Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
18/07/2022, 04:40
220718-faqj6ahdd3 109/07/2022, 10:37
220709-mn992sgcd4 1008/07/2022, 15:34
220708-sz77qaadf8 1020/06/2022, 11:39
220620-nsq8eacgfk 1013/06/2022, 10:07
220613-l5wmjsbff6 1012/06/2022, 12:47
220612-p1kw2acbbp 1012/06/2022, 07:39
220612-jg55zagca5 1011/06/2022, 20:25
220611-y7pcgabdf5 1011/06/2022, 20:25
220611-y7fekabde7 1011/06/2022, 20:24
220611-y642jafber 1Analysis
-
max time kernel
1800s -
max time network
1790s -
platform
windows10_x64 -
resource
win10-ja-20211208 -
submitted
12/01/2022, 10:01
General
-
Target
WannaCry.EXE
-
Size
3.4MB
-
MD5
84c82835a5d21bbcf75a61706d8ab549
-
SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
-
SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
-
SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Local\Temp\@[email protected]
Family
wannacry
Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Next, please find an application file named "@[email protected]". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
�
Wallets
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Signatures
-
Modifies system executable filetype association 2 TTPs 3 IoCs
-
Registers COM server for autorun 1 TTPs
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 64 IoCs
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 26 IoCs
-
Loads dropped DLL 14 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in System32 directory 4 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
-
Drops file in Windows directory 14 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 5 IoCs
-
Modifies Internet Explorer settings 1 TTPs 11 IoCs
-
Modifies data under HKEY_USERS 23 IoCs
-
Modifies registry class 64 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\WannaCry.EXE"C:\Users\Admin\AppData\Local\Temp\WannaCry.EXE"1⤵
- Modifies extensions of user files
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib +h .2⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 315571639240049.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cscript.execscript.exe //nologo m.vbs3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exeTaskData\Tor\taskhsvc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exe
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet5⤵
- Interacts with shadow copies
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]2⤵
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "exvqpukpdbbhw483" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "exvqpukpdbbhw483" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f3⤵
- Adds Run key to start application
- Modifies registry key
-
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im Microsoft.Exchange.*2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im sqlwriter.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im mysqld.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im sqlserver.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im MSExchange*2⤵
- Kills process with taskkill
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode1⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\LaunchWinApp.exe"C:\Windows\system32\LaunchWinApp.exe" "http://www.bing.com/search?q=tasksche.exe Tasksche"1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
-
C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /frequentupdate SCHEDULEDTASK displaylevel=False1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\msfeedssync.exeC:\Windows\system32\msfeedssync.exe sync1⤵
- Modifies Internet Explorer settings
Network
MITRE ATT&CK Enterprise v6
Persistence
Change Default File Association
1Hidden Files and Directories
1Registry Run Keys / Startup Folder
2Defense Evasion
File Deletion
2File and Directory Permissions Modification
1Hidden Files and Directories
1Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
20KB
-
Filesize
24KB
-
Filesize
4KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
2.1MB
-
Filesize
520KB
-
Filesize
136KB
-
Filesize
3.0MB
-
Filesize
520KB
-
Filesize
2.1MB
-
Filesize
3.0MB
-
Filesize
136KB