wannacry | 72b228f51cf5a1b7600f0e0848145e4e54e54838977a5a5b1c85f69b64b92cf5

Resubmissions

13-11-2019 07:33

191113-s6xvalyd5a 0

12-11-2019 15:34

191112-9te2mt6rbs 0

04-11-2019 16:22

191104-pvpshym7va 0

Analysis

max time kernel
150s
max time network
147s
resource
win7v191014

Sharing

Copy URL

Twitter E-mail

General

Target

test.zip
Sample

191112-9te2mt6rbs
SHA256

72b228f51cf5a1b7600f0e0848145e4e54e54838977a5a5b1c85f69b64b92cf5

Score

N/A

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Drops startup file 6 IoCs

description	ioc	pid	Process
File created (read-only)	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD6D9E.tmp	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD6D9E.tmp	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File deleted	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD6D9E.tmp	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File created (read-only)	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD6E0F.tmp	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD6E0F.tmp	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File deleted	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD6E0F.tmp	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Uses Volume Shadow Copy Service COM API 18 IoCs

ransomware

description	ioc	pid	Process
Key opened	\Registry\Machine\Software\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}	1360	vssadmin.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}	1360	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\TreatAs	1360	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\Progid	1360	vssadmin.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\ProgID	1360	vssadmin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\ProgID\	1360	vssadmin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\	1360	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\InprocHandler32	1360	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\InprocHandler	1360	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}	316	vssvc.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}	316	vssvc.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\TreatAs	316	vssvc.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\Progid	316	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\ProgID\	316	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\	316	vssvc.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\InprocServer32	316	vssvc.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\InprocHandler32	316	vssvc.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\InprocHandler	316	vssvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	pid	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	1952	@[email protected]

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1340	taskhsvc.exe

Deletes shadow copies 2 TTPs 2 IoCs

ransomware

Inhibit System Recovery

T1490

pid	Process
1360	vssadmin.exe
1096	WMIC.exe

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

pid	Process
1100	attrib.exe

Modifies file permissions 1 TTPs 1 IoCs

File and Directory Permissions Modification

T1222

pid	Process
744	icacls.exe

Loads dropped DLL 5 IoCs

pid	Process
1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
384	cscript.exe
1952	cmd.exe
1964	@[email protected]
1340	taskhsvc.exe

Drops Office document 26 IoCs

dropper exploiter maldoc

description	ioc	pid	Process
File opened for modification	C:\Users\Admin\Desktop\DisableReceive.ppt	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\StopUnregister.docx	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\Are.docx	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\ConvertSubmit.xls	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\Files.docx	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\LimitRead.ppt	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\Opened.docx	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\Recently.docx	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\SplitAssert.xls	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\These.docx	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\UnblockUnprotect.xlsx	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\ExportPush.dotx	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\PopRevoke.potx	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\UninstallClear.ppsm	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\WaitSelect.dotm	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\ImportOut.ppt	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\SubmitConvertTo.ppsm	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\SuspendEdit.xlt	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\UnlockConvertTo.potm	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\Built-In Building Blocks.dotx	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Music\ApproveTest.xlt	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Music\LimitGet.xlt	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Music\MeasureSearch.xltm	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Music\RemoveOut.pot	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Music\RestoreConvertTo.xltm	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1292	@[email protected]
1964	@[email protected]
1952	@[email protected]
1996	@[email protected]
860	@[email protected]
1224	@[email protected]

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeBackupPrivilege	316	vssvc.exe
Token: SeRestorePrivilege	316	vssvc.exe
Token: SeAuditPrivilege	316	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1096	WMIC.exe
Token: SeSecurityPrivilege	1096	WMIC.exe
Token: SeTakeOwnershipPrivilege	1096	WMIC.exe
Token: SeLoadDriverPrivilege	1096	WMIC.exe
Token: SeSystemProfilePrivilege	1096	WMIC.exe
Token: SeSystemtimePrivilege	1096	WMIC.exe
Token: SeProfSingleProcessPrivilege	1096	WMIC.exe
Token: SeIncBasePriorityPrivilege	1096	WMIC.exe
Token: SeCreatePagefilePrivilege	1096	WMIC.exe
Token: SeBackupPrivilege	1096	WMIC.exe
Token: SeRestorePrivilege	1096	WMIC.exe
Token: SeShutdownPrivilege	1096	WMIC.exe
Token: SeDebugPrivilege	1096	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1096	WMIC.exe
Token: SeRemoteShutdownPrivilege	1096	WMIC.exe
Token: SeUndockPrivilege	1096	WMIC.exe
Token: SeManageVolumePrivilege	1096	WMIC.exe
Token: 33	1096	WMIC.exe
Token: 34	1096	WMIC.exe
Token: 35	1096	WMIC.exe
Token: SeTcbPrivilege	1968	taskse.exe
Token: SeTcbPrivilege	1072	taskse.exe
Token: SeTcbPrivilege	764	taskse.exe
Token: SeTcbPrivilege	1948	taskse.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1320	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1952	@[email protected]

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 1100	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	27
PID 1124 wrote to memory of 744	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	29
PID 1124 wrote to memory of 1952	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	31
PID 1124 wrote to memory of 1948	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	32
PID 1948 wrote to memory of 384	1948	cmd.exe	34
PID 1124 wrote to memory of 1964	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	36
PID 1124 wrote to memory of 1952	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	37
PID 1952 wrote to memory of 1292	1952	cmd.exe	39
PID 1964 wrote to memory of 1340	1964	@[email protected]	41
PID 1292 wrote to memory of 788	1292	@[email protected]	43
PID 788 wrote to memory of 1360	788	cmd.exe	45
PID 788 wrote to memory of 1096	788	cmd.exe	47
PID 1124 wrote to memory of 744	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	48
PID 1124 wrote to memory of 1968	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	49
PID 1124 wrote to memory of 1952	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	50
PID 1124 wrote to memory of 1464	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	51
PID 1464 wrote to memory of 1320	1464	cmd.exe	53
PID 1124 wrote to memory of 1320	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	55
PID 1124 wrote to memory of 1072	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	56
PID 1124 wrote to memory of 1996	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	57
PID 1124 wrote to memory of 1584	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	59
PID 1124 wrote to memory of 764	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	60
PID 1124 wrote to memory of 860	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	61
PID 1124 wrote to memory of 1076	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	64
PID 1124 wrote to memory of 1948	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	65
PID 1124 wrote to memory of 1224	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	66

Executes dropped EXE 16 IoCs

pid	Process
1952	taskdl.exe
1964	@[email protected]
1292	@[email protected]
1340	taskhsvc.exe
744	taskdl.exe
1968	taskse.exe
1952	@[email protected]
1320	taskdl.exe
1072	taskse.exe
1996	@[email protected]
1584	taskdl.exe
860	@[email protected]
764	taskse.exe
1076	taskdl.exe
1948	taskse.exe
1224	@[email protected]

Wannacry file encrypt 64 IoCs

description	ioc	pid	Process
File renamed	C:\Users\Admin\Desktop\DisableReceive.ppt.WNCRYT => C:\Users\Admin\Desktop\DisableReceive.ppt.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\DisableReceive.ppt.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\StopUnregister.docx.WNCRYT => C:\Users\Admin\Desktop\StopUnregister.docx.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\StopUnregister.docx.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\CompareRedo.js.WNCRYT => C:\Users\Admin\Desktop\CompareRedo.js.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\CompareRedo.js.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\ConvertToHide.cmd.WNCRYT => C:\Users\Admin\Desktop\ConvertToHide.cmd.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\ConvertToHide.cmd.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\GroupSkip.m3u.WNCRYT => C:\Users\Admin\Desktop\GroupSkip.m3u.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\GroupSkip.m3u.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\GroupWait.wma.WNCRYT => C:\Users\Admin\Desktop\GroupWait.wma.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\GroupWait.wma.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\OutDismount.bmp.WNCRYT => C:\Users\Admin\Desktop\OutDismount.bmp.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\OutDismount.bmp.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\PopCompress.bmp.WNCRYT => C:\Users\Admin\Desktop\PopCompress.bmp.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\PopCompress.bmp.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\ResetDebug.gif.WNCRYT => C:\Users\Admin\Desktop\ResetDebug.gif.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\ResetDebug.gif.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\UndoShow.wma.WNCRYT => C:\Users\Admin\Desktop\UndoShow.wma.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\UndoShow.wma.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\UnprotectPop.mov.WNCRYT => C:\Users\Admin\Desktop\UnprotectPop.mov.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\UnprotectPop.mov.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\Are.docx.WNCRYT => C:\Users\Admin\Documents\Are.docx.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\Are.docx.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\ConvertSubmit.xls.WNCRYT => C:\Users\Admin\Documents\ConvertSubmit.xls.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\ConvertSubmit.xls.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\DenyExpand.pdf.WNCRYT => C:\Users\Admin\Documents\DenyExpand.pdf.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\DenyExpand.pdf.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\Files.docx.WNCRYT => C:\Users\Admin\Documents\Files.docx.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\Files.docx.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\LimitRead.ppt.WNCRYT => C:\Users\Admin\Documents\LimitRead.ppt.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\LimitRead.ppt.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\Opened.docx.WNCRYT => C:\Users\Admin\Documents\Opened.docx.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\Opened.docx.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\ReadDeny.csv.WNCRYT => C:\Users\Admin\Documents\ReadDeny.csv.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\ReadDeny.csv.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\Recently.docx.WNCRYT => C:\Users\Admin\Documents\Recently.docx.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\Recently.docx.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\SplitAssert.xls.WNCRYT => C:\Users\Admin\Documents\SplitAssert.xls.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\SplitAssert.xls.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\These.docx.WNCRYT => C:\Users\Admin\Documents\These.docx.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\These.docx.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\UnblockUnprotect.xlsx.WNCRYT => C:\Users\Admin\Documents\UnblockUnprotect.xlsx.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\UnblockUnprotect.xlsx.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\ExitCompress.ods.WNCRYT => C:\Users\Admin\Documents\ExitCompress.ods.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\ExitCompress.ods.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\ExportPush.dotx.WNCRYT => C:\Users\Admin\Documents\ExportPush.dotx.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\ExportPush.dotx.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\PopRevoke.potx.WNCRYT => C:\Users\Admin\Documents\PopRevoke.potx.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\PopRevoke.potx.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\SaveSubmit.odp.WNCRYT => C:\Users\Admin\Documents\SaveSubmit.odp.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\SaveSubmit.odp.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\SearchSet.odp.WNCRYT => C:\Users\Admin\Documents\SearchSet.odp.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\SearchSet.odp.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\UninstallClear.ppsm.WNCRYT => C:\Users\Admin\Documents\UninstallClear.ppsm.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\UninstallClear.ppsm.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\WaitSelect.dotm.WNCRYT => C:\Users\Admin\Documents\WaitSelect.dotm.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\WaitSelect.dotm.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg.WNCRY	1124	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

description	ioc	pid	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ftqqepmlkbmm513 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""	1320	reg.exe

wannacry family
family wannacry

C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- Loads dropped DLL
- Drops Office document
- Suspicious use of WriteProcessMemory
- Wannacry file encrypt
PID:1124

C:\Windows\SysWOW64\attrib.exe
attrib +h .
1⤵
- Views/modifies file attributes
PID:1100

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3583843111383512432-1113263077-175300447714921053544202082261384648662-1637525138"
1⤵
PID:1108

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
1⤵
- Modifies file permissions
PID:744

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1268569582-438529855764192498810975404-1701693950-531254547845399434-809310116"
1⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
1⤵
- Executes dropped EXE
PID:1952

C:\Windows\SysWOW64\cmd.exe
cmd /c 109171573632596.bat
1⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "293857350-848254944-176060559716929450341159362763-1540286552-733150084-1243288814"
1⤵
PID:1112

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
1⤵
- Loads dropped DLL
PID:384

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected] co
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1964

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3619499911886068175-132636488832469269407834187708434868-1560730387-924184480"
1⤵
PID:788

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected] vs
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1292

C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
- Loads dropped DLL
- Executes dropped EXE
PID:1340

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17760724547140308897115922081824264928189017438-1354100418-1003799886-484436850"
1⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
1⤵
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "115850573338316677620204110381749596226-131461653626547265519628818411086932748"
1⤵
PID:1504

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
1⤵
- Uses Volume Shadow Copy Service COM API
- Deletes shadow copies
PID:1360

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Uses Volume Shadow Copy Service COM API
- Suspicious use of AdjustPrivilegeToken
PID:316

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
1⤵
- Deletes shadow copies
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
1⤵
- Executes dropped EXE
PID:744

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
1⤵
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:1968

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: GetForegroundWindowSpam
- Executes dropped EXE
PID:1952

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ftqqepmlkbmm513" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
1⤵
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "508741315229005796-6571425892037978565-1031645600-1169956058-316717434710672452"
1⤵
PID:1128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ftqqepmlkbmm513" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
1⤵
- Modifies registry key
- Adds Run entry to start application
PID:1320

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
1⤵
- Executes dropped EXE
PID:1320

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
1⤵
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:1072

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
1⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
PID:1996

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
1⤵
- Executes dropped EXE
PID:1584

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
1⤵
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:764

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
1⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
PID:860

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
1⤵
- Executes dropped EXE
PID:1076

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
1⤵
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:1948

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
1⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

MITRE ATT&CK Additional techniques

T1107
T1158
T1060

Replay Monitor

Loading Replay Monitor...

Downloads

memory/384-44-0x0000000002830000-0x0000000002834000-memory.dmp

Filesize
16KB

Download
memory/1124-2-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1340-237-0x0000000002BB0000-0x0000000002BC1000-memory.dmp

Filesize
68KB

Download
memory/1340-69-0x0000000002FC0000-0x0000000002FD1000-memory.dmp

Filesize
68KB

Download
memory/1340-236-0x0000000002FC0000-0x0000000002FD1000-memory.dmp

Filesize
68KB

Download
memory/1340-402-0x0000000003410000-0x0000000003421000-memory.dmp

Filesize
68KB

Download
memory/1340-235-0x0000000002BB0000-0x0000000002BC1000-memory.dmp

Filesize
68KB

Download
memory/1340-403-0x0000000003820000-0x0000000003831000-memory.dmp

Filesize
68KB

Download
memory/1340-70-0x0000000002BB0000-0x0000000002BC1000-memory.dmp

Filesize
68KB

Download
memory/1340-68-0x0000000002BB0000-0x0000000002BC1000-memory.dmp

Filesize
68KB

Download
memory/1340-404-0x0000000003410000-0x0000000003421000-memory.dmp

Filesize
68KB

Download