Malware Analysis Report

2024-10-19 07:13

Sample ID 240316-ysqlzsba5y
Target 2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry
SHA256 3488e674a734e33410a122472c102763edb84b4184b10e041f9c774b9213bd22
Tags
chaos evasion ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3488e674a734e33410a122472c102763edb84b4184b10e041f9c774b9213bd22

Threat Level: Known bad

The file 2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry was found to be: Known bad.

Malicious Activity Summary

chaos evasion ransomware spyware stealer

Chaos family

Chaos

Chaos Ransomware

Detects command variations typically used by ransomware

Modifies boot configuration data using bcdedit

Deletes shadow copies

Detects command variations typically used by ransomware

Deletes backup catalog

Drops startup file

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

Uses Task Scheduler COM API

Modifies registry class

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-16 20:03

Signatures

Chaos Ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Chaos family

chaos

Detects command variations typically used by ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-16 20:03

Reported

2024-03-16 20:05

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Deletes shadow copies

ransomware

Detects command variations typically used by ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies boot configuration data using bcdedit

ransomware evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Deletes backup catalog

ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SatanCE.url | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Warning | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Public\Videos\Sample Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A

Sets desktop wallpaper using registry

ransomware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8lrdccchl.jpg" | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2040 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe | C:\Users\Admin\AppData\Roaming\SatanCE.exe
PID 2040 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe | C:\Users\Admin\AppData\Roaming\SatanCE.exe
PID 2040 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe | C:\Users\Admin\AppData\Roaming\SatanCE.exe
PID 2612 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | C:\Windows\System32\cmd.exe
PID 2612 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | C:\Windows\System32\cmd.exe
PID 2612 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | C:\Windows\System32\cmd.exe
PID 2884 wrote to memory of 1700 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 2884 wrote to memory of 1700 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 2884 wrote to memory of 1700 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 2884 wrote to memory of 1328 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 2884 wrote to memory of 1328 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 2884 wrote to memory of 1328 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 2612 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | C:\Windows\System32\cmd.exe
PID 2612 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | C:\Windows\System32\cmd.exe
PID 2612 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | C:\Windows\System32\cmd.exe
PID 1960 wrote to memory of 2324 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 1960 wrote to memory of 2324 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 1960 wrote to memory of 2324 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 1960 wrote to memory of 1672 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 1960 wrote to memory of 1672 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 1960 wrote to memory of 1672 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 2612 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | C:\Windows\System32\cmd.exe
PID 2612 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | C:\Windows\System32\cmd.exe
PID 2612 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | C:\Windows\System32\cmd.exe
PID 1620 wrote to memory of 1524 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\wbadmin.exe
PID 1620 wrote to memory of 1524 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\wbadmin.exe
PID 1620 wrote to memory of 1524 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\wbadmin.exe
PID 2612 wrote to memory of 480 | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | C:\Windows\system32\rundll32.exe
PID 2612 wrote to memory of 480 | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | C:\Windows\system32\rundll32.exe
PID 2612 wrote to memory of 480 | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | C:\Windows\system32\rundll32.exe
PID 480 wrote to memory of 1072 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 480 wrote to memory of 1072 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 480 wrote to memory of 1072 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 480 wrote to memory of 1072 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe"

C:\Users\Admin\AppData\Roaming\SatanCE.exe

"C:\Users\Admin\AppData\Roaming\SatanCE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\Warning

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Warning"

Network

N/A

Files

memory/2040-0-0x0000000000070000-0x00000000000AE000-memory.dmp

memory/2040-1-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

C:\Users\Admin\AppData\Roaming\SatanCE.exe

MD5 6c5819190ff74ba8dcaa64b57e1eb8f7
SHA1 7573ab29469e9d182f56d0b13c1dae41e9184526
SHA256 3488e674a734e33410a122472c102763edb84b4184b10e041f9c774b9213bd22
SHA512 f9dcb598f6ebc883239280166e6e733fc81275372574ce1017c5e89c6970701b543dd0282569755a7882d7beb64142ccb5e3e252ad8126b914b44620106c346f

memory/2612-8-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

memory/2040-7-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

memory/2612-9-0x0000000000AA0000-0x0000000000ADE000-memory.dmp

memory/2612-14-0x000000001ADF0000-0x000000001AE70000-memory.dmp

C:\Users\Admin\Documents\Warning

MD5 c75b56f95828f12ebac6712cd64faefa
SHA1 3c5f44d61ef38a8707270adf1ddcde28dc9a25f6
SHA256 f6386967312097f6e26419438d6c5ff6d399d624f9099956a49e4e305417fdc2
SHA512 07f014a78c6b73fb7f0205a55cb390f525c7b622316b2adc32e8d3545ed9b052915cbfb5b1a7f4d498d279eb818143960f44b013e6152ef3304f5b9f3adaea56

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 a276112589b604930639f871cf8594c0
SHA1 ea24e12b3a5a851b4e4615e2e2266543795bf006
SHA256 27406ee832e808f5375d1cc5a323dc3bed9440f4c77e9444732bcecebe1fed60
SHA512 f7c7ad7f3b0ca49c7d896eede512d3a761565a09a8d55353384b52493aa091c7a3c495ddd434683132f076e5de0dc92362e6c5d049d90339f1a4b01234884e9c

memory/2612-470-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

memory/2612-471-0x000000001ADF0000-0x000000001AE70000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-16 20:03

Reported

2024-03-16 20:05

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Deletes shadow copies

ransomware

Detects command variations typically used by ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies boot configuration data using bcdedit

ransomware evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Deletes backup catalog

ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SatanCE.url | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Warning | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-275798769-4264537674-1142822080-1000\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A

Sets desktop wallpaper using registry

ransomware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\m6o3ucb2d.jpg" | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A

Interacts with shadow copies

ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\SatanCE.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SatanCE.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3492 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe C:\Users\Admin\AppData\Roaming\SatanCE.exe
PID 700 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Roaming\SatanCE.exe C:\Windows\System32\cmd.exe
PID 3664 wrote to memory of 4904 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3664 wrote to memory of 4508 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 700 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Roaming\SatanCE.exe C:\Windows\System32\cmd.exe
PID 2432 wrote to memory of 4016 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2432 wrote to memory of 3844 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 700 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Roaming\SatanCE.exe C:\Windows\System32\cmd.exe
PID 4972 wrote to memory of 4652 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-16_6c5819190ff74ba8dcaa64b57e1eb8f7_wannacry.exe"

C:\Users\Admin\AppData\Roaming\SatanCE.exe

"C:\Users\Admin\AppData\Roaming\SatanCE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 5.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 32.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 56.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 51.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/3492-0-0x0000000000980000-0x00000000009BE000-memory.dmp

memory/3492-1-0x00007FFAFE2F0000-0x00007FFAFEDB1000-memory.dmp

C:\Users\Admin\AppData\Roaming\SatanCE.exe

MD5 6c5819190ff74ba8dcaa64b57e1eb8f7
SHA1 7573ab29469e9d182f56d0b13c1dae41e9184526
SHA256 3488e674a734e33410a122472c102763edb84b4184b10e041f9c774b9213bd22
SHA512 f9dcb598f6ebc883239280166e6e733fc81275372574ce1017c5e89c6970701b543dd0282569755a7882d7beb64142ccb5e3e252ad8126b914b44620106c346f

memory/700-14-0x00007FFAFE2F0000-0x00007FFAFEDB1000-memory.dmp

memory/3492-15-0x00007FFAFE2F0000-0x00007FFAFEDB1000-memory.dmp

memory/700-20-0x0000000000FF0000-0x0000000001000000-memory.dmp

C:\Users\Admin\Documents\Warning

MD5 c75b56f95828f12ebac6712cd64faefa
SHA1 3c5f44d61ef38a8707270adf1ddcde28dc9a25f6
SHA256 f6386967312097f6e26419438d6c5ff6d399d624f9099956a49e4e305417fdc2
SHA512 07f014a78c6b73fb7f0205a55cb390f525c7b622316b2adc32e8d3545ed9b052915cbfb5b1a7f4d498d279eb818143960f44b013e6152ef3304f5b9f3adaea56

memory/700-424-0x00007FFAFE2F0000-0x00007FFAFEDB1000-memory.dmp

memory/700-425-0x0000000000FF0000-0x0000000001000000-memory.dmp