wannacry | 283f40e9d550833bec101a24fd6fd6fbd9937ed32a51392e818ffff662a1d30a

Analysis

max time kernel
206s
max time network
189s
platform
windows7_x64
resource
win7-20231215-es
resource tags

arch:x64arch:x86image:win7-20231215-eslocale:es-esos:windows7-x64systemwindows
submitted
24-01-2024 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[email protected]
Size

3.4MB
MD5

84c82835a5d21bbcf75a61706d8ab549
SHA1

5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512

90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
SSDEEP

98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB

Score

10^/10

wannacry discovery persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Documents\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Drops startup file 1 IoCs

Processes:

[email protected]

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD209C.tmp	[email protected]

Executes dropped EXE 22 IoCs

Processes:

taskdl.exe@[email protected]@[email protected]taskhsvc.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskse.exetaskdl.exe@[email protected]taskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exe

pid	process
2604	taskdl.exe
1968	@[email protected]
2960	@[email protected]
1008	taskhsvc.exe
2008	taskdl.exe
2820	taskse.exe
1532	@[email protected]
1896	taskdl.exe
2508	taskse.exe
1192	@[email protected]
2224	taskse.exe
1236	taskdl.exe
2956	@[email protected]
1028	taskse.exe
340	@[email protected]
2912	taskdl.exe
1488	taskse.exe
1836	@[email protected]
696	taskdl.exe
1768	taskse.exe
2004	@[email protected]
2404	taskdl.exe

Loads dropped DLL 51 IoCs

Processes:

[email protected]cscript.execmd.exe@[email protected]taskhsvc.exe

pid	process
3044	[email protected]
3044	[email protected]
1552	cscript.exe
3044	[email protected]
3044	[email protected]
1764	cmd.exe
1764	cmd.exe
1968	@[email protected]
1968	@[email protected]
1008	taskhsvc.exe
1008	taskhsvc.exe
1008	taskhsvc.exe
1008	taskhsvc.exe
1008	taskhsvc.exe
1008	taskhsvc.exe
3044	[email protected]
3044	[email protected]
3044	[email protected]
3044	[email protected]
3044	[email protected]
3044	[email protected]
3044	[email protected]
3044	[email protected]
3044	[email protected]
3044	[email protected]
3044	[email protected]
3044	[email protected]
3044	[email protected]
3044	[email protected]
3044	[email protected]
3044	[email protected]
3044	[email protected]
3044	[email protected]
3044	[email protected]
3044	[email protected]
3044	[email protected]
3044	[email protected]
3044	[email protected]
3044	[email protected]
3044	[email protected]
3044	[email protected]
3044	[email protected]
3044	[email protected]
3044	[email protected]
3044	[email protected]
3044	[email protected]
3044	[email protected]
3044	[email protected]
3044	[email protected]
3044	[email protected]
3044	[email protected]

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2860 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2860	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nnzzsvcjqe067 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""	reg.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

@[email protected][email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	[email protected]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1816 vssadmin.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2704 reg.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

taskhsvc.exe

pid process

1008 taskhsvc.exe
1008 taskhsvc.exe
1008 taskhsvc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

@[email protected]

pid process

1532 @[email protected]

pid	process
1816	vssadmin.exe

pid	process
2704	reg.exe

pid	process
1008	taskhsvc.exe
1008	taskhsvc.exe
1008	taskhsvc.exe

pid	process
1532	@[email protected]

Suspicious use of AdjustPrivilegeToken 55 IoCs

Processes:

vssvc.exeWMIC.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exe

description	pid	process
Token: SeBackupPrivilege	1300	vssvc.exe
Token: SeRestorePrivilege	1300	vssvc.exe
Token: SeAuditPrivilege	1300	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2528	WMIC.exe
Token: SeSecurityPrivilege	2528	WMIC.exe
Token: SeTakeOwnershipPrivilege	2528	WMIC.exe
Token: SeLoadDriverPrivilege	2528	WMIC.exe
Token: SeSystemProfilePrivilege	2528	WMIC.exe
Token: SeSystemtimePrivilege	2528	WMIC.exe
Token: SeProfSingleProcessPrivilege	2528	WMIC.exe
Token: SeIncBasePriorityPrivilege	2528	WMIC.exe
Token: SeCreatePagefilePrivilege	2528	WMIC.exe
Token: SeBackupPrivilege	2528	WMIC.exe
Token: SeRestorePrivilege	2528	WMIC.exe
Token: SeShutdownPrivilege	2528	WMIC.exe
Token: SeDebugPrivilege	2528	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2528	WMIC.exe
Token: SeRemoteShutdownPrivilege	2528	WMIC.exe
Token: SeUndockPrivilege	2528	WMIC.exe
Token: SeManageVolumePrivilege	2528	WMIC.exe
Token: 33	2528	WMIC.exe
Token: 34	2528	WMIC.exe
Token: 35	2528	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2528	WMIC.exe
Token: SeSecurityPrivilege	2528	WMIC.exe
Token: SeTakeOwnershipPrivilege	2528	WMIC.exe
Token: SeLoadDriverPrivilege	2528	WMIC.exe
Token: SeSystemProfilePrivilege	2528	WMIC.exe
Token: SeSystemtimePrivilege	2528	WMIC.exe
Token: SeProfSingleProcessPrivilege	2528	WMIC.exe
Token: SeIncBasePriorityPrivilege	2528	WMIC.exe
Token: SeCreatePagefilePrivilege	2528	WMIC.exe
Token: SeBackupPrivilege	2528	WMIC.exe
Token: SeRestorePrivilege	2528	WMIC.exe
Token: SeShutdownPrivilege	2528	WMIC.exe
Token: SeDebugPrivilege	2528	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2528	WMIC.exe
Token: SeRemoteShutdownPrivilege	2528	WMIC.exe
Token: SeUndockPrivilege	2528	WMIC.exe
Token: SeManageVolumePrivilege	2528	WMIC.exe
Token: 33	2528	WMIC.exe
Token: 34	2528	WMIC.exe
Token: 35	2528	WMIC.exe
Token: SeTcbPrivilege	2820	taskse.exe
Token: SeTcbPrivilege	2820	taskse.exe
Token: SeTcbPrivilege	2508	taskse.exe
Token: SeTcbPrivilege	2508	taskse.exe
Token: SeTcbPrivilege	2224	taskse.exe
Token: SeTcbPrivilege	2224	taskse.exe
Token: SeTcbPrivilege	1028	taskse.exe
Token: SeTcbPrivilege	1028	taskse.exe
Token: SeTcbPrivilege	1488	taskse.exe
Token: SeTcbPrivilege	1488	taskse.exe
Token: SeTcbPrivilege	1768	taskse.exe
Token: SeTcbPrivilege	1768	taskse.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]

pid	process
1968	@[email protected]
2960	@[email protected]
2960	@[email protected]
1968	@[email protected]
1532	@[email protected]
1532	@[email protected]
1192	@[email protected]
2956	@[email protected]
340	@[email protected]
1836	@[email protected]
2004	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

[email protected]cmd.execmd.exe@[email protected]@[email protected]cmd.exe

description	pid	process	target process
PID 3044 wrote to memory of 2856	3044	[email protected]	attrib.exe
PID 3044 wrote to memory of 2856	3044	[email protected]	attrib.exe
PID 3044 wrote to memory of 2856	3044	[email protected]	attrib.exe
PID 3044 wrote to memory of 2856	3044	[email protected]	attrib.exe
PID 3044 wrote to memory of 2860	3044	[email protected]	icacls.exe
PID 3044 wrote to memory of 2860	3044	[email protected]	icacls.exe
PID 3044 wrote to memory of 2860	3044	[email protected]	icacls.exe
PID 3044 wrote to memory of 2860	3044	[email protected]	icacls.exe
PID 3044 wrote to memory of 2604	3044	[email protected]	taskdl.exe
PID 3044 wrote to memory of 2604	3044	[email protected]	taskdl.exe
PID 3044 wrote to memory of 2604	3044	[email protected]	taskdl.exe
PID 3044 wrote to memory of 2604	3044	[email protected]	taskdl.exe
PID 3044 wrote to memory of 2612	3044	[email protected]	cmd.exe
PID 3044 wrote to memory of 2612	3044	[email protected]	cmd.exe
PID 3044 wrote to memory of 2612	3044	[email protected]	cmd.exe
PID 3044 wrote to memory of 2612	3044	[email protected]	cmd.exe
PID 2612 wrote to memory of 1552	2612	cmd.exe	cscript.exe
PID 2612 wrote to memory of 1552	2612	cmd.exe	cscript.exe
PID 2612 wrote to memory of 1552	2612	cmd.exe	cscript.exe
PID 2612 wrote to memory of 1552	2612	cmd.exe	cscript.exe
PID 3044 wrote to memory of 1448	3044	[email protected]	attrib.exe
PID 3044 wrote to memory of 1448	3044	[email protected]	attrib.exe
PID 3044 wrote to memory of 1448	3044	[email protected]	attrib.exe
PID 3044 wrote to memory of 1448	3044	[email protected]	attrib.exe
PID 3044 wrote to memory of 1968	3044	[email protected]	@[email protected]
PID 3044 wrote to memory of 1968	3044	[email protected]	@[email protected]
PID 3044 wrote to memory of 1968	3044	[email protected]	@[email protected]
PID 3044 wrote to memory of 1968	3044	[email protected]	@[email protected]
PID 3044 wrote to memory of 1764	3044	[email protected]	cmd.exe
PID 3044 wrote to memory of 1764	3044	[email protected]	cmd.exe
PID 3044 wrote to memory of 1764	3044	[email protected]	cmd.exe
PID 3044 wrote to memory of 1764	3044	[email protected]	cmd.exe
PID 1764 wrote to memory of 2960	1764	cmd.exe	@[email protected]
PID 1764 wrote to memory of 2960	1764	cmd.exe	@[email protected]
PID 1764 wrote to memory of 2960	1764	cmd.exe	@[email protected]
PID 1764 wrote to memory of 2960	1764	cmd.exe	@[email protected]
PID 1968 wrote to memory of 1008	1968	@[email protected]	taskhsvc.exe
PID 1968 wrote to memory of 1008	1968	@[email protected]	taskhsvc.exe
PID 1968 wrote to memory of 1008	1968	@[email protected]	taskhsvc.exe
PID 1968 wrote to memory of 1008	1968	@[email protected]	taskhsvc.exe
PID 2960 wrote to memory of 1480	2960	@[email protected]	cmd.exe
PID 2960 wrote to memory of 1480	2960	@[email protected]	cmd.exe
PID 2960 wrote to memory of 1480	2960	@[email protected]	cmd.exe
PID 2960 wrote to memory of 1480	2960	@[email protected]	cmd.exe
PID 1480 wrote to memory of 1816	1480	cmd.exe	vssadmin.exe
PID 1480 wrote to memory of 1816	1480	cmd.exe	vssadmin.exe
PID 1480 wrote to memory of 1816	1480	cmd.exe	vssadmin.exe
PID 1480 wrote to memory of 1816	1480	cmd.exe	vssadmin.exe
PID 1480 wrote to memory of 2528	1480	cmd.exe	WMIC.exe
PID 1480 wrote to memory of 2528	1480	cmd.exe	WMIC.exe
PID 1480 wrote to memory of 2528	1480	cmd.exe	WMIC.exe
PID 1480 wrote to memory of 2528	1480	cmd.exe	WMIC.exe
PID 3044 wrote to memory of 2008	3044	[email protected]	taskdl.exe
PID 3044 wrote to memory of 2008	3044	[email protected]	taskdl.exe
PID 3044 wrote to memory of 2008	3044	[email protected]	taskdl.exe
PID 3044 wrote to memory of 2008	3044	[email protected]	taskdl.exe
PID 3044 wrote to memory of 2820	3044	[email protected]	taskse.exe
PID 3044 wrote to memory of 2820	3044	[email protected]	taskse.exe
PID 3044 wrote to memory of 2820	3044	[email protected]	taskse.exe
PID 3044 wrote to memory of 2820	3044	[email protected]	taskse.exe
PID 3044 wrote to memory of 1532	3044	[email protected]	@[email protected]
PID 3044 wrote to memory of 1532	3044	[email protected]	@[email protected]
PID 3044 wrote to memory of 1532	3044	[email protected]	@[email protected]
PID 3044 wrote to memory of 1532	3044	[email protected]	@[email protected]

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2856 attrib.exe
1448 attrib.exe

pid	process
2856	attrib.exe
1448	attrib.exe

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
1⤵
- Drops startup file
- Loads dropped DLL
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2860

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:2856

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2604

C:\Windows\SysWOW64\cmd.exe
cmd /c 19721706111635.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
- Loads dropped DLL
PID:1552

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- Views/modifies file attributes
PID:1448

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected] co
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1008

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1764

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected] vs
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2008

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nnzzsvcjqe067" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
2⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1532

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1896

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1192

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1236

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2956

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:340

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2912

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1836

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:696

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2004

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2404

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
1⤵
- Interacts with shadow copies
PID:1816

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nnzzsvcjqe067" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
1⤵
- Adds Run key to start application
- Modifies registry key
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
9dfda85072531fffb25f40c6e904d40e

SHA1
8dcf056fd296542e1f4ab3fbba0cc77dedef9ae9

SHA256
e73cb50b5081888269d559905c13aea6e15cc7b35a5ab72e0ca8efae58bf54ef

SHA512
a215ca9dd1c6d2552e3719123116915cf987d8e54efe51b539d833aff17bc8ec9fffdf84e8cc544a3958c571c0ed505ecef861636f51aced86bcfb2f1eca7750

Download Submit
C:\Users\Admin\AppData\Local\Temp\19721706111635.bat

Filesize
340B

MD5
3867f2ec82a7d77c9ffefb1aac8b7903

SHA1
06fccf19b9c498b5afa2b35da00e3ab28d56f785

SHA256
4e25c23aa5babc853889d3e1e79bb01ca7650837b250314a8d50f2e2c4b6730f

SHA512
b413994e5b9f0ecb956055c7befff14845b56bb658fd8280d3213fdfa175ff76bc56e082174f2475fdf2d1f9eff618ebfd80ee2b67c091eaf1fd9c94697da5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Filesize
916B

MD5
7d95dbff75dde982788e630e11f9e850

SHA1
fb692478078ae1a6db1d44f718561de464331c95

SHA256
afe1d5dcaec40c8d23120b0ac020de2001232adedcbc7c7375a2c8ffef958446

SHA512
308197ff6d12a43653213e6a032f231f79dd554c96e1dede648e936b33a7eefe32460b6e3b01cda18598eaeb957132956a7017f78d32f84ede132349741c0c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\LIBEAY32.dll

Filesize
24KB

MD5
dbaaf169e0361dae7ab7d384a7790bec

SHA1
c61228664ff063d8baebf13d52b5cee449357d99

SHA256
a5478e0539f478092924f06da55c1efa473a69054e449bf177b93621c1dc7d28

SHA512
a1bc375ca3b27855c9627f8d058c92043bb0a899fc8eab84c13694219902048ca735ab6446292d69671d3072a707d088c09574f75de448e85d9ee253ad79b2cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\SSLEAY32.dll

Filesize
56KB

MD5
b22f39c23c4cfd89e2382d002ce3a47d

SHA1
ec0e67a9430f0196e9a1aa84c07e01e7eaaa2779

SHA256
8faabce319e08411eb7d2704306e2997b7559d6418c1f9692e454dc6d1ce5647

SHA512
a1ea16796fb7778dd5529965f4f9a36edadbf0f95b1d1b5c66c742c7088ef2fd57fcebd06d27b9608137d8defb36fd8e012cc1ea3b7733877bfb7cdd9c0a8676

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll

Filesize
528KB

MD5
f1ece72d1f3b7c8dfc3fd387cf9882eb

SHA1
b5e87a21236be6d5efca7f7fb5e857e8da93d7e7

SHA256
5138688d36454d856182283ebab8b17dd1ae5fcd54a824034d8831625e4403e2

SHA512
7d0219a596ffeac7903173138f2e13b10b38df28f58808536f81128f66763bb1d83aef28dfcd23661e4e73b1d8817745494313e7cc1760f309c9377f4556ca55

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libgcc_s_sjlj-1.dll

Filesize
510KB

MD5
73d4823075762ee2837950726baa2af9

SHA1
ebce3532ed94ad1df43696632ab8cf8da8b9e221

SHA256
9aeccf88253d4557a90793e22414868053caaab325842c0d7acb0365e88cd53b

SHA512
8f4a65bd35ed69f331769aaf7505f76dd3c64f3fa05cf01d83431ec93a7b1331f3c818ac7008e65b6f1278d7e365ed5940c8c6b8502e77595e112f1faca558b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Filesize
554KB

MD5
cd6e42d3fe8d1977e425a1ca5e424f65

SHA1
908af8b00a291917f1716d32bc79d7bb21c58f89

SHA256
3e9d0f47e25d53cd873ba57ab4921fe4e42b1be935aef6f8c10f215cb53c0104

SHA512
fc620cf861cdfa9b52cbfdd64d7e8946f73e290f94f87bd20aa19e2d8b7833dacbbdd9a5dff4256728ea84fa9d118471fba2efd254250e15e90972f14da5ecfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Filesize
737KB

MD5
b78c093182b01660adb0ef73cbcafcc0

SHA1
afd4638f7ea8f479dd7f337f215b806baf1db9e3

SHA256
ea03a399fcec905e37340188df4a3212867d2f59b9893b6c51e6bc367ef27b2e

SHA512
14e8c4201b86975c2b7df0e47e6a616cd97be77965cd71b09f2599184cdc60272937b4b5f18ddb3c0b21b70eceb2752a3986cdc77d4d9f212c822550aa3b2f70

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\zlib1.dll

Filesize
12KB

MD5
74f2323d0c1cb33316a38267630103c8

SHA1
d9ea7ff7ed1d8aafb979f4ce1289cf7053cdea6d

SHA256
ff064dd232cc6f3fe1c468b1125781ef185b571e6aa6e063234bbeee06a8f78f

SHA512
c4dfd13ab11efe2824c1c72aeaf725a94abdaf59b0cce17a48a9c05a76c8b62f905b08a32e8c15594d669a44dc2e553563b8d28f3a5ae94bb6a4b971ecb279b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b.wnry

Filesize
374KB

MD5
b3913bb36bc2fbecd71b3b7ad9d77507

SHA1
8ded74e2e5d326b54f72f56485219d273cf34b83

SHA256
41233e610e0e8027f5bc39e4511ebe437f726603b366af1eb9b825eaeaa1b235

SHA512
2893b906ea20c7004f54ae4296022291f0604052f015301430fb6c056de4b927d5604b1f0caa408f8e6fd5caa47f86a4c6eada3f66bc61d89c5810940e943d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wnry

Filesize
780B

MD5
8124a611153cd3aceb85a7ac58eaa25d

SHA1
c1d5cd8774261d810dca9b6a8e478d01cd4995d6

SHA256
0ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e

SHA512
b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wnry

Filesize
780B

MD5
1cb01ba95fa88a954248648b6d95e607

SHA1
07f6db7f48ba4f78f8fb48dc3d49d7deb10b02a0

SHA256
ba9d8da5a32e4fc3ca31e7ec6ece7461451353ad48612cc939be4fa8a817fd88

SHA512
692196be544217eb6afd5b82cf6adcd13254f1c63b343641cc13e4df7ef59e36afc9c7cc5641eb48491257686e0800ddc0185a5ebd6896f98aec1397e292fcc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.vbs

Filesize
219B

MD5
82a1fc4089755cb0b5a498ffdd52f20f

SHA1
0a8c0da8ef0354f37241e2901cf82ec9ce6474aa

SHA256
7fbdc49f4b4ba21949eca0b16c534b4882da97e94e5ca131cec1629e60439dfa

SHA512
1573a0c7333accef2695efefe1b57cba8f8d66a0061c24420ee0a183343a9a319995267d306ee85084c95580f9855bcdf9dee559b28a200b27fc3cc353315e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_Spanish.wnry

Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.wnry

Filesize
138KB

MD5
eb2f4354c1515f315ab67773602742c5

SHA1
f4f52a2c077650c2527368027b31073f2264c93e

SHA256
5ba115cb516e02aec580cfeae93c9558a10fa450a873d78c09fa7519cf3d5ce4

SHA512
dd92866def27bc00fc699faa8387fbaa5349ddd3011436660489c6c62c0e2f994a7811ad14cdd2683c9bc5758cdcbbce46d1e1e40027894419ba2a2b81b1664e

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
158KB

MD5
147e56c367ce63d12ed1c6fa8bc74e19

SHA1
90c8bf7c69d756490e205265a8841c8202b21946

SHA256
6783069a18376a3a7fe782996658b96841d341ec31ca1d7ca012fa49912daa8a

SHA512
75e55e352a35a1d43ab959e6dc4ce5e6b8da64e720e0f540ff56eace6d83f196a8f3ee75d650fc95888c714ad92d2d542627ef39e2987c177e6b9fe156600130

Download Submit
C:\Users\Admin\Desktop\@[email protected]

Filesize
265KB

MD5
61826ac0a172f58184a759d4597f6617

SHA1
7942e36b80e7655fdeb9b13c5e57662848b8fe1e

SHA256
90303530f55925f7b6176d650c3af42f4156bbfc68f321067a15bebb1bd1e1f2

SHA512
4a47ffeee1b32ed46dd1254e9341800df14847c9b5740439beaaa108d878ed3851e0adc6ea5ce6e30c2331304a8483c8b4a7b4880400964eb8f9447ea043583f

Download Submit
C:\Users\Admin\Documents\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libeay32.dll

Filesize
846KB

MD5
615f8e0446a490d3e821cd21b268310e

SHA1
490fc1604079a9ab83a7414a34112755cd37af65

SHA256
9100f91e47278043fa69adec3dd512d82dade1da87459c0e461b7342c8b94c4b

SHA512
9a331b1c00d8af6d669b0fbf21c71399f3e85f9b5ba84bdde2d9cd0eed868e30d9772560d74887a8f0659b16128d5d3781024965cd3c612123926babc6d81c72

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll

Filesize
215KB

MD5
939330ea2676b2d9ecb270d77512a633

SHA1
6263b1942bf14a53a7a30ef27cb4205a75fa34db

SHA256
697124e0ceb88bf9d735c45071d58b637113ead8c52dc4e6c7ef22bbedaf786a

SHA512
7721cefb8d9911aaab674afa721a09e6c380379db42d43daed1b1e651f4baf78c70798f2c57a9a577e89d7bf16630891e8dc2a21a88cb469c1200f7b1fae822a

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libgcc_s_sjlj-1.dll

Filesize
62KB

MD5
a228b9ae33ff6e6e90c6ac5e3d7fe85f

SHA1
c8ee9bb81f6a3fb4c4b41669d850f33443d2d4f1

SHA256
293f7e3c69e0501de856877e4c54675f31951c9d6827dfe9bfc86dbf7446a0ff

SHA512
196b9e2c6a69877e137e14da8f0923a2627396e3ef9f8aa2539c01e25f01f20a81c310dd69b24f1a092922b6dd4881e72014ea0a1b536172f1cda2ff2de8ee99

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libssp-0.dll

Filesize
90KB

MD5
78581e243e2b41b17452da8d0b5b2a48

SHA1
eaefb59c31cf07e60a98af48c5348759586a61bb

SHA256
f28caebe9bc6aa5a72635acb4f0e24500494e306d8e8b2279e7930981281683f

SHA512
332098113ce3f75cb20dc6e09f0d7ba03f13f5e26512d9f3bee3042c51fbb01a5e4426c5e9a5308f7f805b084efc94c28fc9426ce73ab8dfee16ab39b3efe02a

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\ssleay32.dll

Filesize
16KB

MD5
2e1fe72caba71200c6fc30a3a3491329

SHA1
3367d84dd1f91c46ac0bd981f72aecea929d74bf

SHA256
9734d7974679070c4696e3e9065889f47f426db7d0ec9fac54a05b2ef757c1d3

SHA512
4ac3e4a93d1faef85dc8e27cb5603c62d9c8efc7aecf48bc661edc80529315c910222c3ce02ed9159b5071b6924d33b714deb8fffc03f967fe6ad72fc54e9e9c

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Filesize
892KB

MD5
842baf0d7bbc4927bab9c3a7872a268b

SHA1
b81f29ace4a8fdb65d661690fd308de265b4a33d

SHA256
089c98b029ef2cb5c9c7f11c6b88abd993f19ba1bf9b1d0000cf2bcc3b71e018

SHA512
95d7c8e29503fc4b280f3fafc5386eb1520960b0e582162ea0bd672a91464e2d036d83d8a0c072eff2ac81f9f023d7361c26eb4c47a171b4d075c27b4f9819ad

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Filesize
904KB

MD5
812407d6c522fbb42eb4c80b7d97bee7

SHA1
64dde6ed0090d43bdb8b2c4f51b49e5c29a775ff

SHA256
2af3837dd53b65cc18c891736fea667be538a8618c18eeff0ad93698256b6cbd

SHA512
93a100dbb03e19fbacd900d3cf38332ba1c65bf0a58d14d7268fe7637b785a57306ff7c4b4d2c08ee6fa5d8b6b983a9f6b74e2714007c54b00c56cade8a68013

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\zlib1.dll

Filesize
51KB

MD5
e0d18e0444fd70b31fb88a7f2814d11e

SHA1
f0934bec848dbedd99045006050895a6fcec1f00

SHA256
6bd31901723f3a2208c99d49867175e2ef9babf6108e36df52ac05f5f906d447

SHA512
42dcc11d4e7419895782bd08e45893ba690cb682b038a647cedcb05fcdbbbd5b6ad85b0cf17a27cad2e650338c86259584a71b00934d81440e75976c473421a0

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
memory/1008-916-0x00000000742A0000-0x00000000744BC000-memory.dmp

Filesize
2.1MB

Download
memory/1008-920-0x00000000741E0000-0x0000000074202000-memory.dmp

Filesize
136KB

Download
memory/1008-938-0x00000000011B0000-0x00000000014AE000-memory.dmp

Filesize
3.0MB

Download
memory/1008-946-0x00000000741E0000-0x0000000074202000-memory.dmp

Filesize
136KB

Download
memory/1008-945-0x0000000074210000-0x0000000074292000-memory.dmp

Filesize
520KB

Download
memory/1008-944-0x00000000742A0000-0x00000000744BC000-memory.dmp

Filesize
2.1MB

Download
memory/1008-943-0x00000000744C0000-0x0000000074537000-memory.dmp

Filesize
476KB

Download
memory/1008-942-0x00000000749C0000-0x00000000749DC000-memory.dmp

Filesize
112KB

Download
memory/1008-941-0x0000000074540000-0x00000000745C2000-memory.dmp

Filesize
520KB

Download
memory/1008-918-0x0000000074210000-0x0000000074292000-memory.dmp

Filesize
520KB

Download
memory/1008-958-0x00000000011B0000-0x00000000014AE000-memory.dmp

Filesize
3.0MB

Download
memory/1008-914-0x0000000074540000-0x00000000745C2000-memory.dmp

Filesize
520KB

Download
memory/1008-922-0x00000000011B0000-0x00000000014AE000-memory.dmp

Filesize
3.0MB

Download
memory/1008-913-0x0000000074540000-0x00000000745C2000-memory.dmp

Filesize
520KB

Download
memory/1008-921-0x00000000011B0000-0x00000000014AE000-memory.dmp

Filesize
3.0MB

Download
memory/1008-1077-0x00000000011B0000-0x00000000014AE000-memory.dmp

Filesize
3.0MB

Download
memory/1008-990-0x00000000011B0000-0x00000000014AE000-memory.dmp

Filesize
3.0MB

Download
memory/1008-1000-0x00000000011B0000-0x00000000014AE000-memory.dmp

Filesize
3.0MB

Download
memory/1008-1004-0x00000000742A0000-0x00000000744BC000-memory.dmp

Filesize
2.1MB

Download
memory/1008-1008-0x00000000011B0000-0x00000000014AE000-memory.dmp

Filesize
3.0MB

Download
memory/1008-1061-0x00000000011B0000-0x00000000014AE000-memory.dmp

Filesize
3.0MB

Download
memory/1008-1069-0x00000000011B0000-0x00000000014AE000-memory.dmp

Filesize
3.0MB

Download
memory/1008-1073-0x00000000742A0000-0x00000000744BC000-memory.dmp

Filesize
2.1MB

Download
memory/3044-39-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download