Overview

overview

10

task1

 

10

task2

 

10

task3

 

10

task4

 

10

Resubmissions

02-12-2019 09:09

191202-3peefk1fgj 10

25-11-2019 09:33

191125-mlb76vzzln 0

13-11-2019 08:52

191113-bdf8dc3pq6 0

13-11-2019 07:11

191113-f1dft78f6s 0

13-11-2019 07:10

191113-591nb65hbx 0

30-10-2019 14:27

191030-9pe7klare6 0

Analysis

  • max time kernel
    149s
  • max time network
    141s
  • resource
    win7v191014

Sharing

Copy URL
Twitter E-mail

General

  • Target

    test.zip

  • Sample

    191030-9pe7klare6

  • SHA256

    72b228f51cf5a1b7600f0e0848145e4e54e54838977a5a5b1c85f69b64b92cf5

Score
N/A

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Extracted

Path

C:\Users\Admin\Desktop\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Extracted

Path

C:\Users\Admin\Documents\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Extracted

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-1000-0000000FF1CE}-C\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Extracted

Path

C:\Users\Admin\AppData\Local\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Extracted

Path

C:\Users\Admin\AppData\Roaming\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Extracted

Path

C:\Users\Admin\Music\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Extracted

Path

C:\Users\Admin\Pictures\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Extracted

Path

C:\Users\All Users\Microsoft\User Account Pictures\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Extracted

Path

C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Extracted

Path

C:\Users\All Users\Microsoft\Windows\Caches\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Extracted

Path

C:\Users\All Users\Microsoft\Windows\Ringtones\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Extracted

Path

C:\Users\All Users\Microsoft\Windows NT\MSScan\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Extracted

Path

C:\Users\Public\Music\Sample Music\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Extracted

Path

C:\Users\Public\Pictures\Sample Pictures\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Extracted

Path

C:\Users\Public\Videos\Sample Videos\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

  • Drops startup file 6 IoCs
  • Deletes shadow copies 2 TTPs 2 IoCs
    ransomware
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Wannacry file encrypt 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Adds Run entry to start application 2 TTPs 1 IoCs
    persistence
  • wannacry family
    familywannacry
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion
  • Modifies file permissions 1 TTPs 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Executes dropped EXE 16 IoCs
  • Drops Office document 26 IoCs
    dropperexploitermaldoc
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Uses Volume Shadow Copy Service COM API 18 IoCs
    ransomware
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Modifies registry key 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
    "C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
    1⤵
    • Drops startup file
    • Wannacry file encrypt
    • Loads dropped DLL
    • Drops Office document
    • Sets desktop wallpaper using registry
    • Suspicious use of WriteProcessMemory
    PID:1468
  • C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    1⤵
    • Views/modifies file attributes
    PID:1744
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-1548836680-533666437-679457699-1403319995-15752893778627448631697681750379809567"
    1⤵
      PID:1624
    • C:\Windows\SysWOW64\icacls.exe
      icacls . /grant Everyone:F /T /C /Q
      1⤵
      • Modifies file permissions
      PID:240
    • C:\Windows\system32\conhost.exe
      \??\C:\Windows\system32\conhost.exe "-8449848701674497554-269395519-758020550159963813271793361-327609566-847366106"
      1⤵
        PID:740
      • C:\Users\Admin\AppData\Local\Temp\taskdl.exe
        taskdl.exe
        1⤵
        • Executes dropped EXE
        PID:2012
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c 134121572449235.bat
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1948
      • C:\Windows\system32\conhost.exe
        \??\C:\Windows\system32\conhost.exe "-1917366722062954269687602685-177847297394799745561010335311191821001252967392"
        1⤵
          PID:780
        • C:\Windows\SysWOW64\cscript.exe
          cscript.exe //nologo m.vbs
          1⤵
          • Loads dropped DLL
          PID:792
        • C:\Users\Admin\AppData\Local\Temp\@[email protected]
          @[email protected] co
          1⤵
          • Loads dropped DLL
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          • Suspicious use of SetWindowsHookEx
          PID:1992
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c start /b @[email protected] vs
          1⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1264
        • C:\Windows\system32\conhost.exe
          \??\C:\Windows\system32\conhost.exe "-824873404-1445345944-1479974994-98875593-2055894955-1312886737398094850-1347903367"
          1⤵
            PID:1816
          • C:\Users\Admin\AppData\Local\Temp\@[email protected]
            @[email protected] vs
            1⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            • Suspicious use of SetWindowsHookEx
            PID:1856
          • C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
            TaskData\Tor\taskhsvc.exe
            1⤵
            • Suspicious behavior: EnumeratesProcesses
            • Loads dropped DLL
            • Executes dropped EXE
            PID:2040
          • C:\Windows\system32\conhost.exe
            \??\C:\Windows\system32\conhost.exe "-7243436452017189083-164981695614473952821623919055-1692878850-10167724731152447306"
            1⤵
              PID:1184
            • C:\Users\Admin\AppData\Local\Temp\taskdl.exe
              taskdl.exe
              1⤵
              • Executes dropped EXE
              PID:1776
            • C:\Users\Admin\AppData\Local\Temp\taskse.exe
              taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
              1⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1572
            • C:\Users\Admin\AppData\Local\Temp\@[email protected]
              @[email protected]
              1⤵
              • Suspicious behavior: GetForegroundWindowSpam
              • Executes dropped EXE
              • Sets desktop wallpaper using registry
              • Suspicious use of SetWindowsHookEx
              PID:1928
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ftqqepmlkbmm513" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:1816
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:1312
            • C:\Windows\system32\conhost.exe
              \??\C:\Windows\system32\conhost.exe "-977164687-149912063533978120614933617427283850701834945295-2080046974-1719948894"
              1⤵
                PID:1624
              • C:\Windows\system32\conhost.exe
                \??\C:\Windows\system32\conhost.exe "1999903305-1075050239-123496422517271750291523489521-53324319351140889-1373227449"
                1⤵
                  PID:456
                • C:\Windows\SysWOW64\vssadmin.exe
                  vssadmin delete shadows /all /quiet
                  1⤵
                  • Deletes shadow copies
                  • Uses Volume Shadow Copy Service COM API
                  PID:608
                • C:\Windows\SysWOW64\reg.exe
                  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ftqqepmlkbmm513" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
                  1⤵
                  • Adds Run entry to start application
                  • Modifies registry key
                  PID:1108
                • C:\Windows\system32\vssvc.exe
                  C:\Windows\system32\vssvc.exe
                  1⤵
                  • Uses Volume Shadow Copy Service COM API
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1276
                • C:\Windows\SysWOW64\Wbem\WMIC.exe
                  wmic shadowcopy delete
                  1⤵
                  • Deletes shadow copies
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1368
                • C:\Users\Admin\AppData\Local\Temp\taskdl.exe
                  taskdl.exe
                  1⤵
                  • Executes dropped EXE
                  PID:1112
                • C:\Users\Admin\AppData\Local\Temp\taskse.exe
                  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
                  1⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1432
                • C:\Users\Admin\AppData\Local\Temp\taskdl.exe
                  taskdl.exe
                  1⤵
                  • Executes dropped EXE
                  PID:1524
                • C:\Users\Admin\AppData\Local\Temp\taskse.exe
                  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
                  1⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:524
                • C:\Users\Admin\AppData\Local\Temp\taskdl.exe
                  taskdl.exe
                  1⤵
                  • Executes dropped EXE
                  PID:1524
                • C:\Users\Admin\AppData\Local\Temp\taskse.exe
                  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
                  1⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1144

                Network

                MITRE ATT&CK Enterprise v15

                MITRE ATT&CK Additional techniques

                • T1107
                • T1060
                • T1158

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • memory/792-44-0x0000000002880000-0x0000000002884000-memory.dmp

                  Filesize

                  16KB

                  Download

                • memory/1468-2-0x0000000010000000-0x0000000010010000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2040-403-0x0000000003620000-0x0000000003631000-memory.dmp

                  Filesize

                  68KB

                  Download

                • memory/2040-402-0x0000000003210000-0x0000000003221000-memory.dmp

                  Filesize

                  68KB

                  Download

                • memory/2040-237-0x0000000002BB0000-0x0000000002BC1000-memory.dmp

                  Filesize

                  68KB

                  Download

                • memory/2040-236-0x0000000002FC0000-0x0000000002FD1000-memory.dmp

                  Filesize

                  68KB

                  Download

                • memory/2040-404-0x0000000003210000-0x0000000003221000-memory.dmp

                  Filesize

                  68KB

                  Download

                • memory/2040-68-0x0000000002BB0000-0x0000000002BC1000-memory.dmp

                  Filesize

                  68KB

                  Download

                • memory/2040-235-0x0000000002BB0000-0x0000000002BC1000-memory.dmp

                  Filesize

                  68KB

                  Download

                • memory/2040-70-0x0000000002BB0000-0x0000000002BC1000-memory.dmp

                  Filesize

                  68KB

                  Download

                • memory/2040-69-0x0000000002FC0000-0x0000000002FD1000-memory.dmp

                  Filesize

                  68KB

                  Download