wannacry | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Target

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Size

3.4MB
MD5

84c82835a5d21bbcf75a61706d8ab549
SHA1

5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512

90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Score

10^/10

ransomware persistence worm wannacry spyware discovery

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]

pid	process
1084	@[email protected]
820	@[email protected]
1084	@[email protected]
820	@[email protected]
808	@[email protected]
808	@[email protected]
1852	@[email protected]
1980	@[email protected]
1988	@[email protected]

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Suspicious use of WriteProcessMemory 104 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.execmd.execmd.exe@[email protected]@[email protected]cmd.exe

description	pid	process	target process
PID 112 wrote to memory of 1616	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 112 wrote to memory of 1616	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 112 wrote to memory of 1616	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 112 wrote to memory of 1616	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 112 wrote to memory of 780	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	icacls.exe
PID 112 wrote to memory of 780	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	icacls.exe
PID 112 wrote to memory of 780	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	icacls.exe
PID 112 wrote to memory of 780	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	icacls.exe
PID 112 wrote to memory of 1880	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 112 wrote to memory of 1880	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 112 wrote to memory of 1880	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 112 wrote to memory of 1880	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 112 wrote to memory of 1912	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 112 wrote to memory of 1912	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 112 wrote to memory of 1912	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 112 wrote to memory of 1912	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 1912 wrote to memory of 1792	1912	cmd.exe	cscript.exe
PID 1912 wrote to memory of 1792	1912	cmd.exe	cscript.exe
PID 1912 wrote to memory of 1792	1912	cmd.exe	cscript.exe
PID 1912 wrote to memory of 1792	1912	cmd.exe	cscript.exe
PID 112 wrote to memory of 1084	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 112 wrote to memory of 1084	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 112 wrote to memory of 1084	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 112 wrote to memory of 1084	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 112 wrote to memory of 528	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 112 wrote to memory of 528	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 112 wrote to memory of 528	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 112 wrote to memory of 528	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 528 wrote to memory of 820	528	cmd.exe	@[email protected]
PID 528 wrote to memory of 820	528	cmd.exe	@[email protected]
PID 528 wrote to memory of 820	528	cmd.exe	@[email protected]
PID 528 wrote to memory of 820	528	cmd.exe	@[email protected]
PID 1084 wrote to memory of 652	1084	@[email protected]	taskhsvc.exe
PID 1084 wrote to memory of 652	1084	@[email protected]	taskhsvc.exe
PID 1084 wrote to memory of 652	1084	@[email protected]	taskhsvc.exe
PID 1084 wrote to memory of 652	1084	@[email protected]	taskhsvc.exe
PID 820 wrote to memory of 1268	820	@[email protected]	cmd.exe
PID 820 wrote to memory of 1268	820	@[email protected]	cmd.exe
PID 820 wrote to memory of 1268	820	@[email protected]	cmd.exe
PID 820 wrote to memory of 1268	820	@[email protected]	cmd.exe
PID 1268 wrote to memory of 1904	1268	cmd.exe	vssadmin.exe
PID 1268 wrote to memory of 1904	1268	cmd.exe	vssadmin.exe
PID 1268 wrote to memory of 1904	1268	cmd.exe	vssadmin.exe
PID 1268 wrote to memory of 1904	1268	cmd.exe	vssadmin.exe
PID 1268 wrote to memory of 1656	1268	cmd.exe	WMIC.exe
PID 1268 wrote to memory of 1656	1268	cmd.exe	WMIC.exe
PID 1268 wrote to memory of 1656	1268	cmd.exe	WMIC.exe
PID 1268 wrote to memory of 1656	1268	cmd.exe	WMIC.exe
PID 112 wrote to memory of 2012	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 112 wrote to memory of 2012	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 112 wrote to memory of 2012	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 112 wrote to memory of 2012	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 112 wrote to memory of 2004	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskse.exe
PID 112 wrote to memory of 2004	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskse.exe
PID 112 wrote to memory of 2004	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskse.exe
PID 112 wrote to memory of 2004	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskse.exe
PID 112 wrote to memory of 808	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 112 wrote to memory of 808	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 112 wrote to memory of 808	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 112 wrote to memory of 808	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 112 wrote to memory of 1592	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 112 wrote to memory of 1592	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 112 wrote to memory of 1592	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 112 wrote to memory of 1592	112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1904 vssadmin.exe
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1616 attrib.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

780 icacls.exe

pid	process
1904	vssadmin.exe

pid	process
1616	attrib.exe

pid	process
780	icacls.exe

Executes dropped EXE 16 IoCs

Processes:

taskdl.exe@[email protected]@[email protected]taskhsvc.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]

pid	process
1880	taskdl.exe
1084	@[email protected]
820	@[email protected]
652	taskhsvc.exe
2012	taskdl.exe
2004	taskse.exe
808	@[email protected]
1840	taskdl.exe
1056	taskse.exe
1852	@[email protected]
1308	taskdl.exe
972	taskse.exe
1980	@[email protected]
1572	taskdl.exe
1504	taskse.exe
1988	@[email protected]

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

vssvc.exeWMIC.exetaskse.exetaskse.exetaskse.exetaskse.exe

description	pid	process
Token: SeBackupPrivilege	1928	vssvc.exe
Token: SeRestorePrivilege	1928	vssvc.exe
Token: SeAuditPrivilege	1928	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1656	WMIC.exe
Token: SeSecurityPrivilege	1656	WMIC.exe
Token: SeTakeOwnershipPrivilege	1656	WMIC.exe
Token: SeLoadDriverPrivilege	1656	WMIC.exe
Token: SeSystemProfilePrivilege	1656	WMIC.exe
Token: SeSystemtimePrivilege	1656	WMIC.exe
Token: SeProfSingleProcessPrivilege	1656	WMIC.exe
Token: SeIncBasePriorityPrivilege	1656	WMIC.exe
Token: SeCreatePagefilePrivilege	1656	WMIC.exe
Token: SeBackupPrivilege	1656	WMIC.exe
Token: SeRestorePrivilege	1656	WMIC.exe
Token: SeShutdownPrivilege	1656	WMIC.exe
Token: SeDebugPrivilege	1656	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1656	WMIC.exe
Token: SeRemoteShutdownPrivilege	1656	WMIC.exe
Token: SeUndockPrivilege	1656	WMIC.exe
Token: SeManageVolumePrivilege	1656	WMIC.exe
Token: 33	1656	WMIC.exe
Token: 34	1656	WMIC.exe
Token: 35	1656	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1656	WMIC.exe
Token: SeSecurityPrivilege	1656	WMIC.exe
Token: SeTakeOwnershipPrivilege	1656	WMIC.exe
Token: SeLoadDriverPrivilege	1656	WMIC.exe
Token: SeSystemProfilePrivilege	1656	WMIC.exe
Token: SeSystemtimePrivilege	1656	WMIC.exe
Token: SeProfSingleProcessPrivilege	1656	WMIC.exe
Token: SeIncBasePriorityPrivilege	1656	WMIC.exe
Token: SeCreatePagefilePrivilege	1656	WMIC.exe
Token: SeBackupPrivilege	1656	WMIC.exe
Token: SeRestorePrivilege	1656	WMIC.exe
Token: SeShutdownPrivilege	1656	WMIC.exe
Token: SeDebugPrivilege	1656	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1656	WMIC.exe
Token: SeRemoteShutdownPrivilege	1656	WMIC.exe
Token: SeUndockPrivilege	1656	WMIC.exe
Token: SeManageVolumePrivilege	1656	WMIC.exe
Token: 33	1656	WMIC.exe
Token: 34	1656	WMIC.exe
Token: 35	1656	WMIC.exe
Token: SeTcbPrivilege	2004	taskse.exe
Token: SeTcbPrivilege	2004	taskse.exe
Token: SeTcbPrivilege	1056	taskse.exe
Token: SeTcbPrivilege	1056	taskse.exe
Token: SeTcbPrivilege	972	taskse.exe
Token: SeTcbPrivilege	972	taskse.exe
Token: SeTcbPrivilege	1504	taskse.exe
Token: SeTcbPrivilege	1504	taskse.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2028 reg.exe

pid	process
2028	reg.exe

Loads dropped DLL 39 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.execscript.execmd.exe@[email protected]taskhsvc.exe

pid	process
112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1792	cscript.exe
112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
528	cmd.exe
528	cmd.exe
1084	@[email protected]
1084	@[email protected]
652	taskhsvc.exe
652	taskhsvc.exe
652	taskhsvc.exe
652	taskhsvc.exe
652	taskhsvc.exe
652	taskhsvc.exe
112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
112	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

taskhsvc.exe

pid process

652 taskhsvc.exe
652 taskhsvc.exe
652 taskhsvc.exe

pid	process
652	taskhsvc.exe
652	taskhsvc.exe
652	taskhsvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops startup file 2 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD241B.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD243E.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Adds Run entry to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pzkqrqnhucon571 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""	reg.exe

C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
- Sets desktop wallpaper using registry
- Drops startup file
PID:112

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:1616

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:780

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1880

C:\Windows\SysWOW64\cmd.exe
cmd /c 88211594222137.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
- Loads dropped DLL
PID:1792

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected] co
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Loads dropped DLL
PID:1084

C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:652

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
2⤵
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID:528

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected] vs
3⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:820

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:1904

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2012

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Sets desktop wallpaper using registry
PID:808

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "pzkqrqnhucon571" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
2⤵
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "pzkqrqnhucon571" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
3⤵
- Modifies registry key
- Adds Run entry to start application
PID:2028

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1840

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
PID:1852

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1308

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
PID:1980

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1572

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
PID:1988

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\10.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\12.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\13.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\14.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\15.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\16.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\17.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\18.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\19.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\20.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\21.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\22.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\23.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\24.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\25.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\26.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\27.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\28.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\5.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\6.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\7.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\8.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\88211594222137.bat

Download Submit
C:\Users\Admin\AppData\Local\Temp\9.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\LIBEAY32.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\SSLEAY32.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libgcc_s_sjlj-1.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libssp-0.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\zlib1.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\b.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.vbs

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_bulgarian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (simplified).wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (traditional).wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_croatian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_czech.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_danish.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_dutch.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_english.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_filipino.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_finnish.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_french.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_german.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_greek.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_indonesian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_italian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_japanese.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_korean.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_latvian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_norwegian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_polish.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_portuguese.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_romanian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_russian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_slovak.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_spanish.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_swedish.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_turkish.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_vietnamese.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\r.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\t.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.wnry

Download Submit
C:\Users\Admin\Desktop\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libeay32.dll

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libgcc_s_sjlj-1.dll

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libssp-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\ssleay32.dll

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\zlib1.dll

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
memory/112-4-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/528-55-0x0000000000000000-mapping.dmp

Download
memory/652-412-0x00000000033E0000-0x00000000033F1000-memory.dmp

Filesize
68KB

Download
memory/652-414-0x00000000033E0000-0x00000000033F1000-memory.dmp

Filesize
68KB

Download
memory/652-64-0x0000000000000000-mapping.dmp

Download
memory/652-78-0x0000000002AA0000-0x0000000002AB1000-memory.dmp

Filesize
68KB

Download
memory/652-79-0x0000000002EB0000-0x0000000002EC1000-memory.dmp

Filesize
68KB

Download
memory/652-80-0x0000000002AA0000-0x0000000002AB1000-memory.dmp

Filesize
68KB

Download
memory/652-246-0x0000000002EB0000-0x0000000002EC1000-memory.dmp

Filesize
68KB

Download
memory/652-245-0x0000000002AA0000-0x0000000002AB1000-memory.dmp

Filesize
68KB

Download
memory/652-247-0x0000000002AA0000-0x0000000002AB1000-memory.dmp

Filesize
68KB

Download
memory/652-413-0x00000000037F0000-0x0000000003801000-memory.dmp

Filesize
68KB

Download
memory/780-1-0x0000000000000000-mapping.dmp

Download
memory/808-719-0x0000000000000000-mapping.dmp

Download
memory/820-59-0x0000000000000000-mapping.dmp

Download
memory/820-58-0x0000000000000000-mapping.dmp

Download
memory/972-772-0x0000000000000000-mapping.dmp

Download
memory/1056-731-0x0000000000000000-mapping.dmp

Download
memory/1084-53-0x0000000000000000-mapping.dmp

Download
memory/1268-706-0x0000000000000000-mapping.dmp

Download
memory/1308-739-0x0000000000000000-mapping.dmp

Download
memory/1504-784-0x0000000000000000-mapping.dmp

Download
memory/1572-780-0x0000000000000000-mapping.dmp

Download
memory/1592-721-0x0000000000000000-mapping.dmp

Download
memory/1616-0-0x0000000000000000-mapping.dmp

Download
memory/1656-708-0x0000000000000000-mapping.dmp

Download
memory/1792-49-0x00000000026B0000-0x00000000026B4000-memory.dmp

Filesize
16KB

Download
memory/1792-45-0x0000000000000000-mapping.dmp

Download
memory/1840-727-0x0000000000000000-mapping.dmp

Download
memory/1852-735-0x0000000000000000-mapping.dmp

Download
memory/1880-41-0x0000000000000000-mapping.dmp

Download
memory/1904-707-0x0000000000000000-mapping.dmp

Download
memory/1912-43-0x0000000000000000-mapping.dmp

Download
memory/1980-776-0x0000000000000000-mapping.dmp

Download
memory/1988-788-0x0000000000000000-mapping.dmp

Download
memory/2004-715-0x0000000000000000-mapping.dmp

Download
memory/2012-712-0x0000000000000000-mapping.dmp

Download
memory/2028-724-0x0000000000000000-mapping.dmp

Download