wannacry | be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

Resubmissions

22/09/2023, 08:27

230922-kck5nsgg63 10

22/09/2023, 07:10

230922-hztdfsed7s 10

22/09/2023, 06:41

230922-hfy5lagb37 10

Analysis

max time kernel
93s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
22/09/2023, 08:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WannaCryptor v1.0.exe
Size

224KB
MD5

5c7fb0927db37372da25f270708103a2
SHA1

120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA256

be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SHA512

a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
SSDEEP

3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ

Score

10^/10

wannacry persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD4BC0.tmp	WannaCryptor v1.0.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD4BD7.tmp	WannaCryptor v1.0.exe

Executes dropped EXE 4 IoCs

pid	Process
5012	!WannaDecryptor!.exe
1764	!WannaDecryptor!.exe
1872	!WannaDecryptor!.exe
116	!WannaDecryptor!.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WannaCryptor v1.0.exe\" /r"	WannaCryptor v1.0.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Kills process with taskkill 4 IoCs

evasion

pid	Process
4112	taskkill.exe
2000	taskkill.exe
116	taskkill.exe
2568	taskkill.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4656	WINWORD.EXE
4656	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	2000	taskkill.exe
Token: SeDebugPrivilege	4112	taskkill.exe
Token: SeDebugPrivilege	116	taskkill.exe
Token: SeDebugPrivilege	2568	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4980	WMIC.exe
Token: SeSecurityPrivilege	4980	WMIC.exe
Token: SeTakeOwnershipPrivilege	4980	WMIC.exe
Token: SeLoadDriverPrivilege	4980	WMIC.exe
Token: SeSystemProfilePrivilege	4980	WMIC.exe
Token: SeSystemtimePrivilege	4980	WMIC.exe
Token: SeProfSingleProcessPrivilege	4980	WMIC.exe
Token: SeIncBasePriorityPrivilege	4980	WMIC.exe
Token: SeCreatePagefilePrivilege	4980	WMIC.exe
Token: SeBackupPrivilege	4980	WMIC.exe
Token: SeRestorePrivilege	4980	WMIC.exe
Token: SeShutdownPrivilege	4980	WMIC.exe
Token: SeDebugPrivilege	4980	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4980	WMIC.exe
Token: SeRemoteShutdownPrivilege	4980	WMIC.exe
Token: SeUndockPrivilege	4980	WMIC.exe
Token: SeManageVolumePrivilege	4980	WMIC.exe
Token: 33	4980	WMIC.exe
Token: 34	4980	WMIC.exe
Token: 35	4980	WMIC.exe
Token: 36	4980	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4980	WMIC.exe
Token: SeSecurityPrivilege	4980	WMIC.exe
Token: SeTakeOwnershipPrivilege	4980	WMIC.exe
Token: SeLoadDriverPrivilege	4980	WMIC.exe
Token: SeSystemProfilePrivilege	4980	WMIC.exe
Token: SeSystemtimePrivilege	4980	WMIC.exe
Token: SeProfSingleProcessPrivilege	4980	WMIC.exe
Token: SeIncBasePriorityPrivilege	4980	WMIC.exe
Token: SeCreatePagefilePrivilege	4980	WMIC.exe
Token: SeBackupPrivilege	4980	WMIC.exe
Token: SeRestorePrivilege	4980	WMIC.exe
Token: SeShutdownPrivilege	4980	WMIC.exe
Token: SeDebugPrivilege	4980	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4980	WMIC.exe
Token: SeRemoteShutdownPrivilege	4980	WMIC.exe
Token: SeUndockPrivilege	4980	WMIC.exe
Token: SeManageVolumePrivilege	4980	WMIC.exe
Token: 33	4980	WMIC.exe
Token: 34	4980	WMIC.exe
Token: 35	4980	WMIC.exe
Token: 36	4980	WMIC.exe
Token: SeBackupPrivilege	2120	vssvc.exe
Token: SeRestorePrivilege	2120	vssvc.exe
Token: SeAuditPrivilege	2120	vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
116	!WannaDecryptor!.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
5012	!WannaDecryptor!.exe
5012	!WannaDecryptor!.exe
1764	!WannaDecryptor!.exe
1764	!WannaDecryptor!.exe
1872	!WannaDecryptor!.exe
1872	!WannaDecryptor!.exe
116	!WannaDecryptor!.exe
116	!WannaDecryptor!.exe
4656	WINWORD.EXE
4656	WINWORD.EXE
4656	WINWORD.EXE
4656	WINWORD.EXE
4656	WINWORD.EXE
4656	WINWORD.EXE
4656	WINWORD.EXE
4656	WINWORD.EXE
4656	WINWORD.EXE
4656	WINWORD.EXE
4656	WINWORD.EXE
4656	WINWORD.EXE

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 4796	2732	WannaCryptor v1.0.exe	82
PID 2732 wrote to memory of 4796	2732	WannaCryptor v1.0.exe	82
PID 2732 wrote to memory of 4796	2732	WannaCryptor v1.0.exe	82
PID 4796 wrote to memory of 4416	4796	cmd.exe	84
PID 4796 wrote to memory of 4416	4796	cmd.exe	84
PID 4796 wrote to memory of 4416	4796	cmd.exe	84
PID 2732 wrote to memory of 5012	2732	WannaCryptor v1.0.exe	87
PID 2732 wrote to memory of 5012	2732	WannaCryptor v1.0.exe	87
PID 2732 wrote to memory of 5012	2732	WannaCryptor v1.0.exe	87
PID 2732 wrote to memory of 4112	2732	WannaCryptor v1.0.exe	88
PID 2732 wrote to memory of 4112	2732	WannaCryptor v1.0.exe	88
PID 2732 wrote to memory of 4112	2732	WannaCryptor v1.0.exe	88
PID 2732 wrote to memory of 2000	2732	WannaCryptor v1.0.exe	89
PID 2732 wrote to memory of 2000	2732	WannaCryptor v1.0.exe	89
PID 2732 wrote to memory of 2000	2732	WannaCryptor v1.0.exe	89
PID 2732 wrote to memory of 116	2732	WannaCryptor v1.0.exe	90
PID 2732 wrote to memory of 116	2732	WannaCryptor v1.0.exe	90
PID 2732 wrote to memory of 116	2732	WannaCryptor v1.0.exe	90
PID 2732 wrote to memory of 2568	2732	WannaCryptor v1.0.exe	95
PID 2732 wrote to memory of 2568	2732	WannaCryptor v1.0.exe	95
PID 2732 wrote to memory of 2568	2732	WannaCryptor v1.0.exe	95
PID 2732 wrote to memory of 1764	2732	WannaCryptor v1.0.exe	100
PID 2732 wrote to memory of 1764	2732	WannaCryptor v1.0.exe	100
PID 2732 wrote to memory of 1764	2732	WannaCryptor v1.0.exe	100
PID 2732 wrote to memory of 4076	2732	WannaCryptor v1.0.exe	101
PID 2732 wrote to memory of 4076	2732	WannaCryptor v1.0.exe	101
PID 2732 wrote to memory of 4076	2732	WannaCryptor v1.0.exe	101
PID 4076 wrote to memory of 1872	4076	cmd.exe	103
PID 4076 wrote to memory of 1872	4076	cmd.exe	103
PID 4076 wrote to memory of 1872	4076	cmd.exe	103
PID 2732 wrote to memory of 116	2732	WannaCryptor v1.0.exe	104
PID 2732 wrote to memory of 116	2732	WannaCryptor v1.0.exe	104
PID 2732 wrote to memory of 116	2732	WannaCryptor v1.0.exe	104
PID 1872 wrote to memory of 4968	1872	!WannaDecryptor!.exe	113
PID 1872 wrote to memory of 4968	1872	!WannaDecryptor!.exe	113
PID 1872 wrote to memory of 4968	1872	!WannaDecryptor!.exe	113
PID 4968 wrote to memory of 4980	4968	cmd.exe	115
PID 4968 wrote to memory of 4980	4968	cmd.exe	115
PID 4968 wrote to memory of 4980	4968	cmd.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\WannaCryptor v1.0.exe
"C:\Users\Admin\AppData\Local\Temp\WannaCryptor v1.0.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 72451695371253.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Windows\SysWOW64\cscript.exe
    cscript //nologo c.vbs
    3⤵
    PID:4416
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe f
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5012
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSExchange*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4112
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Microsoft.Exchange.*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlserver.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:116
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlwriter.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2568
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe c
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1764
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b !WannaDecryptor!.exe v
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
    !WannaDecryptor!.exe v
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1872
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4968
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4980
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:116

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1900

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\These.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4656

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\!Please Read Me!.txt
1⤵
PID:964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\!WannaDecryptor!.exe.lnk

Filesize
1KB

MD5
3aa5313c904052e97f08a7a593e06033

SHA1
826deee409f13b6a44a0080978156324a9047e17

SHA256
d6a810b7195db75d28d32a608ebfcd74d96073785eb14fe99241d35db73fcefb

SHA512
e6e7d5e5ebe982d7e2b76a4714ed9418a266d60bd3306fc4d9dff06d26015f1d48c79d183be50e45da840fe28ce11c0cce703fd7e13261db6e302d50e11c7392

Download Submit
C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

Filesize
1KB

MD5
3aa5313c904052e97f08a7a593e06033

SHA1
826deee409f13b6a44a0080978156324a9047e17

SHA256
d6a810b7195db75d28d32a608ebfcd74d96073785eb14fe99241d35db73fcefb

SHA512
e6e7d5e5ebe982d7e2b76a4714ed9418a266d60bd3306fc4d9dff06d26015f1d48c79d183be50e45da840fe28ce11c0cce703fd7e13261db6e302d50e11c7392

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
0c7e727d8b51a955cf461793f7862e9a

SHA1
2fd634a778a3546d907cd783f388dcd68c2165c2

SHA256
428b27f1082d4a4bf2fd5ddd0875cf2a4c4a564e3f18578c658b0221eadc0f5f

SHA512
1f91c2be692b56c1620eb317874c6a334385ce95966310884bcca85974b0f1a15dde16fbde8b205e930eb909e23b6d54c384b753f6828da6a074774ac8c040ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
e96c1c4a1a52bcaa4a12bc63783ee79c

SHA1
d6bd9866c8ccdfed4550c365456e9c9df433f432

SHA256
d539913166aaf27e3aebcd04fffcc6eb405d140dd2f08e97b44f1a63457e399d

SHA512
df186854f9b624255c48c1fe8732f742d90ce26035dce437ec079afca0f1a6a9e240f363f7843a046941cff0f2ad49b96dd82f003e3821640e2450e01f3e6315

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
adbbe9026f8864f436ae479f51f6844a

SHA1
5d554a1bf8a51a2487d3909e7012ae6044dd1646

SHA256
8410c68549100d426d83e92031d94722b92d6b38524723587edc25a9fe958d63

SHA512
7f2f0d4b5865f26e30f2249e83c1f0bd2bcd66df0143b91d73f7783169f13d2b0120f95047cb05c68a1603a4144b4e2bb9fa323a23aebbd12c7c4bed65dfcacf

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
d3297b03cdd0fd2fcfdef63033277412

SHA1
d0eecd7b8da01699a943c154b163cc87f7a15286

SHA256
6acee249bb54c9d9c08a1201862023bda718d0f857e7fd7c12b2da9bacfa1e22

SHA512
4d3d90387a82cdb28fc257fc05b762eea4950273ae7ca2562521913c57c24379ec9627d680d260bdea651581f251f8e7910cae8fe22be2179d48305679381ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\72451695371253.bat

Filesize
336B

MD5
3540e056349c6972905dc9706cd49418

SHA1
492c20442d34d45a6d6790c720349b11ec591cde

SHA256
73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

SHA512
c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.vbs

Filesize
219B

MD5
5f6d40ca3c34b470113ed04d06a88ff4

SHA1
50629e7211ae43e32060686d6be17ebd492fd7aa

SHA256
0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

SHA512
4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry

Filesize
628B

MD5
7d8d67dcfee8e8b703e006279952db34

SHA1
1936165dfd6edc54b0dcfdd0637c3e14549ab769

SHA256
4d5565d4e6c3a9918d8567fba7183e2f43aa1f1b146ce5aa5b976da79d5b2f31

SHA512
e2810f3361d34c87c1c986d580ee509d577043a54116ccf29ea0c2730a1167978e09db6f2637f4e74cbd390c291387e746c922d439884da8f5bf095780b5e547

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry

Filesize
628B

MD5
7d8d67dcfee8e8b703e006279952db34

SHA1
1936165dfd6edc54b0dcfdd0637c3e14549ab769

SHA256
4d5565d4e6c3a9918d8567fba7183e2f43aa1f1b146ce5aa5b976da79d5b2f31

SHA512
e2810f3361d34c87c1c986d580ee509d577043a54116ccf29ea0c2730a1167978e09db6f2637f4e74cbd390c291387e746c922d439884da8f5bf095780b5e547

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
18KB

MD5
3e2824a0499d882799197f2ed615aa8e

SHA1
4b2551bbe6e503dc328fa251fd7a32f18f6513cb

SHA256
8fe048758ad806c776bb453abaf935708710721606543eecf8a8f53c9ae76c20

SHA512
9224d426923a70455e8306166345aa8a04445347cc6a3ce32c01d2f423d1f14f989727566fac113d12168b38dbe4d017aac4ad3838e89ea2fe8505e443f812df

Download Submit
C:\Users\Admin\Documents\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
memory/2732-6-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/4656-1357-0x00007FFB9E530000-0x00007FFB9E725000-memory.dmp

Filesize
2.0MB

Download
memory/4656-1401-0x00007FFB9E530000-0x00007FFB9E725000-memory.dmp

Filesize
2.0MB

Download
memory/4656-1361-0x00007FFB9E530000-0x00007FFB9E725000-memory.dmp

Filesize
2.0MB

Download
memory/4656-1363-0x00007FFB5E5B0000-0x00007FFB5E5C0000-memory.dmp

Filesize
64KB

Download
memory/4656-1364-0x00007FFB9E530000-0x00007FFB9E725000-memory.dmp

Filesize
2.0MB

Download
memory/4656-1362-0x00007FFB5E5B0000-0x00007FFB5E5C0000-memory.dmp

Filesize
64KB

Download
memory/4656-1365-0x00007FFB9E530000-0x00007FFB9E725000-memory.dmp

Filesize
2.0MB

Download
memory/4656-1360-0x00007FFB5E5B0000-0x00007FFB5E5C0000-memory.dmp

Filesize
64KB

Download
memory/4656-1366-0x00007FFB9E530000-0x00007FFB9E725000-memory.dmp

Filesize
2.0MB

Download
memory/4656-1367-0x00007FFB9E530000-0x00007FFB9E725000-memory.dmp

Filesize
2.0MB

Download
memory/4656-1368-0x00007FFB9E530000-0x00007FFB9E725000-memory.dmp

Filesize
2.0MB

Download
memory/4656-1372-0x00007FFB9E530000-0x00007FFB9E725000-memory.dmp

Filesize
2.0MB

Download
memory/4656-1371-0x00007FFB5C400000-0x00007FFB5C410000-memory.dmp

Filesize
64KB

Download
memory/4656-1370-0x00007FFB9E530000-0x00007FFB9E725000-memory.dmp

Filesize
2.0MB

Download
memory/4656-1373-0x00007FFB5C400000-0x00007FFB5C410000-memory.dmp

Filesize
64KB

Download
memory/4656-1358-0x00007FFB5E5B0000-0x00007FFB5E5C0000-memory.dmp

Filesize
64KB

Download
memory/4656-1380-0x00007FFB9E530000-0x00007FFB9E725000-memory.dmp

Filesize
2.0MB

Download
memory/4656-1355-0x00007FFB5E5B0000-0x00007FFB5E5C0000-memory.dmp

Filesize
64KB

Download
memory/4656-1400-0x00007FFB9E530000-0x00007FFB9E725000-memory.dmp

Filesize
2.0MB

Download
memory/4656-1359-0x00007FFB9E530000-0x00007FFB9E725000-memory.dmp

Filesize
2.0MB

Download
memory/4656-1402-0x00007FFB9E530000-0x00007FFB9E725000-memory.dmp

Filesize
2.0MB

Download
memory/4656-1403-0x00007FFB9E530000-0x00007FFB9E725000-memory.dmp

Filesize
2.0MB

Download
memory/4656-1404-0x00007FFB9E530000-0x00007FFB9E725000-memory.dmp

Filesize
2.0MB

Download
memory/4656-1405-0x00007FFB9E530000-0x00007FFB9E725000-memory.dmp

Filesize
2.0MB

Download
memory/4656-1406-0x00007FFB9E530000-0x00007FFB9E725000-memory.dmp

Filesize
2.0MB

Download
memory/4656-1407-0x00007FFB9E530000-0x00007FFB9E725000-memory.dmp

Filesize
2.0MB

Download
memory/4656-1408-0x00007FFB9E530000-0x00007FFB9E725000-memory.dmp

Filesize
2.0MB

Download
memory/4656-1412-0x00007FFB9E530000-0x00007FFB9E725000-memory.dmp

Filesize
2.0MB

Download
memory/4656-1416-0x00007FFB9E530000-0x00007FFB9E725000-memory.dmp

Filesize
2.0MB

Download
memory/4656-1417-0x00007FFB5E5B0000-0x00007FFB5E5C0000-memory.dmp

Filesize
64KB

Download
memory/4656-1418-0x00007FFB5E5B0000-0x00007FFB5E5C0000-memory.dmp

Filesize
64KB

Download
memory/4656-1419-0x00007FFB5E5B0000-0x00007FFB5E5C0000-memory.dmp

Filesize
64KB

Download
memory/4656-1421-0x00007FFB9E530000-0x00007FFB9E725000-memory.dmp

Filesize
2.0MB

Download
memory/4656-1422-0x00007FFB9E530000-0x00007FFB9E725000-memory.dmp

Filesize
2.0MB

Download
memory/4656-1420-0x00007FFB5E5B0000-0x00007FFB5E5C0000-memory.dmp

Filesize
64KB

Download
memory/4656-1423-0x00007FFB9E530000-0x00007FFB9E725000-memory.dmp

Filesize
2.0MB

Download
memory/4656-1356-0x00007FFB9E530000-0x00007FFB9E725000-memory.dmp

Filesize
2.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads