wannacry | 45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1

General

Target

45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe
Size

289KB
MD5

7f142f5e800096af5de5160ba5caa91e
SHA1

6d5e1375311720b3f883d14e4e59cc251e8bb299
SHA256

45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1
SHA512

8be8d194267714433ff05d3981238963fbaf408fbc3d2473ca911573a235092fb8ec18e01fef618c7d61cd62dc82abe0ea04f40b2994e37bf81869828fbc5537

Score

10^/10

wannacry evasion ransomware upx worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Sets file to hidden 1 TTPs 7 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

3096 attrib.exe
3928 attrib.exe
4380 attrib.exe
2756 attrib.exe
2024 attrib.exe
1796 attrib.exe
3176 attrib.exe

pid	process
3096	attrib.exe
3928	attrib.exe
4380	attrib.exe
2756	attrib.exe
2024	attrib.exe
1796	attrib.exe
3176	attrib.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1680-130-0x0000000000400000-0x00000000004DB000-memory.dmp	upx
behavioral2/memory/1680-137-0x0000000000400000-0x00000000004DB000-memory.dmp	upx
behavioral2/memory/1680-183-0x0000000000400000-0x00000000004DB000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe

Drops file in Program Files directory 1 IoCs

Processes:

attrib.exe

description ioc process

File opened for modification C:\program files (x86)\stormii attrib.exe

description	ioc	process
File opened for modification	C:\program files (x86)\stormii	attrib.exe

Drops file in Windows directory 6 IoCs

Processes:

attrib.exeattrib.exe45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exeattrib.exeattrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.exe	attrib.exe
File opened for modification	C:\Windows\tasksche.exe	attrib.exe
File created	\??\c:\windows\demo.bat	45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe
File opened for modification	C:\Windows\SpeechsTracing\Microsoft	attrib.exe
File opened for modification	C:\Windows\SecureBootThemes	attrib.exe
File opened for modification	C:\Windows\sysprepthemes	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with WMI 13 IoCs

evasion

Processes:

WMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exe

pid	process
2800	WMIC.exe
1936	WMIC.exe
4928	WMIC.exe
2408	WMIC.exe
4500	WMIC.exe
4372	WMIC.exe
4128	WMIC.exe
3648	WMIC.exe
4932	WMIC.exe
4740	WMIC.exe
3936	WMIC.exe
3080	WMIC.exe
5032	WMIC.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3332 taskkill.exe
732 taskkill.exe

pid	process
3332	taskkill.exe
732	taskkill.exe

Modifies registry class 1 IoCs

Processes:

45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3332	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1936	WMIC.exe
Token: SeSecurityPrivilege	1936	WMIC.exe
Token: SeTakeOwnershipPrivilege	1936	WMIC.exe
Token: SeLoadDriverPrivilege	1936	WMIC.exe
Token: SeSystemProfilePrivilege	1936	WMIC.exe
Token: SeSystemtimePrivilege	1936	WMIC.exe
Token: SeProfSingleProcessPrivilege	1936	WMIC.exe
Token: SeIncBasePriorityPrivilege	1936	WMIC.exe
Token: SeCreatePagefilePrivilege	1936	WMIC.exe
Token: SeBackupPrivilege	1936	WMIC.exe
Token: SeRestorePrivilege	1936	WMIC.exe
Token: SeShutdownPrivilege	1936	WMIC.exe
Token: SeDebugPrivilege	1936	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1936	WMIC.exe
Token: SeRemoteShutdownPrivilege	1936	WMIC.exe
Token: SeUndockPrivilege	1936	WMIC.exe
Token: SeManageVolumePrivilege	1936	WMIC.exe
Token: 33	1936	WMIC.exe
Token: 34	1936	WMIC.exe
Token: 35	1936	WMIC.exe
Token: 36	1936	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1936	WMIC.exe
Token: SeSecurityPrivilege	1936	WMIC.exe
Token: SeTakeOwnershipPrivilege	1936	WMIC.exe
Token: SeLoadDriverPrivilege	1936	WMIC.exe
Token: SeSystemProfilePrivilege	1936	WMIC.exe
Token: SeSystemtimePrivilege	1936	WMIC.exe
Token: SeProfSingleProcessPrivilege	1936	WMIC.exe
Token: SeIncBasePriorityPrivilege	1936	WMIC.exe
Token: SeCreatePagefilePrivilege	1936	WMIC.exe
Token: SeBackupPrivilege	1936	WMIC.exe
Token: SeRestorePrivilege	1936	WMIC.exe
Token: SeShutdownPrivilege	1936	WMIC.exe
Token: SeDebugPrivilege	1936	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1936	WMIC.exe
Token: SeRemoteShutdownPrivilege	1936	WMIC.exe
Token: SeUndockPrivilege	1936	WMIC.exe
Token: SeManageVolumePrivilege	1936	WMIC.exe
Token: 33	1936	WMIC.exe
Token: 34	1936	WMIC.exe
Token: 35	1936	WMIC.exe
Token: 36	1936	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4740	WMIC.exe
Token: SeSecurityPrivilege	4740	WMIC.exe
Token: SeTakeOwnershipPrivilege	4740	WMIC.exe
Token: SeLoadDriverPrivilege	4740	WMIC.exe
Token: SeSystemProfilePrivilege	4740	WMIC.exe
Token: SeSystemtimePrivilege	4740	WMIC.exe
Token: SeProfSingleProcessPrivilege	4740	WMIC.exe
Token: SeIncBasePriorityPrivilege	4740	WMIC.exe
Token: SeCreatePagefilePrivilege	4740	WMIC.exe
Token: SeBackupPrivilege	4740	WMIC.exe
Token: SeRestorePrivilege	4740	WMIC.exe
Token: SeShutdownPrivilege	4740	WMIC.exe
Token: SeDebugPrivilege	4740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4740	WMIC.exe
Token: SeRemoteShutdownPrivilege	4740	WMIC.exe
Token: SeUndockPrivilege	4740	WMIC.exe
Token: SeManageVolumePrivilege	4740	WMIC.exe
Token: 33	4740	WMIC.exe
Token: 34	4740	WMIC.exe
Token: 35	4740	WMIC.exe
Token: 36	4740	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe

pid	process
1680	45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe
1680	45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.execmd.exe

description	pid	process	target process
PID 1680 wrote to memory of 2232	1680	45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe	cmd.exe
PID 1680 wrote to memory of 2232	1680	45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe	cmd.exe
PID 1680 wrote to memory of 2232	1680	45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe	cmd.exe
PID 2232 wrote to memory of 3332	2232	cmd.exe	taskkill.exe
PID 2232 wrote to memory of 3332	2232	cmd.exe	taskkill.exe
PID 2232 wrote to memory of 3332	2232	cmd.exe	taskkill.exe
PID 2232 wrote to memory of 1936	2232	cmd.exe	WMIC.exe
PID 2232 wrote to memory of 1936	2232	cmd.exe	WMIC.exe
PID 2232 wrote to memory of 1936	2232	cmd.exe	WMIC.exe
PID 2232 wrote to memory of 4740	2232	cmd.exe	WMIC.exe
PID 2232 wrote to memory of 4740	2232	cmd.exe	WMIC.exe
PID 2232 wrote to memory of 4740	2232	cmd.exe	WMIC.exe
PID 2232 wrote to memory of 4928	2232	cmd.exe	WMIC.exe
PID 2232 wrote to memory of 4928	2232	cmd.exe	WMIC.exe
PID 2232 wrote to memory of 4928	2232	cmd.exe	WMIC.exe
PID 2232 wrote to memory of 2024	2232	cmd.exe	attrib.exe
PID 2232 wrote to memory of 2024	2232	cmd.exe	attrib.exe
PID 2232 wrote to memory of 2024	2232	cmd.exe	attrib.exe
PID 2232 wrote to memory of 5108	2232	cmd.exe	cmd.exe
PID 2232 wrote to memory of 5108	2232	cmd.exe	cmd.exe
PID 2232 wrote to memory of 5108	2232	cmd.exe	cmd.exe
PID 2232 wrote to memory of 2764	2232	cmd.exe	cacls.exe
PID 2232 wrote to memory of 2764	2232	cmd.exe	cacls.exe
PID 2232 wrote to memory of 2764	2232	cmd.exe	cacls.exe
PID 2232 wrote to memory of 2756	2232	cmd.exe	attrib.exe
PID 2232 wrote to memory of 2756	2232	cmd.exe	attrib.exe
PID 2232 wrote to memory of 2756	2232	cmd.exe	attrib.exe
PID 2232 wrote to memory of 4996	2232	cmd.exe	cmd.exe
PID 2232 wrote to memory of 4996	2232	cmd.exe	cmd.exe
PID 2232 wrote to memory of 4996	2232	cmd.exe	cmd.exe
PID 2232 wrote to memory of 1000	2232	cmd.exe	cacls.exe
PID 2232 wrote to memory of 1000	2232	cmd.exe	cacls.exe
PID 2232 wrote to memory of 1000	2232	cmd.exe	cacls.exe
PID 2232 wrote to memory of 4380	2232	cmd.exe	attrib.exe
PID 2232 wrote to memory of 4380	2232	cmd.exe	attrib.exe
PID 2232 wrote to memory of 4380	2232	cmd.exe	attrib.exe
PID 2232 wrote to memory of 4320	2232	cmd.exe	cmd.exe
PID 2232 wrote to memory of 4320	2232	cmd.exe	cmd.exe
PID 2232 wrote to memory of 4320	2232	cmd.exe	cmd.exe
PID 2232 wrote to memory of 392	2232	cmd.exe	cacls.exe
PID 2232 wrote to memory of 392	2232	cmd.exe	cacls.exe
PID 2232 wrote to memory of 392	2232	cmd.exe	cacls.exe
PID 2232 wrote to memory of 2352	2232	cmd.exe	attrib.exe
PID 2232 wrote to memory of 2352	2232	cmd.exe	attrib.exe
PID 2232 wrote to memory of 2352	2232	cmd.exe	attrib.exe
PID 2232 wrote to memory of 4992	2232	cmd.exe	cmd.exe
PID 2232 wrote to memory of 4992	2232	cmd.exe	cmd.exe
PID 2232 wrote to memory of 4992	2232	cmd.exe	cmd.exe
PID 2232 wrote to memory of 5004	2232	cmd.exe	cacls.exe
PID 2232 wrote to memory of 5004	2232	cmd.exe	cacls.exe
PID 2232 wrote to memory of 5004	2232	cmd.exe	cacls.exe
PID 2232 wrote to memory of 2904	2232	cmd.exe	cmd.exe
PID 2232 wrote to memory of 2904	2232	cmd.exe	cmd.exe
PID 2232 wrote to memory of 2904	2232	cmd.exe	cmd.exe
PID 2232 wrote to memory of 1976	2232	cmd.exe	cacls.exe
PID 2232 wrote to memory of 1976	2232	cmd.exe	cacls.exe
PID 2232 wrote to memory of 1976	2232	cmd.exe	cacls.exe
PID 2232 wrote to memory of 2936	2232	cmd.exe	cmd.exe
PID 2232 wrote to memory of 2936	2232	cmd.exe	cmd.exe
PID 2232 wrote to memory of 2936	2232	cmd.exe	cmd.exe
PID 2232 wrote to memory of 4600	2232	cmd.exe	cacls.exe
PID 2232 wrote to memory of 4600	2232	cmd.exe	cacls.exe
PID 2232 wrote to memory of 4600	2232	cmd.exe	cacls.exe
PID 2232 wrote to memory of 4896	2232	cmd.exe	cmd.exe

Views/modifies file attributes 1 TTPs 8 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

2352 attrib.exe
4380 attrib.exe
2756 attrib.exe
2024 attrib.exe
1796 attrib.exe
3176 attrib.exe
3096 attrib.exe
3928 attrib.exe

pid	process
2352	attrib.exe
4380	attrib.exe
2756	attrib.exe
2024	attrib.exe
1796	attrib.exe
3176	attrib.exe
3096	attrib.exe
3928	attrib.exe

C:\Users\Admin\AppData\Local\Temp\45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe
"C:\Users\Admin\AppData\Local\Temp\45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\demo.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im rundll32.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3332

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\SecureBootThemes\\Microsoft\\svchost.exe'" call Terminate
3⤵
- Kills process with WMI
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath='C:\\windows\\sysprepthemes\\microsoft\\svchost.exe'" call Terminate
3⤵
- Kills process with WMI
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath='C:\Windows\\SpeechsTracing\\Microsoft\\svchost.exe'" call Terminate
3⤵
- Kills process with WMI
PID:4928

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SecureBootThemes /e /p everyone:n /d administrators
3⤵
PID:1000

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData\Microsoft\Natihial\cmd.exe /d everyone
3⤵
PID:4600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2524

C:\Windows\SysWOW64\Wbem\WMIC.exe
Wmic Process Where "Name='cmd.exe' And ExecutablePath='C:\\ProgramData\\Microsoft\\Natihial\\cmd.exe'" Call Terminate
3⤵
- Kills process with WMI
PID:3936

C:\Windows\SysWOW64\cacls.exe
cacls C:\windows\svchost.exe /d everyone
3⤵
PID:460

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData\expl0rer.exe /d everyone
3⤵
PID:316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2936

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData\new\csrss.exe /d everyone
3⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2904

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData\Natihial\svshostr.exe /d everyone
3⤵
PID:5004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4992

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\ProgramData
3⤵
- Views/modifies file attributes
PID:2352

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\sysprepthemes /e /p everyone:n /d administrators
3⤵
PID:392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4320

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r +a C:\Windows\sysprepthemes
3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4996

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r +a C:\Windows\SecureBootThemes
3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:2756

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SpeechsTracing\Microsoft /e /p everyone:n /d administrators
3⤵
PID:2764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:5108

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r +a C:\Windows\SpeechsTracing\Microsoft
3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:2024

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\new\\csrss.exe'" call Terminate
3⤵
- Kills process with WMI
PID:2408

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\svchost.exe'" call Terminate
3⤵
- Kills process with WMI
PID:3080

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "Adobe Flash Player Updaters" /f
3⤵
PID:4264

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\dll\\svchost.exe'" call Terminate
3⤵
- Kills process with WMI
PID:4500

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\dll\\csrss.exe'" call Terminate
3⤵
- Kills process with WMI
PID:5032

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\Microsoft\\Natioanl\\csrss..exe'" call Terminate
3⤵
- Kills process with WMI
PID:4372

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\Natioanl\\svchostr.exe'" call Terminate
3⤵
- Kills process with WMI
PID:4128

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\nm\\winlogin.exe'" call Terminate
3⤵
- Kills process with WMI
PID:2800

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im tasksche.exe
3⤵
- Kills process with taskkill
PID:732

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='server.exe' and ExecutablePath='C:\\program files (x86)\\stormii\\server.exe'" call Terminate
3⤵
- Kills process with WMI
PID:3648

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r +a C:\ProgramData
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1796

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\tasksche.exe /d everyone
3⤵
PID:4136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1340

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\tasksche.exe
3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:3176

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\svchost.exe /d everyone
3⤵
PID:3628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4820

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\svchost.exe
3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:3096

C:\Windows\SysWOW64\cacls.exe
cacls "C:\program files (x86)\stormii" /d everyone
3⤵
PID:4752

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='conhost.exe' and ExecutablePath='C:\\program files (x86)\\windows nt\\conhost.exe'" call Terminate
3⤵
- Kills process with WMI
PID:4932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3852

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r +a "C:\program files (x86)\stormii"
3⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
PID:3928

C:\Windows\SysWOW64\cacls.exe
cacls "C:\program files (x86)\stormii\server.exe" /d everyone
3⤵
PID:808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4760

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
2⤵
PID:1476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

2

T1158

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tem.vbs
Filesize
275B

MD5
805482b9089682ec0f82a29aaa1eb1bc

SHA1
5d9b6a5491f2854c6d48d1552a272f555bd033ac

SHA256
9b74ae442c953175ad499082ae5ac5a125f6fe8b8b513925b1b160352aaf813d

SHA512
34936334ca48b006c16615102119a528fb2f746eebf8e0186d902f5423da830832447a5236e883d19411f67a9238da7b9f2ecc3888de540683b5a35317d19920

Download Submit
\??\c:\windows\demo.bat
Filesize
4KB

MD5
7add4dd082e2e84ea7ea41a48a267450

SHA1
c382039ed13d239136e1ec4430bdd3343b28d8e8

SHA256
1b7a7b3df3a919c5e51a7f32cf5adc2fe1208dce454adf40864caad9912caa4c

SHA512
50a1ed761b48db3f6c9aeaabf1bfc169ec69dc97717d28d6cf0e612cdaa2661b0c06b8c1a375572511190b84d7952583f26cf0a2ff6f84b17bb89c260c7ab539

Download Submit
memory/316-155-0x0000000000000000-mapping.dmp

Download
memory/392-146-0x0000000000000000-mapping.dmp

Download
memory/460-157-0x0000000000000000-mapping.dmp

Download
memory/732-170-0x0000000000000000-mapping.dmp

Download
memory/808-177-0x0000000000000000-mapping.dmp

Download
memory/1000-143-0x0000000000000000-mapping.dmp

Download
memory/1340-172-0x0000000000000000-mapping.dmp

Download
memory/1476-182-0x0000000000000000-mapping.dmp

Download
memory/1680-137-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/1680-183-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/1680-130-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/1796-174-0x0000000000000000-mapping.dmp

Download
memory/1936-134-0x0000000000000000-mapping.dmp

Download
memory/1976-151-0x0000000000000000-mapping.dmp

Download
memory/2024-138-0x0000000000000000-mapping.dmp

Download
memory/2232-131-0x0000000000000000-mapping.dmp

Download
memory/2352-147-0x0000000000000000-mapping.dmp

Download
memory/2408-160-0x0000000000000000-mapping.dmp

Download
memory/2524-156-0x0000000000000000-mapping.dmp

Download
memory/2756-141-0x0000000000000000-mapping.dmp

Download
memory/2764-140-0x0000000000000000-mapping.dmp

Download
memory/2800-166-0x0000000000000000-mapping.dmp

Download
memory/2904-150-0x0000000000000000-mapping.dmp

Download
memory/2936-152-0x0000000000000000-mapping.dmp

Download
memory/3080-161-0x0000000000000000-mapping.dmp

Download
memory/3096-167-0x0000000000000000-mapping.dmp

Download
memory/3176-171-0x0000000000000000-mapping.dmp

Download
memory/3332-133-0x0000000000000000-mapping.dmp

Download
memory/3628-169-0x0000000000000000-mapping.dmp

Download
memory/3648-175-0x0000000000000000-mapping.dmp

Download
memory/3852-179-0x0000000000000000-mapping.dmp

Download
memory/3928-178-0x0000000000000000-mapping.dmp

Download
memory/3936-158-0x0000000000000000-mapping.dmp

Download
memory/4128-164-0x0000000000000000-mapping.dmp

Download
memory/4136-173-0x0000000000000000-mapping.dmp

Download
memory/4264-159-0x0000000000000000-mapping.dmp

Download
memory/4320-145-0x0000000000000000-mapping.dmp

Download
memory/4372-165-0x0000000000000000-mapping.dmp

Download
memory/4380-144-0x0000000000000000-mapping.dmp

Download
memory/4500-162-0x0000000000000000-mapping.dmp

Download
memory/4600-153-0x0000000000000000-mapping.dmp

Download
memory/4740-135-0x0000000000000000-mapping.dmp

Download
memory/4752-180-0x0000000000000000-mapping.dmp

Download
memory/4760-176-0x0000000000000000-mapping.dmp

Download
memory/4820-168-0x0000000000000000-mapping.dmp

Download
memory/4896-154-0x0000000000000000-mapping.dmp

Download
memory/4928-136-0x0000000000000000-mapping.dmp

Download
memory/4932-181-0x0000000000000000-mapping.dmp

Download
memory/4992-148-0x0000000000000000-mapping.dmp

Download
memory/4996-142-0x0000000000000000-mapping.dmp

Download
memory/5004-149-0x0000000000000000-mapping.dmp

Download
memory/5032-163-0x0000000000000000-mapping.dmp

Download
memory/5108-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads