Analysis

- max time kernel: 153s
- max time network: 154s
- platform: windows7_x64
- resource: win7v200722
- submitted: 17-09-2020 22:07

Static task: static1

Behavioral task: behavioral1
  Sample: 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
  Resource: win7v200722

Behavioral task: behavioral2
  Sample: 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
  Resource: win10v200722
General

- Target: 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
- Size: 3.6MB
- MD5: d5dcd28612f4d6ffca0cfeaefd606bcf
- SHA1: cf60fa60d2f461dddfdfcebf16368e6b539cd9ba
- SHA256: 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf
- SHA512: dbfcf464c3211b7454c406a9f9532c416910ac24ea862d7061e3503f294d690b4957020dcc703984449e0934c7a595cf9061412fa25383850dd86235648ac23b
Malware Config

Extracted
- Path: C:\ProgramData\mpvxsxzo192\@Please_Read_Me@.txt
- Family: wannacry
- Wallets: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Signatures

- Wannacry
  WannaCry is a ransomware cryptoworm.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (18 IoCs)
  Processes:
    pid   process
    1828  tasksche.exe
    268   tasksche.exe
    744   taskdl.exe
    1112  @WanaDecryptor@.exe
    1344  @WanaDecryptor@.exe
    1420  taskhsvc.exe
    1828  taskse.exe
    1300  taskdl.exe
    1860  @WanaDecryptor@.exe
    1500  taskse.exe
    1300  taskdl.exe
    1524  @WanaDecryptor@.exe
    1012  taskse.exe
    1828  @WanaDecryptor@.exe
    704   taskdl.exe
    240   taskse.exe
    996   @WanaDecryptor@.exe
    1824  taskdl.exe
- Modifies extensions of user files (6 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes:
    description | ioc | process
    File created | C:\Users\Admin\Pictures\CompressOptimize.raw.WNCRYT | tasksche.exe
    File renamed | C:\Users\Admin\Pictures\CompressOptimize.raw.WNCRYT => C:\Users\Admin\Pictures\CompressOptimize.raw.WNCRY | tasksche.exe
    File opened for modification | C:\Users\Admin\Pictures\CompressOptimize.raw.WNCRY | tasksche.exe
    File created | C:\Users\Admin\Pictures\GrantSelect.png.WNCRYT | tasksche.exe
    File renamed | C:\Users\Admin\Pictures\GrantSelect.png.WNCRYT => C:\Users\Admin\Pictures\GrantSelect.png.WNCRY | tasksche.exe
    File opened for modification | C:\Users\Admin\Pictures\GrantSelect.png.WNCRY | tasksche.exe
- Drops startup file (2 IoCs)
  Processes:
    description | ioc | process
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD95CB.tmp | tasksche.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD95A7.tmp | tasksche.exe
- Loads dropped DLL (27 IoCs)
  Processes:
    pid   process
    268   tasksche.exe
    268   tasksche.exe
    1880  cscript.exe
    268   tasksche.exe
    268   tasksche.exe
    1392  cmd.exe
    1112  @WanaDecryptor@.exe
    1112  @WanaDecryptor@.exe
    1420  taskhsvc.exe
    1420  taskhsvc.exe
    1420  taskhsvc.exe
    1420  taskhsvc.exe
    1420  taskhsvc.exe
    1420  taskhsvc.exe
    268   tasksche.exe
    268   tasksche.exe
    268   tasksche.exe
    1828  taskse.exe
    268   tasksche.exe
    268   tasksche.exe
    1500  taskse.exe
    268   tasksche.exe
    1012  taskse.exe
    268   tasksche.exe
    268   tasksche.exe
    240   taskse.exe
    268   tasksche.exe
- Modifies file permissions (1 TTP, 1 IoC)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | reg.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mpvxsxzo192 = "\"C:\\ProgramData\\mpvxsxzo192\\tasksche.exe\"" | reg.exe
- JavaScript code in executable (5 IoCs)
  Processes:
    resource | yara_rule
    \ProgramData\mpvxsxzo192\TaskData\Tor\taskhsvc.exe | js
    \ProgramData\mpvxsxzo192\TaskData\Tor\taskhsvc.exe | js
    C:\ProgramData\mpvxsxzo192\TaskData\Tor\taskhsvc.exe | js
    C:\ProgramData\mpvxsxzo192\TaskData\Tor\LIBEAY32.dll | js
    \ProgramData\mpvxsxzo192\TaskData\Tor\libeay32.dll | js
- Drops file in System32 directory (7 IoCs)
  Processes:
    description | ioc | process
    File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus.tmp | taskhsvc.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new | taskhsvc.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
    File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\tor\lock | taskhsvc.exe
    File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\tor\state.tmp | taskhsvc.exe
    File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\tor\unverified-microdesc-consensus.tmp | taskhsvc.exe
    File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\tor\cached-certs.tmp | taskhsvc.exe
- Modifies service (2 TTPs, 4 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp" | @WanaDecryptor@.exe
- Drops file in Windows directory (1 IoC)
  Processes:
    description | ioc | process
    File created | C:\WINDOWS\tasksche.exe | 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid  process
    908  vssadmin.exe
- Modifies data under HKEY_USERS (29 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a07009c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0B3A07F-52FE-4CB4-B180-D347A88145E3} | 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0B3A07F-52FE-4CB4-B180-D347A88145E3}\WpadDecisionTime = 90e1a34a4f8dd601 | 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host | cscript.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0B3A07F-52FE-4CB4-B180-D347A88145E3}\32-e2-17-db-d2-77 | 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0" | 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0B3A07F-52FE-4CB4-B180-D347A88145E3}\WpadNetworkName = "Network" | 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1" | 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software | cscript.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | cscript.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0B3A07F-52FE-4CB4-B180-D347A88145E3}\WpadDecision = "0" | 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77 | 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0B3A07F-52FE-4CB4-B180-D347A88145E3}\WpadDecisionReason = "1" | 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 90e1a34a4f8dd601 | 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings | cscript.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | cscript.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
- Modifies registry key (1 TTP, 1 IoC)
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  Processes:
    pid  process
    268  tasksche.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    pid   process
    1420  taskhsvc.exe
    1420  taskhsvc.exe
    1420  taskhsvc.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid   process
    1860  @WanaDecryptor@.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes:
    description | pid | process
    Token: SeBackupPrivilege | 1608 | vssvc.exe
    Token: SeRestorePrivilege | 1608 | vssvc.exe
    Token: SeAuditPrivilege | 1608 | vssvc.exe
    Token: SeAssignPrimaryTokenPrivilege | 1548 | WMIC.exe
    Token: SeIncreaseQuotaPrivilege | 1548 | WMIC.exe
    Token: SeSecurityPrivilege | 1548 | WMIC.exe
    Token: SeTakeOwnershipPrivilege | 1548 | WMIC.exe
    Token: SeLoadDriverPrivilege | 1548 | WMIC.exe
    Token: SeSystemtimePrivilege | 1548 | WMIC.exe
    Token: SeBackupPrivilege | 1548 | WMIC.exe
    Token: SeRestorePrivilege | 1548 | WMIC.exe
    Token: SeShutdownPrivilege | 1548 | WMIC.exe
    Token: SeSystemEnvironmentPrivilege | 1548 | WMIC.exe
    Token: SeUndockPrivilege | 1548 | WMIC.exe
    Token: SeManageVolumePrivilege | 1548 | WMIC.exe
    Token: SeAssignPrimaryTokenPrivilege | 1548 | WMIC.exe
    Token: SeIncreaseQuotaPrivilege | 1548 | WMIC.exe
    Token: SeSecurityPrivilege | 1548 | WMIC.exe
    Token: SeTakeOwnershipPrivilege | 1548 | WMIC.exe
    Token: SeLoadDriverPrivilege | 1548 | WMIC.exe
    Token: SeSystemtimePrivilege | 1548 | WMIC.exe
    Token: SeBackupPrivilege | 1548 | WMIC.exe
    Token: SeRestorePrivilege | 1548 | WMIC.exe
    Token: SeShutdownPrivilege | 1548 | WMIC.exe
    Token: SeSystemEnvironmentPrivilege | 1548 | WMIC.exe
    Token: SeUndockPrivilege | 1548 | WMIC.exe
    Token: SeManageVolumePrivilege | 1548 | WMIC.exe
    Token: SeTcbPrivilege | 1828 | taskse.exe
    Token: SeTcbPrivilege | 1828 | taskse.exe
    Token: SeTcbPrivilege | 1500 | taskse.exe
    Token: SeTcbPrivilege | 1500 | taskse.exe
    Token: SeTcbPrivilege | 1012 | taskse.exe
    Token: SeTcbPrivilege | 1012 | taskse.exe
    Token: SeTcbPrivilege | 240 | taskse.exe
    Token: SeTcbPrivilege | 240 | taskse.exe
- Suspicious use of SetWindowsHookEx (9 IoCs)
  Processes:
    pid   process
    1344  @WanaDecryptor@.exe
    1112  @WanaDecryptor@.exe
    1344  @WanaDecryptor@.exe
    1112  @WanaDecryptor@.exe
    1860  @WanaDecryptor@.exe
    1860  @WanaDecryptor@.exe
    1524  @WanaDecryptor@.exe
    1828  @WanaDecryptor@.exe
    996   @WanaDecryptor@.exe
- Suspicious use of WriteProcessMemory (112 IoCs; 64 shown)
  Processes:
    description | pid | process | target process
    PID 1516 wrote to memory of 1828 | 1516 | 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe | tasksche.exe
    PID 1516 wrote to memory of 1828 | 1516 | 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe | tasksche.exe
    PID 1516 wrote to memory of 1828 | 1516 | 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe | tasksche.exe
    PID 1516 wrote to memory of 1828 | 1516 | 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe | tasksche.exe
    PID 1856 wrote to memory of 268 | 1856 | cmd.exe | tasksche.exe
    PID 1856 wrote to memory of 268 | 1856 | cmd.exe | tasksche.exe
    PID 1856 wrote to memory of 268 | 1856 | cmd.exe | tasksche.exe
    PID 1856 wrote to memory of 268 | 1856 | cmd.exe | tasksche.exe
    PID 268 wrote to memory of 1656 | 268 | tasksche.exe | attrib.exe
    PID 268 wrote to memory of 1656 | 268 | tasksche.exe | attrib.exe
    PID 268 wrote to memory of 1656 | 268 | tasksche.exe | attrib.exe
    PID 268 wrote to memory of 1656 | 268 | tasksche.exe | attrib.exe
    PID 268 wrote to memory of 1568 | 268 | tasksche.exe | icacls.exe
    PID 268 wrote to memory of 1568 | 268 | tasksche.exe | icacls.exe
    PID 268 wrote to memory of 1568 | 268 | tasksche.exe | icacls.exe
    PID 268 wrote to memory of 1568 | 268 | tasksche.exe | icacls.exe
    PID 268 wrote to memory of 744 | 268 | tasksche.exe | taskdl.exe
    PID 268 wrote to memory of 744 | 268 | tasksche.exe | taskdl.exe
    PID 268 wrote to memory of 744 | 268 | tasksche.exe | taskdl.exe
    PID 268 wrote to memory of 744 | 268 | tasksche.exe | taskdl.exe
    PID 268 wrote to memory of 1456 | 268 | tasksche.exe | cmd.exe
    PID 268 wrote to memory of 1456 | 268 | tasksche.exe | cmd.exe
    PID 268 wrote to memory of 1456 | 268 | tasksche.exe | cmd.exe
    PID 268 wrote to memory of 1456 | 268 | tasksche.exe | cmd.exe
    PID 1456 wrote to memory of 1880 | 1456 | cmd.exe | cscript.exe
    PID 1456 wrote to memory of 1880 | 1456 | cmd.exe | cscript.exe
    PID 1456 wrote to memory of 1880 | 1456 | cmd.exe | cscript.exe
    PID 1456 wrote to memory of 1880 | 1456 | cmd.exe | cscript.exe
    PID 268 wrote to memory of 1112 | 268 | tasksche.exe | @WanaDecryptor@.exe
    PID 268 wrote to memory of 1112 | 268 | tasksche.exe | @WanaDecryptor@.exe
    PID 268 wrote to memory of 1112 | 268 | tasksche.exe | @WanaDecryptor@.exe
    PID 268 wrote to memory of 1112 | 268 | tasksche.exe | @WanaDecryptor@.exe
    PID 268 wrote to memory of 1392 | 268 | tasksche.exe | cmd.exe
    PID 268 wrote to memory of 1392 | 268 | tasksche.exe | cmd.exe
    PID 268 wrote to memory of 1392 | 268 | tasksche.exe | cmd.exe
    PID 268 wrote to memory of 1392 | 268 | tasksche.exe | cmd.exe
    PID 1392 wrote to memory of 1344 | 1392 | cmd.exe | @WanaDecryptor@.exe
    PID 1392 wrote to memory of 1344 | 1392 | cmd.exe | @WanaDecryptor@.exe
    PID 1392 wrote to memory of 1344 | 1392 | cmd.exe | @WanaDecryptor@.exe
    PID 1392 wrote to memory of 1344 | 1392 | cmd.exe | @WanaDecryptor@.exe
    PID 1112 wrote to memory of 1420 | 1112 | @WanaDecryptor@.exe | taskhsvc.exe
    PID 1112 wrote to memory of 1420 | 1112 | @WanaDecryptor@.exe | taskhsvc.exe
    PID 1112 wrote to memory of 1420 | 1112 | @WanaDecryptor@.exe | taskhsvc.exe
    PID 1112 wrote to memory of 1420 | 1112 | @WanaDecryptor@.exe | taskhsvc.exe
    PID 1344 wrote to memory of 2020 | 1344 | @WanaDecryptor@.exe | cmd.exe
    PID 1344 wrote to memory of 2020 | 1344 | @WanaDecryptor@.exe | cmd.exe
    PID 1344 wrote to memory of 2020 | 1344 | @WanaDecryptor@.exe | cmd.exe
    PID 1344 wrote to memory of 2020 | 1344 | @WanaDecryptor@.exe | cmd.exe
    PID 2020 wrote to memory of 908 | 2020 | cmd.exe | vssadmin.exe
    PID 2020 wrote to memory of 908 | 2020 | cmd.exe | vssadmin.exe
    PID 2020 wrote to memory of 908 | 2020 | cmd.exe | vssadmin.exe
    PID 2020 wrote to memory of 908 | 2020 | cmd.exe | vssadmin.exe
    PID 2020 wrote to memory of 1548 | 2020 | cmd.exe | WMIC.exe
    PID 2020 wrote to memory of 1548 | 2020 | cmd.exe | WMIC.exe
    PID 2020 wrote to memory of 1548 | 2020 | cmd.exe | WMIC.exe
    PID 2020 wrote to memory of 1548 | 2020 | cmd.exe | WMIC.exe
    PID 268 wrote to memory of 1828 | 268 | tasksche.exe | taskse.exe
    PID 268 wrote to memory of 1828 | 268 | tasksche.exe | taskse.exe
    PID 268 wrote to memory of 1828 | 268 | tasksche.exe | taskse.exe
    PID 268 wrote to memory of 1828 | 268 | tasksche.exe | taskse.exe
    PID 268 wrote to memory of 1624 | 268 | tasksche.exe | cmd.exe
    PID 268 wrote to memory of 1624 | 268 | tasksche.exe | cmd.exe
    PID 268 wrote to memory of 1624 | 268 | tasksche.exe | cmd.exe
    PID 268 wrote to memory of 1624 | 268 | tasksche.exe | cmd.exe
- Views/modifies file attributes (1 TTP, 1 IoC)
Processes

Process tree (indentation shows the parent/child level; "Command" is the recorded command line and "Signatures" the behaviours attributed to that process):

- C:\Users\Admin\AppData\Local\Temp\32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe"
  Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
  - C:\WINDOWS\tasksche.exe
    Command: C:\WINDOWS\tasksche.exe /i
    Signatures: Executes dropped EXE

- C:\Users\Admin\AppData\Local\Temp\32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
  Command: C:\Users\Admin\AppData\Local\Temp\32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe -m security
  Signatures: Drops file in System32 directory; Modifies data under HKEY_USERS

- C:\Windows\system32\cmd.exe
  Command: cmd.exe /c "C:\ProgramData\mpvxsxzo192\tasksche.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\ProgramData\mpvxsxzo192\tasksche.exe
    Command: C:\ProgramData\mpvxsxzo192\tasksche.exe
    Signatures: Executes dropped EXE; Modifies extensions of user files; Drops startup file; Loads dropped DLL; Suspicious behavior: CmdExeWriteProcessMemorySpam; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command: attrib +h .
      Signatures: Views/modifies file attributes
    - C:\Windows\SysWOW64\icacls.exe
      Command: icacls . /grant Everyone:F /T /C /Q
      Signatures: Modifies file permissions
    - C:\ProgramData\mpvxsxzo192\taskdl.exe
      Command: taskdl.exe
      Signatures: Executes dropped EXE
    - C:\Windows\SysWOW64\cmd.exe
      Command: cmd /c 247171600387476.bat
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cscript.exe
        Command: cscript.exe //nologo m.vbs
        Signatures: Loads dropped DLL; Modifies data under HKEY_USERS
    - C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
      Command: @WanaDecryptor@.exe co
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\ProgramData\mpvxsxzo192\TaskData\Tor\taskhsvc.exe
        Command: TaskData\Tor\taskhsvc.exe
        Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\cmd.exe
      Command: cmd.exe /c start /b @WanaDecryptor@.exe vs
      Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
        Command: @WanaDecryptor@.exe vs
        Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe
          Command: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\vssadmin.exe
            Command: vssadmin delete shadows /all /quiet
            Signatures: Interacts with shadow copies
          - C:\Windows\SysWOW64\Wbem\WMIC.exe
            Command: wmic shadowcopy delete
            Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\ProgramData\mpvxsxzo192\taskse.exe
      Command: taskse.exe C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
      - C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
        Command: "C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe"
        Signatures: Executes dropped EXE; Sets desktop wallpaper using registry; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\cmd.exe
      Command: cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "mpvxsxzo192" /t REG_SZ /d "\"C:\ProgramData\mpvxsxzo192\tasksche.exe\"" /f
      - C:\Windows\SysWOW64\reg.exe
        Command: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "mpvxsxzo192" /t REG_SZ /d "\"C:\ProgramData\mpvxsxzo192\tasksche.exe\"" /f
        Signatures: Adds Run key to start application; Modifies registry key
    - C:\ProgramData\mpvxsxzo192\taskdl.exe
      Command: taskdl.exe
      Signatures: Executes dropped EXE
    - C:\ProgramData\mpvxsxzo192\taskse.exe
      Command: taskse.exe C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
      - C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
        Command: "C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe"
        Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
    - C:\ProgramData\mpvxsxzo192\taskdl.exe
      Command: taskdl.exe
      Signatures: Executes dropped EXE
    - C:\ProgramData\mpvxsxzo192\taskse.exe
      Command: taskse.exe C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
      - C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
        Command: "C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe"
        Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
    - C:\ProgramData\mpvxsxzo192\taskdl.exe
      Command: taskdl.exe
      Signatures: Executes dropped EXE
    - C:\ProgramData\mpvxsxzo192\taskse.exe
      Command: taskse.exe C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
      - C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
        Command: "C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe"
        Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
    - C:\ProgramData\mpvxsxzo192\taskdl.exe
      Command: taskdl.exe
      Signatures: Executes dropped EXE

- C:\Windows\system32\vssvc.exe
  Command: C:\Windows\system32\vssvc.exe
  Signatures: Modifies service; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\mpvxsxzo192\00000000.res
- C:\ProgramData\mpvxsxzo192\247171600387476.bat
- C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
- C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
- C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
- C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
- C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
- C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
- C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
- C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe.lnk
- C:\ProgramData\mpvxsxzo192\TaskData\Tor\LIBEAY32.dll
- C:\ProgramData\mpvxsxzo192\TaskData\Tor\SSLEAY32.dll
- C:\ProgramData\mpvxsxzo192\TaskData\Tor\libevent-2-0-5.dll
- C:\ProgramData\mpvxsxzo192\TaskData\Tor\libgcc_s_sjlj-1.dll
- C:\ProgramData\mpvxsxzo192\TaskData\Tor\libssp-0.dll
- C:\ProgramData\mpvxsxzo192\TaskData\Tor\taskhsvc.exe
- C:\ProgramData\mpvxsxzo192\TaskData\Tor\zlib1.dll
- C:\ProgramData\mpvxsxzo192\b.wnry
- C:\ProgramData\mpvxsxzo192\c.wnry
- C:\ProgramData\mpvxsxzo192\c.wnry
- C:\ProgramData\mpvxsxzo192\m.vbs
- C:\ProgramData\mpvxsxzo192\msg\m_bulgarian.wnry
- C:\ProgramData\mpvxsxzo192\msg\m_chinese (simplified).wnry
- C:\ProgramData\mpvxsxzo192\msg\m_chinese (traditional).wnry
- C:\ProgramData\mpvxsxzo192\msg\m_croatian.wnry
- C:\ProgramData\mpvxsxzo192\msg\m_czech.wnry
- C:\ProgramData\mpvxsxzo192\msg\m_danish.wnry
- C:\ProgramData\mpvxsxzo192\msg\m_dutch.wnry
- C:\ProgramData\mpvxsxzo192\msg\m_english.wnry
- C:\ProgramData\mpvxsxzo192\msg\m_filipino.wnry
- C:\ProgramData\mpvxsxzo192\msg\m_finnish.wnry
- C:\ProgramData\mpvxsxzo192\msg\m_french.wnry
- C:\ProgramData\mpvxsxzo192\msg\m_german.wnry
- C:\ProgramData\mpvxsxzo192\msg\m_greek.wnry
- C:\ProgramData\mpvxsxzo192\msg\m_indonesian.wnry
- C:\ProgramData\mpvxsxzo192\msg\m_italian.wnry
- C:\ProgramData\mpvxsxzo192\msg\m_japanese.wnry
- C:\ProgramData\mpvxsxzo192\msg\m_korean.wnry
- C:\ProgramData\mpvxsxzo192\msg\m_latvian.wnry
- C:\ProgramData\mpvxsxzo192\msg\m_norwegian.wnry
- C:\ProgramData\mpvxsxzo192\msg\m_polish.wnry
- C:\ProgramData\mpvxsxzo192\msg\m_portuguese.wnry
- C:\ProgramData\mpvxsxzo192\msg\m_romanian.wnry
- C:\ProgramData\mpvxsxzo192\msg\m_russian.wnry
- C:\ProgramData\mpvxsxzo192\msg\m_slovak.wnry
- C:\ProgramData\mpvxsxzo192\msg\m_spanish.wnry
- C:\ProgramData\mpvxsxzo192\msg\m_swedish.wnry
- C:\ProgramData\mpvxsxzo192\msg\m_turkish.wnry
- C:\ProgramData\mpvxsxzo192\msg\m_vietnamese.wnry
- C:\ProgramData\mpvxsxzo192\r.wnry
- C:\ProgramData\mpvxsxzo192\s.wnry
- C:\ProgramData\mpvxsxzo192\t.wnry
- C:\ProgramData\mpvxsxzo192\taskdl.exe
- C:\ProgramData\mpvxsxzo192\taskdl.exe
- C:\ProgramData\mpvxsxzo192\taskdl.exe
- C:\ProgramData\mpvxsxzo192\taskdl.exe
- C:\ProgramData\mpvxsxzo192\taskdl.exe
- C:\ProgramData\mpvxsxzo192\taskdl.exe
- C:\ProgramData\mpvxsxzo192\tasksche.exe
- C:\ProgramData\mpvxsxzo192\tasksche.exe
- C:\ProgramData\mpvxsxzo192\taskse.exe
- C:\ProgramData\mpvxsxzo192\taskse.exe
- C:\ProgramData\mpvxsxzo192\taskse.exe
- C:\ProgramData\mpvxsxzo192\taskse.exe
- C:\ProgramData\mpvxsxzo192\taskse.exe
- C:\ProgramData\mpvxsxzo192\u.wnry
- C:\Users\Admin\Desktop\@WanaDecryptor@.bmp
- C:\WINDOWS\tasksche.exe
- C:\Windows\TEMP\0.WNCRYT
- C:\Windows\TEMP\1.WNCRYT
- C:\Windows\TEMP\10.WNCRYT
- C:\Windows\TEMP\11.WNCRYT
- C:\Windows\TEMP\12.WNCRYT
- C:\Windows\TEMP\13.WNCRYT
- C:\Windows\TEMP\14.WNCRYT
- C:\Windows\TEMP\15.WNCRYT
- C:\Windows\TEMP\16.WNCRYT
- C:\Windows\TEMP\17.WNCRYT
- C:\Windows\TEMP\18.WNCRYT
- C:\Windows\TEMP\19.WNCRYT
- C:\Windows\TEMP\2.WNCRYT
- C:\Windows\TEMP\20.WNCRYT
- C:\Windows\TEMP\21.WNCRYT
- C:\Windows\TEMP\22.WNCRYT
- C:\Windows\TEMP\23.WNCRYT
- C:\Windows\TEMP\24.WNCRYT
- C:\Windows\TEMP\25.WNCRYT
- C:\Windows\TEMP\26.WNCRYT
- C:\Windows\TEMP\27.WNCRYT
- C:\Windows\TEMP\28.WNCRYT
- C:\Windows\TEMP\29.WNCRYT
- C:\Windows\TEMP\3.WNCRYT
- C:\Windows\TEMP\30.WNCRYT
- C:\Windows\TEMP\31.WNCRYT
- C:\Windows\TEMP\4.WNCRYT
- C:\Windows\TEMP\5.WNCRYT
- C:\Windows\TEMP\6.WNCRYT
- C:\Windows\TEMP\7.WNCRYT
- C:\Windows\TEMP\8.WNCRYT
- C:\Windows\TEMP\9.WNCRYT
- C:\Windows\tasksche.exe
- \ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
- \ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
- \ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
- \ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
- \ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
- \ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
- \ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
- \ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
- \ProgramData\mpvxsxzo192\TaskData\Tor\libeay32.dll
- \ProgramData\mpvxsxzo192\TaskData\Tor\libevent-2-0-5.dll
- \ProgramData\mpvxsxzo192\TaskData\Tor\libgcc_s_sjlj-1.dll
- \ProgramData\mpvxsxzo192\TaskData\Tor\libssp-0.dll
- \ProgramData\mpvxsxzo192\TaskData\Tor\ssleay32.dll
- \ProgramData\mpvxsxzo192\TaskData\Tor\taskhsvc.exe
- \ProgramData\mpvxsxzo192\TaskData\Tor\taskhsvc.exe
- \ProgramData\mpvxsxzo192\TaskData\Tor\zlib1.dll
- \ProgramData\mpvxsxzo192\taskdl.exe
- \ProgramData\mpvxsxzo192\taskdl.exe
- \ProgramData\mpvxsxzo192\taskdl.exe
- \ProgramData\mpvxsxzo192\taskdl.exe
- \ProgramData\mpvxsxzo192\taskdl.exe
- \ProgramData\mpvxsxzo192\taskdl.exe
- \ProgramData\mpvxsxzo192\taskse.exe
- \ProgramData\mpvxsxzo192\taskse.exe
- \ProgramData\mpvxsxzo192\taskse.exe
- \ProgramData\mpvxsxzo192\taskse.exe
- \ProgramData\mpvxsxzo192\taskse.exe