f2cf7415a053839b6e37b2ff24e8507fe14d4c82f81aac16b

        SHA512

        7e6995b406eb7f235477037ed283e72ea349580eb4cd075c59281b67ea98b6a0165d8d4420c166bfde0585ce27d6d345ee6b7a50496ddb6de5b75aeb9df043ba

        Download Submit

      • C:\Users\Public\Desktop\Adobe Reader 9.lnk.4t9n
        Filesize

        2KB

        MD5

        deb05599e6c7474430f6f6ea82c095e6

        SHA1

        0826278051d7888c8da418de082b7b2699124e0c

        SHA256

        756a89b88860eef5e29e93d29d89d5e0e7b90df128e2e929a46fd3bb5f38694f

        SHA512

        5f765c07656e2917e37b7c3264841c1f611f635a638505e6d302b3418938052ec884183f24e4a26c4c564a8cbe1babe917cf1e8619288faf206d29cfadc76312

        Download Submit

      • C:\Users\Public\Desktop\Firefox.lnk.8k0g
        Filesize

        1KB

        MD5

        378d3a155c66fb5ef31db7eb87060950

        SHA1

        6ecaa88bfdb5f57ec136c3d9ac7d6526907de4a2

        SHA256

        03c6a654d99adb1f357985a13392200220be987bfb38b53add30ed5235f3fedb

        SHA512

        5f3edbf860e6c1be181e7df98f7b589f3c903f69bda26a76ec8577f3fbcbcc7e9b83ccc8dc8260c530ed1dec025755d78fd726282bf7c4d039284b08541ed3c2

        Download Submit

      • C:\Users\Public\Desktop\Google Chrome.lnk.z0mq
        Filesize

        2KB

        MD5

        e1cb6c6e9bfcbda7249c883780a1f2e1

        SHA1

        cc8aaf53165634c373f8e8d9f114cd3a47d91661

        SHA256

        c417df8daa047739783841781b0279f7c1f5a4f46f1725c3bc25deb2ec5b9871

        SHA512

        21d02f772de68d5fd60e1cd436fdb5239d7c9db65eef3c2c198aae70df6cb9bbfa0825df30efddd75a09bcc321f7ea2a1e2ac51ddff1c76c15186eb772c33dc8

        Download Submit

      • C:\Users\Public\Desktop\VLC media player.lnk.4lai
        Filesize

        1KB

        MD5

        4227833dc06aa72914c750aad44bbfb7

        SHA1

        4ee9f0f6e04d215be3fd2a9f6acdde62eb10e4a6

        SHA256

        71ce6a6596b34d2618ffee8b1a4708f0c639e8cf3f7c97816a3b395851e6f1df

        SHA512

        7417165e1a9e5b58100933904f4e2a13e650dd28bfb26e6dfb1dc7e689e81798cfd29e337249871be9808477c3c0029a5b57f409ba110079cc89334f021580a1

        Download Submit

      • memory/816-11-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/816-1-0x0000000000B30000-0x0000000000CCE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/816-0-0x000007FEF5163000-0x000007FEF5164000-memory.dmp

        Filesize

        4KB

        Download

      • memory/816-2-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2388-8-0x0000000000130000-0x00000000002CE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/2388-9-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2388-10-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2388-12-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2780-928-0x0000000003BC0000-0x0000000003BD0000-memory.dmp

        Filesize

        64KB

        Download