Resubmissions
02-12-2019 09:09 | 191202-3peefk1fgj | 10
25-11-2019 09:33 | 191125-mlb76vzzln | 0
13-11-2019 08:52 | 191113-bdf8dc3pq6 | 0
13-11-2019 07:11 | 191113-f1dft78f6s | 0
13-11-2019 07:10 | 191113-591nb65hbx | 0
30-10-2019 14:27 | 191030-9pe7klare6 | 0
Analysis
max time kernel: 147s
max time network: 145s
resource: win7v191014
Task: task1
Sample: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Resource: win7v191014
0 signatures
Task: task2
Sample: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Resource: win10v191014
0 signatures
General
Target: test.zip
Sample: 191113-591nb65hbx
SHA256: 72b228f51cf5a1b7600f0e0848145e4e54e54838977a5a5b1c85f69b64b92cf5
Score: N/A
Malware Config
Extracted
Path: C:\Users\Admin\AppData\Local\Temp\@[email protected]
Family: wannacry
Ransom Note:
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Next, please find an application file named "@[email protected]". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
Wallets
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Signatures
Suspicious use of AdjustPrivilegeToken 27 IoCs
description | pid | Process
Token: SeTcbPrivilege | 1120 | taskse.exe
Token: SeBackupPrivilege | 1452 | vssvc.exe
Token: SeRestorePrivilege | 1452 | vssvc.exe
Token: SeAuditPrivilege | 1452 | vssvc.exe
Token: SeIncreaseQuotaPrivilege | 1584 | WMIC.exe
Token: SeSecurityPrivilege | 1584 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1584 | WMIC.exe
Token: SeLoadDriverPrivilege | 1584 | WMIC.exe
Token: SeSystemProfilePrivilege | 1584 | WMIC.exe
Token: SeSystemtimePrivilege | 1584 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1584 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1584 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1584 | WMIC.exe
Token: SeBackupPrivilege | 1584 | WMIC.exe
Token: SeRestorePrivilege | 1584 | WMIC.exe
Token: SeShutdownPrivilege | 1584 | WMIC.exe
Token: SeDebugPrivilege | 1584 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1584 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1584 | WMIC.exe
Token: SeUndockPrivilege | 1584 | WMIC.exe
Token: SeManageVolumePrivilege | 1584 | WMIC.exe
Token: 33 | 1584 | WMIC.exe
Token: 34 | 1584 | WMIC.exe
Token: 35 | 1584 | WMIC.exe
Token: SeTcbPrivilege | 2020 | taskse.exe
Token: SeTcbPrivilege | 556 | taskse.exe
Token: SeTcbPrivilege | 2032 | taskse.exe
Deletes shadow copies 2 TTPs 2 IoCs
pid | Process
1520 | vssadmin.exe
1584 | WMIC.exe
Loads dropped DLL 5 IoCs
pid | Process
1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1112 | cscript.exe
1092 | cmd.exe
1860 | @[email protected]
1984 | taskhsvc.exe
Wannacry file encrypt 64 IoCs
description | ioc | pid | Process
File renamed | C:\Users\Admin\Desktop\DisableReceive.ppt.WNCRYT => C:\Users\Admin\Desktop\DisableReceive.ppt.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Desktop\DisableReceive.ppt.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Desktop\StopUnregister.docx.WNCRYT => C:\Users\Admin\Desktop\StopUnregister.docx.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Desktop\StopUnregister.docx.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Desktop\CompareRedo.js.WNCRYT => C:\Users\Admin\Desktop\CompareRedo.js.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Desktop\CompareRedo.js.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Desktop\ConvertToHide.cmd.WNCRYT => C:\Users\Admin\Desktop\ConvertToHide.cmd.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Desktop\ConvertToHide.cmd.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Desktop\GroupSkip.m3u.WNCRYT => C:\Users\Admin\Desktop\GroupSkip.m3u.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Desktop\GroupSkip.m3u.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Desktop\GroupWait.wma.WNCRYT => C:\Users\Admin\Desktop\GroupWait.wma.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Desktop\GroupWait.wma.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Desktop\OutDismount.bmp.WNCRYT => C:\Users\Admin\Desktop\OutDismount.bmp.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Desktop\OutDismount.bmp.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Desktop\PopCompress.bmp.WNCRYT => C:\Users\Admin\Desktop\PopCompress.bmp.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Desktop\PopCompress.bmp.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Desktop\ResetDebug.gif.WNCRYT => C:\Users\Admin\Desktop\ResetDebug.gif.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Desktop\ResetDebug.gif.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Desktop\UndoShow.wma.WNCRYT => C:\Users\Admin\Desktop\UndoShow.wma.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Desktop\UndoShow.wma.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Desktop\UnprotectPop.mov.WNCRYT => C:\Users\Admin\Desktop\UnprotectPop.mov.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Desktop\UnprotectPop.mov.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\Are.docx.WNCRYT => C:\Users\Admin\Documents\Are.docx.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\Are.docx.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\ConvertSubmit.xls.WNCRYT => C:\Users\Admin\Documents\ConvertSubmit.xls.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\ConvertSubmit.xls.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\DenyExpand.pdf.WNCRYT => C:\Users\Admin\Documents\DenyExpand.pdf.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\DenyExpand.pdf.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\Files.docx.WNCRYT => C:\Users\Admin\Documents\Files.docx.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\Files.docx.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\LimitRead.ppt.WNCRYT => C:\Users\Admin\Documents\LimitRead.ppt.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\LimitRead.ppt.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\Opened.docx.WNCRYT => C:\Users\Admin\Documents\Opened.docx.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\Opened.docx.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\ReadDeny.csv.WNCRYT => C:\Users\Admin\Documents\ReadDeny.csv.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\ReadDeny.csv.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\Recently.docx.WNCRYT => C:\Users\Admin\Documents\Recently.docx.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\Recently.docx.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\SplitAssert.xls.WNCRYT => C:\Users\Admin\Documents\SplitAssert.xls.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\SplitAssert.xls.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\These.docx.WNCRYT => C:\Users\Admin\Documents\These.docx.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\These.docx.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\UnblockUnprotect.xlsx.WNCRYT => C:\Users\Admin\Documents\UnblockUnprotect.xlsx.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\UnblockUnprotect.xlsx.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\ExitCompress.ods.WNCRYT => C:\Users\Admin\Documents\ExitCompress.ods.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\ExitCompress.ods.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\ExportPush.dotx.WNCRYT => C:\Users\Admin\Documents\ExportPush.dotx.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\ExportPush.dotx.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\PopRevoke.potx.WNCRYT => C:\Users\Admin\Documents\PopRevoke.potx.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\PopRevoke.potx.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\SaveSubmit.odp.WNCRYT => C:\Users\Admin\Documents\SaveSubmit.odp.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\SaveSubmit.odp.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\SearchSet.odp.WNCRYT => C:\Users\Admin\Documents\SearchSet.odp.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\SearchSet.odp.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\UninstallClear.ppsm.WNCRYT => C:\Users\Admin\Documents\UninstallClear.ppsm.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\UninstallClear.ppsm.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\WaitSelect.dotm.WNCRYT => C:\Users\Admin\Documents\WaitSelect.dotm.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\WaitSelect.dotm.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg.WNCRY | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description | ioc | pid | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" | 880 | @[email protected]
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
1984 | taskhsvc.exe
Uses Volume Shadow Copy Service COM API 18 IoCs
description | ioc | pid | Process
Key opened | \Registry\Machine\Software\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623} | 1520 | vssadmin.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623} | 1520 | vssadmin.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\TreatAs | 1520 | vssadmin.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\Progid | 1520 | vssadmin.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\ProgID | 1520 | vssadmin.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\ProgID\ | 1520 | vssadmin.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\ | 1520 | vssadmin.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\InprocHandler32 | 1520 | vssadmin.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\InprocHandler | 1520 | vssadmin.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623} | 1452 | vssvc.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623} | 1452 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\TreatAs | 1452 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\Progid | 1452 | vssvc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\ProgID\ | 1452 | vssvc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\ | 1452 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\InprocServer32 | 1452 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\InprocHandler32 | 1452 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\InprocHandler | 1452 | vssvc.exe
Modifies file permissions 1 TTPs 1 IoCs
pid | Process
1092 | icacls.exe
Executes dropped EXE 16 IoCs
pid | Process
1784 | taskdl.exe
1860 | @[email protected]
1448 | @[email protected]
1984 | taskhsvc.exe
1120 | taskse.exe
880 | @[email protected]
832 | taskdl.exe
2024 | taskdl.exe
2020 | taskse.exe
1096 | @[email protected]
796 | taskdl.exe
1064 | @[email protected]
556 | taskse.exe
2004 | taskdl.exe
2032 | taskse.exe
1596 | @[email protected]
Drops Office document
description | ioc | pid | Process
File opened for modification | C:\Users\Admin\Desktop\DisableReceive.ppt | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Desktop\StopUnregister.docx | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\Are.docx | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\ConvertSubmit.xls | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\Files.docx | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\LimitRead.ppt | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\Opened.docx | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\Recently.docx | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\SplitAssert.xls | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\These.docx | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\UnblockUnprotect.xlsx | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\ExportPush.dotx | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\PopRevoke.potx | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\UninstallClear.ppsm | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\WaitSelect.dotm | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\ImportOut.ppt | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\SubmitConvertTo.ppsm | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\SuspendEdit.xlt | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\UnlockConvertTo.potm | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\Built-In Building Blocks.dotx | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Music\ApproveTest.xlt | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Music\LimitGet.xlt | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Music\MeasureSearch.xltm | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Music\RemoveOut.pot | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Music\RestoreConvertTo.xltm | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Adds Run entry to start application 2 TTPs 1 IoCs
description | ioc | pid | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ftqqepmlkbmm513 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\"" | 1092 | reg.exe
Suspicious use of WriteProcessMemory 26 IoCs
description | pid | Process | procid_target
PID 1304 wrote to memory of 1120 | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 27
PID 1304 wrote to memory of 1092 | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 29
PID 1304 wrote to memory of 1784 | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 31
PID 1304 wrote to memory of 1780 | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 32
PID 1780 wrote to memory of 1112 | 1780 | cmd.exe | 34
PID 1304 wrote to memory of 1860 | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 36
PID 1304 wrote to memory of 1092 | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 37
PID 1092 wrote to memory of 1448 | 1092 | cmd.exe | 39
PID 1860 wrote to memory of 1984 | 1860 | @[email protected] | 41
PID 1304 wrote to memory of 1120 | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 43
PID 1304 wrote to memory of 880 | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 44
PID 1304 wrote to memory of 832 | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 45
PID 1304 wrote to memory of 1016 | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 46
PID 1016 wrote to memory of 1092 | 1016 | cmd.exe | 48
PID 1448 wrote to memory of 2028 | 1448 | @[email protected] | 49
PID 2028 wrote to memory of 1520 | 2028 | cmd.exe | 51
PID 2028 wrote to memory of 1584 | 2028 | cmd.exe | 53
PID 1304 wrote to memory of 2024 | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 55
PID 1304 wrote to memory of 2020 | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 56
PID 1304 wrote to memory of 1096 | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 57
PID 1304 wrote to memory of 796 | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 59
PID 1304 wrote to memory of 556 | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 60
PID 1304 wrote to memory of 1064 | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 61
PID 1304 wrote to memory of 2004 | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 64
PID 1304 wrote to memory of 2032 | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 65
PID 1304 wrote to memory of 1596 | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 66
Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
1448 | @[email protected]
1860 | @[email protected]
880 | @[email protected]
1096 | @[email protected]
1064 | @[email protected]
1596 | @[email protected]
Modifies registry key 1 TTPs 1 IoCs
pid | Process
1092 | reg.exe
Views/modifies file attributes 1 TTPs 1 IoCs
pid | Process
1120 | attrib.exe
Drops startup file 6 IoCs
description | ioc | pid | Process
File created (read-only) | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD8063.tmp | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD8063.tmp | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File deleted | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD8063.tmp | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File created (read-only) | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD80A5.tmp | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD80A5.tmp | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File deleted | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD80A5.tmp | 1304 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
880 | @[email protected]
Processes
Image: C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
- Loads dropped DLL
- Wannacry file encrypt
- Sets desktop wallpaper using registry
- Drops Office document
- Suspicious use of WriteProcessMemory
- Drops startup file
PID: 1304

Image: C:\Windows\SysWOW64\attrib.exe
Command line: attrib +h .
- Views/modifies file attributes
PID: 1120

Image: C:\Windows\system32\conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe "-115038910015188956801145298583-1479397551652332624-1907009593-191511810289101129"
PID: 1112

Image: C:\Windows\SysWOW64\icacls.exe
Command line: icacls . /grant Everyone:F /T /C /Q
- Modifies file permissions
PID: 1092

Image: C:\Windows\system32\conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe "-1503606354-1328961248-1799969095-1440278469335985464225133632-968814611-494505845"
PID: 1236

Image: C:\Users\Admin\AppData\Local\Temp\taskdl.exe
Command line: taskdl.exe
- Executes dropped EXE
PID: 1784

Image: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c 182511573632655.bat
- Suspicious use of WriteProcessMemory
PID: 1780

Image: C:\Windows\system32\conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe "-1460936501-1624471481-18514003891831949252-88739017-1042894813-1805403345973570257"
PID: 2004

Image: C:\Windows\SysWOW64\cscript.exe
Command line: cscript.exe //nologo m.vbs
- Loads dropped DLL
PID: 1112

Image: C:\Users\Admin\AppData\Local\Temp\@[email protected]
- Loads dropped DLL
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
PID: 1860

Image: C:\Windows\SysWOW64\cmd.exe
Command line: cmd.exe /c start /b @[email protected] vs
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1092

Image: C:\Windows\system32\conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe "145057907017855359601991710479519299250-701119678-375623424-1011126018-271459683"
PID: 1452

Image: C:\Users\Admin\AppData\Local\Temp\@[email protected]
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
PID: 1448

Image: C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
Command line: TaskData\Tor\taskhsvc.exe
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID: 1984

Image: C:\Windows\system32\conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe "-198005571219478652-14241811188247391-965170452-2060096372-991020182-1828240507"
PID: 1116

Image: C:\Users\Admin\AppData\Local\Temp\taskse.exe
Command line: taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID: 1120

Image: C:\Users\Admin\AppData\Local\Temp\@[email protected]
- Sets desktop wallpaper using registry
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: GetForegroundWindowSpam
PID: 880

Image: C:\Users\Admin\AppData\Local\Temp\taskdl.exe
Command line: taskdl.exe
- Executes dropped EXE
PID: 832

Image: C:\Windows\SysWOW64\cmd.exe
Command line: cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ftqqepmlkbmm513" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
- Suspicious use of WriteProcessMemory
PID: 1016

Image: C:\Windows\system32\conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe "2073671560-5282589371172192220-33082403-1097180908123252613-383683611-725571740"
PID: 1180

Image: C:\Windows\SysWOW64\reg.exe
Command line: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ftqqepmlkbmm513" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
- Adds Run entry to start application
- Modifies registry key
PID: 1092

Image: C:\Windows\SysWOW64\cmd.exe
Command line: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
- Suspicious use of WriteProcessMemory
PID: 2028

Image: C:\Windows\system32\conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe "102711263126397308791628991118843825-1897584038213223323-283780711009128675"
PID: 1040

Image: C:\Windows\SysWOW64\vssadmin.exe
Command line: vssadmin delete shadows /all /quiet
- Deletes shadow copies
- Uses Volume Shadow Copy Service COM API
PID: 1520

Image: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
- Uses Volume Shadow Copy Service COM API
PID: 1452

Image: C:\Windows\SysWOW64\Wbem\WMIC.exe
Command line: wmic shadowcopy delete
- Suspicious use of AdjustPrivilegeToken
- Deletes shadow copies
PID: 1584

Image: C:\Users\Admin\AppData\Local\Temp\taskdl.exe
Command line: taskdl.exe
- Executes dropped EXE
PID: 2024

Image: C:\Users\Admin\AppData\Local\Temp\taskse.exe
Command line: taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID: 2020

Image: C:\Users\Admin\AppData\Local\Temp\@[email protected]
PID: 1096

Image: C:\Users\Admin\AppData\Local\Temp\taskdl.exe
Command line: taskdl.exe
- Executes dropped EXE
PID: 796

Image: C:\Users\Admin\AppData\Local\Temp\taskse.exe
Command line: taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID: 556

Image: C:\Users\Admin\AppData\Local\Temp\@[email protected]
PID: 1064

Image: C:\Users\Admin\AppData\Local\Temp\taskdl.exe
Command line: taskdl.exe
- Executes dropped EXE
PID: 2004

Image: C:\Users\Admin\AppData\Local\Temp\taskse.exe
Command line: taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID: 2032

Image: C:\Users\Admin\AppData\Local\Temp\@[email protected]
PID: 1596
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Additional techniques
- T1107
- T1060
- T1158