Malware Analysis Report

2025-06-16 06:23

Sample ID 230910-qb1fvshc52
Target 2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe
SHA256 c42defa8a483d463bee75bb42e7095cff43ca12d56d7e1ddd235b64221cceae4
Tags
chaos evasion persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c42defa8a483d463bee75bb42e7095cff43ca12d56d7e1ddd235b64221cceae4

Threat Level: Known bad

The file 2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe was found to be: Known bad.

Malicious Activity Summary

chaos evasion persistence ransomware spyware stealer

Chaos Ransomware

Chaos

Chaos family

Modifies boot configuration data using bcdedit

Deletes shadow copies

Deletes backup catalog

Disables Task Manager via registry modification

Drops startup file

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Enumerates physical storage devices

Unsigned PE

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Modifies registry class

Uses Task Scheduler COM API

Interacts with shadow copies

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 13:05

Signatures

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Chaos family

chaos

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 13:05

Reported

2023-09-10 13:08

Platform

win7-20230831-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Disables Task Manager via registry modification

evasion

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\you like cock.txt C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateTask = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OXRRPXTH\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2TCNB3QR\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JY0EDUNO\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-86725733-3001458681-3405935542-1000\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\PNLMEYHC\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\8VE3RER5\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\87U71MEJ\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZM14P5Y5\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2F3386PL\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hkbgq5icm.jpg" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2808 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2808 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2808 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2672 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2672 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2672 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2440 wrote to memory of 2492 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2440 wrote to memory of 2492 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2440 wrote to memory of 2492 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2440 wrote to memory of 1180 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2440 wrote to memory of 1180 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2440 wrote to memory of 1180 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2672 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2672 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2672 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2784 wrote to memory of 2764 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2784 wrote to memory of 2764 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2784 wrote to memory of 2764 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2784 wrote to memory of 584 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2784 wrote to memory of 584 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2784 wrote to memory of 584 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2672 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2672 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2672 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2444 wrote to memory of 2068 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2444 wrote to memory of 2068 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2444 wrote to memory of 2068 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2672 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\NOTEPAD.EXE
PID 2672 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\NOTEPAD.EXE
PID 2672 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\NOTEPAD.EXE

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe

"C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\you like cock.txt

Network

N/A

Files

memory/2808-0-0x00000000011E0000-0x0000000001206000-memory.dmp

memory/2808-1-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

memory/2808-2-0x0000000000D00000-0x0000000000D80000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 4470af286c52fe4f7899d46de8428018
SHA1 a99e8c7c1d6c76388809ec7d4e922f88b625f27e
SHA256 c42defa8a483d463bee75bb42e7095cff43ca12d56d7e1ddd235b64221cceae4
SHA512 c551112a10b1f48b61faa3e17de2d7b8aa2aefc9e9d5d40f44a797ebe7f0fa8cfa869866dc11a70c38e390be10358804ab8310261f973de7ed58db352b4f0510

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 4470af286c52fe4f7899d46de8428018
SHA1 a99e8c7c1d6c76388809ec7d4e922f88b625f27e
SHA256 c42defa8a483d463bee75bb42e7095cff43ca12d56d7e1ddd235b64221cceae4
SHA512 c551112a10b1f48b61faa3e17de2d7b8aa2aefc9e9d5d40f44a797ebe7f0fa8cfa869866dc11a70c38e390be10358804ab8310261f973de7ed58db352b4f0510

memory/2672-8-0x0000000000060000-0x0000000000086000-memory.dmp

memory/2808-9-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

memory/2672-11-0x0000000002110000-0x0000000002190000-memory.dmp

memory/2672-10-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

C:\Users\Admin\AppData\Local\you like cock.txt

MD5 8328a6078be1aa0f76d4e57be2189c39
SHA1 2cf09192be4716e74fcecfa0673e842b2e74dff6
SHA256 d2a3ba085304c3b342d3df1ad51e0e1cd7b50f3918a0970f64e45c6fd1c68fac
SHA512 cf7cc6494c7df08c585665fd062521dd26280efc922889cdaaf23c06c019688bca8d7a03cb56f1f67d6cf616b7c39b0e31484db16c8f1e588beee8f90acdf335

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk

MD5 d1457b72c3fb323a2671125aef3eab5d
SHA1 5bab61eb53176449e25c2c82f172b82cb13ffb9d
SHA256 8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1
SHA512 ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

memory/2672-247-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

C:\Users\Admin\AppData\Roaming\you like cock.txt

MD5 8328a6078be1aa0f76d4e57be2189c39
SHA1 2cf09192be4716e74fcecfa0673e842b2e74dff6
SHA256 d2a3ba085304c3b342d3df1ad51e0e1cd7b50f3918a0970f64e45c6fd1c68fac
SHA512 cf7cc6494c7df08c585665fd062521dd26280efc922889cdaaf23c06c019688bca8d7a03cb56f1f67d6cf616b7c39b0e31484db16c8f1e588beee8f90acdf335

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-10 13:05

Reported

2023-09-10 13:08

Platform

win10v2004-20230831-en

Max time kernel

137s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\you like cock.txt C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateTask = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1980726966-773384374-2129981223-1000\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9n4qv3ko5.jpg" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4780 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4780 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4316 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 4316 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 3260 wrote to memory of 3912 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3260 wrote to memory of 3912 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3260 wrote to memory of 1172 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3260 wrote to memory of 1172 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4316 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 4316 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 4880 wrote to memory of 3996 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4880 wrote to memory of 3996 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4880 wrote to memory of 1828 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4880 wrote to memory of 1828 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4316 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 4316 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 4140 wrote to memory of 4516 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 4140 wrote to memory of 4516 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 4316 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\NOTEPAD.EXE
PID 4316 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\NOTEPAD.EXE

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe

"C:\Users\Admin\AppData\Local\Temp\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\you like cock.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp

Files

memory/4780-0-0x00000000002E0000-0x0000000000306000-memory.dmp

memory/4780-1-0x00007FF857BC0000-0x00007FF858681000-memory.dmp

memory/4780-2-0x000000001AEE0000-0x000000001AEF0000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 4470af286c52fe4f7899d46de8428018
SHA1 a99e8c7c1d6c76388809ec7d4e922f88b625f27e
SHA256 c42defa8a483d463bee75bb42e7095cff43ca12d56d7e1ddd235b64221cceae4
SHA512 c551112a10b1f48b61faa3e17de2d7b8aa2aefc9e9d5d40f44a797ebe7f0fa8cfa869866dc11a70c38e390be10358804ab8310261f973de7ed58db352b4f0510

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 4470af286c52fe4f7899d46de8428018
SHA1 a99e8c7c1d6c76388809ec7d4e922f88b625f27e
SHA256 c42defa8a483d463bee75bb42e7095cff43ca12d56d7e1ddd235b64221cceae4
SHA512 c551112a10b1f48b61faa3e17de2d7b8aa2aefc9e9d5d40f44a797ebe7f0fa8cfa869866dc11a70c38e390be10358804ab8310261f973de7ed58db352b4f0510

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 4470af286c52fe4f7899d46de8428018
SHA1 a99e8c7c1d6c76388809ec7d4e922f88b625f27e
SHA256 c42defa8a483d463bee75bb42e7095cff43ca12d56d7e1ddd235b64221cceae4
SHA512 c551112a10b1f48b61faa3e17de2d7b8aa2aefc9e9d5d40f44a797ebe7f0fa8cfa869866dc11a70c38e390be10358804ab8310261f973de7ed58db352b4f0510

memory/4316-15-0x00007FF857BC0000-0x00007FF858681000-memory.dmp

memory/4780-16-0x00007FF857BC0000-0x00007FF858681000-memory.dmp

C:\Users\Admin\3D Objects\you like cock.txt

MD5 8328a6078be1aa0f76d4e57be2189c39
SHA1 2cf09192be4716e74fcecfa0673e842b2e74dff6
SHA256 d2a3ba085304c3b342d3df1ad51e0e1cd7b50f3918a0970f64e45c6fd1c68fac
SHA512 cf7cc6494c7df08c585665fd062521dd26280efc922889cdaaf23c06c019688bca8d7a03cb56f1f67d6cf616b7c39b0e31484db16c8f1e588beee8f90acdf335

C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Fax Recipient.lnk

MD5 d1457b72c3fb323a2671125aef3eab5d
SHA1 5bab61eb53176449e25c2c82f172b82cb13ffb9d
SHA256 8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1
SHA512 ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2023-08-24_4470af286c52fe4f7899d46de8428018_wannacry_JC.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

memory/4316-249-0x00007FF857BC0000-0x00007FF858681000-memory.dmp

C:\Users\Admin\AppData\Roaming\you like cock.txt

MD5 8328a6078be1aa0f76d4e57be2189c39
SHA1 2cf09192be4716e74fcecfa0673e842b2e74dff6
SHA256 d2a3ba085304c3b342d3df1ad51e0e1cd7b50f3918a0970f64e45c6fd1c68fac
SHA512 cf7cc6494c7df08c585665fd062521dd26280efc922889cdaaf23c06c019688bca8d7a03cb56f1f67d6cf616b7c39b0e31484db16c8f1e588beee8f90acdf335