Analysis
- max time kernel: 145s
- max time network: 154s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 07-05-2021 04:05
Static task: static1
Behavioral task: behavioral1
- Sample: Compil by raminhk.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: Compil by raminhk.exe
- Resource: win10v20210408
General
- Target: Compil by raminhk.exe
- Size: 11.7MB
- MD5: cae9a30235cd1be5aba8f2969ad82573
- SHA1: 35a86c4eb38a60a22b102b2fb82b34e4126956d2
- SHA256: 24fa69380258da421941c711036a3f0a834ec6eb7919d0a4992b05ea0c549807
- SHA512: 2d50e3aed489f7e18bf076b056e2a5d66dd7cb235b3f0b5b5df96e89d3e7e31afa1d6ee9a37895717a700467b5c7516c9de5740ef990fdbdeb0efabb63ee0930
Malware Config
Signatures
-
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit (1 TTP, 1 IoC)
-
Disables Task Manager via registry modification
-
Modifies extensions of user files (5 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
- Compil by raminhk.exe: File renamed C:\Users\Admin\Pictures\DebugCompare.tif => C:\Users\Admin\Pictures\DebugCompare.tif.GoNNaCry
- Compil by raminhk.exe: File renamed C:\Users\Admin\Pictures\DismountReset.tif => C:\Users\Admin\Pictures\DismountReset.tif.GoNNaCry
- Compil by raminhk.exe: File renamed C:\Users\Admin\Pictures\SkipMount.png => C:\Users\Admin\Pictures\SkipMount.png.GoNNaCry
- Compil by raminhk.exe: File renamed C:\Users\Admin\Pictures\SuspendUnlock.tif => C:\Users\Admin\Pictures\SuspendUnlock.tif.GoNNaCry
- Compil by raminhk.exe: File renamed C:\Users\Admin\Pictures\SyncDebug.tif => C:\Users\Admin\Pictures\SyncDebug.tif.GoNNaCry
-
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes:
- reg.exe: Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run
- reg.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Security Update = "C:\\Users\\Admin\\WindowsSecurityUpdate.exe /onboot"
- Compil by raminhk.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Infected = "ed0ece1530a47e68a9c2d3c61f6b741c30f6bbd118f84870459fb078a91e923fed0ece1530a47e68a9c2d3c61f6b741c"
Note that C:\Users\Admin\WindowsSecurityUpdate.exe, the file the first Run value points to, is not among the files captured under Downloads below, so this run does not yield a copy of whatever is meant to start at logon.
-
Drops desktop.ini file(s) (26 IoCs)
Processes:
- Compil by raminhk.exe: File created C:\Users\Admin\Favorites\Links for United States\desktop.ini
- Compil by raminhk.exe: File created C:\Users\Admin\Videos\desktop.ini
- Compil by raminhk.exe: File created C:\Users\Public\Documents\desktop.ini
- Compil by raminhk.exe: File created C:\Users\Public\Pictures\desktop.ini
- Compil by raminhk.exe: File created C:\Users\Public\Recorded TV\Sample Media\desktop.ini
- Compil by raminhk.exe: File created C:\Users\Admin\Contacts\desktop.ini
- Compil by raminhk.exe: File created C:\Users\Admin\Favorites\Links\desktop.ini
- Compil by raminhk.exe: File created C:\Users\Public\Downloads\desktop.ini
- Compil by raminhk.exe: File created C:\Users\Public\Libraries\desktop.ini
- Compil by raminhk.exe: File created C:\Users\Public\Music\Sample Music\desktop.ini
- Compil by raminhk.exe: File created C:\Users\Public\desktop.ini
- Compil by raminhk.exe: File created C:\Users\Admin\Desktop\desktop.ini
- Compil by raminhk.exe: File created C:\Users\Admin\Searches\desktop.ini
- Compil by raminhk.exe: File created C:\Users\Admin\Music\desktop.ini
- Compil by raminhk.exe: File created C:\Users\Admin\Pictures\desktop.ini
- Compil by raminhk.exe: File created C:\Users\Admin\Saved Games\desktop.ini
- Compil by raminhk.exe: File created C:\Users\Public\Desktop\desktop.ini
- Compil by raminhk.exe: File created C:\Users\Admin\Documents\desktop.ini
- Compil by raminhk.exe: File created C:\Users\Admin\Links\desktop.ini
- Compil by raminhk.exe: File created C:\Users\Public\Music\desktop.ini
- Compil by raminhk.exe: File created C:\Users\Public\Pictures\Sample Pictures\desktop.ini
- Compil by raminhk.exe: File created C:\Users\Public\Recorded TV\desktop.ini
- Compil by raminhk.exe: File created C:\Users\Public\Videos\Sample Videos\desktop.ini
- Compil by raminhk.exe: File created C:\Users\Public\Videos\desktop.ini
- Compil by raminhk.exe: File created C:\Users\Admin\Downloads\desktop.ini
- Compil by raminhk.exe: File created C:\Users\Admin\Favorites\desktop.ini
-
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 5: icanhazip.com
- flow 6: icanhazip.com
-
Enumerates processes with tasklist (1 TTP, 1 IoC)
-
Modifies Internet Explorer settings
All of these writes are attributed to iexplore.exe and IEXPLORE.EXE, which were opened on C:\Users\Admin\Desktop\GoNNaCry.html (see Processes and Downloads below); the sample itself makes none of them. Every key listed here is under \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer.
Processes:
- iexplore.exe: Key created Toolbar\WebBrowser
- iexplore.exe: Set value (int) Recovery\AdminActive\{CAA1FBD1-AEF9-11EB-BC8F-F6C7ED530D52} = "0"
- iexplore.exe: Set value (data) TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000529101d5c9814b4eb0f580b37542e450000000000200000000001066000000010000200000006b14800dce61b4c87bed76466343caf5eb6a57541df4bd795df942d316d46ba6000000000e8000000002000020000000d7fa5391b48bbf9155ed2ef3f1dfc1ca60406ac8c0a8c6e6f301994d679dcc4b20000000beac6770660323169dbdc9a3ed470923b139277dad6711068dd2719863b070dd40000000e9a7e9073a99cd0616ceb5b5069d99ae0778b04833e92b6b95e6c280172529be7512be9f3ad7b1f7a7227918a7a99db7360149294aa7ce0b1e5ae8729733cb92
- iexplore.exe: Set value (data) TabbedBrowsing\NewTabPage\LastProcessed = e08ea4a10643d701
- iexplore.exe: Key created LowRegistry\DontShowMeThisDialogAgain
- IEXPLORE.EXE: Key created Main
- iexplore.exe: Set value (data) TabbedBrowsing\NewTabPage\MFV = … (value not preserved in this copy of the report)
- iexplore.exe: Set value (str) DomainSuggestion\FileNames\en-US = "en-US.1"
- iexplore.exe: Key created BrowserEmulation\LowMic
- iexplore.exe: Key created GPU
- iexplore.exe: Key created PageSetup
- iexplore.exe: Key created Zoom
- iexplore.exe: Set value (str) Main\WindowsSearch\Version = "WS not running"
- iexplore.exe: Set value (int) Recovery\PendingRecovery\AdminActive = "0"
- IEXPLORE.EXE: Key created Main\WindowsSearch
- iexplore.exe: Key created InternetRegistry
- iexplore.exe: Set value (int) Main\CompatibilityFlags = "0"
- iexplore.exe: Key created TabbedBrowsing
- iexplore.exe: Key created DomainSuggestion
- iexplore.exe: Key created IETld\LowMic
- iexplore.exe: Key created IntelliForms
- iexplore.exe: Set value (str) Main\FullScreen = "no"
- iexplore.exe: Key created LowRegistry
- iexplore.exe: Key created LowRegistry\DOMStorage
- iexplore.exe: Key created Toolbar
- iexplore.exe: Key created Recovery\AdminActive
- iexplore.exe: Key created Recovery\PendingRecovery
- iexplore.exe: Key created TabbedBrowsing\NewTabPage
- iexplore.exe: Key created DomainSuggestion\FileNames\
- iexplore.exe: Set value (int) DomainSuggestion\NextUpdateDate = "327132323"
- iexplore.exe: Set value (data) Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000
- IEXPLORE.EXE: Set value (str) Main\WindowsSearch\Version = "WS not running"
- iexplore.exe: Set value (int) TabbedBrowsing\NTPFirstRun = "1"
- iexplore.exe: Key created DomainSuggestion\FileNames
- iexplore.exe: Key created Main
- iexplore.exe: Key created Main\WindowsSearch
-
Modifies registry key (1 TTP, 2 IoCs)
-
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
- pid 1820: Compil by raminhk.exe
-
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes:
- tasklist.exe (pid 2028): SeDebugPrivilege
- WMIC.exe (pid 968), the same sequence twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- vssvc.exe (pid 812): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- AUDIODG.EXE (pid 612): 33, SeIncBasePriorityPrivilege, 33, SeIncBasePriorityPrivilege
-
Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
- pid 1472: iexplore.exe
-
Suspicious use of SetWindowsHookEx (6 IoCs)
Processes:
- pid 1472: iexplore.exe (2 events)
- pid 936: IEXPLORE.EXE (4 events)
-
Suspicious use of WriteProcessMemory (34 IoCs)
Processes (source pid -> target pid, number of write events):
- 1820 Compil by raminhk.exe -> 2028 tasklist.exe (3)
- 1820 Compil by raminhk.exe -> 384 cmd.exe (3)
- 384 cmd.exe -> 1736 vssadmin.exe (3)
- 384 cmd.exe -> 968 WMIC.exe (3)
- 1820 Compil by raminhk.exe -> 1376 cmd.exe (3)
- 1376 cmd.exe -> 2036 bcdedit.exe (3)
- 1820 Compil by raminhk.exe -> 1684 cmd.exe (3)
- 1684 cmd.exe -> 1448 reg.exe (3)
- 1820 Compil by raminhk.exe -> 1620 cmd.exe (3)
- 1620 cmd.exe -> 464 reg.exe (3)
- 1472 iexplore.exe -> 936 IEXPLORE.EXE (4)
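The WriteProcessMemory records above are how the process tree in the next section is derived: each "PID X wrote to memory of Y" line is one parent writing into a child it has just created, and Triage logs several such writes per CreateProcess. The following is an added example, not part of the Triage report, that parses records in that flattened form back into a parent/child tree and keeps the per-edge write count. The sample text is a constructed excerpt of this report's own records (the full list is in the section above); everything else is assumed for the demo.

```python
"""Rebuild a process tree from flattened "PID X wrote to memory of Y" records.
Added example, not part of the Triage report."""
import re
from collections import Counter, defaultdict

# One record: "PID <src> wrote to memory of <dst> <src> <src name> <dst name>".
# The source name may contain spaces ("Compil by raminhk.exe"), so it is
# matched lazily up to its first ".exe"; the target name is a single token.
RECORD = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_name>.+?\.exe) (?P<dst_name>\S+\.exe)",
    re.I,
)

# Constructed excerpt of this report's WriteProcessMemory records.
SAMPLE = (
    "PID 1820 wrote to memory of 2028 1820 Compil by raminhk.exe tasklist.exe "
    "PID 1820 wrote to memory of 2028 1820 Compil by raminhk.exe tasklist.exe "
    "PID 1820 wrote to memory of 2028 1820 Compil by raminhk.exe tasklist.exe "
    "PID 1820 wrote to memory of 384 1820 Compil by raminhk.exe cmd.exe "
    "PID 384 wrote to memory of 1736 384 cmd.exe vssadmin.exe "
    "PID 384 wrote to memory of 968 384 cmd.exe WMIC.exe "
    "PID 1820 wrote to memory of 1376 1820 Compil by raminhk.exe cmd.exe "
    "PID 1376 wrote to memory of 2036 1376 cmd.exe bcdedit.exe "
    "PID 1472 wrote to memory of 936 1472 iexplore.exe IEXPLORE.EXE"
)


def parse_records(text):
    """Yield (src_pid, dst_pid, src_name, dst_name), one tuple per record."""
    for m in RECORD.finditer(text):
        yield int(m["src"]), int(m["dst"]), m["src_name"], m["dst_name"]


def build_tree(text):
    """Return (names, children, edge_counts):
    names        pid -> image name
    children     pid -> sorted list of child pids
    edge_counts  (src, dst) -> number of write records for that edge"""
    names, kids, counts = {}, defaultdict(set), Counter()
    for src, dst, src_name, dst_name in parse_records(text):
        names[src], names[dst] = src_name, dst_name
        kids[src].add(dst)
        counts[(src, dst)] += 1
    return names, {pid: sorted(c) for pid, c in kids.items()}, counts


def roots(children):
    """Pids that never appear as a child: the top of each separate tree."""
    all_children = {c for cs in children.values() for c in cs}
    return sorted(pid for pid in children if pid not in all_children)


def render(text):
    """Indented tree, one process per line, annotated with write counts."""
    names, children, counts = build_tree(text)
    lines = []

    def walk(pid, depth, writes):
        tag = f"  [{writes} write records]" if writes else ""
        lines.append("  " * depth + f"{pid} {names[pid]}{tag}")
        for child in children.get(pid, []):
            walk(child, depth + 1, counts[(pid, child)])

    for root in roots(children):
        walk(root, 0, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE))
```

Run on the excerpt it prints two trees, rooted at 1472 (iexplore.exe) and 1820 (the sample), which matches the two top-level chains of interest in the Processes section; the write counts make it obvious which edges are plain CreateProcess (three writes) and which are something else worth a closer look.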
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\Compil by raminhk.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Compil by raminhk.exe"
    - Modifies extensions of user files
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  -
  [2] C:\Windows\system32\tasklist.exe
      command line: tasklist /FO csv
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
  -
  [2] C:\Windows\system32\cmd.exe
      command line: cmd /c vssadmin delete shadow /all /quiet & wmic shadowcopy delete & bcdedit /set {default} boostatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -q
      - Suspicious use of WriteProcessMemory
    -
    [3] C:\Windows\system32\vssadmin.exe
        command line: vssadmin delete shadow /all /quiet
    -
    [3] C:\Windows\System32\Wbem\WMIC.exe
        command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
  -
  [2] C:\Windows\system32\cmd.exe
      command line: cmd /c bcdedit /set {default} recoveryenabled No cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures C:\Windows\System32\cmd.exe /C vssadmin.exe Delete Shadows /All Quiet
      - Suspicious use of WriteProcessMemory
    -
    [3] C:\Windows\system32\bcdedit.exe
        command line: bcdedit /set {default} recoveryenabled No
        - Modifies boot configuration data using bcdedit
  -
  [2] C:\Windows\system32\cmd.exe
      command line: cmd /c REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      - Suspicious use of WriteProcessMemory
    -
    [3] C:\Windows\system32\reg.exe
        command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        - Modifies registry key
  -
  [2] C:\Windows\system32\cmd.exe
      command line: cmd /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Windows Security Update" /t REG_SZ /d "C:\Users\Admin\WindowsSecurityUpdate.exe /onboot" /f
      - Suspicious use of WriteProcessMemory
    -
    [3] C:\Windows\system32\reg.exe
        command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Windows Security Update" /t REG_SZ /d "C:\Users\Admin\WindowsSecurityUpdate.exe /onboot" /f
        - Adds Run key to start application
        - Modifies registry key
-
[1] C:\Windows\system32\vssvc.exe
    command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
-
[1] C:\Windows\explorer.exe
    command line: "C:\Windows\explorer.exe"
-
[1] C:\Windows\system32\AUDIODG.EXE
    command line: C:\Windows\system32\AUDIODG.EXE 0x2e8
    - Suspicious use of AdjustPrivilegeToken
-
[1] C:\Program Files\Internet Explorer\iexplore.exe
    command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\GoNNaCry.html
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  -
  [2] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1472 CREDAT:275457 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
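Two caveats on the command lines above before turning them into detections. First, the sample's first cmd.exe chain is partly broken: vssadmin's verb is "Delete Shadows", so "vssadmin delete shadow" is rejected, and "boostatuspolicy" is not a BCD element name, so that bcdedit call fails too; because the chain is joined with "&" rather than "&&" the remaining commands still run. A detection must therefore key on the tool being spawned with these arguments, not on the operation succeeding. Second, each tool is launched through a fresh cmd.exe, so a rule that scores one process in isolation sees only one technique at a time; the alert has to be rolled up to the ancestor that started them all. The block below is an added example, not part of the Triage report: it runs both checks over constructed process-creation records shaped like Sysmon Event ID 1 (ParentProcessId, ProcessId, Image, CommandLine). The PIDs and command lines are copied from the tree above; the sample's own parent PID (1200) and the two benign admin events are assumptions for the demo.

```python
"""Detection for the recovery-inhibition and persistence command lines in
this report, rolled up to the root ancestor.  Added example, not part of the
Triage report."""
import re
from collections import defaultdict

# One rule per technique the tree shows.  The regexes tolerate the sample's
# typos ("delete shadow" without the s, "boostatuspolicy"): the spawn is the
# signal whether or not vssadmin/bcdedit then accept the arguments.
RULES = [
    ("vss_delete",      re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows?\b", re.I)),
    ("wmic_shadow",     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("bcd_norecovery",  re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("bcd_ignorefail",  re.compile(r"\bbcdedit(?:\.exe)?\b.*\bboot?statuspolicy\s+ignoreallfailures\b", re.I)),
    ("wbadmin_catalog", re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
    ("disable_taskmgr", re.compile(r"\breg(?:\.exe)?\s+add\b.*\\Policies\\System\b.*\bDisableTaskMgr\b.*/d\s+1\b", re.I)),
    ("run_key",         re.compile(r"\breg(?:\.exe)?\s+add\b.*\\CurrentVersion\\Run\b", re.I)),
]


def classify(cmdline):
    """Sorted list of rule tags that fire on a single command line."""
    return sorted(tag for tag, rx in RULES if rx.search(cmdline))


def inhibit_recovery_chains(events, threshold=3):
    """Attribute each tagged event to its top-most ancestor present in the
    event set and return {root_pid: sorted tags} for roots whose descendants
    hit at least `threshold` distinct techniques."""
    parent = {e["ProcessId"]: e["ParentProcessId"] for e in events}

    def root(pid):
        while parent.get(pid) in parent:   # climb while the parent is a known process
            pid = parent[pid]
        return pid

    hits = defaultdict(set)
    for e in events:
        for tag in classify(e["CommandLine"]):
            hits[root(e["ProcessId"])].add(tag)
    return {pid: sorted(tags) for pid, tags in hits.items() if len(tags) >= threshold}


def ev(ppid, pid, image, cmdline):
    return {"ParentProcessId": ppid, "ProcessId": pid, "Image": image, "CommandLine": cmdline}


MALWARE = r"C:\Users\Admin\AppData\Local\Temp\Compil by raminhk.exe"
SYS32 = r"C:\Windows\system32"

# Constructed event log: the report's tree (parent pid 1200 for the sample is
# assumed) plus two benign admin commands that must not fire.
SAMPLE_EVENTS = [
    ev(1200, 1820, MALWARE, f'"{MALWARE}"'),
    ev(1820, 2028, SYS32 + r"\tasklist.exe", "tasklist /FO csv"),
    ev(1820, 384, SYS32 + r"\cmd.exe",
       "cmd /c vssadmin delete shadow /all /quiet & wmic shadowcopy delete & "
       "bcdedit /set {default} boostatuspolicy ignoreallfailures & "
       "bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -q"),
    ev(384, 1736, SYS32 + r"\vssadmin.exe", "vssadmin delete shadow /all /quiet"),
    ev(384, 968, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    ev(1820, 1376, SYS32 + r"\cmd.exe",
       "cmd /c bcdedit /set {default} recoveryenabled No cmd.exe /C bcdedit /set "
       "{default} bootstatuspolicy ignoreallfailures C:\\Windows\\System32\\cmd.exe "
       "/C vssadmin.exe Delete Shadows /All Quiet"),
    ev(1376, 2036, SYS32 + r"\bcdedit.exe", "bcdedit /set {default} recoveryenabled No"),
    ev(1820, 1684, SYS32 + r"\cmd.exe",
       r"cmd /c REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System "
       r"/v DisableTaskMgr /t REG_DWORD /d 1 /f"),
    ev(1684, 1448, SYS32 + r"\reg.exe",
       r"REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System "
       r"/v DisableTaskMgr /t REG_DWORD /d 1 /f"),
    ev(1820, 1620, SYS32 + r"\cmd.exe",
       r'cmd /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Windows Security Update" '
       r'/t REG_SZ /d "C:\Users\Admin\WindowsSecurityUpdate.exe /onboot" /f'),
    ev(1620, 464, SYS32 + r"\reg.exe",
       r'REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Windows Security Update" '
       r'/t REG_SZ /d "C:\Users\Admin\WindowsSecurityUpdate.exe /onboot" /f'),
    ev(900, 3100, SYS32 + r"\vssadmin.exe", "vssadmin list shadows"),      # benign (assumed)
    ev(900, 3101, SYS32 + r"\bcdedit.exe", "bcdedit /enum {default}"),     # benign (assumed)
]


if __name__ == "__main__":
    for pid, tags in inhibit_recovery_chains(SAMPLE_EVENTS).items():
        print(pid, ", ".join(tags))
```

Against the constructed log the roll-up returns a single root, pid 1820, with all seven tags, while the two benign vssadmin/bcdedit invocations produce nothing. The threshold of three distinct techniques is a starting point: a legitimate backup job may delete shadows or a catalog, but it does not also disable Task Manager and write a Run key from the same ancestor.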
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\K353SR3F.txt
- MD5: cbad2747b769c828cf0613a06e9b5d44
- SHA1: c5d00e912f8100f552c11edef53a6d53153acd00
- SHA256: c0ac15bb09761468ec0e06088953c89f53b19e446b4d13ce3d33cd9437e47f02
- SHA512: 10c6e5d9b2424819a7a394d112e955ee62b1f79803753f16432d6c76c4cdd496575d58cbc20e24343ee636e1820b9e120a539e539aa4eb2a1f26f698a1e8edce
-
C:\Users\Admin\Desktop\GoNNaCry.html
- MD5: 45d6357c19ef6849597920bbe3a09cd1
- SHA1: 3b0b07ae7e49ccb144a95f435d4e4f2c5a943afe
- SHA256: f37f3978b0e8f92f3825b1c2a4d61863c8039acfb1752bf5a3b73115e41644b1
- SHA512: bcf3560714426edb826db665274b2c86fc54d7b205df2cfab88b277c3b7cfe9e849d4483cc220635e550b182166f73718ef6ac498837545665113bc0ad106b04
-
memory/384-62-0x0000000000000000-mapping.dmp
-
memory/464-70-0x0000000000000000-mapping.dmp
-
memory/564-71-0x000007FEFBED1000-0x000007FEFBED3000-memory.dmp (filesize 8KB)
-
memory/936-72-0x0000000000000000-mapping.dmp
-
memory/968-64-0x0000000000000000-mapping.dmp
-
memory/1376-65-0x0000000000000000-mapping.dmp
-
memory/1448-68-0x0000000000000000-mapping.dmp
-
memory/1620-69-0x0000000000000000-mapping.dmp
-
memory/1684-67-0x0000000000000000-mapping.dmp
-
memory/1736-63-0x0000000000000000-mapping.dmp
-
memory/1820-61-0x0000000077800000-0x0000000077802000-memory.dmp (filesize 8KB)
-
memory/2028-60-0x0000000000000000-mapping.dmp
-
memory/2036-66-0x0000000000000000-mapping.dmp