Resubmissions
Date | Analysis ID | Score
02-12-2019 09:09 | 191202-3peefk1fgj | 10
25-11-2019 09:33 | 191125-mlb76vzzln | 0
13-11-2019 08:52 | 191113-bdf8dc3pq6 | 0
13-11-2019 07:11 | 191113-f1dft78f6s | 0
13-11-2019 07:10 | 191113-591nb65hbx | 0
30-10-2019 14:27 | 191030-9pe7klare6 | 0
Analysis
max time kernel: 142s
max time network: 150s
resource: win10v191014
Task: task1
Sample: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Resource: win7v191014
0 signatures

Task: task2
Sample: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Resource: win10v191014
0 signatures
General
Target: test.zip
Sample: 191125-mlb76vzzln
SHA256: 72b228f51cf5a1b7600f0e0848145e4e54e54838977a5a5b1c85f69b64b92cf5
Score: N/A
Malware Config
Extracted
Path: C:\Users\Admin\AppData\Local\Temp\@[email protected]
Family: wannacry
Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Next, please find an application file named "@[email protected]". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
Wallets
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Signatures
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
1008 | taskhsvc.exe
Uses Volume Shadow Copy Service COM API 13 IoCs
description | ioc | pid | Process
Key opened | \Registry\Machine\Software\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623} | 3888 | vssadmin.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623} | 3888 | vssadmin.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\TreatAs | 3888 | vssadmin.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\ | 3888 | vssadmin.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\InprocHandler32 | 3888 | vssadmin.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\InprocHandler | 3888 | vssadmin.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623} | 1864 | vssvc.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623} | 1864 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\TreatAs | 1864 | vssvc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\ | 1864 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\InprocServer32 | 1864 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\InprocHandler32 | 1864 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\InprocHandler | 1864 | vssvc.exe
Views/modifies file attributes 1 TTPs 1 IoCs
pid | Process
4924 | attrib.exe
Suspicious use of WriteProcessMemory 25 IoCs
description | pid | Process | procid_target
PID 4896 wrote to memory of 4924 | 4896 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 72
PID 4896 wrote to memory of 4932 | 4896 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 73
PID 4896 wrote to memory of 1012 | 4896 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 77
PID 4896 wrote to memory of 1908 | 4896 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 78
PID 1908 wrote to memory of 3844 | 1908 | cmd.exe | 80
PID 4896 wrote to memory of 4500 | 4896 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 88
PID 4980 wrote to memory of 5116 | 4980 | SppExtComObj.exe | 90
PID 4896 wrote to memory of 5048 | 4896 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 91
PID 4896 wrote to memory of 5056 | 4896 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 92
PID 5056 wrote to memory of 5088 | 5056 | cmd.exe | 94
PID 5048 wrote to memory of 1008 | 5048 | @[email protected] | 96
PID 5088 wrote to memory of 4268 | 5088 | @[email protected] | 99
PID 4268 wrote to memory of 3888 | 4268 | cmd.exe | 101
PID 4268 wrote to memory of 4204 | 4268 | cmd.exe | 103
PID 4896 wrote to memory of 512 | 4896 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 105
PID 4896 wrote to memory of 520 | 4896 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 106
PID 4896 wrote to memory of 568 | 4896 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 107
PID 568 wrote to memory of 1904 | 568 | cmd.exe | 109
PID 4896 wrote to memory of 4936 | 4896 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 110
PID 4896 wrote to memory of 2464 | 4896 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 114
PID 4896 wrote to memory of 2496 | 4896 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 115
PID 4896 wrote to memory of 4500 | 4896 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 116
PID 4896 wrote to memory of 4016 | 4896 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 122
PID 4896 wrote to memory of 4704 | 4896 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 123
PID 4896 wrote to memory of 4628 | 4896 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | 124
Modifies file permissions 1 TTPs 1 IoCs
pid | Process
4932 | icacls.exe
Executes dropped EXE 14 IoCs
pid | Process
1012 | taskdl.exe
4500 | taskdl.exe
5048 | @[email protected]
5088 | @[email protected]
1008 | taskhsvc.exe
512 | taskse.exe
520 | @[email protected]
4936 | taskdl.exe
2464 | taskse.exe
2496 | @[email protected]
4500 | taskdl.exe
4016 | taskse.exe
4704 | @[email protected]
4628 | taskdl.exe
Wannacry file encrypt 64 IoCs
description | ioc (pid 4896, Process ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, for every row)
File renamed | C:\Users\Admin\Desktop\WaitRevoke.txt.WNCRYT => C:\Users\Admin\Desktop\WaitRevoke.txt.WNCRY
File opened for modification | C:\Users\Admin\Desktop\WaitRevoke.txt.WNCRY
File renamed | C:\Users\Admin\Desktop\WritePop.pptx.WNCRYT => C:\Users\Admin\Desktop\WritePop.pptx.WNCRY
File opened for modification | C:\Users\Admin\Desktop\WritePop.pptx.WNCRY
File renamed | C:\Users\Admin\Desktop\CloseAdd.3gp.WNCRYT => C:\Users\Admin\Desktop\CloseAdd.3gp.WNCRY
File opened for modification | C:\Users\Admin\Desktop\CloseAdd.3gp.WNCRY
File renamed | C:\Users\Admin\Desktop\DismountHide.php.WNCRYT => C:\Users\Admin\Desktop\DismountHide.php.WNCRY
File opened for modification | C:\Users\Admin\Desktop\DismountHide.php.WNCRY
File renamed | C:\Users\Admin\Desktop\JoinPush.wmv.WNCRYT => C:\Users\Admin\Desktop\JoinPush.wmv.WNCRY
File opened for modification | C:\Users\Admin\Desktop\JoinPush.wmv.WNCRY
File renamed | C:\Users\Admin\Desktop\OpenSplit.xltx.WNCRYT => C:\Users\Admin\Desktop\OpenSplit.xltx.WNCRY
File opened for modification | C:\Users\Admin\Desktop\OpenSplit.xltx.WNCRY
File renamed | C:\Users\Admin\Desktop\SkipUnlock.xltx.WNCRYT => C:\Users\Admin\Desktop\SkipUnlock.xltx.WNCRY
File opened for modification | C:\Users\Admin\Desktop\SkipUnlock.xltx.WNCRY
File renamed | C:\Users\Admin\Desktop\StartLock.zip.WNCRYT => C:\Users\Admin\Desktop\StartLock.zip.WNCRY
File opened for modification | C:\Users\Admin\Desktop\StartLock.zip.WNCRY
File renamed | C:\Users\Admin\Desktop\StopBlock.bat.WNCRYT => C:\Users\Admin\Desktop\StopBlock.bat.WNCRY
File opened for modification | C:\Users\Admin\Desktop\StopBlock.bat.WNCRY
File renamed | C:\Users\Admin\Desktop\SuspendAssert.xlsm.WNCRYT => C:\Users\Admin\Desktop\SuspendAssert.xlsm.WNCRY
File opened for modification | C:\Users\Admin\Desktop\SuspendAssert.xlsm.WNCRY
File renamed | C:\Users\Admin\Documents\Are.docx.WNCRYT => C:\Users\Admin\Documents\Are.docx.WNCRY
File opened for modification | C:\Users\Admin\Documents\Are.docx.WNCRY
File renamed | C:\Users\Admin\Documents\Files.docx.WNCRYT => C:\Users\Admin\Documents\Files.docx.WNCRY
File opened for modification | C:\Users\Admin\Documents\Files.docx.WNCRY
File renamed | C:\Users\Admin\Documents\MergeStep.vsdx.WNCRYT => C:\Users\Admin\Documents\MergeStep.vsdx.WNCRY
File opened for modification | C:\Users\Admin\Documents\MergeStep.vsdx.WNCRY
File renamed | C:\Users\Admin\Documents\Opened.docx.WNCRYT => C:\Users\Admin\Documents\Opened.docx.WNCRY
File opened for modification | C:\Users\Admin\Documents\Opened.docx.WNCRY
File renamed | C:\Users\Admin\Documents\OptimizeGroup.txt.WNCRYT => C:\Users\Admin\Documents\OptimizeGroup.txt.WNCRY
File opened for modification | C:\Users\Admin\Documents\OptimizeGroup.txt.WNCRY
File renamed | C:\Users\Admin\Documents\Recently.docx.WNCRYT => C:\Users\Admin\Documents\Recently.docx.WNCRY
File opened for modification | C:\Users\Admin\Documents\Recently.docx.WNCRY
File renamed | C:\Users\Admin\Documents\SubmitDebug.ppt.WNCRYT => C:\Users\Admin\Documents\SubmitDebug.ppt.WNCRY
File opened for modification | C:\Users\Admin\Documents\SubmitDebug.ppt.WNCRY
File renamed | C:\Users\Admin\Documents\These.docx.WNCRYT => C:\Users\Admin\Documents\These.docx.WNCRY
File opened for modification | C:\Users\Admin\Documents\These.docx.WNCRY
File renamed | C:\Users\Admin\Documents\UnblockExport.csv.WNCRYT => C:\Users\Admin\Documents\UnblockExport.csv.WNCRY
File opened for modification | C:\Users\Admin\Documents\UnblockExport.csv.WNCRY
File renamed | C:\Users\Admin\Documents\WriteDismount.xlsx.WNCRYT => C:\Users\Admin\Documents\WriteDismount.xlsx.WNCRY
File opened for modification | C:\Users\Admin\Documents\WriteDismount.xlsx.WNCRY
File renamed | C:\Users\Admin\Documents\AddDismount.pptm.WNCRYT => C:\Users\Admin\Documents\AddDismount.pptm.WNCRY
File opened for modification | C:\Users\Admin\Documents\AddDismount.pptm.WNCRY
File renamed | C:\Users\Admin\Documents\ApproveMeasure.docm.WNCRYT => C:\Users\Admin\Documents\ApproveMeasure.docm.WNCRY
File opened for modification | C:\Users\Admin\Documents\ApproveMeasure.docm.WNCRY
File renamed | C:\Users\Admin\Documents\CloseLock.potx.WNCRYT => C:\Users\Admin\Documents\CloseLock.potx.WNCRY
File opened for modification | C:\Users\Admin\Documents\CloseLock.potx.WNCRY
File renamed | C:\Users\Admin\Documents\DisconnectCompare.xltm.WNCRYT => C:\Users\Admin\Documents\DisconnectCompare.xltm.WNCRY
File opened for modification | C:\Users\Admin\Documents\DisconnectCompare.xltm.WNCRY
File renamed | C:\Users\Admin\Documents\DismountUse.odp.WNCRYT => C:\Users\Admin\Documents\DismountUse.odp.WNCRY
File opened for modification | C:\Users\Admin\Documents\DismountUse.odp.WNCRY
File renamed | C:\Users\Admin\Documents\NewUnprotect.xltm.WNCRYT => C:\Users\Admin\Documents\NewUnprotect.xltm.WNCRY
File opened for modification | C:\Users\Admin\Documents\NewUnprotect.xltm.WNCRY
File renamed | C:\Users\Admin\Documents\OutConvert.docm.WNCRYT => C:\Users\Admin\Documents\OutConvert.docm.WNCRY
File opened for modification | C:\Users\Admin\Documents\OutConvert.docm.WNCRY
File renamed | C:\Users\Admin\Documents\ReceiveEnable.pot.WNCRYT => C:\Users\Admin\Documents\ReceiveEnable.pot.WNCRY
File opened for modification | C:\Users\Admin\Documents\ReceiveEnable.pot.WNCRY
File renamed | C:\Users\Admin\Documents\UnregisterRead.ods.WNCRYT => C:\Users\Admin\Documents\UnregisterRead.ods.WNCRY
File opened for modification | C:\Users\Admin\Documents\UnregisterRead.ods.WNCRY
File renamed | C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRY
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRY
File renamed | C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3fd336ea-c68e-47df-b2bf-24527681fe24}\0.0.filtertrie.intermediate.txt.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3fd336ea-c68e-47df-b2bf-24527681fe24}\0.0.filtertrie.intermediate.txt.WNCRY
File opened for modification | C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3fd336ea-c68e-47df-b2bf-24527681fe24}\0.0.filtertrie.intermediate.txt.WNCRY
File renamed | C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4c7824f5-2f93-430b-a953-417ce8bc1d70}\0.0.filtertrie.intermediate.txt.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4c7824f5-2f93-430b-a953-417ce8bc1d70}\0.0.filtertrie.intermediate.txt.WNCRY
File opened for modification | C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4c7824f5-2f93-430b-a953-417ce8bc1d70}\0.0.filtertrie.intermediate.txt.WNCRY
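The rows above show the two-stage pattern this sample uses: the ciphertext is written to a .WNCRYT staging file, which is then renamed to .WNCRY, leaving the original extension embedded in the name (Are.docx.WNCRY). The generic signal underneath, one process giving many files of many different original types the same new extension, is what the following Python checks. It is an added example, not the report's or the sandbox's own signature logic: the input rows are an excerpt copied from the table above, with one constructed benign rename (Word saving through a ~WRL temp file) added as a control; the parsing regex, the same-file heuristic and the thresholds are my own.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

SAMPLE = "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"

# Excerpt of the "Wannacry file encrypt" rows above (pid 4896) plus one constructed benign
# rename by Word (pid 1234) that a naive "file got a new extension" rule would also catch.
ROWS = rf"""
File renamed C:\Users\Admin\Desktop\WaitRevoke.txt.WNCRYT => C:\Users\Admin\Desktop\WaitRevoke.txt.WNCRY 4896 {SAMPLE}
File opened for modification C:\Users\Admin\Desktop\WaitRevoke.txt.WNCRY 4896 {SAMPLE}
File renamed C:\Users\Admin\Desktop\WritePop.pptx.WNCRYT => C:\Users\Admin\Desktop\WritePop.pptx.WNCRY 4896 {SAMPLE}
File renamed C:\Users\Admin\Desktop\CloseAdd.3gp.WNCRYT => C:\Users\Admin\Desktop\CloseAdd.3gp.WNCRY 4896 {SAMPLE}
File renamed C:\Users\Admin\Desktop\StopBlock.bat.WNCRYT => C:\Users\Admin\Desktop\StopBlock.bat.WNCRY 4896 {SAMPLE}
File renamed C:\Users\Admin\Documents\Are.docx.WNCRYT => C:\Users\Admin\Documents\Are.docx.WNCRY 4896 {SAMPLE}
File renamed C:\Users\Admin\Documents\UnblockExport.csv.WNCRYT => C:\Users\Admin\Documents\UnblockExport.csv.WNCRY 4896 {SAMPLE}
File renamed C:\Users\Admin\Documents\DismountUse.odp.WNCRYT => C:\Users\Admin\Documents\DismountUse.odp.WNCRY 4896 {SAMPLE}
File renamed C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRY 4896 {SAMPLE}
File renamed C:\Users\Admin\Documents\~WRL0001.tmp => C:\Users\Admin\Documents\Report.docx 1234 WINWORD.EXE
"""

# Paths may contain spaces ("Internet Explorer"), so anchor on " => " and the trailing pid/process.
RENAME_RE = re.compile(r"^File renamed (.+?) => (.+?) (\d+) (\S+)$")


def parse_renames(text):
    """(src, dst, pid, process) for each 'File renamed' row; other row types are ignored."""
    out = []
    for line in text.splitlines():
        m = RENAME_RE.match(line.strip())
        if m:
            out.append((m[1], m[2], int(m[3]), m[4]))
    return out


def reextension(src, dst):
    """If dst is the same file as src with a new trailing extension, return
    (original_ext, new_ext); otherwise None. Covers the staging rename seen here
    ('a.docx.WNCRYT' -> 'a.docx.WNCRY') and the direct form ('a.docx' -> 'a.docx.locked')."""
    s, d = PureWindowsPath(src), PureWindowsPath(dst)
    if s.parent != d.parent or not d.name.startswith(s.with_suffix("").name):
        return None
    suffixes = d.suffixes
    if not suffixes:
        return None
    original = suffixes[-2] if len(suffixes) >= 2 else ""
    return original.lower(), suffixes[-1]


def rename_sweeps(text, min_files=5, min_source_types=3):
    """pid -> finding for processes that gave >= min_files files one common new extension,
    drawn from >= min_source_types different original extensions."""
    per_proc = defaultdict(list)
    for src, dst, pid, proc in parse_renames(text):
        pair = reextension(src, dst)
        if pair:
            per_proc[(pid, proc)].append(pair)
    findings = {}
    for (pid, proc), pairs in per_proc.items():
        new_ext, n = Counter(new for _, new in pairs).most_common(1)[0]
        sources = {orig for orig, new in pairs if new == new_ext and orig}
        if n >= min_files and len(sources) >= min_source_types:
            findings[pid] = {"process": proc, "new_extension": new_ext,
                             "files": n, "source_extensions": sorted(sources)}
    return findings


if __name__ == "__main__":
    for pid, f in rename_sweeps(ROWS).items():
        print(f"{pid} {f['process']}: {f['files']} files -> {f['new_extension']} "
              f"(from {', '.join(f['source_extensions'])})")
```

The diversity requirement on original extensions is what keeps a build tool that turns fifty .c files into .o out of the findings while still catching a sweep over documents, media and scripts like the one recorded here.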
Loads dropped DLL 1 IoCs
pid | Process
1008 | taskhsvc.exe
Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs
description | ioc | pid | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | 5056 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | 5056 | svchost.exe
Suspicious use of SetWindowsHookEx 5 IoCs
pid | Process
5088 | @[email protected]
5048 | @[email protected]
520 | @[email protected]
2496 | @[email protected]
4704 | @[email protected]
Deletes shadow copies 2 TTPs 2 IoCs
pid | Process
3888 | vssadmin.exe
4204 | WMIC.exe
Modifies registry key 1 TTPs 1 IoCs
pid | Process
1904 | reg.exe
Adds Run entry to start application 2 TTPs 1 IoCs
description | ioc | pid | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nmsqcsinudawe237 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\"" | 1904 | reg.exe
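The command lines captured in the Processes section below are the part of this report worth turning into detection logic: cmd.exe (4268) chaining vssadmin, wmic, bcdedit and wbadmin to remove shadow copies and disable boot recovery; reg.exe (1904) writing a Run value that points into %TEMP%; icacls (4932) granting Everyone full control; attrib (4924) hiding the working directory. The Python below is an added example, not part of the report or of any product. The records are constructed process-creation events whose command lines are copied from the process tree, plus two constructed benign controls (vssadmin list shadows, and a Run value pointing into Program Files); the rule names and the user-writable-path heuristic are my own. One caveat worth keeping in mind when reading the rest of the signatures: the registry reads by svchost DoSvc (5056), the Security Center write by the wscsvc host (4328), the font-cache files from the BITS host (1352) and the SppExtComObj/SLUI pair are Windows service activity in the sandbox, none of which appears as a child of the sample in the WriteProcessMemory table, which is why rules keyed on command line and lineage are more useful than the signature names alone.

```python
import re

# Constructed process-creation records. Command lines are copied verbatim from the process
# tree in this report; the last two records are benign controls invented for the test.
EVENTS = [
    {"pid": 4924, "ppid": 4896, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmd": "attrib +h ."},
    {"pid": 4932, "ppid": 4896, "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmd": "icacls . /grant Everyone:F /T /C /Q"},
    {"pid": 4268, "ppid": 5088, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & "
            "bcdedit /set {default} bootstatuspolicy ignoreallfailures & "
            "bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"},
    {"pid": 3888, "ppid": 4268, "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "cmd": "vssadmin delete shadows /all /quiet"},
    {"pid": 4204, "ppid": 4268, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     "cmd": "wmic shadowcopy delete"},
    {"pid": 1904, "ppid": 568, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmd": r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nmsqcsinudawe237" '
            r'/t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f'},
    # constructed benign controls
    {"pid": 7001, "ppid": 7000, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin list shadows"},
    {"pid": 7002, "ppid": 7000, "image": r"C:\Windows\System32\reg.exe",
     "cmd": r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v OneDrive /t REG_SZ '
            r'/d "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /f'},
]

# Each rule: (name, pattern). Patterns run against the whole command line, case-insensitive,
# so a single "cmd.exe /c a & b & c" chain can trip several rules at once.
RULES = [
    ("shadow_copy_deletion",
     r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
     r"wbadmin(\.exe)?\s+delete\s+catalog"),
    ("boot_recovery_tampering",
     r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
     r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    ("acl_weakening", r"icacls(\.exe)?\s+.*/grant(:r)?\s+Everyone:F"),
    ("hide_working_dir", r"attrib(\.exe)?\s+\+h\b"),
]
RULES = [(name, re.compile(pat, re.I)) for name, pat in RULES]

RUN_KEY_RE = re.compile(r"reg(\.exe)?\s+add\s+\S*\\CurrentVersion\\Run\b", re.I)
RUN_DATA_RE = re.compile(r"/d\s+(.+?)\s+/f\b|/d\s+(.+)$", re.I)
# Locations an unprivileged user can write to. A Run value pointing there is the persistence
# pattern in this report (tasksche.exe under %LOCALAPPDATA%\Temp).
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\", re.I)


def run_key_to_user_writable(cmd):
    """True when reg add targets a Run key and the value data points into a user-writable path."""
    if not RUN_KEY_RE.search(cmd):
        return False
    m = RUN_DATA_RE.search(cmd)
    data = (m.group(1) or m.group(2)) if m else ""
    return bool(USER_WRITABLE_RE.search(data))


def evaluate(event):
    """Names of the rules an event trips, in RULES order, then the Run-key rule."""
    cmd = event["cmd"]
    hits = [name for name, rx in RULES if rx.search(cmd)]
    if run_key_to_user_writable(cmd):
        hits.append("run_key_persistence_user_writable")
    return hits


def scan(events):
    """pid -> list of rule names, only for events that tripped something."""
    out = {}
    for e in events:
        hits = evaluate(e)
        if hits:
            out[e["pid"]] = hits
    return out


if __name__ == "__main__":
    by_pid = {e["pid"]: e for e in EVENTS}
    for pid, hits in scan(EVENTS).items():
        e = by_pid[pid]
        print(f"{pid} ({e['image']}, parent {e['ppid']}): {', '.join(hits)}")
```

The cmd.exe chain trips two rules from one event, and the separately spawned vssadmin.exe and WMIC.exe trip the shadow-copy rule again, so a real deployment should group hits by parent pid (4268 here, itself a child of the dropped decryptor 5088 per the WriteProcessMemory table) rather than count each child as a separate incident.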
Drops file in system dir 5 IoCs
description | ioc | pid | Process
File opened for modification | C:\Windows\Debug\ESE.TXT | 1352 | svchost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp | 1352 | svchost.exe
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp | 1352 | svchost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp | 1352 | svchost.exe
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp | 1352 | svchost.exe
Windows security modification 2 IoCs
description | ioc | pid | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0" | 4328 | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1" | 4328 | svchost.exe
Drops Office document 29 IoCs
description | ioc (pid 4896, Process ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, for every row)
File opened for modification | C:\Users\Admin\Desktop\WritePop.pptx
File opened for modification | C:\Users\Admin\Desktop\OpenSplit.xltx
File opened for modification | C:\Users\Admin\Desktop\SkipUnlock.xltx
File opened for modification | C:\Users\Admin\Desktop\SuspendAssert.xlsm
File opened for modification | C:\Users\Admin\Documents\Are.docx
File opened for modification | C:\Users\Admin\Documents\Files.docx
File opened for modification | C:\Users\Admin\Documents\Opened.docx
File opened for modification | C:\Users\Admin\Documents\Recently.docx
File opened for modification | C:\Users\Admin\Documents\SubmitDebug.ppt
File opened for modification | C:\Users\Admin\Documents\These.docx
File opened for modification | C:\Users\Admin\Documents\WriteDismount.xlsx
File opened for modification | C:\Users\Admin\Documents\AddDismount.pptm
File opened for modification | C:\Users\Admin\Documents\ApproveMeasure.docm
File opened for modification | C:\Users\Admin\Documents\CloseLock.potx
File opened for modification | C:\Users\Admin\Documents\DisconnectCompare.xltm
File opened for modification | C:\Users\Admin\Documents\NewUnprotect.xltm
File opened for modification | C:\Users\Admin\Documents\OutConvert.docm
File opened for modification | C:\Users\Admin\Documents\ReceiveEnable.pot
File opened for modification | C:\Users\Admin\AppData\Roaming\ExpandPing.doc
File opened for modification | C:\Users\Admin\Downloads\SwitchLock.docx
File opened for modification | C:\Users\Admin\Downloads\TraceUninstall.xls
File opened for modification | C:\Users\Admin\Music\UninstallGet.docx
File opened for modification | C:\Users\Admin\AppData\Roaming\CompleteInvoke.ppsm
File opened for modification | C:\Users\Admin\AppData\Roaming\OpenTest.dotm
File opened for modification | C:\Users\Admin\AppData\Roaming\StopPop.xltm
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
File opened for modification | C:\Users\Admin\Downloads\TraceWatch.xlsb
File opened for modification | C:\Users\Admin\Music\RestartPublish.docm
Drops startup file 6 IoCs
description | ioc (pid 4896, Process ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, for every row)
File created (read-only) | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDDA09.tmp
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDDA09.tmp
File deleted | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDDA09.tmp
File created (read-only) | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDDB87.tmp
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDDB87.tmp
File deleted | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDDB87.tmp
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description | ioc | pid | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" | 4896 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" | 520 | @[email protected]
Suspicious use of AdjustPrivilegeToken 27 IoCs
description | pid | Process
Token: SeBackupPrivilege | 1864 | vssvc.exe
Token: SeRestorePrivilege | 1864 | vssvc.exe
Token: SeAuditPrivilege | 1864 | vssvc.exe
Token: SeIncreaseQuotaPrivilege | 4204 | WMIC.exe
Token: SeSecurityPrivilege | 4204 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 4204 | WMIC.exe
Token: SeLoadDriverPrivilege | 4204 | WMIC.exe
Token: SeSystemProfilePrivilege | 4204 | WMIC.exe
Token: SeSystemtimePrivilege | 4204 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 4204 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 4204 | WMIC.exe
Token: SeCreatePagefilePrivilege | 4204 | WMIC.exe
Token: SeBackupPrivilege | 4204 | WMIC.exe
Token: SeRestorePrivilege | 4204 | WMIC.exe
Token: SeShutdownPrivilege | 4204 | WMIC.exe
Token: SeDebugPrivilege | 4204 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 4204 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 4204 | WMIC.exe
Token: SeUndockPrivilege | 4204 | WMIC.exe
Token: SeManageVolumePrivilege | 4204 | WMIC.exe
Token: 33 | 4204 | WMIC.exe
Token: 34 | 4204 | WMIC.exe
Token: 35 | 4204 | WMIC.exe
Token: 36 | 4204 | WMIC.exe
Token: SeTcbPrivilege | 512 | taskse.exe
Token: SeTcbPrivilege | 2464 | taskse.exe
Token: SeTcbPrivilege | 4016 | taskse.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
  "C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
- Suspicious use of WriteProcessMemory
- Wannacry file encrypt
- Drops Office document
- Drops startup file
- Sets desktop wallpaper using registry
PID:4896
-
C:\Windows\SysWOW64\attrib.exe
  attrib +h .
- Views/modifies file attributes
PID:4924
-
C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
- Modifies file permissions
PID:4932
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
- Executes dropped EXE
PID:1012
-
C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 291411574678040.bat
- Suspicious use of WriteProcessMemory
PID:1908
-
C:\Windows\SysWOW64\cscript.exe
  cscript.exe //nologo m.vbs
PID:3844
-
\??\c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k netsvcs -s lfsvc
PID:3168
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
- Executes dropped EXE
PID:4500
-
C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
- Suspicious use of WriteProcessMemory
PID:4980
-
C:\Windows\System32\SLUI.exe
  "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
PID:5116
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5048
-
C:\Windows\SysWOW64\cmd.exe
PID:5056
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5088
-
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
  TaskData\Tor\taskhsvc.exe
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
- Loads dropped DLL
PID:1008
-
C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
- Suspicious use of WriteProcessMemory
PID:4268
-
C:\Windows\SysWOW64\vssadmin.exe
  vssadmin delete shadows /all /quiet
- Uses Volume Shadow Copy Service COM API
- Deletes shadow copies
PID:3888
-
C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
- Uses Volume Shadow Copy Service COM API
- Suspicious use of AdjustPrivilegeToken
PID:1864
-
C:\Windows\SysWOW64\Wbem\WMIC.exe
  wmic shadowcopy delete
- Deletes shadow copies
- Suspicious use of AdjustPrivilegeToken
PID:4204
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:512
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Sets desktop wallpaper using registry
PID:520
-
C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nmsqcsinudawe237" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
- Suspicious use of WriteProcessMemory
PID:568
-
C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nmsqcsinudawe237" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
- Modifies registry key
- Adds Run entry to start application
PID:1904
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
- Executes dropped EXE
PID:4936
-
\??\c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k netsvcs -s BITS
- Drops file in system dir
PID:1352
-
\??\c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
PID:1812
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2464
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
PID:2496
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
- Executes dropped EXE
PID:4500
-
\??\c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
- Checks system information in the registry (likely anti-VM)
PID:5056
-
\??\c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k unistacksvcgroup
PID:4576
-
\??\c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
- Windows security modification
PID:4328
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4016
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
PID:4704
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
- Executes dropped EXE
PID:4628
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Additional techniques
- T1158 Hidden Files and Directories
- T1107 File Deletion
- T1060 Registry Run Keys / Startup Folder
- T1089 Disabling Security Tools