Analysis

max time kernel: 148s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-02-2024 14:01

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe
Resource: win10v2004-20240221-en
General

Target: https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe

Malware Config

Extracted from: C:\Users\Admin\Downloads\!Please Read Me!.txt
Family: wannacry
Wallet: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Signatures

Wannacry
WannaCry is a ransomware cryptoworm.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Downloads MZ/PE file

Drops startup file (2 IoCs)
Process: WannaCry.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD34E9.tmp | WannaCry.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD351E.tmp | WannaCry.exe

Executes dropped EXE (6 IoCs)
Processes (pid | process):
  2364 | WannaCry.exe
  220 | !WannaDecryptor!.exe
  4956 | WannaCry.exe
  3652 | !WannaDecryptor!.exe
  3388 | !WannaDecryptor!.exe
  4372 | !WannaDecryptor!.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
Process: WannaCry.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r" | WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
Network flows (flow | ioc):
  64 | raw.githubusercontent.com
  65 | raw.githubusercontent.com
  66 | raw.githubusercontent.com

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Process: !WannaDecryptor!.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" | !WannaDecryptor!.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
Process: msedge.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Kills process with taskkill (4 IoCs)
Processes (pid | process):
  1468 | taskkill.exe
  2292 | taskkill.exe
  4240 | taskkill.exe
  1012 | taskkill.exe

Modifies registry class (1 IoC)
Process: msedge.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000_Classes\Local Settings | msedge.exe

NTFS ADS (1 IoC)
Process: msedge.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 620563.crdownload:SmartScreen | msedge.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes (pid | process; identical rows collapsed with a count):
  4808 | msedge.exe (x2)
  1608 | msedge.exe (x2)
  3452 | identity_helper.exe (x2)
  3552 | msedge.exe (x2)
  1332 | msedge.exe (x4)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
Processes (pid | process): 1608 | msedge.exe (x8)

Suspicious use of AdjustPrivilegeToken (49 IoCs)
Processes (description | pid | process; identical rows collapsed with a count):
  Token: SeDebugPrivilege | 4240 | taskkill.exe
  Token: SeDebugPrivilege | 1012 | taskkill.exe
  Token: SeDebugPrivilege | 1468 | taskkill.exe
  Token: SeDebugPrivilege | 2292 | taskkill.exe
  Token: SeIncreaseQuotaPrivilege | 3076 | WMIC.exe (x2)
  Token: SeSecurityPrivilege | 3076 | WMIC.exe (x2)
  Token: SeTakeOwnershipPrivilege | 3076 | WMIC.exe (x2)
  Token: SeLoadDriverPrivilege | 3076 | WMIC.exe (x2)
  Token: SeSystemProfilePrivilege | 3076 | WMIC.exe (x2)
  Token: SeSystemtimePrivilege | 3076 | WMIC.exe (x2)
  Token: SeProfSingleProcessPrivilege | 3076 | WMIC.exe (x2)
  Token: SeIncBasePriorityPrivilege | 3076 | WMIC.exe (x2)
  Token: SeCreatePagefilePrivilege | 3076 | WMIC.exe (x2)
  Token: SeBackupPrivilege | 3076 | WMIC.exe (x2)
  Token: SeRestorePrivilege | 3076 | WMIC.exe (x2)
  Token: SeShutdownPrivilege | 3076 | WMIC.exe (x2)
  Token: SeDebugPrivilege | 3076 | WMIC.exe (x2)
  Token: SeSystemEnvironmentPrivilege | 3076 | WMIC.exe (x2)
  Token: SeRemoteShutdownPrivilege | 3076 | WMIC.exe (x2)
  Token: SeUndockPrivilege | 3076 | WMIC.exe (x2)
  Token: SeManageVolumePrivilege | 3076 | WMIC.exe (x2)
  Token: 33 | 3076 | WMIC.exe (x2)
  Token: 34 | 3076 | WMIC.exe (x2)
  Token: 35 | 3076 | WMIC.exe (x2)
  Token: 36 | 3076 | WMIC.exe (x2)
  Token: SeBackupPrivilege | 2384 | vssvc.exe
  Token: SeRestorePrivilege | 2384 | vssvc.exe
  Token: SeAuditPrivilege | 2384 | vssvc.exe

Suspicious use of FindShellTrayWindow (36 IoCs)
Processes (pid | process; identical rows collapsed with a count):
  1608 | msedge.exe (x35)
  4372 | !WannaDecryptor!.exe

Suspicious use of SendNotifyMessage (24 IoCs)
Processes (pid | process): 1608 | msedge.exe (x24)

Suspicious use of SetWindowsHookEx (8 IoCs)
Processes (pid | process; identical rows collapsed with a count):
  220 | !WannaDecryptor!.exe (x2)
  3652 | !WannaDecryptor!.exe (x2)
  3388 | !WannaDecryptor!.exe (x2)
  4372 | !WannaDecryptor!.exe (x2)

Suspicious use of WriteProcessMemory (64 IoCs)
Process: msedge.exe
  description | pid | process | target process (identical rows collapsed)
  PID 1608 wrote to memory of 1216 | 1608 | msedge.exe | msedge.exe (x2)
  PID 1608 wrote to memory of 1116 | 1608 | msedge.exe | msedge.exe (repeated)
  PID 1608 wrote to memory of 4808 | 1608 | msedge.exe | msedge.exe (x2)
  PID 1608 wrote to memory of 2120 | 1608 | msedge.exe | msedge.exe (repeated)
  All 64 rows have 1608 msedge.exe as the writer; the targets are the browser's own child processes 1216, 1116, 4808 and 2120, with most rows targeting 1116 and 2120.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

Process tree (each level of indentation is one parent/child step; signatures listed are the ones the sandbox matched for that process):

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1608)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe
  Signatures: Enumerates system info in registry; Modifies registry class; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1216)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8728846f8,0x7ff872884708,0x7ff872884718

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4808)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,12164106635775702173,13864885621952182145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
      Signatures: Suspicious behavior: EnumeratesProcesses

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1116)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,12164106635775702173,13864885621952182145,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2120)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,12164106635775702173,13864885621952182145,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3716)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12164106635775702173,13864885621952182145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4140)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12164106635775702173,13864885621952182145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1

    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4776)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,12164106635775702173,13864885621952182145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8

    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3452)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,12164106635775702173,13864885621952182145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
      Signatures: Suspicious behavior: EnumeratesProcesses

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4800)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12164106635775702173,13864885621952182145,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1144)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12164106635775702173,13864885621952182145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4992)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12164106635775702173,13864885621952182145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1368)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2220,12164106635775702173,13864885621952182145,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4000 /prefetch:8

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1812)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12164106635775702173,13864885621952182145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4604)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12164106635775702173,13864885621952182145,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3376)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2220,12164106635775702173,13864885621952182145,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6480 /prefetch:8

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4684)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12164106635775702173,13864885621952182145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3552)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2220,12164106635775702173,13864885621952182145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
      Signatures: Suspicious behavior: EnumeratesProcesses

    - C:\Users\Admin\Downloads\WannaCry.exe (PID 2364)
      Command line: "C:\Users\Admin\Downloads\WannaCry.exe"
      Signatures: Drops startup file; Executes dropped EXE; Adds Run key to start application

        - C:\Windows\SysWOW64\cmd.exe (PID 1840)
          Command line: C:\Windows\system32\cmd.exe /c 194501708610537.bat

            - C:\Windows\SysWOW64\cscript.exe (PID 3524)
              Command line: cscript //nologo c.vbs

        - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 220)
          Command line: !WannaDecryptor!.exe f
          Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx

        - C:\Windows\SysWOW64\taskkill.exe (PID 1468)
          Command line: taskkill /f /im MSExchange*
          Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

        - C:\Windows\SysWOW64\taskkill.exe (PID 2292)
          Command line: taskkill /f /im Microsoft.Exchange.*
          Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

        - C:\Windows\SysWOW64\taskkill.exe (PID 4240)
          Command line: taskkill /f /im sqlwriter.exe
          Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

        - C:\Windows\SysWOW64\taskkill.exe (PID 1012)
          Command line: taskkill /f /im sqlserver.exe
          Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

        - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 3652)
          Command line: !WannaDecryptor!.exe c
          Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx

        - C:\Windows\SysWOW64\cmd.exe (PID 444)
          Command line: cmd.exe /c start /b !WannaDecryptor!.exe v

            - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 3388)
              Command line: !WannaDecryptor!.exe v
              Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx

                - C:\Windows\SysWOW64\cmd.exe (PID 4844)
                  Command line: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

                    - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 3076)
                      Command line: wmic shadowcopy delete
                      Signatures: Suspicious use of AdjustPrivilegeToken

        - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 4372)
          Command line: !WannaDecryptor!.exe
          Signatures: Executes dropped EXE; Sets desktop wallpaper using registry; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1332)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,12164106635775702173,13864885621952182145,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5008 /prefetch:2
      Signatures: Suspicious behavior: EnumeratesProcesses

- C:\Windows\System32\CompPkgSrv.exe (PID 1348)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- C:\Windows\System32\CompPkgSrv.exe (PID 5048)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- C:\Windows\System32\rundll32.exe (PID 4328)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- C:\Users\Admin\Downloads\WannaCry.exe (PID 4956)
  Command line: "C:\Users\Admin\Downloads\WannaCry.exe"
  Signatures: Executes dropped EXE

- C:\Windows\system32\NOTEPAD.EXE (PID 2036)
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\!Please Read Me!.txt

- C:\Windows\system32\vssvc.exe (PID 2384)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads