wannacry | 761e037ee186880d5f7d1f112b839818056f160a9ba60c7fb8d23d926ac0621f

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2023 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Size

3.4MB
MD5

84c82835a5d21bbcf75a61706d8ab549
SHA1

5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512

90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
SSDEEP

98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB

Score

10^/10

wannacry discovery persistence ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Drops startup file 2 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD59ED.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD5A03.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Executes dropped EXE 16 IoCs

Processes:

taskdl.exe@[email protected]@[email protected]taskhsvc.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskse.exeBackgroundTransferHost.exetaskdl.exetaskse.exe@[email protected]taskdl.exe

pid	process
2840	taskdl.exe
2200	@[email protected]
1324	@[email protected]
1980	taskhsvc.exe
1696	taskdl.exe
2800	taskse.exe
3908	@[email protected]
1676	taskdl.exe
3916	taskse.exe
2804	@[email protected]
3576	taskse.exe
4360	BackgroundTransferHost.exe
3968	taskdl.exe
316	taskse.exe
2852	@[email protected]
4452	taskdl.exe

Loads dropped DLL 8 IoCs

Processes:

taskhsvc.exe

pid process

1980 taskhsvc.exe
1980 taskhsvc.exe
1980 taskhsvc.exe
1980 taskhsvc.exe
1980 taskhsvc.exe
1980 taskhsvc.exe
1980 taskhsvc.exe
1980 taskhsvc.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

764 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1980	taskhsvc.exe
1980	taskhsvc.exe
1980	taskhsvc.exe
1980	taskhsvc.exe
1980	taskhsvc.exe
1980	taskhsvc.exe
1980	taskhsvc.exe
1980	taskhsvc.exe

pid	process
764	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xsnyluiav827 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""	reg.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2536 reg.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

taskhsvc.exe

pid process

1980 taskhsvc.exe
1980 taskhsvc.exe
1980 taskhsvc.exe
1980 taskhsvc.exe
1980 taskhsvc.exe
1980 taskhsvc.exe

pid	process
2536	reg.exe

pid	process
1980	taskhsvc.exe
1980	taskhsvc.exe
1980	taskhsvc.exe
1980	taskhsvc.exe
1980	taskhsvc.exe
1980	taskhsvc.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

Processes:

WMIC.exevssvc.exetaskse.exetaskse.exetaskse.exetaskse.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4592	WMIC.exe
Token: SeSecurityPrivilege	4592	WMIC.exe
Token: SeTakeOwnershipPrivilege	4592	WMIC.exe
Token: SeLoadDriverPrivilege	4592	WMIC.exe
Token: SeSystemProfilePrivilege	4592	WMIC.exe
Token: SeSystemtimePrivilege	4592	WMIC.exe
Token: SeProfSingleProcessPrivilege	4592	WMIC.exe
Token: SeIncBasePriorityPrivilege	4592	WMIC.exe
Token: SeCreatePagefilePrivilege	4592	WMIC.exe
Token: SeBackupPrivilege	4592	WMIC.exe
Token: SeRestorePrivilege	4592	WMIC.exe
Token: SeShutdownPrivilege	4592	WMIC.exe
Token: SeDebugPrivilege	4592	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4592	WMIC.exe
Token: SeRemoteShutdownPrivilege	4592	WMIC.exe
Token: SeUndockPrivilege	4592	WMIC.exe
Token: SeManageVolumePrivilege	4592	WMIC.exe
Token: 33	4592	WMIC.exe
Token: 34	4592	WMIC.exe
Token: 35	4592	WMIC.exe
Token: 36	4592	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4592	WMIC.exe
Token: SeSecurityPrivilege	4592	WMIC.exe
Token: SeTakeOwnershipPrivilege	4592	WMIC.exe
Token: SeLoadDriverPrivilege	4592	WMIC.exe
Token: SeSystemProfilePrivilege	4592	WMIC.exe
Token: SeSystemtimePrivilege	4592	WMIC.exe
Token: SeProfSingleProcessPrivilege	4592	WMIC.exe
Token: SeIncBasePriorityPrivilege	4592	WMIC.exe
Token: SeCreatePagefilePrivilege	4592	WMIC.exe
Token: SeBackupPrivilege	4592	WMIC.exe
Token: SeRestorePrivilege	4592	WMIC.exe
Token: SeShutdownPrivilege	4592	WMIC.exe
Token: SeDebugPrivilege	4592	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4592	WMIC.exe
Token: SeRemoteShutdownPrivilege	4592	WMIC.exe
Token: SeUndockPrivilege	4592	WMIC.exe
Token: SeManageVolumePrivilege	4592	WMIC.exe
Token: 33	4592	WMIC.exe
Token: 34	4592	WMIC.exe
Token: 35	4592	WMIC.exe
Token: 36	4592	WMIC.exe
Token: SeBackupPrivilege	1216	vssvc.exe
Token: SeRestorePrivilege	1216	vssvc.exe
Token: SeAuditPrivilege	1216	vssvc.exe
Token: SeTcbPrivilege	2800	taskse.exe
Token: SeTcbPrivilege	2800	taskse.exe
Token: SeTcbPrivilege	3916	taskse.exe
Token: SeTcbPrivilege	3916	taskse.exe
Token: SeTcbPrivilege	3576	taskse.exe
Token: SeTcbPrivilege	3576	taskse.exe
Token: SeTcbPrivilege	316	taskse.exe
Token: SeTcbPrivilege	316	taskse.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

@[email protected]@[email protected]@[email protected]@[email protected]BackgroundTransferHost.exe@[email protected]

pid	process
2200	@[email protected]
2200	@[email protected]
1324	@[email protected]
1324	@[email protected]
3908	@[email protected]
3908	@[email protected]
2804	@[email protected]
4360	BackgroundTransferHost.exe
2852	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.execmd.execmd.exe@[email protected]@[email protected]cmd.execmd.exe

description	pid	process	target process
PID 3448 wrote to memory of 1236	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 3448 wrote to memory of 1236	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 3448 wrote to memory of 1236	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 3448 wrote to memory of 764	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	icacls.exe
PID 3448 wrote to memory of 764	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	icacls.exe
PID 3448 wrote to memory of 764	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	icacls.exe
PID 3448 wrote to memory of 2840	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 3448 wrote to memory of 2840	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 3448 wrote to memory of 2840	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 3448 wrote to memory of 3484	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 3448 wrote to memory of 3484	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 3448 wrote to memory of 3484	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 3484 wrote to memory of 2984	3484	cmd.exe	cscript.exe
PID 3484 wrote to memory of 2984	3484	cmd.exe	cscript.exe
PID 3484 wrote to memory of 2984	3484	cmd.exe	cscript.exe
PID 3448 wrote to memory of 1440	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 3448 wrote to memory of 1440	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 3448 wrote to memory of 1440	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 3448 wrote to memory of 2200	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 3448 wrote to memory of 2200	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 3448 wrote to memory of 2200	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 3448 wrote to memory of 4392	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 3448 wrote to memory of 4392	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 3448 wrote to memory of 4392	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 4392 wrote to memory of 1324	4392	cmd.exe	@[email protected]
PID 4392 wrote to memory of 1324	4392	cmd.exe	@[email protected]
PID 4392 wrote to memory of 1324	4392	cmd.exe	@[email protected]
PID 2200 wrote to memory of 1980	2200	@[email protected]	taskhsvc.exe
PID 2200 wrote to memory of 1980	2200	@[email protected]	taskhsvc.exe
PID 2200 wrote to memory of 1980	2200	@[email protected]	taskhsvc.exe
PID 1324 wrote to memory of 4544	1324	@[email protected]	cmd.exe
PID 1324 wrote to memory of 4544	1324	@[email protected]	cmd.exe
PID 1324 wrote to memory of 4544	1324	@[email protected]	cmd.exe
PID 4544 wrote to memory of 4592	4544	cmd.exe	WMIC.exe
PID 4544 wrote to memory of 4592	4544	cmd.exe	WMIC.exe
PID 4544 wrote to memory of 4592	4544	cmd.exe	WMIC.exe
PID 3448 wrote to memory of 1696	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 3448 wrote to memory of 1696	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 3448 wrote to memory of 1696	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 3448 wrote to memory of 2800	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskse.exe
PID 3448 wrote to memory of 2800	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskse.exe
PID 3448 wrote to memory of 2800	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskse.exe
PID 3448 wrote to memory of 3908	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 3448 wrote to memory of 3908	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 3448 wrote to memory of 3908	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 3448 wrote to memory of 4456	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 3448 wrote to memory of 4456	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 3448 wrote to memory of 4456	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 4456 wrote to memory of 2536	4456	cmd.exe	reg.exe
PID 4456 wrote to memory of 2536	4456	cmd.exe	reg.exe
PID 4456 wrote to memory of 2536	4456	cmd.exe	reg.exe
PID 3448 wrote to memory of 1676	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 3448 wrote to memory of 1676	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 3448 wrote to memory of 1676	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 3448 wrote to memory of 3916	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskse.exe
PID 3448 wrote to memory of 3916	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskse.exe
PID 3448 wrote to memory of 3916	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskse.exe
PID 3448 wrote to memory of 2804	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 3448 wrote to memory of 2804	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 3448 wrote to memory of 2804	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 3448 wrote to memory of 3576	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskse.exe
PID 3448 wrote to memory of 3576	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskse.exe
PID 3448 wrote to memory of 3576	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskse.exe
PID 3448 wrote to memory of 4360	3448	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	BackgroundTransferHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

1440 attrib.exe
1236 attrib.exe

pid	process
1440	attrib.exe
1236	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID:3448

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 251121703379790.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:3484

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- Views/modifies file attributes
PID:1440

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:764

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:1236

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
2⤵
- Suspicious use of WriteProcessMemory
PID:4392

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected] vs
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected] co
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2200

C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "xsnyluiav827" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4456

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:3908

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1696

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2804

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1676

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3576

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3968

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:316

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2852

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4452

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
1⤵
PID:2984

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "xsnyluiav827" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
1⤵
- Adds Run key to start application
- Modifies registry key
PID:2536

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@[email protected]

Filesize
36KB

MD5
e222d4897149de43ed7b96f1b9439ece

SHA1
8a8a596b502b8e967c2e6a080084d1ce2303e6ac

SHA256
ef047e0859aaabbe85e1921c06bab5a69b1b4c1659cf0a97e624fd7af590e072

SHA512
2f7d3e15d325255b7d193d091b126ce465d37b956ebcc69406dedf6c6df5f36ea38c386c0613a7adbe11ab6461c4a0e4639d418a14b823040322241dbd777acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\b.wnry

Filesize
92KB

MD5
b39041e111d47ea90939abebc1abb705

SHA1
f9fe0cab3cd499685e7c43ebfc233031e9059c40

SHA256
d7c1efa253f742b8a79bd728870c57b0d5dfe10e5046251cc14fa7b36bb24b8d

SHA512
bc4a36590c37cdc2f5ca0a03258acc2ce599f82fbe9b2e38a519beb7d630fa9dc45d1ff3e1a75afe8a2b3fde6943c735e86d12ec1bbc7930bed99b0e43776f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wnry

Filesize
780B

MD5
194d6bbc9ad722346c95e0dcb51c0a34

SHA1
3a02423d9b7ffbd2b1e733ca4c5eada46f098cc0

SHA256
24c0153832e22becc32e0abfcc70005a3169e83228d75acd7789d25dec104294

SHA512
66f65301e6d403de00b30e433d22c874e5b96dbe94e39a11ae12e604b558159bffea8b815724664d3ceff4ba6345ebc57c2314e6629fe3cdaa8638a774a5c09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wnry

Filesize
780B

MD5
383a85eab6ecda319bfddd82416fc6c2

SHA1
2a9324e1d02c3e41582bf5370043d8afeb02ba6f

SHA256
079ce1041cbffe18ff62a2b4a33711eda40f680d0b1d3b551db47e39a6390b21

SHA512
c661e0b3c175d31b365362e52d7b152267a15d59517a4bcc493329be20b23d0e4eb62d1ba80bb96447eeaf91a6901f4b34bf173b4ab6f90d4111ea97c87c1252

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_bulgarian.wnry

Filesize
36KB

MD5
dabe6917a3d8bad0771b3fcffa6755a9

SHA1
a0ed3a72244313a213f125c6a039e5cc6a07af6a

SHA256
157a8da47f2541d6a6b540ec36b1df53fcea87937653f57d1d5ad877362c55f5

SHA512
962373812be13c8c28c12737ac9cb067b27967c26a5d7a15a3cd69ebd3d16d809f4d20b2575efa022334be3e1398ff319b7fe083196dc391c674b45e578a17ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (traditional).wnry

Filesize
74KB

MD5
df8af56fbe73d2516938815dc251aaaf

SHA1
2989dc6c0423c137ca7e95c38ac8b09edec3f498

SHA256
aabe9e926ccd206e0d07e7ea5aa8c137ba80da0bddc35a8a9441547a24fcd501

SHA512
c73b456609adfe0c1d8cc538f7b559fc94dc692a9d94040dbbff70006d6d8f600c35f9c10ba0dc7d94a7964149cb46ba8aec773a3fc50b623f2801c3b42cd7bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_croatian.wnry

Filesize
5KB

MD5
c5ca964b539c45a6bc2cab1208e1a903

SHA1
37ef178f3b196c3f8bf79bcd14f23b1d57719d64

SHA256
740a85e1534501a1d88b2c7b29f40472298120be84511fb5e3ad23a789c73c95

SHA512
08cd81986f4696699b8ddf7c3345535b342ed3362d776017ebdac8949cf47ed26c2a9929df5a5bf482f446e132534640f84a3df6a307a076eac5ab5e5bf6b3c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_czech.wnry

Filesize
32KB

MD5
57d4d8b3557644c59403ca035c404790

SHA1
4eebf1e57d9ab644bccd4b54dfb1c30acc40e010

SHA256
a3e308d8211706fd71197addd93d8f2ac4064222f7cfbcd19db1ad4fa0835337

SHA512
c038713fe3c4377dc919cea6a9adb768868e39a9462936cb506c7d1f45fc1aeb774baad6e1751f075a5edcc0aef8bd6f4e473c462229e52c6baf65e34c8301dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_dutch.wnry

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_finnish.wnry

Filesize
32KB

MD5
48b8b40e16200d4440a36d8b87402c2a

SHA1
5d77b175ea34f8eafef12a375a7e0fc94ee014e7

SHA256
896684f2d551d161c1d5d6ced7ca5f73a714baec0affceb5f7d95d5113ba9428

SHA512
bbf60ab02a3e8bbeb3d059de3a24426011994f325e0b38a991da2c0595c8df34397c6b410c7275fdabbe109ef60ea16efe8512c3f2fcffd359bdea380802ca12

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
7.1MB

MD5
724f026e32164b67d74f8906a7fbaa08

SHA1
baf0d017d935692a56252af3549797ed6e270e71

SHA256
399ba5fb7bf44899ece85a1ff7f16663914b27164fae94a7bed56b20ad92fbcb

SHA512
850732f0797a4a091064ffb01ed663ebe6d828e079f55448119eaf172752ae0f240ae286c561189c0baf992c0ffbe7adcda9737b5b539695d5dc3fdb2a3c43ba

Download Submit
memory/1980-1452-0x0000000073830000-0x0000000073A4C000-memory.dmp

Filesize
2.1MB

Download
memory/1980-1454-0x0000000073BB0000-0x0000000073C32000-memory.dmp

Filesize
520KB

Download
memory/1980-1456-0x0000000073B60000-0x0000000073B82000-memory.dmp

Filesize
136KB

Download
memory/1980-1449-0x0000000073BB0000-0x0000000073C32000-memory.dmp

Filesize
520KB

Download
memory/1980-1448-0x0000000073830000-0x0000000073A4C000-memory.dmp

Filesize
2.1MB

Download
memory/1980-1447-0x0000000073AD0000-0x0000000073B52000-memory.dmp

Filesize
520KB

Download
memory/1980-1466-0x00000000002D0000-0x00000000005CE000-memory.dmp

Filesize
3.0MB

Download
memory/1980-1472-0x0000000073830000-0x0000000073A4C000-memory.dmp

Filesize
2.1MB

Download
memory/1980-1471-0x0000000073A50000-0x0000000073AC7000-memory.dmp

Filesize
476KB

Download
memory/1980-1470-0x0000000073AD0000-0x0000000073B52000-memory.dmp

Filesize
520KB

Download
memory/1980-1468-0x0000000073B90000-0x0000000073BAC000-memory.dmp

Filesize
112KB

Download
memory/1980-1467-0x0000000073BB0000-0x0000000073C32000-memory.dmp

Filesize
520KB

Download
memory/1980-1451-0x0000000073B60000-0x0000000073B82000-memory.dmp

Filesize
136KB

Download
memory/1980-1453-0x00000000002D0000-0x00000000005CE000-memory.dmp

Filesize
3.0MB

Download
memory/1980-1534-0x00000000002D0000-0x00000000005CE000-memory.dmp

Filesize
3.0MB

Download
memory/1980-1455-0x00000000002D0000-0x00000000005CE000-memory.dmp

Filesize
3.0MB

Download
memory/1980-1481-0x00000000002D0000-0x00000000005CE000-memory.dmp

Filesize
3.0MB

Download
memory/1980-1488-0x00000000002D0000-0x00000000005CE000-memory.dmp

Filesize
3.0MB

Download
memory/1980-1489-0x00000000002D0000-0x00000000005CE000-memory.dmp

Filesize
3.0MB

Download
memory/1980-1506-0x0000000073830000-0x0000000073A4C000-memory.dmp

Filesize
2.1MB

Download
memory/1980-1500-0x00000000002D0000-0x00000000005CE000-memory.dmp

Filesize
3.0MB

Download
memory/1980-1450-0x0000000073AD0000-0x0000000073B52000-memory.dmp

Filesize
520KB

Download
memory/1980-1543-0x00000000002D0000-0x00000000005CE000-memory.dmp

Filesize
3.0MB

Download
memory/1980-1557-0x0000000073830000-0x0000000073A4C000-memory.dmp

Filesize
2.1MB

Download
memory/1980-1551-0x00000000002D0000-0x00000000005CE000-memory.dmp

Filesize
3.0MB

Download
memory/1980-1558-0x00000000002D0000-0x00000000005CE000-memory.dmp

Filesize
3.0MB

Download
memory/3448-41-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download