wannacry | 773186144282a63cc3502ad10a3d8fd781a6c83eaabf06de4369b4ef96d93178

General

Target

WannaCry2.dll
Size

5.0MB
MD5

0805cb0e64e34711530c95e58e38c11f
SHA1

69a8ba560ef1aad2b1bc7614c1de8ed22e19deb6
SHA256

773186144282a63cc3502ad10a3d8fd781a6c83eaabf06de4369b4ef96d93178
SHA512

92b54b1fdf484fe188659b40e14e40ce69a736ae7feb02cb8f165843a18a5d358bf76f7e383d6166961c90916563f308757b6e6ab47ac1c9da8007e33fa1ed1a
SSDEEP

98304:1DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:1DqPe1Cxcxk3ZAEUadzR8yc4H

Score

10^/10

wannacry discovery evasion ransomware worm

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

mssecsvc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\mssecsvc.exe = "C:\\WINDOWS\\mssecsvc.exe:*:enabled:@shell32.dll,-1"	mssecsvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	mssecsvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	mssecsvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	mssecsvc.exe

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3089) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 2 IoCs

Processes:

mssecsvc.exemssecsvc.exe

pid process

3008 mssecsvc.exe
4328 mssecsvc.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

mssecsvc.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvc.exe
File created C:\WINDOWS\mssecsvc.exe rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2652 3008 WerFault.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

pid	pid_target	process	target process
2652	3008	WerFault.exe	mssecsvc.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe

Modifies registry class 1 IoCs

Processes:

taskmgr.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings taskmgr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

Processes:

mssecsvc.exemssecsvc.exetaskmgr.exetaskmgr.exe

pid	process
3008	mssecsvc.exe
3008	mssecsvc.exe
4328	mssecsvc.exe
4328	mssecsvc.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
1804	taskmgr.exe
1804	taskmgr.exe
1804	taskmgr.exe
1804	taskmgr.exe
1804	taskmgr.exe
1804	taskmgr.exe
1804	taskmgr.exe
1804	taskmgr.exe
1804	taskmgr.exe
1804	taskmgr.exe
1804	taskmgr.exe
1804	taskmgr.exe
1804	taskmgr.exe
1804	taskmgr.exe
1804	taskmgr.exe
1804	taskmgr.exe
1804	taskmgr.exe
1804	taskmgr.exe
1804	taskmgr.exe
1804	taskmgr.exe
1804	taskmgr.exe
1804	taskmgr.exe
1804	taskmgr.exe
1804	taskmgr.exe
1804	taskmgr.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

mssecsvc.exe

pid	process
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe
3008	mssecsvc.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

mssecsvc.exemssecsvc.exetaskmgr.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	3008	mssecsvc.exe
Token: SeDebugPrivilege	4328	mssecsvc.exe
Token: SeDebugPrivilege	632	taskmgr.exe
Token: SeSystemProfilePrivilege	632	taskmgr.exe
Token: SeCreateGlobalPrivilege	632	taskmgr.exe
Token: 33	632	taskmgr.exe
Token: SeIncBasePriorityPrivilege	632	taskmgr.exe
Token: SeDebugPrivilege	1804	taskmgr.exe
Token: SeSystemProfilePrivilege	1804	taskmgr.exe
Token: SeCreateGlobalPrivilege	1804	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exetaskmgr.exe

pid	process
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
1804	taskmgr.exe
1804	taskmgr.exe
1804	taskmgr.exe
1804	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exetaskmgr.exe

pid	process
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
632	taskmgr.exe
1804	taskmgr.exe
1804	taskmgr.exe
1804	taskmgr.exe
1804	taskmgr.exe
1804	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exemssecsvc.exe

description	pid	process	target process
PID 4724 wrote to memory of 1292	4724	rundll32.exe	rundll32.exe
PID 4724 wrote to memory of 1292	4724	rundll32.exe	rundll32.exe
PID 4724 wrote to memory of 1292	4724	rundll32.exe	rundll32.exe
PID 1292 wrote to memory of 3008	1292	rundll32.exe	mssecsvc.exe
PID 1292 wrote to memory of 3008	1292	rundll32.exe	mssecsvc.exe
PID 1292 wrote to memory of 3008	1292	rundll32.exe	mssecsvc.exe
PID 3008 wrote to memory of 612	3008	mssecsvc.exe	winlogon.exe
PID 3008 wrote to memory of 612	3008	mssecsvc.exe	winlogon.exe
PID 3008 wrote to memory of 612	3008	mssecsvc.exe	winlogon.exe
PID 3008 wrote to memory of 612	3008	mssecsvc.exe	winlogon.exe
PID 3008 wrote to memory of 612	3008	mssecsvc.exe	winlogon.exe
PID 3008 wrote to memory of 612	3008	mssecsvc.exe	winlogon.exe
PID 3008 wrote to memory of 684	3008	mssecsvc.exe	lsass.exe
PID 3008 wrote to memory of 684	3008	mssecsvc.exe	lsass.exe
PID 3008 wrote to memory of 684	3008	mssecsvc.exe	lsass.exe
PID 3008 wrote to memory of 684	3008	mssecsvc.exe	lsass.exe
PID 3008 wrote to memory of 684	3008	mssecsvc.exe	lsass.exe
PID 3008 wrote to memory of 684	3008	mssecsvc.exe	lsass.exe
PID 3008 wrote to memory of 784	3008	mssecsvc.exe	fontdrvhost.exe
PID 3008 wrote to memory of 784	3008	mssecsvc.exe	fontdrvhost.exe
PID 3008 wrote to memory of 784	3008	mssecsvc.exe	fontdrvhost.exe
PID 3008 wrote to memory of 784	3008	mssecsvc.exe	fontdrvhost.exe
PID 3008 wrote to memory of 784	3008	mssecsvc.exe	fontdrvhost.exe
PID 3008 wrote to memory of 784	3008	mssecsvc.exe	fontdrvhost.exe
PID 3008 wrote to memory of 788	3008	mssecsvc.exe	fontdrvhost.exe
PID 3008 wrote to memory of 788	3008	mssecsvc.exe	fontdrvhost.exe
PID 3008 wrote to memory of 788	3008	mssecsvc.exe	fontdrvhost.exe
PID 3008 wrote to memory of 788	3008	mssecsvc.exe	fontdrvhost.exe
PID 3008 wrote to memory of 788	3008	mssecsvc.exe	fontdrvhost.exe
PID 3008 wrote to memory of 788	3008	mssecsvc.exe	fontdrvhost.exe
PID 3008 wrote to memory of 800	3008	mssecsvc.exe	svchost.exe
PID 3008 wrote to memory of 800	3008	mssecsvc.exe	svchost.exe
PID 3008 wrote to memory of 800	3008	mssecsvc.exe	svchost.exe
PID 3008 wrote to memory of 800	3008	mssecsvc.exe	svchost.exe
PID 3008 wrote to memory of 800	3008	mssecsvc.exe	svchost.exe
PID 3008 wrote to memory of 800	3008	mssecsvc.exe	svchost.exe
PID 3008 wrote to memory of 908	3008	mssecsvc.exe	svchost.exe
PID 3008 wrote to memory of 908	3008	mssecsvc.exe	svchost.exe
PID 3008 wrote to memory of 908	3008	mssecsvc.exe	svchost.exe
PID 3008 wrote to memory of 908	3008	mssecsvc.exe	svchost.exe
PID 3008 wrote to memory of 908	3008	mssecsvc.exe	svchost.exe
PID 3008 wrote to memory of 908	3008	mssecsvc.exe	svchost.exe
PID 3008 wrote to memory of 960	3008	mssecsvc.exe	svchost.exe
PID 3008 wrote to memory of 960	3008	mssecsvc.exe	svchost.exe
PID 3008 wrote to memory of 960	3008	mssecsvc.exe	svchost.exe
PID 3008 wrote to memory of 960	3008	mssecsvc.exe	svchost.exe
PID 3008 wrote to memory of 960	3008	mssecsvc.exe	svchost.exe
PID 3008 wrote to memory of 960	3008	mssecsvc.exe	svchost.exe
PID 3008 wrote to memory of 336	3008	mssecsvc.exe	dwm.exe
PID 3008 wrote to memory of 336	3008	mssecsvc.exe	dwm.exe
PID 3008 wrote to memory of 336	3008	mssecsvc.exe	dwm.exe
PID 3008 wrote to memory of 336	3008	mssecsvc.exe	dwm.exe
PID 3008 wrote to memory of 336	3008	mssecsvc.exe	dwm.exe
PID 3008 wrote to memory of 336	3008	mssecsvc.exe	dwm.exe
PID 3008 wrote to memory of 392	3008	mssecsvc.exe	svchost.exe
PID 3008 wrote to memory of 392	3008	mssecsvc.exe	svchost.exe
PID 3008 wrote to memory of 392	3008	mssecsvc.exe	svchost.exe
PID 3008 wrote to memory of 392	3008	mssecsvc.exe	svchost.exe
PID 3008 wrote to memory of 392	3008	mssecsvc.exe	svchost.exe
PID 3008 wrote to memory of 392	3008	mssecsvc.exe	svchost.exe
PID 3008 wrote to memory of 924	3008	mssecsvc.exe	svchost.exe
PID 3008 wrote to memory of 924	3008	mssecsvc.exe	svchost.exe
PID 3008 wrote to memory of 924	3008	mssecsvc.exe	svchost.exe
PID 3008 wrote to memory of 924	3008	mssecsvc.exe	svchost.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
2⤵
PID:788

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:336

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:684

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:800

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
2⤵
PID:2896

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:3788

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
2⤵
PID:3876

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:3948

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
2⤵
PID:4052

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:4168

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:4648

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
2⤵
PID:4160

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:5068

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
2⤵
PID:2712

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
2⤵
PID:3588

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
2⤵
PID:220

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
2⤵
PID:668

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
2⤵
PID:2176

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:2236

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:3644

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
2⤵
PID:2044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1076

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:3188

C:\Windows\system32\MusNotification.exe
C:\Windows\system32\MusNotification.exe
2⤵
PID:2232

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1244

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1372

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1384

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1572

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1880

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2004

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2220

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2500

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3392

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3472

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\WannaCry2.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\WannaCry2.dll,#1
3⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1292

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
4⤵
- Modifies firewall policy service
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1424
5⤵
- Program crash
PID:2652

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:632

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
2⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1804

C:\Windows\System32\gw1gni.exe
"C:\Windows\System32\gw1gni.exe"
2⤵
PID:1028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3600

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4912

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:4880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:2132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:3592

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3008 -ip 3008
1⤵
PID:4244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Network Service Discovery

2

T1046

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
f436c9d65d3dab907fc0d5a54c360114

SHA1
c1d5e6b69af752cdc2726e5379647bc8fb16d5ec

SHA256
136a4e3aebbe3264dd1dda4eabd0073bd95fd8a53002087fba0a2f2069c96e0b

SHA512
071198d73ce2bf5d8328ece118ee32ecdae42b251d179c43648031254cb92fda5f0a43ca6ef9ebce4f42157c9078e53f45bfcb11358cc8ec41e19637440b77f1

Download Submit
memory/632-35-0x00000199D2CF0000-0x00000199D2CF1000-memory.dmp

Filesize
4KB

Download
memory/632-34-0x00000199D2CF0000-0x00000199D2CF1000-memory.dmp

Filesize
4KB

Download
memory/632-30-0x00000199D2CF0000-0x00000199D2CF1000-memory.dmp

Filesize
4KB

Download
memory/632-36-0x00000199D2CF0000-0x00000199D2CF1000-memory.dmp

Filesize
4KB

Download
memory/632-37-0x00000199D2CF0000-0x00000199D2CF1000-memory.dmp

Filesize
4KB

Download
memory/632-38-0x00000199D2CF0000-0x00000199D2CF1000-memory.dmp

Filesize
4KB

Download
memory/632-39-0x00000199D2CF0000-0x00000199D2CF1000-memory.dmp

Filesize
4KB

Download
memory/632-40-0x00000199D2CF0000-0x00000199D2CF1000-memory.dmp

Filesize
4KB

Download
memory/632-28-0x00000199D2CF0000-0x00000199D2CF1000-memory.dmp

Filesize
4KB

Download
memory/632-29-0x00000199D2CF0000-0x00000199D2CF1000-memory.dmp

Filesize
4KB

Download
memory/1804-41-0x00000199C6CD0000-0x00000199C6CD1000-memory.dmp

Filesize
4KB

Download
memory/1804-42-0x00000199C6CD0000-0x00000199C6CD1000-memory.dmp

Filesize
4KB

Download
memory/1804-53-0x00000199C6CD0000-0x00000199C6CD1000-memory.dmp

Filesize
4KB

Download
memory/1804-52-0x00000199C6CD0000-0x00000199C6CD1000-memory.dmp

Filesize
4KB

Download
memory/1804-51-0x00000199C6CD0000-0x00000199C6CD1000-memory.dmp

Filesize
4KB

Download
memory/1804-50-0x00000199C6CD0000-0x00000199C6CD1000-memory.dmp

Filesize
4KB

Download
memory/1804-49-0x00000199C6CD0000-0x00000199C6CD1000-memory.dmp

Filesize
4KB

Download
memory/1804-48-0x00000199C6CD0000-0x00000199C6CD1000-memory.dmp

Filesize
4KB

Download
memory/1804-43-0x00000199C6CD0000-0x00000199C6CD1000-memory.dmp

Filesize
4KB

Download
memory/3008-13-0x000000007FE30000-0x000000007FE3C000-memory.dmp

Filesize
48KB

Download
memory/3008-6-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/3008-8-0x00000000775B3000-0x00000000775B4000-memory.dmp

Filesize
4KB

Download
memory/3008-9-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/3008-7-0x00000000775B2000-0x00000000775B3000-memory.dmp

Filesize
4KB

Download
memory/3008-12-0x000000007FE30000-0x000000007FE3C000-memory.dmp

Filesize
48KB

Download
memory/3008-15-0x00000000775B2000-0x00000000775B3000-memory.dmp

Filesize
4KB

Download
memory/3008-19-0x000000007FE30000-0x000000007FE3C000-memory.dmp

Filesize
48KB

Download
memory/3008-5-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/3008-4-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/3008-26-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/3008-14-0x000000007FE30000-0x000000007FE3C000-memory.dmp

Filesize
48KB

Download
memory/3008-16-0x00000000775B3000-0x00000000775B4000-memory.dmp

Filesize
4KB

Download
memory/3008-18-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/4328-11-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/4328-27-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads