Analysis
- max time kernel: 140s
- max time network: 152s
- resource: win10v191014
- task1: wannacry.exe on win7v191014
- task2: wannacry.exe on win10v191014
General
- Target: wannacry.exe
- Sample: 191029-vhssnz4w3x
- SHA256: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
Malware Config
- Family: wannacry
- BTC wallet: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
- Extracted from (every copy yielded the same family and wallet):
  - C:\Users\Admin\AppData\Local\Temp\@[email protected]
  - C:\Users\Admin\Desktop\@[email protected]
  - C:\Users\Admin\Documents\@[email protected]
  - (one extraction with no source path recorded)
  - C:\Recovery\WindowsRE\@[email protected]
  - C:\Users\Admin\AppData\Local\@[email protected]
  - C:\Users\Admin\AppData\Roaming\@[email protected]
  - C:\Users\Admin\Downloads\@[email protected]
  - C:\Users\Admin\Music\@[email protected]
  - C:\Users\Admin\Pictures\@[email protected]
  - C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]
  - C:\Users\All Users\Microsoft\AppV\Setup\@[email protected]
  - C:\Users\All Users\Microsoft\Diagnosis\@[email protected]
  - C:\Users\All Users\Microsoft\Network\Downloader\@[email protected]
  - C:\Users\All Users\Microsoft\UEV\Scripts\@[email protected]
  - C:\Users\All Users\Microsoft\User Account Pictures\@[email protected]
  - C:\Users\All Users\Microsoft\Windows\Caches\@[email protected]
  - C:\Users\All Users\Microsoft\Windows Live\@[email protected]
  - C:\Users\All Users\Microsoft\Windows NT\MSScan\@[email protected]
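The config extractor above reports the same wallet from every dropped note. The following is an added example, not part of the sandbox report and not the sandbox's own extractor: it pulls address-shaped tokens out of note text and validates each with Base58Check (double SHA-256 checksum), so that a transcribed or truncated address is not promoted to an IoC. The note wording and the typo'd second address are constructed for the example; only the wallet string itself comes from the report.

```python
"""Added example (not from the sandbox report): extract Bitcoin P2PKH/P2SH
wallet addresses from ransom-note text and validate them with Base58Check."""
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Address-shaped tokens: Base58 alphabet, 26-35 chars, mainnet leading '1' or '3'.
ADDR_RE = re.compile(r"\b[13][" + B58_ALPHABET + r"]{25,34}\b")

# Constructed note text. The first address is the wallet from the report's
# config; the second is the same string with its last character changed,
# standing in for a transcription error.
NOTE = """Send $300 worth of bitcoin to this address:
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
(copied by an analyst as 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLm)
"""


def b58decode(s: str) -> bytes:
    """Decode Base58 to bytes; each leading '1' becomes a leading zero byte."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-Base58 char
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def is_valid_base58check(addr: str) -> bool:
    """True when the decoded address is 25 bytes and its trailing 4-byte
    checksum equals the first 4 bytes of SHA256(SHA256(version || hash160))."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_wallets(text: str) -> dict:
    """Map every address-shaped token in `text` to whether its checksum holds."""
    return {m.group(0): is_valid_base58check(m.group(0)) for m in ADDR_RE.finditer(text)}


def valid_wallets(text: str) -> list:
    """Only the candidates worth reporting as IoCs."""
    return sorted(addr for addr, ok in extract_wallets(text).items() if ok)


if __name__ == "__main__":
    for addr, ok in extract_wallets(NOTE).items():
        print(("valid   " if ok else "invalid ") + addr)
```

The regex alone would report both strings; the checksum is what separates the wallet actually embedded in the notes from the mistyped copy.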
Signatures

Modifies file permissions (1 TTP, 1 IoC)
- PID 5060 icacls.exe

Checks system information in the registry (likely anti-VM) (2 TTPs, 2 IoCs)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer (PID 4260 svchost.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName (PID 4260 svchost.exe)
Both reads are attributed to the svchost.exe instance hosting DoSvc (PID 4260 in the Processes section), not to any of the sample's processes.

Windows security modification (2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0" (PID 1040 svchost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1" (PID 1040 svchost.exe)
Both writes are attributed to the svchost.exe instance hosting wscsvc (PID 1040), not to any of the sample's processes.

Views/modifies file attributes (1 TTP, 1 IoC)
- PID 5016 attrib.exe

Suspicious use of WriteProcessMemory (27 IoCs)
writer PID and image -> target PID (procid_target)
- 4992 wannacry.exe -> 5016 (72)
- 4992 wannacry.exe -> 5060 (75)
- 4992 wannacry.exe -> 4452 (77)
- 4992 wannacry.exe -> 3448 (78)
- 3448 cmd.exe -> 4596 (80)
- 4164 SppExtComObj.exe -> 4180 (86)
- 4992 wannacry.exe -> 4212 (88)
- 4992 wannacry.exe -> 3912 (89)
- 3912 cmd.exe -> 4812 (91)
- 4992 wannacry.exe -> 2812 (92)
- 4992 wannacry.exe -> 4940 (93)
- 4992 wannacry.exe -> 4900 (94)
- 4992 wannacry.exe -> 2464 (96)
- 4900 cmd.exe -> 5072 (97)
- 4212 @[email protected] -> 1924 (99)
- 4812 @[email protected] -> 5048 (102)
- 5048 cmd.exe -> 4968 (104)
- 5048 cmd.exe -> 3020 (106)
- 4992 wannacry.exe -> 5080 (108)
- 4992 wannacry.exe -> 368 (109)
- 4992 wannacry.exe -> 5068 (110)
- 4992 wannacry.exe -> 4412 (114)
- 4992 wannacry.exe -> 4192 (115)
- 4992 wannacry.exe -> 4148 (116)
- 4992 wannacry.exe -> 1548 (122)
- 4992 wannacry.exe -> 1596 (123)
- 4992 wannacry.exe -> 1608 (124)

Suspicious use of SetWindowsHookEx (6 IoCs)
- PIDs 4812, 4212, 4940, 5068, 4148, 1608 (all @[email protected])

Suspicious behavior: EnumeratesProcesses (1 IoC)
- PID 1924 taskhsvc.exe

Uses Volume Shadow Copy Service COM API (13 IoCs)
All under \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}:
- PID 4968 vssadmin.exe: key opened, key queried, TreatAs opened, default value queried, InprocHandler32 opened, InprocHandler opened
- PID 4956 vssvc.exe: key opened, key queried, TreatAs opened, default value queried, InprocServer32 opened, InprocHandler32 opened, InprocHandler opened

Executes dropped EXE (16 IoCs)
- taskdl.exe: PIDs 4452, 2464, 5080, 4412, 1548
- taskse.exe: PIDs 2812, 368, 4192, 1596
- @[email protected]: PIDs 4212, 4812, 4940, 5068, 4148, 1608
- taskhsvc.exe: PID 1924

Drops startup file (6 IoCs), PID 4992 wannacry.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDAF1E.tmp: created (read-only), opened for modification, deleted
- C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDAF54.tmp: created (read-only), opened for modification, deleted
Both temp files are created and deleted again within the run.

Suspicious use of AdjustPrivilegeToken (28 IoCs)
- SeTcbPrivilege: taskse.exe PIDs 2812, 368, 4192, 1596
- vssvc.exe (PID 4956): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- WMIC.exe (PID 3020): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and privileges 33, 34, 35, 36

Loads dropped DLL (1 IoC)
- PID 1924 taskhsvc.exe

Drops file in system dir (5 IoCs), PID 4588 svchost.exe (the BITS service host, see Processes)
- C:\Windows\Debug\ESE.TXT: opened for modification
- C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp: opened for modification, created
- C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp: opened for modification, created

Deletes shadow copies (2 TTPs, 2 IoCs)
- PID 4968 vssadmin.exe
- PID 3020 WMIC.exe
Wannacry file encrypt (64 IoCs), all PID 4992 wannacry.exe
For each file below the report records two events: a rename from the temporary .WNCRYT name to the final .WNCRY name, followed by the .WNCRY file being opened for modification.
- C:\Users\Admin\Desktop\WaitRevoke.txt
- C:\Users\Admin\Desktop\WritePop.pptx
- C:\Users\Admin\Desktop\CloseAdd.3gp
- C:\Users\Admin\Desktop\DismountHide.php
- C:\Users\Admin\Desktop\JoinPush.wmv
- C:\Users\Admin\Desktop\OpenSplit.xltx
- C:\Users\Admin\Desktop\SkipUnlock.xltx
- C:\Users\Admin\Desktop\StartLock.zip
- C:\Users\Admin\Desktop\StopBlock.bat
- C:\Users\Admin\Desktop\SuspendAssert.xlsm
- C:\Users\Admin\Documents\Are.docx
- C:\Users\Admin\Documents\Files.docx
- C:\Users\Admin\Documents\MergeStep.vsdx
- C:\Users\Admin\Documents\Opened.docx
- C:\Users\Admin\Documents\OptimizeGroup.txt
- C:\Users\Admin\Documents\Recently.docx
- C:\Users\Admin\Documents\SubmitDebug.ppt
- C:\Users\Admin\Documents\These.docx
- C:\Users\Admin\Documents\UnblockExport.csv
- C:\Users\Admin\Documents\WriteDismount.xlsx
- C:\Users\Admin\Documents\AddDismount.pptm
- C:\Users\Admin\Documents\ApproveMeasure.docm
- C:\Users\Admin\Documents\CloseLock.potx
- C:\Users\Admin\Documents\DisconnectCompare.xltm
- C:\Users\Admin\Documents\DismountUse.odp
- C:\Users\Admin\Documents\NewUnprotect.xltm
- C:\Users\Admin\Documents\OutConvert.docm
- C:\Users\Admin\Documents\ReceiveEnable.pot
- C:\Users\Admin\Documents\UnregisterRead.ods
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3fd336ea-c68e-47df-b2bf-24527681fe24}\0.0.filtertrie.intermediate.txt
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4c7824f5-2f93-430b-a953-417ce8bc1d70}\0.0.filtertrie.intermediate.txt

Drops Office document (29 IoCs), all PID 4992 wannacry.exe, each file opened for modification
- C:\Users\Admin\Desktop\WritePop.pptx
- C:\Users\Admin\Desktop\OpenSplit.xltx
- C:\Users\Admin\Desktop\SkipUnlock.xltx
- C:\Users\Admin\Desktop\SuspendAssert.xlsm
- C:\Users\Admin\Documents\Are.docx
- C:\Users\Admin\Documents\Files.docx
- C:\Users\Admin\Documents\Opened.docx
- C:\Users\Admin\Documents\Recently.docx
- C:\Users\Admin\Documents\SubmitDebug.ppt
- C:\Users\Admin\Documents\These.docx
- C:\Users\Admin\Documents\WriteDismount.xlsx
- C:\Users\Admin\Documents\AddDismount.pptm
- C:\Users\Admin\Documents\ApproveMeasure.docm
- C:\Users\Admin\Documents\CloseLock.potx
- C:\Users\Admin\Documents\DisconnectCompare.xltm
- C:\Users\Admin\Documents\NewUnprotect.xltm
- C:\Users\Admin\Documents\OutConvert.docm
- C:\Users\Admin\Documents\ReceiveEnable.pot
- C:\Users\Admin\AppData\Roaming\ExpandPing.doc
- C:\Users\Admin\Downloads\SwitchLock.docx
- C:\Users\Admin\Downloads\TraceUninstall.xls
- C:\Users\Admin\Music\UninstallGet.docx
- C:\Users\Admin\AppData\Roaming\CompleteInvoke.ppsm
- C:\Users\Admin\AppData\Roaming\OpenTest.dotm
- C:\Users\Admin\AppData\Roaming\StopPop.xltm
- C:\Users\Admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx
- C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
- C:\Users\Admin\Downloads\TraceWatch.xlsb
- C:\Users\Admin\Music\RestartPublish.docm
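The encrypt signature above is a single process renaming many files of many types to one new trailing extension within seconds. The following is an added example, not part of the sandbox report and not the sandbox's own signature logic: a rename-burst detector over file-rename telemetry that generalises the .WNCRYT -> .WNCRY pattern to any process, any temp suffix and any final suffix. The file names are taken from the signature; the timestamps, the explorer.exe control events and the thresholds are constructed for the example.

```python
"""Added example (not from the sandbox report): flag a process that renames
many files, of many original types, to one new trailing extension in a short
window. Generalises the report's ".WNCRYT -> .WNCRY" pattern."""
import collections
from pathlib import PureWindowsPath

BASE = r"C:\Users\Admin"
ENCRYPTED = [  # relative names taken from the report's "Wannacry file encrypt" signature
    r"Desktop\WaitRevoke.txt", r"Desktop\WritePop.pptx", r"Desktop\CloseAdd.3gp",
    r"Desktop\DismountHide.php", r"Desktop\JoinPush.wmv", r"Desktop\OpenSplit.xltx",
    r"Desktop\StartLock.zip", r"Desktop\StopBlock.bat", r"Documents\Are.docx",
    r"Documents\MergeStep.vsdx", r"Documents\UnblockExport.csv", r"Documents\DismountUse.odp",
]
# Constructed telemetry: (seconds, pid, image, old_path, new_path). Timestamps are invented.
EVENTS = [(0.25 * i, 4992, "wannacry.exe", f"{BASE}\\{name}.WNCRYT", f"{BASE}\\{name}.WNCRY")
          for i, name in enumerate(ENCRYPTED)]
EVENTS += [  # constructed benign renames by another process; these must not fire
    (3.0, 1234, "explorer.exe", f"{BASE}\\Desktop\\notes.txt", f"{BASE}\\Desktop\\notes.bak"),
    (3.5, 1234, "explorer.exe", f"{BASE}\\Desktop\\report.docx", f"{BASE}\\Desktop\\report.docx.bak"),
]


def rename_signature(old: str, new: str):
    """Return (original_ext, new_ext) when `new` is `old` with only its last
    suffix swapped, e.g. x.txt.WNCRYT -> x.txt.WNCRY gives ('.txt', '.WNCRY').
    Plain renames (x.txt -> x.bak) and appended suffixes (x.docx -> x.docx.bak)
    return None: they keep no original extension in front of the new one."""
    o, n = PureWindowsPath(old), PureWindowsPath(new)
    if o.parent != n.parent or o.stem != n.stem:
        return None
    if len(o.suffixes) < 2 or len(n.suffixes) < 2 or o.suffix == n.suffix:
        return None
    return o.suffixes[-2], n.suffix


def detect_rename_bursts(events, min_files=10, min_orig_exts=3, window=60.0):
    """Return {pid: details} for every process that renamed >= min_files files
    to the same new extension, spanning >= min_orig_exts distinct original
    extensions, inside any `window`-second span."""
    per_proc = collections.defaultdict(list)
    for ts, pid, image, old, new in events:
        sig = rename_signature(old, new)
        if sig is not None:
            per_proc[(pid, image)].append((ts, sig))
    hits = {}
    for (pid, image), rows in per_proc.items():
        rows.sort(key=lambda r: r[0])
        for i, (t0, _) in enumerate(rows):  # slide the window over each start point
            in_window = [sig for ts, sig in rows[i:] if ts - t0 <= window]
            new_ext, count = collections.Counter(s[1] for s in in_window).most_common(1)[0]
            orig_exts = {s[0] for s in in_window if s[1] == new_ext}
            if count >= min_files and len(orig_exts) >= min_orig_exts:
                hits[pid] = {"image": image, "new_ext": new_ext,
                             "files": count, "orig_exts": sorted(orig_exts)}
                break
    return hits


if __name__ == "__main__":
    for pid, d in detect_rename_bursts(EVENTS).items():
        print(pid, d["image"], d["files"], "files ->", d["new_ext"], d["orig_exts"])
```

Requiring several distinct original extensions is what keeps a build tool or an archiver that renames one file type in bulk from tripping the rule, while the sample's sweep across .txt, .pptx, .docx and the rest does.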
Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
- Set value (str) \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" (PID 4992 wannacry.exe)
- The same value set again (PID 4940 @[email protected])

Modifies registry key (1 TTP, 1 IoC)
- PID 5072 reg.exe

Adds Run entry to start application (2 TTPs, 1 IoC)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nmsqcsinudawe237 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\"" (PID 5072 reg.exe)
The command line (Processes, PID 5072) names HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; because the 32-bit reg.exe under SysWOW64 ran it, WOW64 registry redirection placed the value under WOW6432Node. Check both Run keys when hunting for this entry.
Processes
Parent PIDs are taken from the WriteProcessMemory signature table; entries without one had no recorded writer.

- PID 4992  C:\Users\Admin\AppData\Local\Temp\wannacry.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\wannacry.exe"
  sigs: Suspicious use of WriteProcessMemory; Drops startup file; Wannacry file encrypt; Drops Office document; Sets desktop wallpaper using registry
- PID 5016 (parent 4992)  C:\Windows\SysWOW64\attrib.exe
  cmd: attrib +h .
  sigs: Views/modifies file attributes
- PID 5060 (parent 4992)  C:\Windows\SysWOW64\icacls.exe
  cmd: icacls . /grant Everyone:F /T /C /Q
  sigs: Modifies file permissions
- PID 4452 (parent 4992)  C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  cmd: taskdl.exe
  sigs: Executes dropped EXE
- PID 3448 (parent 4992)  C:\Windows\SysWOW64\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /c 132211572358953.bat
  sigs: Suspicious use of WriteProcessMemory
- PID 4596 (parent 3448)  C:\Windows\SysWOW64\cscript.exe
  cmd: cscript.exe //nologo m.vbs
- PID 4164  C:\Windows\system32\SppExtComObj.exe
  cmd: C:\Windows\system32\SppExtComObj.exe -Embedding
  sigs: Suspicious use of WriteProcessMemory
- PID 4180 (parent 4164)  C:\Windows\System32\SLUI.exe
  cmd: "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
- PID 4212 (parent 4992)  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  sigs: Suspicious use of WriteProcessMemory; Suspicious use of SetWindowsHookEx; Executes dropped EXE
- PID 3912 (parent 4992)  C:\Windows\SysWOW64\cmd.exe
  (command line not recorded)
  sigs: Suspicious use of WriteProcessMemory
- PID 4812 (parent 3912)  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  sigs: Suspicious use of WriteProcessMemory; Suspicious use of SetWindowsHookEx; Executes dropped EXE
- PID 2812 (parent 4992)  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  cmd: taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  sigs: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- PID 4940 (parent 4992)  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  sigs: Suspicious use of SetWindowsHookEx; Executes dropped EXE; Sets desktop wallpaper using registry
- PID 4900 (parent 4992)  C:\Windows\SysWOW64\cmd.exe
  cmd: cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nmsqcsinudawe237" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
  sigs: Suspicious use of WriteProcessMemory
- PID 2464 (parent 4992)  C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  cmd: taskdl.exe
  sigs: Executes dropped EXE
- PID 5072 (parent 4900)  C:\Windows\SysWOW64\reg.exe
  cmd: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nmsqcsinudawe237" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
  sigs: Modifies registry key; Adds Run entry to start application
- PID 1924 (parent 4212)  C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
  cmd: TaskData\Tor\taskhsvc.exe
  sigs: Suspicious behavior: EnumeratesProcesses; Executes dropped EXE; Loads dropped DLL
- PID 5048 (parent 4812)  C:\Windows\SysWOW64\cmd.exe
  cmd: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
  sigs: Suspicious use of WriteProcessMemory
  Only vssadmin.exe (4968) and WMIC.exe (3020) appear as children of this cmd.exe; no bcdedit.exe or wbadmin.exe process is recorded in this run, so the bcdedit and wbadmin steps of the chain are visible only in this command line.
- PID 4968 (parent 5048)  C:\Windows\SysWOW64\vssadmin.exe
  cmd: vssadmin delete shadows /all /quiet
  sigs: Uses Volume Shadow Copy Service COM API; Deletes shadow copies
- PID 4956  C:\Windows\system32\vssvc.exe
  cmd: C:\Windows\system32\vssvc.exe
  sigs: Uses Volume Shadow Copy Service COM API; Suspicious use of AdjustPrivilegeToken
- PID 3020 (parent 5048)  C:\Windows\SysWOW64\Wbem\WMIC.exe
  cmd: wmic shadowcopy delete
  sigs: Suspicious use of AdjustPrivilegeToken; Deletes shadow copies
- PID 5080 (parent 4992)  C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  cmd: taskdl.exe
  sigs: Executes dropped EXE
- PID 368 (parent 4992)  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  cmd: taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  sigs: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- PID 5068 (parent 4992)  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  sigs: Suspicious use of SetWindowsHookEx; Executes dropped EXE
- PID 4588  \??\c:\windows\system32\svchost.exe
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s BITS
  sigs: Drops file in system dir
- PID 3556  \??\c:\windows\system32\svchost.exe
  cmd: c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
- PID 4412 (parent 4992)  C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  cmd: taskdl.exe
  sigs: Executes dropped EXE
- PID 4192 (parent 4992)  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  cmd: taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  sigs: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- PID 4148 (parent 4992)  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  sigs: Suspicious use of SetWindowsHookEx; Executes dropped EXE
- PID 4260  \??\c:\windows\system32\svchost.exe
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
  sigs: Checks system information in the registry (likely anti-VM)
- PID 656  \??\c:\windows\system32\svchost.exe
  cmd: c:\windows\system32\svchost.exe -k unistacksvcgroup
- PID 1040  \??\c:\windows\system32\svchost.exe
  cmd: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
  sigs: Windows security modification
- PID 1548 (parent 4992)  C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  cmd: taskdl.exe
  sigs: Executes dropped EXE
- PID 1596 (parent 4992)  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  cmd: taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  sigs: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- PID 1608 (parent 4992)  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  sigs: Suspicious use of SetWindowsHookEx; Executes dropped EXE
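The process list above contains the command lines a detection engineer would key on: the shadow-copy deletion and boot-recovery chain run from cmd.exe, the world-writable ACL from icacls, the hidden attribute from attrib, and the Run-key write from reg.exe. The following is an added example, not part of the sandbox report and not the sandbox's own signature logic: a small rule set evaluated over constructed process-creation events. The command lines are copied from the report and the parent PIDs follow its WriteProcessMemory table; the benign `vssadmin list shadows` control event, the rule names and the chain threshold are constructed for the example.

```python
"""Added example (not from the sandbox report): command-line rules for the
recovery-inhibition and persistence steps seen in the Processes section."""
import re

# Constructed process-creation events. Command lines are those the report
# recorded; the last event is an invented benign control.
EVENTS = [
    {"pid": 5016, "ppid": 4992, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmd": "attrib +h ."},
    {"pid": 5060, "ppid": 4992, "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmd": "icacls . /grant Everyone:F /T /C /Q"},
    {"pid": 5072, "ppid": 4900, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmd": r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nmsqcsinudawe237" '
            r'/t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f'},
    {"pid": 5048, "ppid": 4812, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & "
            "bcdedit /set {default} bootstatuspolicy ignoreallfailures & "
            "bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"},
    {"pid": 4968, "ppid": 5048, "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "cmd": "vssadmin delete shadows /all /quiet"},
    {"pid": 3020, "ppid": 5048, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     "cmd": "wmic shadowcopy delete"},
    {"pid": 7777, "ppid": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin list shadows"},  # constructed benign control: must not fire
]

# Rule names are this example's own; the patterns follow the report's command lines.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)\b", re.I),
    "boot_recovery_disabled": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "backup_catalog_deleted": re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I),
    "world_writable_acl": re.compile(r"\bicacls(?:\.exe)?\b.*/grant(?::r)?\s+Everyone:F\b", re.I),
    "hidden_attribute_set": re.compile(r"\battrib(?:\.exe)?\s+(?:\S+\s+)*\+h\b", re.I),
    "run_key_persistence": re.compile(r"\breg(?:\.exe)?\s+add\s+\S*\\CurrentVersion\\Run\b", re.I),
}

# Two or more of these on one command line is the ransomware "inhibit recovery" chain.
CHAIN_RULES = {"shadow_copy_deletion", "boot_recovery_disabled", "backup_catalog_deleted"}


def match_rules(cmd: str) -> set:
    """Names of every rule whose pattern occurs in the command line."""
    return {name for name, rx in RULES.items() if rx.search(cmd)}


def evaluate(events) -> dict:
    """Return {pid: sorted rule names}. The chain is judged on the parent
    cmd.exe line itself rather than on its children: in the report only
    vssadmin.exe and WMIC.exe were spawned from that line, and the bcdedit and
    wbadmin steps never appeared as processes."""
    findings = {}
    for ev in events:
        hits = match_rules(ev["cmd"])
        if len(hits & CHAIN_RULES) >= 2:
            hits.add("recovery_inhibition_chain")
        if hits:
            findings[ev["pid"]] = sorted(hits)
    return findings


if __name__ == "__main__":
    for pid, rules in evaluate(EVENTS).items():
        print(pid, ", ".join(rules))
```

Matching the whole `cmd /c a & b & c` line is the point: a rule that waits for a bcdedit.exe or wbadmin.exe process-creation event would have missed two of the five steps in this run.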
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Additional techniques (legacy technique IDs as emitted by the sandbox; current ATT&CK folds each into a sub-technique)
- T1089 Disabling Security Tools (now T1562.001)
- T1158 Hidden Files and Directories (now T1564.001)
- T1107 File Deletion (now T1070.004)
- T1060 Registry Run Keys / Startup Folder (now T1547.001)