Analysis
- max time kernel: 144s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-03-2024 18:16

Tasks
- Static task: static1
- Behavioral task behavioral1: sample WannaCry2.dll on resource win7-20240221-en
- Behavioral task behavioral2: sample WannaCry2.dll on resource win10v2004-20240226-en (the run shown in this report)

General
- Target: WannaCry2.dll
- Size: 5.0MB
- MD5: 0805cb0e64e34711530c95e58e38c11f
- SHA1: 69a8ba560ef1aad2b1bc7614c1de8ed22e19deb6
- SHA256: 773186144282a63cc3502ad10a3d8fd781a6c83eaabf06de4369b4ef96d93178
- SHA512: 92b54b1fdf484fe188659b40e14e40ce69a736ae7feb02cb8f165843a18a5d358bf76f7e383d6166961c90916563f308757b6e6ab47ac1c9da8007e33fa1ed1a
- SSDEEP: 98304:1DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:1DqPe1Cxcxk3ZAEUadzR8yc4H
Malware Config
Signatures
- Modifies firewall policy service (2 TTPs, 4 IoCs)
  mssecsvc.exe creates the SharedAccess firewall-policy exception keys (the XP-era AuthorizedApplications list format) and adds its own binary to them, i.e. the dropped executable whitelists itself:
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (mssecsvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications (mssecsvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (mssecsvc.exe)
  - Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\mssecsvc.exe = "C:\\WINDOWS\\mssecsvc.exe:*:enabled:@shell32.dll,-1" (mssecsvc.exe)
- WannaCry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3089) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (2 IoCs)
  - PID 3008 mssecsvc.exe
  - PID 4328 mssecsvc.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services (the flow-count counterpart of the host-count signature above).
- Drops file in Windows directory (2 IoCs)
  - File created: C:\WINDOWS\mssecsvc.exe by rundll32.exe
  - File created: C:\WINDOWS\tasksche.exe by mssecsvc.exe
- Program crash (1 IoC)
  - WerFault.exe (PID 2652) handling a crash of mssecsvc.exe (PID 3008)
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments. Caveat: every hit here comes from taskmgr.exe, and both taskmgr.exe instances (PIDs 632 and 1804) are children of Explorer.EXE, not of the sample, so this signature (and the FindShellTrayWindow, SendNotifyMessage and registry-class ones below) records Task Manager activity rather than sample behaviour. Each of the three operations was recorded once per instance:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
- Modifies data under HKEY_USERS (5 IoCs)
  mssecsvc.exe (the process tree attributes this to the "-m security" instance, PID 4328) writes Internet Settings zone-map values under the .DEFAULT hive:
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  - Set value (int): ...\Internet Settings\ZoneMap\IntranetName = "1"
  - Set value (int): ...\Internet Settings\ZoneMap\UNCAsIntranet = "1"
  - Set value (int): ...\Internet Settings\ZoneMap\AutoDetect = "0"
  - Set value (int): ...\Internet Settings\ZoneMap\ProxyBypass = "1"
- Modifies registry class (1 IoC)
  - Key created: \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings (taskmgr.exe)
- Suspicious behavior: EnumeratesProcesses (63 IoCs)
  - mssecsvc.exe PID 3008 (2 hits) and PID 4328 (2 hits); the remaining 59 hits are taskmgr.exe PIDs 632 and 1804
- Suspicious behavior: MapViewOfSection (64 IoCs)
  - all 64 hits from mssecsvc.exe PID 3008
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  - SeDebugPrivilege: mssecsvc.exe PID 3008
  - SeDebugPrivilege: mssecsvc.exe PID 4328
  - SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege, 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege), SeIncBasePriorityPrivilege: taskmgr.exe PID 632
  - SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege: taskmgr.exe PID 1804
- Suspicious use of FindShellTrayWindow (64 IoCs)
  - taskmgr.exe PIDs 632 and 1804 only
- Suspicious use of SendNotifyMessage (64 IoCs)
  - taskmgr.exe PIDs 632 and 1804 only
- Suspicious use of WriteProcessMemory (64 IoCs; the list is cut off at 64 entries)
  - PID 4724 rundll32.exe wrote to memory of PID 1292 rundll32.exe (3 entries)
  - PID 1292 rundll32.exe wrote to memory of PID 3008 mssecsvc.exe (3 entries)
  - PID 3008 mssecsvc.exe wrote to memory of (6 entries each): PID 612 winlogon.exe, PID 684 lsass.exe, PID 784 fontdrvhost.exe, PID 788 fontdrvhost.exe, PID 800 svchost.exe, PID 908 svchost.exe, PID 960 svchost.exe, PID 336 dwm.exe, PID 392 svchost.exe; and PID 924 svchost.exe (4 entries before the cut-off)
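The signature hits above translate directly into host-based detection logic. The following is an added example (not part of the sandbox report, and not a Triage rule) that runs four checks over a stream of constructed, Sysmon-like events: rundll32 loading a DLL from a user temp directory by export ordinal, an executable written directly into the Windows directory, execution of a file that was dropped earlier in the same session, a process adding itself to the SharedAccess AuthorizedApplications list, and fan-out to many distinct remote hosts. The event field names (event, pid, image, cmdline, target, key, value, dst_ip) are this example's own convention, the sample events are constructed to mirror the IoCs in this report, and the fan-out threshold of 100 is an arbitrary demo value (the report counted 3089 hosts; no ports are given, so none are modelled).

```python
"""Detection rules for the behaviours in the signature list above.

Added example; not part of the sandbox report. Events are constructed,
Sysmon-like dicts; the field names (event, pid, image, cmdline, target,
key, value, dst_ip) are this example's own convention.
"""
import re
from collections import defaultdict

# SharedAccess firewall exception list that mssecsvc.exe wrote to.
FIREWALL_LIST = re.compile(
    r"\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\.*"
    r"\\AuthorizedApplications\\List\\(?P<app>.+)$",
    re.IGNORECASE,
)
# rundll32 loading a DLL from a user temp directory by export ordinal (",#1").
RUNDLL_ORDINAL = re.compile(r"\\AppData\\Local\\Temp\\[^\s,]+\.dll,#\d+", re.IGNORECASE)
# Executable created directly in the Windows directory (not a subfolder).
WINDIR_EXE = re.compile(r"^C:\\Windows\\[^\\]+\.exe$", re.IGNORECASE)


def run_rules(events, fanout_threshold=100):
    """Return (rule, pid, detail) findings for one host's event stream."""
    findings = []
    dropped = set()            # lower-cased paths created during the session
    hosts = defaultdict(set)   # pid -> distinct remote hosts contacted

    for ev in events:
        kind, pid, image = ev["event"], ev["pid"], ev["image"]
        if kind == "ProcessCreate":
            cmd = ev["cmdline"]
            if image.lower().endswith("\\rundll32.exe") and RUNDLL_ORDINAL.search(cmd):
                findings.append(("rundll32_ordinal_from_temp", pid, cmd))
            if image.lower() in dropped:          # "Executes dropped EXE"
                findings.append(("executes_dropped_exe", pid, image))
        elif kind == "FileCreate":
            target = ev["target"]
            dropped.add(target.lower())
            if WINDIR_EXE.match(target):          # "Drops file in Windows directory"
                findings.append(("exe_dropped_in_windir", pid, f"{image} -> {target}"))
        elif kind == "RegistrySetValue":
            m = FIREWALL_LIST.search(ev["key"])
            if m:                                 # "Modifies firewall policy service"
                rule = "firewall_authorized_app"
                if m["app"].lower() == image.lower():
                    rule += "_self"               # the process whitelists its own binary
                findings.append((rule, pid, ev["key"]))
        elif kind == "NetworkConnect":
            hosts[pid].add(ev["dst_ip"])

    for pid, ips in hosts.items():                # "Contacts a large amount of remote hosts"
        if len(ips) >= fanout_threshold:
            findings.append(("network_fanout", pid, f"{len(ips)} distinct hosts"))
    return findings


def sample_events():
    """Constructed events that mirror the report's IoCs (not sandbox output)."""
    rundll = r"C:\Windows\SysWOW64\rundll32.exe"
    mssecsvc = r"C:\WINDOWS\mssecsvc.exe"
    events = [
        {"event": "ProcessCreate", "pid": 1292, "image": rundll,
         "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\WannaCry2.dll,#1"},
        {"event": "FileCreate", "pid": 1292, "image": rundll, "target": mssecsvc},
        {"event": "ProcessCreate", "pid": 3008, "image": mssecsvc, "cmdline": mssecsvc},
        {"event": "FileCreate", "pid": 3008, "image": mssecsvc, "target": r"C:\WINDOWS\tasksche.exe"},
        {"event": "RegistrySetValue", "pid": 3008, "image": mssecsvc,
         "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters"
                r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\mssecsvc.exe",
         "value": r"C:\WINDOWS\mssecsvc.exe:*:enabled:@shell32.dll,-1"},
    ]
    # Scan traffic: 120 distinct hosts from PID 3008 (the report counted 3089).
    events += [{"event": "NetworkConnect", "pid": 3008, "image": mssecsvc,
                "dst_ip": f"10.0.{i // 256}.{i % 256}"} for i in range(120)]
    # Benign noise: a service host talking to a handful of hosts.
    events += [{"event": "NetworkConnect", "pid": 1832,
                "image": r"C:\Windows\system32\svchost.exe", "dst_ip": f"10.0.0.{i}"}
               for i in range(5)]
    return events


if __name__ == "__main__":
    for rule, pid, detail in run_rules(sample_events()):
        print(f"{rule:28} pid={pid:<5} {detail}")
```

The "executes dropped EXE" check is a correlation, not a single-event match: it only fires because the FileCreate for C:\WINDOWS\mssecsvc.exe was seen before the ProcessCreate, which is why the rules are evaluated in event order over the whole session rather than per event. The self-whitelisting variant of the firewall rule is the higher-confidence one: a process writing its own path into the exception list is what this report shows, whereas a generic write to that key can come from legitimate installers.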
Processes (process tree; indentation reproduces the report's ⤵ depth, signature hits in brackets)
The sample's lineage is Explorer.EXE (3472) → rundll32.exe in System32 (4724) → rundll32.exe in SysWOW64 (1292; the 64-bit host re-launches the 32-bit rundll32 to load the x86 DLL, which matches the arch:x86 resource tag) → mssecsvc.exe (3008) → WerFault.exe (2652, crash handler for 3008). A second mssecsvc.exe instance (4328, started with "-m security") and a second WerFault.exe (4244, also for PID 3008) appear at the tree root with no recorded parent.
- winlogon.exe (PID 612): C:\Windows\system32\winlogon.exe, cmdline: winlogon.exe
  - fontdrvhost.exe (PID 788): "fontdrvhost.exe"
  - dwm.exe (PID 336): "dwm.exe"
- lsass.exe (PID 684): C:\Windows\system32\lsass.exe
- fontdrvhost.exe (PID 784): "fontdrvhost.exe"
- svchost.exe (PID 800): C:\Windows\system32\svchost.exe -k DcomLaunch -p
  - unsecapp.exe (PID 2896): C:\Windows\system32\wbem\unsecapp.exe -Embedding
  - DllHost.exe (PID 3788): C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - StartMenuExperienceHost.exe (PID 3876): "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  - RuntimeBroker.exe (PID 3948): C:\Windows\System32\RuntimeBroker.exe -Embedding
  - SearchApp.exe (PID 4052): "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  - RuntimeBroker.exe (PID 4168): C:\Windows\System32\RuntimeBroker.exe -Embedding
  - RuntimeBroker.exe (PID 4648): C:\Windows\System32\RuntimeBroker.exe -Embedding
  - SppExtComObj.exe (PID 4160): C:\Windows\system32\SppExtComObj.exe -Embedding
  - DllHost.exe (PID 5068): C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - TextInputHost.exe (PID 2712): "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  - wmiprvse.exe (PID 3588): C:\Windows\system32\wbem\wmiprvse.exe
  - backgroundTaskHost.exe (PID 220): "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
  - backgroundTaskHost.exe (PID 668): "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  - backgroundTaskHost.exe (PID 2176): "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  - RuntimeBroker.exe (PID 2236): C:\Windows\System32\RuntimeBroker.exe -Embedding
  - RuntimeBroker.exe (PID 3644): C:\Windows\System32\RuntimeBroker.exe -Embedding
  - rundll32.exe (PID 2044): C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- svchost.exe (PID 908): C:\Windows\system32\svchost.exe -k RPCSS -p
- svchost.exe (PID 960): C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
- svchost.exe (PID 392): C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
- svchost.exe (PID 924): C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
- svchost.exe (PID 1000): C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
- svchost.exe (PID 1076): C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  - taskhostw.exe (PID 3188): taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  - MusNotification.exe (PID 2232): C:\Windows\system32\MusNotification.exe
- svchost.exe (PID 1088): C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
- svchost.exe (PID 1096): C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
- svchost.exe (PID 1212): C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
- svchost.exe (PID 1244): C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
- svchost.exe (PID 1252): C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
- svchost.exe (PID 1372): C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
  - sihost.exe (PID 2208): sihost.exe
- svchost.exe (PID 1384): C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
- svchost.exe (PID 1404): C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
- svchost.exe (PID 1456): C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
- svchost.exe (PID 1544): C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
- svchost.exe (PID 1572): C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
- svchost.exe (PID 1644): C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
- svchost.exe (PID 1680): C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
- svchost.exe (PID 1756): C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- svchost.exe (PID 1832): C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
- svchost.exe (PID 1844): C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- svchost.exe (PID 1872): C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
- svchost.exe (PID 1880): C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
- svchost.exe (PID 2004): C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
- spoolsv.exe (PID 1820): C:\Windows\System32\spoolsv.exe
- svchost.exe (PID 2112): C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
- svchost.exe (PID 2144): C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
- svchost.exe (PID 2220): C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
- svchost.exe (PID 2276): C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
- svchost.exe (PID 2416): C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
- svchost.exe (PID 2424): C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
- svchost.exe (PID 2500): C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
- sysmon.exe (PID 2528): C:\Windows\sysmon.exe
- svchost.exe (PID 2544): C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
- svchost.exe (PID 2552): C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
- svchost.exe (PID 2636): C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
- svchost.exe (PID 780): C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- svchost.exe (PID 3252): C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
- svchost.exe (PID 3392): C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
- Explorer.EXE (PID 3472): C:\Windows\Explorer.EXE
  - rundll32.exe (PID 4724): image C:\Windows\system32\rundll32.exe, cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\WannaCry2.dll,#1
    [Suspicious use of WriteProcessMemory]
    - rundll32.exe (PID 1292): image C:\Windows\SysWOW64\rundll32.exe, cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\WannaCry2.dll,#1
      [Drops file in Windows directory; Suspicious use of WriteProcessMemory]
      - mssecsvc.exe (PID 3008): C:\WINDOWS\mssecsvc.exe
        [Modifies firewall policy service; Executes dropped EXE; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory]
        - WerFault.exe (PID 2652): C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1424
          [Program crash]
  - taskmgr.exe (PID 632): "C:\Windows\system32\taskmgr.exe" /4
    [Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage]
  - taskmgr.exe (PID 1804): "C:\Windows\system32\taskmgr.exe" /4
    [Checks SCSI registry key(s); Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage]
  - gw1gni.exe (PID 1028): "C:\Windows\System32\gw1gni.exe"
- svchost.exe (PID 3600): C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- svchost.exe (PID 3720): C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
- svchost.exe (PID 2776): C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
- svchost.exe (PID 452): C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
- svchost.exe (PID 1500): C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
- svchost.exe (PID 4912): C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
- OfficeClickToRun.exe (PID 2016): "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
- svchost.exe (PID 4880): C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
- svchost.exe (PID 2132): C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
- svchost.exe (PID 3592): C:\Windows\System32\svchost.exe -k netsvcs -p
- mssecsvc.exe (PID 4328): C:\WINDOWS\mssecsvc.exe -m security
  [Executes dropped EXE; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken]
- WerFault.exe (PID 4244): C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3008 -ip 3008
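Reports in this format flatten the process tree into lines of the form "image path" immediately followed by the command line, a single depth digit and a ⤵ marker, with the PID either inline ("PID:612") or on a later "PID:n" line after the signature tags. Recovering parent/child links from that rendering is the first step in scripting triage across many reports, so the following added example (not part of the report or of the sandbox's tooling) parses an excerpt of the tree above and rebuilds the lineage of each process from the depth markers. The excerpt constant is copied from this page; the assumption that the tree is never more than nine levels deep (so that the last digit before ⤵ is the depth and everything before it is the command line) is this example's own, as are all function names.

```python
"""Parse a flattened sandbox process tree and rebuild parent/child links.

Added example; not part of the sandbox report. Input lines look like
    C:\\Windows\\system32\\winlogon.exewinlogon.exe1⤵PID:612
i.e. image path + command line + depth digit + ⤵, with the PID inline or
on a later "PID:n" line that follows the "- <signature>" tag lines.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Greedy command line + one depth digit: in "WannaCry2.dll,#12⤵" the depth is
# the last digit before ⤵ (2) and ",#1" stays with the command line.
# Assumption: the tree is never more than nine levels deep.
HEADER = re.compile(
    r"^(?P<image>.*?\.exe)(?P<cmd>.*)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?\s*-?\s*$",
    re.IGNORECASE,
)
TAG_LINE = re.compile(r"^- (?P<tag>\S.*)$")
PID_LINE = re.compile(r"^PID:(?P<pid>\d+)")

# Excerpt of this report's tree (copied from the page, truncated to the lines
# relevant to the sample plus a few system processes).
REPORT_EXCERPT = r"""
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:612
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:336
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3472
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\WannaCry2.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:4724 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\WannaCry2.dll,#13⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe4⤵
- Modifies firewall policy service
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 14245⤵
- Program crash
PID:2652 -
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /42⤵
- Checks SCSI registry key(s)
PID:632 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
PID:4328
"""


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    depth: int
    parent: Optional[int] = None
    tags: List[str] = field(default_factory=list)


def parse_tree(text: str) -> Dict[int, Proc]:
    """Return {pid: Proc} with parent links derived from the depth markers."""
    procs: Dict[int, Proc] = {}
    stack: List[Proc] = []          # open ancestors, shallowest first
    pending: Optional[Proc] = None  # record whose PID line has not arrived yet

    def close(proc: Proc) -> None:
        while stack and stack[-1].depth >= proc.depth:
            stack.pop()
        proc.parent = stack[-1].pid if stack else None
        stack.append(proc)
        procs[proc.pid] = proc

    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            m = PID_LINE.match(line)
            if m:
                pending.pid = int(m["pid"])
                close(pending)
                pending = None
                continue
            m = TAG_LINE.match(line)
            if m:
                pending.tags.append(m["tag"].strip())
                continue
        m = HEADER.match(line)
        if m:
            proc = Proc(pid=-1, image=m["image"], cmdline=m["cmd"].strip(), depth=int(m["depth"]))
            if m["pid"]:
                proc.pid = int(m["pid"])
                close(proc)
            else:
                pending = proc
    return procs


def lineage(procs: Dict[int, Proc], pid: int) -> List[int]:
    """PIDs from the tree root down to `pid`."""
    chain: List[int] = []
    cur: Optional[int] = pid
    while cur is not None:
        chain.append(cur)
        cur = procs[cur].parent
    return chain[::-1]


def children(procs: Dict[int, Proc], pid: int) -> List[int]:
    return [p.pid for p in procs.values() if p.parent == pid]


if __name__ == "__main__":
    tree = parse_tree(REPORT_EXCERPT)
    for p in tree.values():
        print(f"{'  ' * (p.depth - 1)}{p.pid} {p.image} {p.tags}")
    print("lineage of WerFault 2652:", lineage(tree, 2652))
```

The depth stack is what turns a flat listing into a tree: each record pops every open ancestor at the same or greater depth and then attaches to whatever remains on top, which is exactly how the indentation in the rendered tree above was produced. Root-level records such as the "-m security" mssecsvc.exe instance end up with no parent, matching the report.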
MITRE ATT&CK Enterprise v15 (the TTP counts in the signature list refer to this version's technique mapping)
Downloads (files captured during the run; the report lists sizes and hashes only)
- Filesize 64KB
  MD5: d2fb266b97caff2086bf0fa74eddb6b2
  SHA1: 2f0061ce9c51b5b4fbab76b37fc6a540be7f805d
  SHA256: b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
  SHA512: c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
- Filesize 4B
  MD5: f49655f856acb8884cc0ace29216f511
  SHA1: cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
  SHA256: 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
  SHA512: 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
- Filesize 944B
  MD5: 6bd369f7c74a28194c991ed1404da30f
  SHA1: 0f8e3f8ab822c9374409fe399b6bfe5d68cbd643
  SHA256: 878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
  SHA512: 8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
- Filesize 3.6MB
  MD5: f436c9d65d3dab907fc0d5a54c360114
  SHA1: c1d5e6b69af752cdc2726e5379647bc8fb16d5ec
  SHA256: 136a4e3aebbe3264dd1dda4eabd0073bd95fd8a53002087fba0a2f2069c96e0b
  SHA512: 071198d73ce2bf5d8328ece118ee32ecdae42b251d179c43648031254cb92fda5f0a43ca6ef9ebce4f42157c9078e53f45bfcb11358cc8ec41e19637440b77f1