ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Resubmissions

18-10-2019 15:52

191018-8typv9j9fn 0

09-08-2019 12:22

190809-4hmrwf3nzs 0

Analysis

max time kernel
150s
max time network
148s
resource
win7v191014

Sharing

Copy URL

Twitter E-mail

General

Target

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Sample

191018-8typv9j9fn
SHA256

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Score

N/A

Malware Config

Signatures

Drops Office document 26 IoCs

description	ioc	pid	Process
File opened for modification	C:\Users\Admin\Desktop\DisableReceive.ppt	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\StopUnregister.docx	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\Are.docx	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\ConvertSubmit.xls	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\Files.docx	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\LimitRead.ppt	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\Opened.docx	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\Recently.docx	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\SplitAssert.xls	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\These.docx	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\UnblockUnprotect.xlsx	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\ExportPush.dotx	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\PopRevoke.potx	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\UninstallClear.ppsm	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\WaitSelect.dotm	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\ImportOut.ppt	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\SubmitConvertTo.ppsm	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\SuspendEdit.xlt	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\UnlockConvertTo.potm	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\Built-In Building Blocks.dotx	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Music\ApproveTest.xlt	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Music\LimitGet.xlt	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Music\MeasureSearch.xltm	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Music\RemoveOut.pot	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Music\RestoreConvertTo.xltm	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Modifies file permissions 1 TTPs 1 IoCs

File and Directory Permissions Modification

T1222

pid	Process
1112	icacls.exe

Wannacry file encrypt 64 IoCs

description	ioc	pid	Process
File renamed	C:\Users\Admin\Desktop\DisableReceive.ppt.WNCRYT => C:\Users\Admin\Desktop\DisableReceive.ppt.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\DisableReceive.ppt.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\StopUnregister.docx.WNCRYT => C:\Users\Admin\Desktop\StopUnregister.docx.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\StopUnregister.docx.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\CompareRedo.js.WNCRYT => C:\Users\Admin\Desktop\CompareRedo.js.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\CompareRedo.js.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\ConvertToHide.cmd.WNCRYT => C:\Users\Admin\Desktop\ConvertToHide.cmd.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\ConvertToHide.cmd.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\GroupSkip.m3u.WNCRYT => C:\Users\Admin\Desktop\GroupSkip.m3u.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\GroupSkip.m3u.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\GroupWait.wma.WNCRYT => C:\Users\Admin\Desktop\GroupWait.wma.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\GroupWait.wma.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\OutDismount.bmp.WNCRYT => C:\Users\Admin\Desktop\OutDismount.bmp.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\OutDismount.bmp.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\PopCompress.bmp.WNCRYT => C:\Users\Admin\Desktop\PopCompress.bmp.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\PopCompress.bmp.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\ResetDebug.gif.WNCRYT => C:\Users\Admin\Desktop\ResetDebug.gif.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\ResetDebug.gif.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\UndoShow.wma.WNCRYT => C:\Users\Admin\Desktop\UndoShow.wma.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\UndoShow.wma.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\UnprotectPop.mov.WNCRYT => C:\Users\Admin\Desktop\UnprotectPop.mov.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\UnprotectPop.mov.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\Are.docx.WNCRYT => C:\Users\Admin\Documents\Are.docx.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\Are.docx.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\ConvertSubmit.xls.WNCRYT => C:\Users\Admin\Documents\ConvertSubmit.xls.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\ConvertSubmit.xls.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\DenyExpand.pdf.WNCRYT => C:\Users\Admin\Documents\DenyExpand.pdf.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\DenyExpand.pdf.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\Files.docx.WNCRYT => C:\Users\Admin\Documents\Files.docx.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\Files.docx.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\LimitRead.ppt.WNCRYT => C:\Users\Admin\Documents\LimitRead.ppt.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\LimitRead.ppt.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\Opened.docx.WNCRYT => C:\Users\Admin\Documents\Opened.docx.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\Opened.docx.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\ReadDeny.csv.WNCRYT => C:\Users\Admin\Documents\ReadDeny.csv.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\ReadDeny.csv.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\Recently.docx.WNCRYT => C:\Users\Admin\Documents\Recently.docx.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\Recently.docx.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\SplitAssert.xls.WNCRYT => C:\Users\Admin\Documents\SplitAssert.xls.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\SplitAssert.xls.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\These.docx.WNCRYT => C:\Users\Admin\Documents\These.docx.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\These.docx.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\UnblockUnprotect.xlsx.WNCRYT => C:\Users\Admin\Documents\UnblockUnprotect.xlsx.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\UnblockUnprotect.xlsx.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\ExitCompress.ods.WNCRYT => C:\Users\Admin\Documents\ExitCompress.ods.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\ExitCompress.ods.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\ExportPush.dotx.WNCRYT => C:\Users\Admin\Documents\ExportPush.dotx.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\ExportPush.dotx.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\PopRevoke.potx.WNCRYT => C:\Users\Admin\Documents\PopRevoke.potx.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\PopRevoke.potx.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\SaveSubmit.odp.WNCRYT => C:\Users\Admin\Documents\SaveSubmit.odp.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\SaveSubmit.odp.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\SearchSet.odp.WNCRYT => C:\Users\Admin\Documents\SearchSet.odp.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\SearchSet.odp.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\UninstallClear.ppsm.WNCRYT => C:\Users\Admin\Documents\UninstallClear.ppsm.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\UninstallClear.ppsm.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\WaitSelect.dotm.WNCRYT => C:\Users\Admin\Documents\WaitSelect.dotm.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\WaitSelect.dotm.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg.WNCRY	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Deletes shadow copies 2 TTPs 2 IoCs

ransomware

Inhibit System Recovery

T1490

pid	Process
1348	vssadmin.exe
1752	WMIC.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2004	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1132	@[email protected]

Executes dropped EXE 16 IoCs

pid	Process
1980	taskdl.exe
1960	@[email protected]
920	@[email protected]
1384	taskhsvc.exe
1896	taskdl.exe
2032	taskse.exe
1132	@[email protected]
1980	taskdl.exe
2032	taskse.exe
1168	@[email protected]
1572	taskdl.exe
1080	@[email protected]
1144	taskse.exe
1488	taskdl.exe
324	taskse.exe
1540	@[email protected]

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1392 wrote to memory of 1752	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	27
PID 1392 wrote to memory of 1112	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	29
PID 1392 wrote to memory of 1980	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	31
PID 1392 wrote to memory of 2028	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	32
PID 2028 wrote to memory of 1128	2028	cmd.exe	34
PID 1392 wrote to memory of 1960	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	36
PID 1392 wrote to memory of 1752	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	37
PID 1752 wrote to memory of 920	1752	cmd.exe	39
PID 1960 wrote to memory of 1384	1960	@[email protected]	41
PID 920 wrote to memory of 1252	920	@[email protected]	43
PID 1252 wrote to memory of 1348	1252	cmd.exe	45
PID 1252 wrote to memory of 1752	1252	cmd.exe	47
PID 1392 wrote to memory of 1896	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	48
PID 1392 wrote to memory of 2032	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	49
PID 1392 wrote to memory of 1132	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	50
PID 1392 wrote to memory of 920	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	51
PID 920 wrote to memory of 2004	920	cmd.exe	53
PID 1392 wrote to memory of 1980	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	55
PID 1392 wrote to memory of 2032	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	56
PID 1392 wrote to memory of 1168	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	57
PID 1392 wrote to memory of 1572	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	59
PID 1392 wrote to memory of 1144	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	60
PID 1392 wrote to memory of 1080	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	61
PID 1392 wrote to memory of 1488	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	64
PID 1392 wrote to memory of 324	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	65
PID 1392 wrote to memory of 1540	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	66

Loads dropped DLL 5 IoCs

pid	Process
1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1128	cscript.exe
1752	cmd.exe
1960	@[email protected]
1384	taskhsvc.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeBackupPrivilege	2012	vssvc.exe
Token: SeRestorePrivilege	2012	vssvc.exe
Token: SeAuditPrivilege	2012	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1752	WMIC.exe
Token: SeSecurityPrivilege	1752	WMIC.exe
Token: SeTakeOwnershipPrivilege	1752	WMIC.exe
Token: SeLoadDriverPrivilege	1752	WMIC.exe
Token: SeSystemProfilePrivilege	1752	WMIC.exe
Token: SeSystemtimePrivilege	1752	WMIC.exe
Token: SeProfSingleProcessPrivilege	1752	WMIC.exe
Token: SeIncBasePriorityPrivilege	1752	WMIC.exe
Token: SeCreatePagefilePrivilege	1752	WMIC.exe
Token: SeBackupPrivilege	1752	WMIC.exe
Token: SeRestorePrivilege	1752	WMIC.exe
Token: SeShutdownPrivilege	1752	WMIC.exe
Token: SeDebugPrivilege	1752	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1752	WMIC.exe
Token: SeRemoteShutdownPrivilege	1752	WMIC.exe
Token: SeUndockPrivilege	1752	WMIC.exe
Token: SeManageVolumePrivilege	1752	WMIC.exe
Token: 33	1752	WMIC.exe
Token: 34	1752	WMIC.exe
Token: 35	1752	WMIC.exe
Token: SeTcbPrivilege	2032	taskse.exe
Token: SeTcbPrivilege	2032	taskse.exe
Token: SeTcbPrivilege	1144	taskse.exe
Token: SeTcbPrivilege	324	taskse.exe

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

pid	Process
1752	attrib.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	pid	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	1132	@[email protected]

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
920	@[email protected]
1960	@[email protected]
1132	@[email protected]
1168	@[email protected]
1080	@[email protected]
1540	@[email protected]

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1384	taskhsvc.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

description	ioc	pid	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ftqqepmlkbmm513 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""	2004	reg.exe

wannacry family
family

Drops startup file 6 IoCs

description	ioc	pid	Process
File created (read-only)	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD5F1D.tmp	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD5F1D.tmp	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File deleted	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD5F1D.tmp	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File created (read-only)	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD5F40.tmp	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD5F40.tmp	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File deleted	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD5F40.tmp	1392	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops Office document
- Wannacry file encrypt
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
- Sets desktop wallpaper using registry
- Drops startup file
PID:1392

C:\Windows\SysWOW64\attrib.exe
attrib +h .
1⤵
- Views/modifies file attributes
PID:1752

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1528219934-930572129-557549151-63610335584663788913041379101392070685-478866540"
1⤵
PID:1132

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
1⤵
- Modifies file permissions
PID:1112

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1280433662-10226513411475538158-487762275-697527473-59457536-4355982841118018610"
1⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
1⤵
- Executes dropped EXE
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c 318631571421170.bat
1⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-260280539-2055907706-4783626107481143912013436800-1939050061-4979581211617693306"
1⤵
PID:1984

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
1⤵
- Loads dropped DLL
PID:1128

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected] co
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1960

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
1⤵
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID:1752

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1595314945-10746574251026515353-19305185351583364773-686724169-1509310796-246236261"
1⤵
PID:1168

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected] vs
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
PID:920

C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1384

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2052218617-993595734-203332604899427385217761576431694465813-1443044323-582022771"
1⤵
PID:488

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
1⤵
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7252279301998213456-1202163845-9177384552045403594-14446853802135238250-1582904550"
1⤵
PID:1028

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
1⤵
- Deletes shadow copies
PID:1348

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
1⤵
- Deletes shadow copies
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
1⤵
- Executes dropped EXE
PID:1896

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:1132

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ftqqepmlkbmm513" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
1⤵
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-527562182140399476535714604-1931247446-444797314-2040278859-21241577872099057348"
1⤵
PID:792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ftqqepmlkbmm513" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
1⤵
- Modifies registry key
- Adds Run entry to start application
PID:2004

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
1⤵
- Executes dropped EXE
PID:1980

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1168

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
1⤵
- Executes dropped EXE
PID:1572

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1080

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
1⤵
- Executes dropped EXE
PID:1488

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:324

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

MITRE ATT&CK Additional techniques

T1107
T1158
T1060

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1128-44-0x0000000002770000-0x0000000002774000-memory.dmp

Filesize
16KB

Download
memory/1384-402-0x0000000003350000-0x0000000003361000-memory.dmp

Filesize
68KB

Download
memory/1384-235-0x0000000002B90000-0x0000000002BA1000-memory.dmp

Filesize
68KB

Download
memory/1384-69-0x0000000002FA0000-0x0000000002FB1000-memory.dmp

Filesize
68KB

Download
memory/1384-70-0x0000000002B90000-0x0000000002BA1000-memory.dmp

Filesize
68KB

Download
memory/1384-236-0x0000000002FA0000-0x0000000002FB1000-memory.dmp

Filesize
68KB

Download
memory/1384-237-0x0000000002B90000-0x0000000002BA1000-memory.dmp

Filesize
68KB

Download
memory/1384-404-0x0000000003350000-0x0000000003361000-memory.dmp

Filesize
68KB

Download
memory/1384-68-0x0000000002B90000-0x0000000002BA1000-memory.dmp

Filesize
68KB

Download
memory/1384-403-0x0000000003760000-0x0000000003771000-memory.dmp

Filesize
68KB

Download
memory/1392-2-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download