Resubmissions
18-07-2022 04:40
220718-faqj6ahdd3 109-07-2022 10:37
220709-mn992sgcd4 1008-07-2022 15:34
220708-sz77qaadf8 1020-06-2022 11:39
220620-nsq8eacgfk 1013-06-2022 10:07
220613-l5wmjsbff6 1012-06-2022 12:47
220612-p1kw2acbbp 1012-06-2022 07:39
220612-jg55zagca5 1011-06-2022 20:25
220611-y7pcgabdf5 1011-06-2022 20:25
220611-y7fekabde7 1011-06-2022 20:24
220611-y642jafber 1Analysis
-
max time kernel
4266753s -
max time network
1790s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
17-01-2022 10:08
General
-
Target
WannaCry.EXE
-
Size
3.4MB
-
MD5
84c82835a5d21bbcf75a61706d8ab549
-
SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
-
SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
-
SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Local\Temp\@[email protected]
Family
wannacry
Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Next, please find an application file named "@[email protected]". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
�
Wallets
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Signatures
-
Modifies system executable filetype association 2 TTPs 2 IoCs
-
Registers COM server for autorun 1 TTPs
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 64 IoCs
-
Modifies extensions of user files 24 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops startup file 22 IoCs
-
Loads dropped DLL 7 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Kills process with taskkill 5 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 64 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\WannaCry.EXE"C:\Users\Admin\AppData\Local\Temp\WannaCry.EXE"1⤵
- Modifies extensions of user files
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib +h .2⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3211642256821.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cscript.execscript.exe //nologo m.vbs3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exeTaskData\Tor\taskhsvc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exe
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "jkdklrylw922" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "jkdklrylw922" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f3⤵
- Adds Run key to start application
- Modifies registry key
-
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im Microsoft.Exchange.*2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im mysqld.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im sqlwriter.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im sqlserver.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im MSExchange*2⤵
- Kills process with taskkill
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\MusNotification.exeC:\Windows\system32\MusNotification.exe1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"1⤵
- Modifies system executable filetype association
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k wsappx -p1⤵
Network
MITRE ATT&CK Enterprise v6
Persistence
Change Default File Association
1Hidden Files and Directories
1Registry Run Keys / Startup Folder
2Defense Evasion
File Deletion
1File and Directory Permissions Modification
1Hidden Files and Directories
1Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
520KB
-
Filesize
136KB
-
Filesize
2.1MB
-
Filesize
520KB
-
Filesize
2.1MB
-
Filesize
136KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
20KB
-
Filesize
24KB
-
Filesize
8KB
-
Filesize
8KB