Resubmissions
12-01-2020 03:05  200112-37f67sqp72  Score 10

Analysis
Max time kernel: 148s
Resource: win10v191014
Submitted: 12-01-2020 03:05

Task: task1
Sample: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Resource: win7v191014
0 signatures

Task: task2
Sample: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Resource: win10v191014
0 signatures

General
Target: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Sample: 200112-37f67sqp72
SHA256: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
Score: 10/10
Malware Config
Extracted
Path: C:\Users\Admin\AppData\Local\Temp\@[email protected]
Family: wannacry
Ransom Note:
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Next, please find an application file named "@[email protected]". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
Wallets
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Signatures
Suspicious use of WriteProcessMemory 26 IoCs
description                       pid   Process                                                                 procid_target
PID 4936 wrote to memory of 4952  4936  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe  72
PID 4936 wrote to memory of 4972  4936  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe  74
PID 4936 wrote to memory of 3068  4936  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe  77
PID 4936 wrote to memory of 1984  4936  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe  78
PID 1984 wrote to memory of 4000  1984  cmd.exe                                                                 80
PID 4936 wrote to memory of 4244  4936  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe  85
PID 4936 wrote to memory of 4340  4936  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe  86
PID 4340 wrote to memory of 4156  4340  cmd.exe                                                                 88
PID 4936 wrote to memory of 3984  4936  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe  90
PID 4936 wrote to memory of 2064  4936  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe  91
PID 4936 wrote to memory of 4104  4936  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe  92
PID 4936 wrote to memory of 4152  4936  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe  94
PID 4104 wrote to memory of 4916  4104  cmd.exe                                                                 95
PID 4244 wrote to memory of 4848  4244  @[email protected]                                                     96
PID 4156 wrote to memory of 1892  4156  @[email protected]                                                     100
PID 1892 wrote to memory of 4572  1892  cmd.exe                                                                 102
PID 1892 wrote to memory of 2696  1892  cmd.exe                                                                 106
PID 4936 wrote to memory of 1788  4936  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe  108
PID 4936 wrote to memory of 4200  4936  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe  109
PID 4936 wrote to memory of 5020  4936  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe  110
PID 4936 wrote to memory of 3212  4936  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe  114
PID 4936 wrote to memory of 4208  4936  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe  115
PID 4936 wrote to memory of 4340  4936  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe  116
PID 4936 wrote to memory of 4136  4936  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe  122
PID 4936 wrote to memory of 1416  4936  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe  123
PID 4936 wrote to memory of 1504  4936  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe  124
Suspicious use of AdjustPrivilegeToken 28 IoCs
description                          pid   Process
Token: SeTcbPrivilege                3984  taskse.exe
Token: SeBackupPrivilege             2404  vssvc.exe
Token: SeRestorePrivilege            2404  vssvc.exe
Token: SeAuditPrivilege              2404  vssvc.exe
Token: SeIncreaseQuotaPrivilege      2696  WMIC.exe
Token: SeSecurityPrivilege           2696  WMIC.exe
Token: SeTakeOwnershipPrivilege      2696  WMIC.exe
Token: SeLoadDriverPrivilege         2696  WMIC.exe
Token: SeSystemProfilePrivilege      2696  WMIC.exe
Token: SeSystemtimePrivilege         2696  WMIC.exe
Token: SeProfSingleProcessPrivilege  2696  WMIC.exe
Token: SeIncBasePriorityPrivilege    2696  WMIC.exe
Token: SeCreatePagefilePrivilege     2696  WMIC.exe
Token: SeBackupPrivilege             2696  WMIC.exe
Token: SeRestorePrivilege            2696  WMIC.exe
Token: SeShutdownPrivilege           2696  WMIC.exe
Token: SeDebugPrivilege              2696  WMIC.exe
Token: SeSystemEnvironmentPrivilege  2696  WMIC.exe
Token: SeRemoteShutdownPrivilege     2696  WMIC.exe
Token: SeUndockPrivilege             2696  WMIC.exe
Token: SeManageVolumePrivilege       2696  WMIC.exe
Token: 33                            2696  WMIC.exe
Token: 34                            2696  WMIC.exe
Token: 35                            2696  WMIC.exe
Token: 36                            2696  WMIC.exe
Token: SeTcbPrivilege                4200  taskse.exe
Token: SeTcbPrivilege                4208  taskse.exe
Token: SeTcbPrivilege                4136  taskse.exe
Wannacry
WannaCry is a ransomware cryptoworm.
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid   Process
4848  taskhsvc.exe
Adds Run entry to start application 2 TTPs 1 IoCs
description      ioc                                                                                                                                                            Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nmsqcsinudawe237 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""  reg.exe
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description      ioc                                                                                                                                        Process
Set value (str)  \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"  @[email protected]
Deletes shadow copies 2 TTPs 2 IoCs
pid   Process
4572  vssadmin.exe
2696  WMIC.exe
Executes dropped EXE 16 IoCs
pid   Process
3068  taskdl.exe
4244  @[email protected]
4156  @[email protected]
3984  taskse.exe
2064  @[email protected]
4152  taskdl.exe
4848  taskhsvc.exe
1788  taskdl.exe
4200  taskse.exe
5020  @[email protected]
3212  taskdl.exe
4208  taskse.exe
4340  @[email protected]
4136  taskse.exe
1416  @[email protected]
1504  taskdl.exe
Suspicious use of SetWindowsHookEx 6 IoCs
pid   Process
4156  @[email protected]
4244  @[email protected]
2064  @[email protected]
5020  @[email protected]
4340  @[email protected]
1416  @[email protected]
Loads dropped DLL 1 IoCs
pid   Process
4848  taskhsvc.exe
Modifies registry key 1 TTPs 1 IoCs
pid   Process
4916  reg.exe
Modifies file permissions 1 TTPs 2 IoCs
pid   Process
4972  icacls.exe
4972  icacls.exe
Drops startup file 6 IoCs
description                  ioc                                                                                     Process
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDB568.tmp  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File deleted                 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDB568.tmp  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File created (read-only)     C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDB57E.tmp                         ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDB57E.tmp                         ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File deleted                 C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDB57E.tmp                         ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File created (read-only)     C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDB568.tmp  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Views/modifies file attributes 1 TTPs 1 IoCs
pid   Process
4952  attrib.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe  (PID 4936)
      command line: "C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
      - Suspicious use of WriteProcessMemory
      - Sets desktop wallpaper using registry
      - Drops startup file
    [2] C:\Windows\SysWOW64\attrib.exe  (PID 4952)
          command line: attrib +h .
          - Views/modifies file attributes
    [2] C:\Windows\SysWOW64\icacls.exe  (PID 4972)
          command line: icacls . /grant Everyone:F /T /C /Q
          - Modifies file permissions
    [2] C:\Users\Admin\AppData\Local\Temp\taskdl.exe  (PID 3068)
          command line: taskdl.exe
          - Executes dropped EXE
    [2] C:\Windows\SysWOW64\cmd.exe  (PID 1984)
          command line: C:\Windows\system32\cmd.exe /c 85771578801917.bat
          - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cscript.exe  (PID 4000)
              command line: cscript.exe //nologo m.vbs
    [2] C:\Users\Admin\AppData\Local\Temp\@[email protected]  (PID 4244)
          - Suspicious use of WriteProcessMemory
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        [3] C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe  (PID 4848)
              command line: TaskData\Tor\taskhsvc.exe
              - Suspicious behavior: EnumeratesProcesses
              - Executes dropped EXE
              - Loads dropped DLL
    [2] C:\Windows\SysWOW64\cmd.exe  (PID 4340)
        [3] C:\Users\Admin\AppData\Local\Temp\@[email protected]  (PID 4156)
              - Suspicious use of WriteProcessMemory
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
            [4] C:\Windows\SysWOW64\cmd.exe  (PID 1892)
                  command line: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
                  - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\vssadmin.exe  (PID 4572)
                      command line: vssadmin delete shadows /all /quiet
                      - Deletes shadow copies
                [5] C:\Windows\SysWOW64\Wbem\WMIC.exe  (PID 2696)
                      command line: wmic shadowcopy delete
                      - Suspicious use of AdjustPrivilegeToken
                      - Deletes shadow copies
    [2] C:\Users\Admin\AppData\Local\Temp\taskse.exe  (PID 3984)
          command line: taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
          - Suspicious use of AdjustPrivilegeToken
          - Executes dropped EXE
    [2] C:\Users\Admin\AppData\Local\Temp\@[email protected]  (PID 2064)
          - Sets desktop wallpaper using registry
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
    [2] C:\Windows\SysWOW64\cmd.exe  (PID 4104)
          command line: cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nmsqcsinudawe237" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
          - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\reg.exe  (PID 4916)
              command line: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nmsqcsinudawe237" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
              - Adds Run entry to start application
              - Modifies registry key
    [2] C:\Users\Admin\AppData\Local\Temp\taskdl.exe  (PID 4152)
          command line: taskdl.exe
          - Executes dropped EXE
    [2] C:\Users\Admin\AppData\Local\Temp\taskdl.exe  (PID 1788)
          command line: taskdl.exe
          - Executes dropped EXE
    [2] C:\Users\Admin\AppData\Local\Temp\taskse.exe  (PID 4200)
          command line: taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
          - Suspicious use of AdjustPrivilegeToken
          - Executes dropped EXE
    [2] C:\Users\Admin\AppData\Local\Temp\@[email protected]  (PID 5020)
    [2] C:\Users\Admin\AppData\Local\Temp\taskdl.exe  (PID 3212)
          command line: taskdl.exe
          - Executes dropped EXE
    [2] C:\Users\Admin\AppData\Local\Temp\taskse.exe  (PID 4208)
          command line: taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
          - Suspicious use of AdjustPrivilegeToken
          - Executes dropped EXE
    [2] C:\Users\Admin\AppData\Local\Temp\@[email protected]  (PID 4340)
    [2] C:\Users\Admin\AppData\Local\Temp\taskse.exe  (PID 4136)
          command line: taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
          - Suspicious use of AdjustPrivilegeToken
          - Executes dropped EXE
    [2] C:\Users\Admin\AppData\Local\Temp\@[email protected]  (PID 1416)
    [2] C:\Users\Admin\AppData\Local\Temp\taskdl.exe  (PID 1504)
          command line: taskdl.exe
          - Executes dropped EXE
[1] C:\Windows\system32\vssvc.exe  (PID 2404)
      command line: C:\Windows\system32\vssvc.exe
      - Suspicious use of AdjustPrivilegeToken