Malware Analysis Report

2024-10-23 19:49

Sample ID 240308-mrr8msda36
Target 2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry
SHA256 7267439752d21c7856257c4a766b10d9d49301ee7207390d57025d1071bb080f
Tags
chaos evasion persistence ransomware spyware stealer
score
10/10


Analysis Overview

score
10/10

SHA256

7267439752d21c7856257c4a766b10d9d49301ee7207390d57025d1071bb080f

Threat Level: Known bad

The file 2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry was found to be: Known bad.

Malicious Activity Summary

chaos evasion persistence ransomware spyware stealer

Detects command variations typically used by ransomware

Chaos family

Chaos

Detects executables containing many references to VEEAM. Observed in ransomware

Chaos Ransomware

Modifies boot configuration data using bcdedit

Renames multiple (171) files with added filename extension

Detects executables containing many references to VEEAM. Observed in ransomware

Renames multiple (162) files with added filename extension

Deletes shadow copies

Detects command variations typically used by ransomware

Disables Task Manager via registry modification

Deletes backup catalog

Drops startup file

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Adds Run key to start application

Sets desktop wallpaper using registry

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Interacts with shadow copies

Suspicious behavior: AddClipboardFormatListener

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Opens file in notepad (likely ransom note)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-08 10:42

Signatures

Chaos Ransomware

Chaos family

chaos

Detects command variations typically used by ransomware

Detects executables containing many references to VEEAM. Observed in ransomware

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-08 10:42

Reported

2024-03-08 10:45

Platform

win7-20240221-en

Max time kernel

147s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Deletes shadow copies

ransomware

Detects command variations typically used by ransomware

Detects executables containing many references to VEEAM. Observed in ransomware

Modifies boot configuration data using bcdedit

ransomware evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Renames multiple (171) files with added filename extension

ransomware

Deletes backup catalog

ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Disables Task Manager via registry modification

evasion

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateTask = "C:\\Users\\Admin\\AppData\\Roaming\\Micosoft Edge (7).exe" | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

ransomware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\x9jxuw76s.jpg" | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Opens file in notepad (likely ransom note)

ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1992 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe
PID 2672 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | C:\Windows\System32\cmd.exe
PID 2944 wrote to memory of 1512 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 2944 wrote to memory of 3052 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 2672 wrote to memory of 648 | N/A | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | C:\Windows\System32\cmd.exe
PID 648 wrote to memory of 1944 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 648 wrote to memory of 2264 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 2672 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | C:\Windows\System32\cmd.exe
PID 2128 wrote to memory of 2356 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\wbadmin.exe
PID 2672 wrote to memory of 2184 | N/A | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | C:\Windows\system32\NOTEPAD.EXE

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe"

C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe

"C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt

Network

N/A

Files

memory/1992-0-0x0000000000B40000-0x0000000000C56000-memory.dmp

memory/1992-1-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

memory/1992-2-0x000000001AFC0000-0x000000001B040000-memory.dmp

memory/1992-3-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

memory/1992-4-0x000000001AFC0000-0x000000001B040000-memory.dmp

C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe

MD5 619fc98c120d10c8b5be2215153d4b46
SHA1 72cec945d3e057ee27e9ff2b6ede6ac8ca127eb5
SHA256 7267439752d21c7856257c4a766b10d9d49301ee7207390d57025d1071bb080f
SHA512 c443c07685c63c2e9c2ef025e6ba6b4b49679acd8ee2c27fddc305e6d08182cd6647ae4b590b00d1f9c90792dcf8d5906ce3fcfa3aedb775559c29fb6e4728a9

memory/1992-11-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

memory/2672-13-0x000000001B080000-0x000000001B100000-memory.dmp

memory/2672-12-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

memory/2672-10-0x0000000000A00000-0x0000000000B16000-memory.dmp

C:\ProgramData\Adobe\Updater6\read_it.txt

MD5 f20c9e44f4ebffc60633fdda598d46df
SHA1 603231bca4cb23c096e8a9517cd62d4d1b7d087e
SHA256 c6f95cdd7ab574f945f41309157e15012a29fb998281a23c4edd378584625f10
SHA512 4446bec8f45f2251a927fae44304ecc47587f31c774ee0701090b5366c6aa3ce0197acbe52453d6348fc7e088bc62fe90e483e05847f8b6ba325849bc4c3abd5

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk

MD5 d1457b72c3fb323a2671125aef3eab5d
SHA1 5bab61eb53176449e25c2c82f172b82cb13ffb9d
SHA256 8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1
SHA512 ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

memory/2672-883-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

memory/2672-884-0x000000001B080000-0x000000001B100000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-08 10:42

Reported

2024-03-08 10:44

Platform

win10v2004-20240226-en

Max time kernel

155s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Deletes shadow copies

ransomware

Detects command variations typically used by ransomware

Detects executables containing many references to VEEAM. Observed in ransomware

Modifies boot configuration data using bcdedit

ransomware evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Renames multiple (162) files with added filename extension

ransomware

Deletes backup catalog

ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateTask = "C:\\Users\\Admin\\AppData\\Roaming\\Micosoft Edge (7).exe" | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A

Drops desktop.ini file(s)
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4068 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe
PID 4068 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe
PID 1664 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe C:\Windows\System32\cmd.exe
PID 1664 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe C:\Windows\System32\cmd.exe
PID 3724 wrote to memory of 1708 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3724 wrote to memory of 1708 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3724 wrote to memory of 432 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3724 wrote to memory of 432 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1664 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe C:\Windows\System32\cmd.exe
PID 1664 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe C:\Windows\System32\cmd.exe
PID 5096 wrote to memory of 3612 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 5096 wrote to memory of 3612 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 5096 wrote to memory of 1692 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 5096 wrote to memory of 1692 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1664 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe C:\Windows\System32\cmd.exe
PID 1664 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe C:\Windows\System32\cmd.exe
PID 1360 wrote to memory of 4736 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1360 wrote to memory of 4736 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe

"C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 6.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 191.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

memory/4068-0-0x0000000000550000-0x0000000000666000-memory.dmp

memory/4068-1-0x00007FFED75A0000-0x00007FFED8061000-memory.dmp

memory/4068-2-0x000000001B200000-0x000000001B210000-memory.dmp

memory/4068-3-0x00007FFED75A0000-0x00007FFED8061000-memory.dmp

memory/4068-4-0x000000001B200000-0x000000001B210000-memory.dmp

C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe

MD5 619fc98c120d10c8b5be2215153d4b46
SHA1 72cec945d3e057ee27e9ff2b6ede6ac8ca127eb5
SHA256 7267439752d21c7856257c4a766b10d9d49301ee7207390d57025d1071bb080f
SHA512 c443c07685c63c2e9c2ef025e6ba6b4b49679acd8ee2c27fddc305e6d08182cd6647ae4b590b00d1f9c90792dcf8d5906ce3fcfa3aedb775559c29fb6e4728a9

C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe

MD5 0fb57bcd76bab482a24e0968e7b27968
SHA1 800b817d9c1e4f03643f75c7b8d7e3c53d78a34e
SHA256 ad685ddbba928c1979c7edab398fab4b4e9964b87c2178389c7b0f16b77d9d51
SHA512 5ecf5988407595bae7597e3b4eb1752c4eb65849d7bace244dbd1cb3a305aca3f8b4b9c9f4c20967e2b88917cbb4fd8ecc600a9838557809ab82cdfdbaecf04b

memory/1664-17-0x00007FFED75A0000-0x00007FFED8061000-memory.dmp

memory/1664-18-0x0000000002370000-0x0000000002380000-memory.dmp

memory/4068-19-0x00007FFED75A0000-0x00007FFED8061000-memory.dmp

C:\Users\Admin\3D Objects\read_it.txt

MD5 f20c9e44f4ebffc60633fdda598d46df
SHA1 603231bca4cb23c096e8a9517cd62d4d1b7d087e
SHA256 c6f95cdd7ab574f945f41309157e15012a29fb998281a23c4edd378584625f10
SHA512 4446bec8f45f2251a927fae44304ecc47587f31c774ee0701090b5366c6aa3ce0197acbe52453d6348fc7e088bc62fe90e483e05847f8b6ba325849bc4c3abd5

C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk

MD5 d1457b72c3fb323a2671125aef3eab5d
SHA1 5bab61eb53176449e25c2c82f172b82cb13ffb9d
SHA256 8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1
SHA512 ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545