Resubmissions
02-12-2019 09:09 | 191202-3peefk1fgj | 10
25-11-2019 09:33 | 191125-mlb76vzzln | 0
13-11-2019 08:52 | 191113-bdf8dc3pq6 | 0
13-11-2019 07:11 | 191113-f1dft78f6s | 0
13-11-2019 07:10 | 191113-591nb65hbx | 0
30-10-2019 14:27 | 191030-9pe7klare6 | 0

Analysis
max time kernel: 148s
max time network: 155s
resource: win10v191014
Task | Sample | Resource | Signatures
task1 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | win7v191014 | 0 signatures
task2 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | win10v191014 | 0 signatures
General
Target: test.zip
Sample: 191113-f1dft78f6s
SHA256: 72b228f51cf5a1b7600f0e0848145e4e54e54838977a5a5b1c85f69b64b92cf5
Score: N/A
Malware Config
Extracted
Path: C:\Users\Admin\AppData\Local\Temp\@[email protected]
Family: wannacry
Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Next, please find an application file named "@[email protected]". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
Wallets
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Signatures

Windows security modification
description | ioc | pid | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0" | 5116 | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1" | 5116 | svchost.exe
Adds Run entry to start application 2 TTPs 1 IoCs
description | ioc | pid | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nmsqcsinudawe237 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\"" | 3400 | reg.exe
Views/modifies file attributes 1 TTPs 1 IoCs
pid | Process
4948 | attrib.exe
Drops Office document
description | ioc | pid | Process
File opened for modification | C:\Users\Admin\Desktop\WritePop.pptx | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Desktop\OpenSplit.xltx | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Desktop\SkipUnlock.xltx | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Desktop\SuspendAssert.xlsm | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\Are.docx | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\Files.docx | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\Opened.docx | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\Recently.docx | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\SubmitDebug.ppt | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\These.docx | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\WriteDismount.xlsx | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\AddDismount.pptm | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\ApproveMeasure.docm | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\CloseLock.potx | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\DisconnectCompare.xltm | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\NewUnprotect.xltm | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\OutConvert.docm | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\ReceiveEnable.pot | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\ExpandPing.doc | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Downloads\SwitchLock.docx | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Downloads\TraceUninstall.xls | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Music\UninstallGet.docx | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\CompleteInvoke.ppsm | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\OpenTest.dotm | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\StopPop.xltm | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Downloads\TraceWatch.xlsb | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Music\RestartPublish.docm | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Drops file in system dir 5 IoCs
description | ioc | pid | Process
File opened for modification | C:\Windows\Debug\ESE.TXT | 2584 | svchost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp | 2584 | svchost.exe
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp | 2584 | svchost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp | 2584 | svchost.exe
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp | 2584 | svchost.exe
Uses Volume Shadow Copy Service COM API 13 IoCs
description | ioc | pid | Process
Key opened | \Registry\Machine\Software\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623} | 2280 | vssadmin.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623} | 2280 | vssadmin.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\TreatAs | 2280 | vssadmin.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\ | 2280 | vssadmin.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\InprocHandler32 | 2280 | vssadmin.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\InprocHandler | 2280 | vssadmin.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623} | 4092 | vssvc.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623} | 4092 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\TreatAs | 4092 | vssvc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\ | 4092 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\InprocServer32 | 4092 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\InprocHandler32 | 4092 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\InprocHandler | 4092 | vssvc.exe
Suspicious use of AdjustPrivilegeToken 26 IoCs
description | pid | Process
Token: SeBackupPrivilege | 4092 | vssvc.exe
Token: SeRestorePrivilege | 4092 | vssvc.exe
Token: SeAuditPrivilege | 4092 | vssvc.exe
Token: SeIncreaseQuotaPrivilege | 2560 | WMIC.exe
Token: SeSecurityPrivilege | 2560 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2560 | WMIC.exe
Token: SeLoadDriverPrivilege | 2560 | WMIC.exe
Token: SeSystemProfilePrivilege | 2560 | WMIC.exe
Token: SeSystemtimePrivilege | 2560 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 2560 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 2560 | WMIC.exe
Token: SeCreatePagefilePrivilege | 2560 | WMIC.exe
Token: SeBackupPrivilege | 2560 | WMIC.exe
Token: SeRestorePrivilege | 2560 | WMIC.exe
Token: SeShutdownPrivilege | 2560 | WMIC.exe
Token: SeDebugPrivilege | 2560 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2560 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 2560 | WMIC.exe
Token: SeUndockPrivilege | 2560 | WMIC.exe
Token: SeManageVolumePrivilege | 2560 | WMIC.exe
Token: 33 | 2560 | WMIC.exe
Token: 34 | 2560 | WMIC.exe
Token: 35 | 2560 | WMIC.exe
Token: 36 | 2560 | WMIC.exe
Token: SeTcbPrivilege | 4224 | taskse.exe
Token: SeTcbPrivilege | 4832 | taskse.exe
Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs
description | ioc | pid | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | 772 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | 772 | svchost.exe
Suspicious use of WriteProcessMemory 23 IoCs
description | pid | Process | procid_target
PID 4864 wrote to memory of 4948 | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 72
PID 4864 wrote to memory of 4956 | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 73
PID 4864 wrote to memory of 372 | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 76
PID 4864 wrote to memory of 1896 | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 77
PID 1896 wrote to memory of 4344 | 1896 | cmd.exe | 79
PID 4864 wrote to memory of 4284 | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 83
PID 3468 wrote to memory of 772 | 3468 | SppExtComObj.exe | 87
PID 4864 wrote to memory of 2556 | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 89
PID 4864 wrote to memory of 4520 | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 91
PID 4864 wrote to memory of 4908 | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 92
PID 4908 wrote to memory of 4980 | 4908 | cmd.exe | 94
PID 4520 wrote to memory of 5056 | 4520 | @[email protected] | 95
PID 4980 wrote to memory of 4176 | 4980 | @[email protected] | 99
PID 4176 wrote to memory of 2280 | 4176 | cmd.exe | 101
PID 4176 wrote to memory of 2560 | 4176 | cmd.exe | 103
PID 4864 wrote to memory of 4224 | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 109
PID 4864 wrote to memory of 3604 | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 110
PID 4864 wrote to memory of 3180 | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 111
PID 4864 wrote to memory of 4320 | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 113
PID 3180 wrote to memory of 3400 | 3180 | cmd.exe | 114
PID 4864 wrote to memory of 4832 | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 115
PID 4864 wrote to memory of 524 | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 116
PID 4864 wrote to memory of 696 | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 117
Modifies file permissions 1 TTPs 1 IoCs
pid | Process
4956 | icacls.exe
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description | ioc | pid | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" | 3604 | @[email protected]
Deletes shadow copies 2 TTPs 2 IoCs
pid | Process
2280 | vssadmin.exe
2560 | WMIC.exe
Modifies registry key 1 TTPs 1 IoCs
pid | Process
3400 | reg.exe
Executes dropped EXE 12 IoCs
pid | Process
372 | taskdl.exe
4284 | taskdl.exe
2556 | taskdl.exe
4520 | @[email protected]
4980 | @[email protected]
5056 | taskhsvc.exe
4224 | taskse.exe
3604 | @[email protected]
4320 | taskdl.exe
4832 | taskse.exe
524 | @[email protected]
696 | taskdl.exe
Wannacry file encrypt 64 IoCs
description | ioc | pid | Process
File renamed | C:\Users\Admin\Desktop\WaitRevoke.txt.WNCRYT => C:\Users\Admin\Desktop\WaitRevoke.txt.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Desktop\WaitRevoke.txt.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Desktop\WritePop.pptx.WNCRYT => C:\Users\Admin\Desktop\WritePop.pptx.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Desktop\WritePop.pptx.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Desktop\CloseAdd.3gp.WNCRYT => C:\Users\Admin\Desktop\CloseAdd.3gp.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Desktop\CloseAdd.3gp.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Desktop\DismountHide.php.WNCRYT => C:\Users\Admin\Desktop\DismountHide.php.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Desktop\DismountHide.php.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Desktop\JoinPush.wmv.WNCRYT => C:\Users\Admin\Desktop\JoinPush.wmv.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Desktop\JoinPush.wmv.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Desktop\OpenSplit.xltx.WNCRYT => C:\Users\Admin\Desktop\OpenSplit.xltx.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Desktop\OpenSplit.xltx.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Desktop\SkipUnlock.xltx.WNCRYT => C:\Users\Admin\Desktop\SkipUnlock.xltx.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Desktop\SkipUnlock.xltx.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Desktop\StartLock.zip.WNCRYT => C:\Users\Admin\Desktop\StartLock.zip.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Desktop\StartLock.zip.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Desktop\StopBlock.bat.WNCRYT => C:\Users\Admin\Desktop\StopBlock.bat.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Desktop\StopBlock.bat.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Desktop\SuspendAssert.xlsm.WNCRYT => C:\Users\Admin\Desktop\SuspendAssert.xlsm.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Desktop\SuspendAssert.xlsm.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\Are.docx.WNCRYT => C:\Users\Admin\Documents\Are.docx.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\Are.docx.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\Files.docx.WNCRYT => C:\Users\Admin\Documents\Files.docx.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\Files.docx.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\MergeStep.vsdx.WNCRYT => C:\Users\Admin\Documents\MergeStep.vsdx.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\MergeStep.vsdx.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\Opened.docx.WNCRYT => C:\Users\Admin\Documents\Opened.docx.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\Opened.docx.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\OptimizeGroup.txt.WNCRYT => C:\Users\Admin\Documents\OptimizeGroup.txt.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\OptimizeGroup.txt.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\Recently.docx.WNCRYT => C:\Users\Admin\Documents\Recently.docx.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\Recently.docx.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\SubmitDebug.ppt.WNCRYT => C:\Users\Admin\Documents\SubmitDebug.ppt.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\SubmitDebug.ppt.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\These.docx.WNCRYT => C:\Users\Admin\Documents\These.docx.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\These.docx.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\UnblockExport.csv.WNCRYT => C:\Users\Admin\Documents\UnblockExport.csv.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\UnblockExport.csv.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\WriteDismount.xlsx.WNCRYT => C:\Users\Admin\Documents\WriteDismount.xlsx.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\WriteDismount.xlsx.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\AddDismount.pptm.WNCRYT => C:\Users\Admin\Documents\AddDismount.pptm.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\AddDismount.pptm.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\ApproveMeasure.docm.WNCRYT => C:\Users\Admin\Documents\ApproveMeasure.docm.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\ApproveMeasure.docm.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\CloseLock.potx.WNCRYT => C:\Users\Admin\Documents\CloseLock.potx.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\CloseLock.potx.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\DisconnectCompare.xltm.WNCRYT => C:\Users\Admin\Documents\DisconnectCompare.xltm.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\DisconnectCompare.xltm.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\DismountUse.odp.WNCRYT => C:\Users\Admin\Documents\DismountUse.odp.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\DismountUse.odp.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\NewUnprotect.xltm.WNCRYT => C:\Users\Admin\Documents\NewUnprotect.xltm.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\NewUnprotect.xltm.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\OutConvert.docm.WNCRYT => C:\Users\Admin\Documents\OutConvert.docm.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\OutConvert.docm.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\ReceiveEnable.pot.WNCRYT => C:\Users\Admin\Documents\ReceiveEnable.pot.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\ReceiveEnable.pot.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\Documents\UnregisterRead.ods.WNCRYT => C:\Users\Admin\Documents\UnregisterRead.ods.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\Documents\UnregisterRead.ods.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3fd336ea-c68e-47df-b2bf-24527681fe24}\0.0.filtertrie.intermediate.txt.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3fd336ea-c68e-47df-b2bf-24527681fe24}\0.0.filtertrie.intermediate.txt.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3fd336ea-c68e-47df-b2bf-24527681fe24}\0.0.filtertrie.intermediate.txt.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed | C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4c7824f5-2f93-430b-a953-417ce8bc1d70}\0.0.filtertrie.intermediate.txt.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4c7824f5-2f93-430b-a953-417ce8bc1d70}\0.0.filtertrie.intermediate.txt.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4c7824f5-2f93-430b-a953-417ce8bc1d70}\0.0.filtertrie.intermediate.txt.WNCRY | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Drops startup file 6 IoCs
description | ioc | pid | Process
File created (read-only) | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD5793.tmp | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD5793.tmp | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File deleted | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD5793.tmp | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File created (read-only) | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD5827.tmp | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD5827.tmp | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File deleted | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD5827.tmp | 4864 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
4520 | @[email protected]
4980 | @[email protected]
3604 | @[email protected]
524 | @[email protected]
Loads dropped DLL 1 IoCs
pid | Process
5056 | taskhsvc.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
5056 | taskhsvc.exe
Processes

C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
- Drops Office document
- Suspicious use of WriteProcessMemory
- Sets desktop wallpaper using registry
- Wannacry file encrypt
- Drops startup file
PID: 4864

C:\Windows\SysWOW64\attrib.exe
Command line: attrib +h .
- Views/modifies file attributes
PID: 4948

C:\Windows\SysWOW64\icacls.exe
Command line: icacls . /grant Everyone:F /T /C /Q
- Modifies file permissions
PID: 4956

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
Command line: taskdl.exe
- Executes dropped EXE
PID: 372

C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c 211721573632688.bat
- Suspicious use of WriteProcessMemory
PID: 1896

C:\Windows\SysWOW64\cscript.exe
Command line: cscript.exe //nologo m.vbs
PID: 4344

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
Command line: taskdl.exe
- Executes dropped EXE
PID: 4284

C:\Windows\system32\SppExtComObj.exe
Command line: C:\Windows\system32\SppExtComObj.exe -Embedding
- Suspicious use of WriteProcessMemory
PID: 3468

C:\Windows\System32\SLUI.exe
Command line: "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
PID: 772

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
Command line: taskdl.exe
- Executes dropped EXE
PID: 2556

C:\Users\Admin\AppData\Local\Temp\@[email protected]
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 4520

C:\Windows\SysWOW64\cmd.exe
PID: 4908

C:\Users\Admin\AppData\Local\Temp\@[email protected]
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 4980

C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
Command line: TaskData\Tor\taskhsvc.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID: 5056

\??\c:\windows\system32\svchost.exe
Command line: c:\windows\system32\svchost.exe -k netsvcs -s BITS
- Drops file in system dir
PID: 2584

\??\c:\windows\system32\svchost.exe
Command line: c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
PID: 3944

C:\Windows\SysWOW64\cmd.exe
Command line: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
- Suspicious use of WriteProcessMemory
PID: 4176

C:\Windows\SysWOW64\vssadmin.exe
Command line: vssadmin delete shadows /all /quiet
- Uses Volume Shadow Copy Service COM API
- Deletes shadow copies
PID: 2280

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Uses Volume Shadow Copy Service COM API
- Suspicious use of AdjustPrivilegeToken
PID: 4092

C:\Windows\SysWOW64\Wbem\WMIC.exe
Command line: wmic shadowcopy delete
- Suspicious use of AdjustPrivilegeToken
- Deletes shadow copies
PID: 2560

\??\c:\windows\system32\svchost.exe
Command line: c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
- Checks system information in the registry (likely anti-VM)
PID: 772

\??\c:\windows\system32\svchost.exe
Command line: c:\windows\system32\svchost.exe -k unistacksvcgroup
PID: 5044

\??\c:\windows\system32\svchost.exe
Command line: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
- Windows security modification
PID: 5116

C:\Users\Admin\AppData\Local\Temp\taskse.exe
Command line: taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID: 4224

C:\Users\Admin\AppData\Local\Temp\@[email protected]
- Sets desktop wallpaper using registry
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 3604

C:\Windows\SysWOW64\cmd.exe
Command line: cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nmsqcsinudawe237" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
- Suspicious use of WriteProcessMemory
PID: 3180

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
Command line: taskdl.exe
- Executes dropped EXE
PID: 4320

C:\Windows\SysWOW64\reg.exe
Command line: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nmsqcsinudawe237" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
- Adds Run entry to start application
- Modifies registry key
PID: 3400

C:\Users\Admin\AppData\Local\Temp\taskse.exe
Command line: taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID: 4832

C:\Users\Admin\AppData\Local\Temp\@[email protected]
PID: 524

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
Command line: taskdl.exe
- Executes dropped EXE
PID: 696
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Additional techniques (legacy technique IDs that v15 has since retired or folded into sub-techniques)
- T1089 Disabling Security Tools (now T1562.001 Impair Defenses: Disable or Modify Tools)
- T1060 Registry Run Keys / Startup Folder (now T1547.001 Boot or Logon Autostart Execution)
- T1158 Hidden Files and Directories (now T1564.001 Hide Artifacts)
- T1107 File Deletion (now T1070.004 Indicator Removal)