General

  • Target

    2025-06-30_6521941002a027eda11ddfb5e0bfd070_destroyer_elex_wannacry

  • Size

    64KB

  • Sample

    250630-zdk9dsgl4x

  • MD5

    6521941002a027eda11ddfb5e0bfd070

  • SHA1

    c74546be184bae0db27155335ef2b6b8cc1bad0b

  • SHA256

    6ffc11d1318fb26a30fed9b77d0b1d44d26c3ad204bccc12828de5952c00ef4e

  • SHA512

    b634f1af63e80009a6c4ad012930e68dd9f7c3a743dd8072c491c134ea5f22771534656f0c977edfa88b8a3115299f72af33a3eac38a5e2beba990eb46525f25

  • SSDEEP

    768:Aqo213mnplnmjQIr9q+wH/RScoWFqnr64NdUwDD/4SArl/TOGWwePKc:no212DAQIr9qb//oWInrZ3fb187iP

Malware Config

Extracted

Path

C:\Users\Admin\Documents\PREDATOR V0.0.9 PRO EDITION

Ransom Note

███▓▒░☠ CHAOS RANSOMWARE ☠░▒▓███
>>> DO NOT TRY TO RECOVER FILES YOURSELF <<<
YOUR ENTIRE SYSTEM HAS BEEN COMPROMISED.
All your files – documents, databases, personal photos – HAVE BEEN ENCRYPTED with military-grade algorithms.
This is not a joke. We have full access to your system. Backups are either encrypted or already destroyed.
❗️YOU HAVE 72 HOURS TO PAY OR LOSE EVERYTHING❗️
After this time:
– Your files will be permanently unrecoverable
– A copy of your data will be **leaked publicly**
– You will lose access to this message and your system may be **destroyed remotely**
To recover your files, you must pay:
📌 AMOUNT: $500 in Bitcoin
📌 BTC ADDRESS: 1PUoQp1FWW8Yv6AXdrd7sLN6rcnUmJG1Q4
💡 Send payment and then contact us on Telegram to get your decryption key.
We are the only ones who can help you. Antivirus cannot remove Chaos. Do not waste time. Every second counts.
🕒 Time remaining: [72:00:00]
Once the timer hits ZERO — your fate is sealed.
Telegram: [https://t.me/Whitefoxxx]
💀 YOU HAVE BEEN WARNED 💀

Wallets

1PUoQp1FWW8Yv6AXdrd7sLN6rcnUmJG1Q4

Targets

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Chaos family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v16

Tasks