wannacry | 45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1

General

Target

45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe
Size

289KB
MD5

7f142f5e800096af5de5160ba5caa91e
SHA1

6d5e1375311720b3f883d14e4e59cc251e8bb299
SHA256

45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1
SHA512

8be8d194267714433ff05d3981238963fbaf408fbc3d2473ca911573a235092fb8ec18e01fef618c7d61cd62dc82abe0ea04f40b2994e37bf81869828fbc5537

Score

10^/10

wannacry evasion ransomware upx worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Sets file to hidden 1 TTPs 7 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

908 attrib.exe
628 attrib.exe
708 attrib.exe
1624 attrib.exe
1904 attrib.exe
1036 attrib.exe
1800 attrib.exe

pid	process
908	attrib.exe
628	attrib.exe
708	attrib.exe
1624	attrib.exe
1904	attrib.exe
1036	attrib.exe
1800	attrib.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/480-55-0x0000000000400000-0x00000000004DB000-memory.dmp	upx
behavioral1/memory/480-63-0x0000000000400000-0x00000000004DB000-memory.dmp	upx
behavioral1/memory/480-108-0x0000000000400000-0x00000000004DB000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

WScript.exe

pid process

1900 WScript.exe
Drops file in Program Files directory 1 IoCs

Processes:

attrib.exe

description ioc process

File opened for modification C:\program files (x86)\stormii attrib.exe

pid	process
1900	WScript.exe

description	ioc	process
File opened for modification	C:\program files (x86)\stormii	attrib.exe

Drops file in Windows directory 6 IoCs

Processes:

attrib.exe45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exeattrib.exeattrib.exeattrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\tasksche.exe	attrib.exe
File created	\??\c:\windows\demo.bat	45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe
File opened for modification	C:\Windows\SpeechsTracing\Microsoft	attrib.exe
File opened for modification	C:\Windows\SecureBootThemes	attrib.exe
File opened for modification	C:\Windows\sysprepthemes	attrib.exe
File opened for modification	C:\Windows\svchost.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with WMI 13 IoCs

evasion

Processes:

WMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exe

pid	process
1852	WMIC.exe
300	WMIC.exe
1556	WMIC.exe
1548	WMIC.exe
1068	WMIC.exe
1504	WMIC.exe
1904	WMIC.exe
840	WMIC.exe
1980	WMIC.exe
1676	WMIC.exe
608	WMIC.exe
916	WMIC.exe
1880	WMIC.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1352 taskkill.exe
1612 taskkill.exe

pid	process
1352	taskkill.exe
1612	taskkill.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1352	taskkill.exe
Token: SeIncreaseQuotaPrivilege	300	WMIC.exe
Token: SeSecurityPrivilege	300	WMIC.exe
Token: SeTakeOwnershipPrivilege	300	WMIC.exe
Token: SeLoadDriverPrivilege	300	WMIC.exe
Token: SeSystemProfilePrivilege	300	WMIC.exe
Token: SeSystemtimePrivilege	300	WMIC.exe
Token: SeProfSingleProcessPrivilege	300	WMIC.exe
Token: SeIncBasePriorityPrivilege	300	WMIC.exe
Token: SeCreatePagefilePrivilege	300	WMIC.exe
Token: SeBackupPrivilege	300	WMIC.exe
Token: SeRestorePrivilege	300	WMIC.exe
Token: SeShutdownPrivilege	300	WMIC.exe
Token: SeDebugPrivilege	300	WMIC.exe
Token: SeSystemEnvironmentPrivilege	300	WMIC.exe
Token: SeRemoteShutdownPrivilege	300	WMIC.exe
Token: SeUndockPrivilege	300	WMIC.exe
Token: SeManageVolumePrivilege	300	WMIC.exe
Token: 33	300	WMIC.exe
Token: 34	300	WMIC.exe
Token: 35	300	WMIC.exe
Token: SeIncreaseQuotaPrivilege	300	WMIC.exe
Token: SeSecurityPrivilege	300	WMIC.exe
Token: SeTakeOwnershipPrivilege	300	WMIC.exe
Token: SeLoadDriverPrivilege	300	WMIC.exe
Token: SeSystemProfilePrivilege	300	WMIC.exe
Token: SeSystemtimePrivilege	300	WMIC.exe
Token: SeProfSingleProcessPrivilege	300	WMIC.exe
Token: SeIncBasePriorityPrivilege	300	WMIC.exe
Token: SeCreatePagefilePrivilege	300	WMIC.exe
Token: SeBackupPrivilege	300	WMIC.exe
Token: SeRestorePrivilege	300	WMIC.exe
Token: SeShutdownPrivilege	300	WMIC.exe
Token: SeDebugPrivilege	300	WMIC.exe
Token: SeSystemEnvironmentPrivilege	300	WMIC.exe
Token: SeRemoteShutdownPrivilege	300	WMIC.exe
Token: SeUndockPrivilege	300	WMIC.exe
Token: SeManageVolumePrivilege	300	WMIC.exe
Token: 33	300	WMIC.exe
Token: 34	300	WMIC.exe
Token: 35	300	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1556	WMIC.exe
Token: SeSecurityPrivilege	1556	WMIC.exe
Token: SeTakeOwnershipPrivilege	1556	WMIC.exe
Token: SeLoadDriverPrivilege	1556	WMIC.exe
Token: SeSystemProfilePrivilege	1556	WMIC.exe
Token: SeSystemtimePrivilege	1556	WMIC.exe
Token: SeProfSingleProcessPrivilege	1556	WMIC.exe
Token: SeIncBasePriorityPrivilege	1556	WMIC.exe
Token: SeCreatePagefilePrivilege	1556	WMIC.exe
Token: SeBackupPrivilege	1556	WMIC.exe
Token: SeRestorePrivilege	1556	WMIC.exe
Token: SeShutdownPrivilege	1556	WMIC.exe
Token: SeDebugPrivilege	1556	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1556	WMIC.exe
Token: SeRemoteShutdownPrivilege	1556	WMIC.exe
Token: SeUndockPrivilege	1556	WMIC.exe
Token: SeManageVolumePrivilege	1556	WMIC.exe
Token: 33	1556	WMIC.exe
Token: 34	1556	WMIC.exe
Token: 35	1556	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1556	WMIC.exe
Token: SeSecurityPrivilege	1556	WMIC.exe
Token: SeTakeOwnershipPrivilege	1556	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe

pid	process
480	45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe
480	45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.execmd.exe

description	pid	process	target process
PID 480 wrote to memory of 964	480	45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe	cmd.exe
PID 480 wrote to memory of 964	480	45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe	cmd.exe
PID 480 wrote to memory of 964	480	45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe	cmd.exe
PID 480 wrote to memory of 964	480	45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe	cmd.exe
PID 964 wrote to memory of 1352	964	cmd.exe	taskkill.exe
PID 964 wrote to memory of 1352	964	cmd.exe	taskkill.exe
PID 964 wrote to memory of 1352	964	cmd.exe	taskkill.exe
PID 964 wrote to memory of 1352	964	cmd.exe	taskkill.exe
PID 964 wrote to memory of 300	964	cmd.exe	WMIC.exe
PID 964 wrote to memory of 300	964	cmd.exe	WMIC.exe
PID 964 wrote to memory of 300	964	cmd.exe	WMIC.exe
PID 964 wrote to memory of 300	964	cmd.exe	WMIC.exe
PID 964 wrote to memory of 1556	964	cmd.exe	WMIC.exe
PID 964 wrote to memory of 1556	964	cmd.exe	WMIC.exe
PID 964 wrote to memory of 1556	964	cmd.exe	WMIC.exe
PID 964 wrote to memory of 1556	964	cmd.exe	WMIC.exe
PID 964 wrote to memory of 840	964	cmd.exe	WMIC.exe
PID 964 wrote to memory of 840	964	cmd.exe	WMIC.exe
PID 964 wrote to memory of 840	964	cmd.exe	WMIC.exe
PID 964 wrote to memory of 840	964	cmd.exe	WMIC.exe
PID 964 wrote to memory of 1624	964	cmd.exe	attrib.exe
PID 964 wrote to memory of 1624	964	cmd.exe	attrib.exe
PID 964 wrote to memory of 1624	964	cmd.exe	attrib.exe
PID 964 wrote to memory of 1624	964	cmd.exe	attrib.exe
PID 964 wrote to memory of 1420	964	cmd.exe	cmd.exe
PID 964 wrote to memory of 1420	964	cmd.exe	cmd.exe
PID 964 wrote to memory of 1420	964	cmd.exe	cmd.exe
PID 964 wrote to memory of 1420	964	cmd.exe	cmd.exe
PID 964 wrote to memory of 1940	964	cmd.exe	cacls.exe
PID 964 wrote to memory of 1940	964	cmd.exe	cacls.exe
PID 964 wrote to memory of 1940	964	cmd.exe	cacls.exe
PID 964 wrote to memory of 1940	964	cmd.exe	cacls.exe
PID 964 wrote to memory of 1904	964	cmd.exe	attrib.exe
PID 964 wrote to memory of 1904	964	cmd.exe	attrib.exe
PID 964 wrote to memory of 1904	964	cmd.exe	attrib.exe
PID 964 wrote to memory of 1904	964	cmd.exe	attrib.exe
PID 964 wrote to memory of 1952	964	cmd.exe	cmd.exe
PID 964 wrote to memory of 1952	964	cmd.exe	cmd.exe
PID 964 wrote to memory of 1952	964	cmd.exe	cmd.exe
PID 964 wrote to memory of 1952	964	cmd.exe	cmd.exe
PID 964 wrote to memory of 1336	964	cmd.exe	cacls.exe
PID 964 wrote to memory of 1336	964	cmd.exe	cacls.exe
PID 964 wrote to memory of 1336	964	cmd.exe	cacls.exe
PID 964 wrote to memory of 1336	964	cmd.exe	cacls.exe
PID 964 wrote to memory of 1036	964	cmd.exe	attrib.exe
PID 964 wrote to memory of 1036	964	cmd.exe	attrib.exe
PID 964 wrote to memory of 1036	964	cmd.exe	attrib.exe
PID 964 wrote to memory of 1036	964	cmd.exe	attrib.exe
PID 964 wrote to memory of 1096	964	cmd.exe	cmd.exe
PID 964 wrote to memory of 1096	964	cmd.exe	cmd.exe
PID 964 wrote to memory of 1096	964	cmd.exe	cmd.exe
PID 964 wrote to memory of 1096	964	cmd.exe	cmd.exe
PID 964 wrote to memory of 916	964	cmd.exe	cacls.exe
PID 964 wrote to memory of 916	964	cmd.exe	cacls.exe
PID 964 wrote to memory of 916	964	cmd.exe	cacls.exe
PID 964 wrote to memory of 916	964	cmd.exe	cacls.exe
PID 964 wrote to memory of 1696	964	cmd.exe	attrib.exe
PID 964 wrote to memory of 1696	964	cmd.exe	attrib.exe
PID 964 wrote to memory of 1696	964	cmd.exe	attrib.exe
PID 964 wrote to memory of 1696	964	cmd.exe	attrib.exe
PID 964 wrote to memory of 1708	964	cmd.exe	cmd.exe
PID 964 wrote to memory of 1708	964	cmd.exe	cmd.exe
PID 964 wrote to memory of 1708	964	cmd.exe	cmd.exe
PID 964 wrote to memory of 1708	964	cmd.exe	cmd.exe

Views/modifies file attributes 1 TTPs 8 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

628 attrib.exe
708 attrib.exe
1624 attrib.exe
1904 attrib.exe
1036 attrib.exe
1696 attrib.exe
1800 attrib.exe
908 attrib.exe

pid	process
628	attrib.exe
708	attrib.exe
1624	attrib.exe
1904	attrib.exe
1036	attrib.exe
1696	attrib.exe
1800	attrib.exe
908	attrib.exe

C:\Users\Admin\AppData\Local\Temp\45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe
"C:\Users\Admin\AppData\Local\Temp\45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:480

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\demo.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im rundll32.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\SecureBootThemes\\Microsoft\\svchost.exe'" call Terminate
3⤵
- Kills process with WMI
- Suspicious use of AdjustPrivilegeToken
PID:300

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath='C:\\windows\\sysprepthemes\\microsoft\\svchost.exe'" call Terminate
3⤵
- Kills process with WMI
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath='C:\Windows\\SpeechsTracing\\Microsoft\\svchost.exe'" call Terminate
3⤵
- Kills process with WMI
PID:840

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r +a C:\Windows\SpeechsTracing\Microsoft
3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:1624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1420

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SpeechsTracing\Microsoft /e /p everyone:n /d administrators
3⤵
PID:1940

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r +a C:\Windows\SecureBootThemes
3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:1904

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SecureBootThemes /e /p everyone:n /d administrators
3⤵
PID:1336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1952

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r +a C:\Windows\sysprepthemes
3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:1036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1096

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\ProgramData
3⤵
- Views/modifies file attributes
PID:1696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1708

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData\Natihial\svshostr.exe /d everyone
3⤵
PID:1800

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData\new\csrss.exe /d everyone
3⤵
PID:1632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2020

C:\Windows\SysWOW64\cacls.exe
cacls C:\windows\svchost.exe /d everyone
3⤵
PID:1592

C:\Windows\SysWOW64\Wbem\WMIC.exe
Wmic Process Where "Name='cmd.exe' And ExecutablePath='C:\\ProgramData\\Microsoft\\Natihial\\cmd.exe'" Call Terminate
3⤵
- Kills process with WMI
PID:1980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1352

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData\expl0rer.exe /d everyone
3⤵
PID:2012

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData\Microsoft\Natihial\cmd.exe /d everyone
3⤵
PID:956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1528

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\sysprepthemes /e /p everyone:n /d administrators
3⤵
PID:916

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "Adobe Flash Player Updaters" /f
3⤵
PID:568

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\new\\csrss.exe'" call Terminate
3⤵
- Kills process with WMI
PID:1548

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\svchost.exe'" call Terminate
3⤵
- Kills process with WMI
PID:1068

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\dll\\svchost.exe'" call Terminate
3⤵
- Kills process with WMI
PID:1504

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\dll\\csrss.exe'" call Terminate
3⤵
- Kills process with WMI
PID:1904

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\Natioanl\\svchostr.exe'" call Terminate
3⤵
- Kills process with WMI
PID:1676

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\Microsoft\\Natioanl\\csrss..exe'" call Terminate
3⤵
- Kills process with WMI
PID:608

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\nm\\winlogin.exe'" call Terminate
3⤵
- Kills process with WMI
PID:916

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\svchost.exe
3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:1800

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\svchost.exe /d everyone
3⤵
PID:1724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1432

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im tasksche.exe
3⤵
- Kills process with taskkill
PID:1612

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\tasksche.exe
3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:908

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\tasksche.exe /d everyone
3⤵
PID:2036

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='server.exe' and ExecutablePath='C:\\program files (x86)\\stormii\\server.exe'" call Terminate
3⤵
- Kills process with WMI
PID:1880

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r +a C:\ProgramData
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1980

C:\Windows\SysWOW64\cacls.exe
cacls "C:\program files (x86)\stormii\server.exe" /d everyone
3⤵
PID:588

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='conhost.exe' and ExecutablePath='C:\\program files (x86)\\windows nt\\conhost.exe'" call Terminate
3⤵
- Kills process with WMI
PID:1852

C:\Windows\SysWOW64\cacls.exe
cacls "C:\program files (x86)\stormii" /d everyone
3⤵
PID:1548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1152

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r +a "C:\program files (x86)\stormii"
3⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
PID:708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1176

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
2⤵
- Deletes itself
PID:1900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

2

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tem.vbs
Filesize
275B

MD5
805482b9089682ec0f82a29aaa1eb1bc

SHA1
5d9b6a5491f2854c6d48d1552a272f555bd033ac

SHA256
9b74ae442c953175ad499082ae5ac5a125f6fe8b8b513925b1b160352aaf813d

SHA512
34936334ca48b006c16615102119a528fb2f746eebf8e0186d902f5423da830832447a5236e883d19411f67a9238da7b9f2ecc3888de540683b5a35317d19920

Download Submit
\??\c:\windows\demo.bat
Filesize
4KB

MD5
7add4dd082e2e84ea7ea41a48a267450

SHA1
c382039ed13d239136e1ec4430bdd3343b28d8e8

SHA256
1b7a7b3df3a919c5e51a7f32cf5adc2fe1208dce454adf40864caad9912caa4c

SHA512
50a1ed761b48db3f6c9aeaabf1bfc169ec69dc97717d28d6cf0e612cdaa2661b0c06b8c1a375572511190b84d7952583f26cf0a2ff6f84b17bb89c260c7ab539

Download Submit
memory/300-59-0x0000000000000000-mapping.dmp

Download
memory/480-108-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/480-55-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/480-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/480-63-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/568-84-0x0000000000000000-mapping.dmp

Download
memory/588-102-0x0000000000000000-mapping.dmp

Download
memory/608-90-0x0000000000000000-mapping.dmp

Download
memory/628-99-0x0000000000000000-mapping.dmp

Download
memory/708-103-0x0000000000000000-mapping.dmp

Download
memory/840-61-0x0000000000000000-mapping.dmp

Download
memory/908-96-0x0000000000000000-mapping.dmp

Download
memory/916-71-0x0000000000000000-mapping.dmp

Download
memory/916-91-0x0000000000000000-mapping.dmp

Download
memory/956-78-0x0000000000000000-mapping.dmp

Download
memory/964-56-0x0000000000000000-mapping.dmp

Download
memory/1036-69-0x0000000000000000-mapping.dmp

Download
memory/1068-86-0x0000000000000000-mapping.dmp

Download
memory/1096-70-0x0000000000000000-mapping.dmp

Download
memory/1152-104-0x0000000000000000-mapping.dmp

Download
memory/1176-97-0x0000000000000000-mapping.dmp

Download
memory/1336-68-0x0000000000000000-mapping.dmp

Download
memory/1352-81-0x0000000000000000-mapping.dmp

Download
memory/1352-58-0x0000000000000000-mapping.dmp

Download
memory/1420-64-0x0000000000000000-mapping.dmp

Download
memory/1432-93-0x0000000000000000-mapping.dmp

Download
memory/1504-87-0x0000000000000000-mapping.dmp

Download
memory/1528-75-0x0000000000000000-mapping.dmp

Download
memory/1548-105-0x0000000000000000-mapping.dmp

Download
memory/1548-85-0x0000000000000000-mapping.dmp

Download
memory/1556-60-0x0000000000000000-mapping.dmp

Download
memory/1592-82-0x0000000000000000-mapping.dmp

Download
memory/1612-95-0x0000000000000000-mapping.dmp

Download
memory/1624-62-0x0000000000000000-mapping.dmp

Download
memory/1632-76-0x0000000000000000-mapping.dmp

Download
memory/1676-89-0x0000000000000000-mapping.dmp

Download
memory/1684-77-0x0000000000000000-mapping.dmp

Download
memory/1696-72-0x0000000000000000-mapping.dmp

Download
memory/1708-73-0x0000000000000000-mapping.dmp

Download
memory/1724-94-0x0000000000000000-mapping.dmp

Download
memory/1800-92-0x0000000000000000-mapping.dmp

Download
memory/1800-74-0x0000000000000000-mapping.dmp

Download
memory/1852-106-0x0000000000000000-mapping.dmp

Download
memory/1880-100-0x0000000000000000-mapping.dmp

Download
memory/1900-107-0x0000000000000000-mapping.dmp

Download
memory/1904-66-0x0000000000000000-mapping.dmp

Download
memory/1904-88-0x0000000000000000-mapping.dmp

Download
memory/1940-65-0x0000000000000000-mapping.dmp

Download
memory/1952-67-0x0000000000000000-mapping.dmp

Download
memory/1980-101-0x0000000000000000-mapping.dmp

Download
memory/1980-83-0x0000000000000000-mapping.dmp

Download
memory/2012-80-0x0000000000000000-mapping.dmp

Download
memory/2020-79-0x0000000000000000-mapping.dmp

Download
memory/2036-98-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads