Analysis Overview
SHA256
7267439752d21c7856257c4a766b10d9d49301ee7207390d57025d1071bb080f
Threat Level: Known bad
The file 2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry was found to be: Known bad.
Malicious Activity Summary
Detects command variations typically used by ransomware
Chaos family
Chaos
Detects executables containing many references to VEEAM. Observed in ransomware
Chaos Ransomware
Modifies boot configuration data using bcdedit
Renames multiple (171) files with added filename extension
Detects executables containing many references to VEEAM. Observed in ransomware
Renames multiple (162) files with added filename extension
Deletes shadow copies
Detects command variations typically used by ransomware
Disables Task Manager via registry modification
Deletes backup catalog
Drops startup file
Executes dropped EXE
Checks computer location settings
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Adds Run key to start application
Sets desktop wallpaper using registry
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Interacts with shadow copies
Suspicious behavior: AddClipboardFormatListener
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Opens file in notepad (likely ransom note)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-08 10:42
Signatures
Chaos Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Chaos family
Detects command variations typically used by ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables containing many references to VEEAM. Observed in ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-08 10:42
Reported
2024-03-08 10:45
Platform
win7-20240221-en
Max time kernel
147s
Max time network
139s
Command Line
Signatures
Chaos
Chaos Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes shadow copies
Detects command variations typically used by ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing many references to VEEAM. Observed in ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Renames multiple (171) files with added filename extension
Deletes backup catalog
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
Disables Task Manager via registry modification
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateTask = "C:\\Users\\Admin\\AppData\\Roaming\\Micosoft Edge (7).exe" | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\EESAQ4EF\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JF3RETYF\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2ZOR7ZBA\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Public\Videos\Sample Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\1K3UA1EK\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\28B1FXQD\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Public\Recorded TV\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S270D3YO\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Public\Recorded TV\Sample Media\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1650401615-1019878084-3673944445-1000\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T0AT35Q2\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\x9jxuw76s.jpg" | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe"
C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe
"C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
Network
Files
memory/1992-0-0x0000000000B40000-0x0000000000C56000-memory.dmp
memory/1992-1-0x000007FEF5970000-0x000007FEF635C000-memory.dmp
memory/1992-2-0x000000001AFC0000-0x000000001B040000-memory.dmp
memory/1992-3-0x000007FEF5970000-0x000007FEF635C000-memory.dmp
memory/1992-4-0x000000001AFC0000-0x000000001B040000-memory.dmp
C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe
| MD5 | 619fc98c120d10c8b5be2215153d4b46 |
| SHA1 | 72cec945d3e057ee27e9ff2b6ede6ac8ca127eb5 |
| SHA256 | 7267439752d21c7856257c4a766b10d9d49301ee7207390d57025d1071bb080f |
| SHA512 | c443c07685c63c2e9c2ef025e6ba6b4b49679acd8ee2c27fddc305e6d08182cd6647ae4b590b00d1f9c90792dcf8d5906ce3fcfa3aedb775559c29fb6e4728a9 |
memory/1992-11-0x000007FEF5970000-0x000007FEF635C000-memory.dmp
memory/2672-13-0x000000001B080000-0x000000001B100000-memory.dmp
memory/2672-12-0x000007FEF5970000-0x000007FEF635C000-memory.dmp
memory/2672-10-0x0000000000A00000-0x0000000000B16000-memory.dmp
C:\ProgramData\Adobe\Updater6\read_it.txt
| MD5 | f20c9e44f4ebffc60633fdda598d46df |
| SHA1 | 603231bca4cb23c096e8a9517cd62d4d1b7d087e |
| SHA256 | c6f95cdd7ab574f945f41309157e15012a29fb998281a23c4edd378584625f10 |
| SHA512 | 4446bec8f45f2251a927fae44304ecc47587f31c774ee0701090b5366c6aa3ce0197acbe52453d6348fc7e088bc62fe90e483e05847f8b6ba325849bc4c3abd5 |
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk
| MD5 | d1457b72c3fb323a2671125aef3eab5d |
| SHA1 | 5bab61eb53176449e25c2c82f172b82cb13ffb9d |
| SHA256 | 8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1 |
| SHA512 | ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0 |
memory/2672-883-0x000007FEF5970000-0x000007FEF635C000-memory.dmp
memory/2672-884-0x000000001B080000-0x000000001B100000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-08 10:42
Reported
2024-03-08 10:44
Platform
win10v2004-20240226-en
Max time kernel
155s
Max time network
151s
Command Line
Signatures
Chaos
Chaos Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes shadow copies
Detects command variations typically used by ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing many references to VEEAM. Observed in ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Renames multiple (162) files with added filename extension
Deletes backup catalog
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
Disables Task Manager via registry modification
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateTask = "C:\\Users\\Admin\\AppData\\Roaming\\Micosoft Edge (7).exe" | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe
"C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 6.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 191.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
Files
memory/4068-0-0x0000000000550000-0x0000000000666000-memory.dmp
memory/4068-1-0x00007FFED75A0000-0x00007FFED8061000-memory.dmp
memory/4068-2-0x000000001B200000-0x000000001B210000-memory.dmp
memory/4068-3-0x00007FFED75A0000-0x00007FFED8061000-memory.dmp
memory/4068-4-0x000000001B200000-0x000000001B210000-memory.dmp
C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe
| MD5 | 619fc98c120d10c8b5be2215153d4b46 |
| SHA1 | 72cec945d3e057ee27e9ff2b6ede6ac8ca127eb5 |
| SHA256 | 7267439752d21c7856257c4a766b10d9d49301ee7207390d57025d1071bb080f |
| SHA512 | c443c07685c63c2e9c2ef025e6ba6b4b49679acd8ee2c27fddc305e6d08182cd6647ae4b590b00d1f9c90792dcf8d5906ce3fcfa3aedb775559c29fb6e4728a9 |
C:\Users\Admin\AppData\Roaming\Micosoft Edge (7).exe
| MD5 | 0fb57bcd76bab482a24e0968e7b27968 |
| SHA1 | 800b817d9c1e4f03643f75c7b8d7e3c53d78a34e |
| SHA256 | ad685ddbba928c1979c7edab398fab4b4e9964b87c2178389c7b0f16b77d9d51 |
| SHA512 | 5ecf5988407595bae7597e3b4eb1752c4eb65849d7bace244dbd1cb3a305aca3f8b4b9c9f4c20967e2b88917cbb4fd8ecc600a9838557809ab82cdfdbaecf04b |
memory/1664-17-0x00007FFED75A0000-0x00007FFED8061000-memory.dmp
memory/1664-18-0x0000000002370000-0x0000000002380000-memory.dmp
memory/4068-19-0x00007FFED75A0000-0x00007FFED8061000-memory.dmp
C:\Users\Admin\3D Objects\read_it.txt
| MD5 | f20c9e44f4ebffc60633fdda598d46df |
| SHA1 | 603231bca4cb23c096e8a9517cd62d4d1b7d087e |
| SHA256 | c6f95cdd7ab574f945f41309157e15012a29fb998281a23c4edd378584625f10 |
| SHA512 | 4446bec8f45f2251a927fae44304ecc47587f31c774ee0701090b5366c6aa3ce0197acbe52453d6348fc7e088bc62fe90e483e05847f8b6ba325849bc4c3abd5 |
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
| MD5 | d1457b72c3fb323a2671125aef3eab5d |
| SHA1 | 5bab61eb53176449e25c2c82f172b82cb13ffb9d |
| SHA256 | 8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1 |
| SHA512 | ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2024-03-08_619fc98c120d10c8b5be2215153d4b46_wannacry.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |