wannacry | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry[.]exe

Resubmissions

08-04-2024 03:16

240408-dsz57sfc87 10

Analysis

max time kernel
923s
max time network
845s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
08-04-2024 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe

Score

10^/10

wannacry persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Downloads MZ/PE file

Drops startup file 2 IoCs

Processes:

WannaCry.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD9F55.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD9F6B.tmp	WannaCry.exe

Executes dropped EXE 5 IoCs

Processes:

WannaCry.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid process

2552 WannaCry.exe
3336 !WannaDecryptor!.exe
3048 !WannaDecryptor!.exe
1608 !WannaDecryptor!.exe
1936 !WannaDecryptor!.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2552	WannaCry.exe
3336	!WannaDecryptor!.exe
3048	!WannaDecryptor!.exe
1608	!WannaDecryptor!.exe
1936	!WannaDecryptor!.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WannaCry.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

11 raw.githubusercontent.com
12 raw.githubusercontent.com
31 raw.githubusercontent.com

flow	ioc
11	raw.githubusercontent.com
12	raw.githubusercontent.com
31	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

!WannaDecryptor!.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1064 taskkill.exe
1740 taskkill.exe
5024 taskkill.exe
1752 taskkill.exe

pid	process
1064	taskkill.exe
1740	taskkill.exe
5024	taskkill.exe
1752	taskkill.exe

NTFS ADS 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 100219.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
3300	msedge.exe
3300	msedge.exe
4416	msedge.exe
4416	msedge.exe
4536	msedge.exe
4536	msedge.exe
3112	identity_helper.exe
3112	identity_helper.exe
1624	msedge.exe
1624	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4416 msedge.exe
4416 msedge.exe
4416 msedge.exe
4416 msedge.exe
4416 msedge.exe
4416 msedge.exe
4416 msedge.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1740	taskkill.exe
Token: SeDebugPrivilege	5024	taskkill.exe
Token: SeDebugPrivilege	1752	taskkill.exe
Token: SeDebugPrivilege	1064	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2092	WMIC.exe
Token: SeSecurityPrivilege	2092	WMIC.exe
Token: SeTakeOwnershipPrivilege	2092	WMIC.exe
Token: SeLoadDriverPrivilege	2092	WMIC.exe
Token: SeSystemProfilePrivilege	2092	WMIC.exe
Token: SeSystemtimePrivilege	2092	WMIC.exe
Token: SeProfSingleProcessPrivilege	2092	WMIC.exe
Token: SeIncBasePriorityPrivilege	2092	WMIC.exe
Token: SeCreatePagefilePrivilege	2092	WMIC.exe
Token: SeBackupPrivilege	2092	WMIC.exe
Token: SeRestorePrivilege	2092	WMIC.exe
Token: SeShutdownPrivilege	2092	WMIC.exe
Token: SeDebugPrivilege	2092	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2092	WMIC.exe
Token: SeRemoteShutdownPrivilege	2092	WMIC.exe
Token: SeUndockPrivilege	2092	WMIC.exe
Token: SeManageVolumePrivilege	2092	WMIC.exe
Token: 33	2092	WMIC.exe
Token: 34	2092	WMIC.exe
Token: 35	2092	WMIC.exe
Token: 36	2092	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2092	WMIC.exe
Token: SeSecurityPrivilege	2092	WMIC.exe
Token: SeTakeOwnershipPrivilege	2092	WMIC.exe
Token: SeLoadDriverPrivilege	2092	WMIC.exe
Token: SeSystemProfilePrivilege	2092	WMIC.exe
Token: SeSystemtimePrivilege	2092	WMIC.exe
Token: SeProfSingleProcessPrivilege	2092	WMIC.exe
Token: SeIncBasePriorityPrivilege	2092	WMIC.exe
Token: SeCreatePagefilePrivilege	2092	WMIC.exe
Token: SeBackupPrivilege	2092	WMIC.exe
Token: SeRestorePrivilege	2092	WMIC.exe
Token: SeShutdownPrivilege	2092	WMIC.exe
Token: SeDebugPrivilege	2092	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2092	WMIC.exe
Token: SeRemoteShutdownPrivilege	2092	WMIC.exe
Token: SeUndockPrivilege	2092	WMIC.exe
Token: SeManageVolumePrivilege	2092	WMIC.exe
Token: 33	2092	WMIC.exe
Token: 34	2092	WMIC.exe
Token: 35	2092	WMIC.exe
Token: 36	2092	WMIC.exe
Token: SeBackupPrivilege	1672	vssvc.exe
Token: SeRestorePrivilege	1672	vssvc.exe
Token: SeAuditPrivilege	1672	vssvc.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exe

pid	process
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid	process
3336	!WannaDecryptor!.exe
3336	!WannaDecryptor!.exe
3048	!WannaDecryptor!.exe
3048	!WannaDecryptor!.exe
1608	!WannaDecryptor!.exe
1608	!WannaDecryptor!.exe
1936	!WannaDecryptor!.exe
1936	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4416 wrote to memory of 3924	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 3924	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 1416	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 3300	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 3300	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 3272	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 3272	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 3272	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 3272	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 3272	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 3272	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 3272	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 3272	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 3272	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 3272	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 3272	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 3272	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 3272	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 3272	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 3272	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 3272	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 3272	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 3272	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 3272	4416	msedge.exe	msedge.exe
PID 4416 wrote to memory of 3272	4416	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd60d13cb8,0x7ffd60d13cc8,0x7ffd60d13cd8
2⤵
PID:3924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,14278278846105228689,17649660419431632329,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
2⤵
PID:1416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,14278278846105228689,17649660419431632329,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,14278278846105228689,17649660419431632329,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2596 /prefetch:8
2⤵
PID:3272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,14278278846105228689,17649660419431632329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
2⤵
PID:1336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,14278278846105228689,17649660419431632329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
2⤵
PID:4808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,14278278846105228689,17649660419431632329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
2⤵
PID:236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,14278278846105228689,17649660419431632329,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1972 /prefetch:1
2⤵
PID:4288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,14278278846105228689,17649660419431632329,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,14278278846105228689,17649660419431632329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
2⤵
PID:664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,14278278846105228689,17649660419431632329,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
2⤵
PID:1364

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,14278278846105228689,17649660419431632329,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,14278278846105228689,17649660419431632329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
2⤵
PID:4956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1904,14278278846105228689,17649660419431632329,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6044 /prefetch:8
2⤵
PID:1808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,14278278846105228689,17649660419431632329,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5672 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,14278278846105228689,17649660419431632329,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6188 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1360

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2008

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4500

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
PID:2552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 11131712546704.bat
2⤵
PID:1624

C:\Windows\SysWOW64\cscript.exe
cscript //nologo c.vbs
3⤵
PID:2580

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe f
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3336

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MSExchange*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Microsoft.Exchange.*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlserver.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlwriter.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe c
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3048

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe v
2⤵
PID:3144

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe v
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1608

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
PID:1856

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:1936

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1672

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
3b1e59e67b947d63336fe9c8a1a5cebc

SHA1
5dc7146555c05d8eb1c9680b1b5c98537dd19b91

SHA256
7fccd8c81f41a2684315ad9c86ef0861ecf1f2bf5d13050f760f52aef9b4a263

SHA512
2d9b8f574f7f669c109f7e0d9714b84798e07966341a0200baac01ed5939b611c7ff75bf1978fe06e37e813df277b092ba68051fae9ba997fd529962e2e5d7b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e10a8550dceecf34b33a98b85d5fa0b

SHA1
357ed761cbff74e7f3f75cd15074b4f7f3bcdce0

SHA256
5694744f7e6c49068383af6569df880eed386f56062933708c8716f4221cac61

SHA512
fe6815e41c7643ddb7755cc542d478814f47acea5339df0b5265d9969d02c59ece6fc61150c6c75de3f4f59b052bc2a4f58a14caa3675daeb67955b4dc416d3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
8775688af457a05866e059a378a4eeca

SHA1
63912ebaefb702bd1d8bbef50c5f4f17685c00ba

SHA256
803cb0aebe7932240dc46eab74833b770e0c90d62cfa36c1f2d183e52823a0d5

SHA512
3a919c83f4cadc540f457ca247bc962c1aaffe3813a6189f077a254078a246eb70ae880958e5b2cd3aea175726f82656016912aa04884472961ffcaf7681f3ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
579B

MD5
a7d1701142cca705f833d70023ef4e1e

SHA1
1b76853132abfcddb4fefac42bf9df5d013c9815

SHA256
6c92f51e7f056e73c407228fc280cb7ca4d00ab02674d1dda4eafd7dc9f070f7

SHA512
806b7ccb375cc6116e64a9fa15229d783615d13b54cf40251561d9b664f0925915c5375ad88f5ca8d061e01367de239c29da79adf693559af53eeb7d9b1ba1a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
bc66392429dba05ade6097fe99744bb3

SHA1
c8df8b8a4ff11c6adcd61129cce25142c4ad591d

SHA256
08f98323006700aeca68df7376167874bc573a64ecc586253ecde4756a84c498

SHA512
0dd1194b017037d20a3fee2d8f9e011c4b0d0766511d2d8444e08905a4491e2db299a3e1f13db0545216f654332211dd34610c909d6ad51e9b95426485963b88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
f74b16ec80917b3ee9bc1863f590c92a

SHA1
e1557273eb3244d2500346eb7636e189ae70c967

SHA256
3d8507f5e2d585d193e74eb1b7542a796bb99a047eb1c84e2f5d4ac414094835

SHA512
a244f7c98236ab43bf80ebdf91a8f7a816fd37fbdd4b23d40af9aabe5b58e9f7927a330cef93c59af1f533ddea633cfa878448769b7ce9f82ec21e42c969fade

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
65cf77312919934ad032d12d1c7af4dc

SHA1
33cfe518af5da4d0ee3c817914aff91e706aa034

SHA256
573c2de52ca3c4b3eb44bf23d8eba2a9bd0a76ecb17f5a9a741407b41d1bd42d

SHA512
2b79707739ab2d9623aaa6f53b3a660a24a6bd1d624f4d0856456fe69619173639269a9be090302552cb10e60448ae02023f5f3ff063f6385b93a95a8f40ae15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
d1b2ad58f9c6a6c93d3acee4be97d770

SHA1
267354139cb88e9f49c521df4623d489e682375c

SHA256
557c7a1d70dd9bd5b3baa3b31d09068d94741e908e1bd138592ef43651197cab

SHA512
35e866919d5d59275099968cec7860b7ffd45af2d85ced93bb67c9994cc98fcf91ea6f2aa30dbe3a3e6b8f013d367a0bd653e642622dbc2bf61cb54c6be76f46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
16d601a0dd2d6460e49d8a32c4476471

SHA1
26915d6bbd3ab951cb95057387f93ab29d691020

SHA256
4ac8641ada90cc14115fe0b75772a22fd7e0b1bfeb4c3c3a270265593359818e

SHA512
2c32c4b77a127b3b086febc5528e3c424596a103ceb8a0c136f38665e51623248d8c9733280e85927bc56a79e65660272731c35f8ee84ff5138ec65868056d91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f7cd.TMP
Filesize
874B

MD5
09c85d8f4c535d188e4e13195f3f64fc

SHA1
4ae30e06d9f62051d1d16905d4d8fa740e8ca9b8

SHA256
45ed519df29513c7bf648c0285c2cd6f78894ffbee6367eae84d93195b12c0f1

SHA512
599bb022774394defbc78928391675ad8cea1be6532b3964cc087b9dc379cb5cc10b23aad8ef01056b605eb09c91f36d71ced3db73f4a23e3a40a1884a123589

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
2240a864b6f3d53503e2f5e6edf18a22

SHA1
e20543e26f340c8e7d3fd15e3a00e6759814491c

SHA256
aad1a1b16e90ee4e21a61c3f2cb02a36e0db17bbc52d50807dfb0e97428d2313

SHA512
3cfdd37816a42aac785312473f768e5e036f57ce574e3bc0b0d6ab8d62be480aca098bc64121dce66fed8bbac77e8e84d5babd08586cd359917aa5b0f152c5ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
9612a05171211c46f5f33fd1a02965c2

SHA1
89a84419efa2cb101066789b8abcf0093dd46b18

SHA256
3f51305ab616ab6b4da6c44a3f958dbc44c84425488051c5d0f2c122c12fc798

SHA512
2f001ca9609d2ffe1221e8664c1a7a408441118e2ad031f37acaa9fb1e5693218eb1bb519de64a3817b6ac7c5063a7cfd70dafe5679afc5646945b4d6fb72b61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
0b9049e92046be4c614bef9931f02772

SHA1
3ffeb6be66ddfa11e7d6905681f2577674d0858a

SHA256
77a3b68a64a98cd52cd8905eff81275b236d2d74255208ae02f56afdca7c1bab

SHA512
84e6b86db54d75f6dcbf3a547fbb94f3a99181f97e1ff3c0592947befe8e8a6354924b958981cc60ff2346246bbb627a7072297c6759994f5c195f8df4a9d585

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt
Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk
Filesize
590B

MD5
d6c1f9c52850839a4db00cb8cbfe1bc3

SHA1
e7b00d8b35513b23e102003a96b38249972c932e

SHA256
0fc5f7d2e4dd50b402c984ca1832f398d4c873a9f01028795cb4420d8fc28e22

SHA512
73762734179f063af81ee650a21f01f8cfa85093a7481d08a790183729778bed68d2dec9f6c02c112d54dbbe3fbb9d072c334fd36f5b5328b22f368e7aa4f77a

Download Submit
C:\Users\Admin\Downloads\00000000.res
Filesize
136B

MD5
8e717e0dc5235781f5921c4eb8ff755b

SHA1
62cbd84ab7416b51e5e6f6048f2a105ad7af86b4

SHA256
b69f7ec6b4ea3fa8f6100d8d9155d3b003eb6846eebfc35b42b4d70a023fb671

SHA512
b0a92190b77748802ceb3a9adff0d412ab05064bbb312f567e196a505d19e9b6f33369fa3be8545d931c91b34e85f2eeb94e5b5dfe923a2b2b0b42e3bc5a6fa4

Download Submit
C:\Users\Admin\Downloads\00000000.res
Filesize
136B

MD5
0647f42644a2c5cfd2aa716580d8a2bd

SHA1
26bb2e95ae3a1ce95e8171da54ca0148daa80149

SHA256
f63e9fe5dcf23d2cea886625ef41553455e6eba4f5360fb22ee5d1fd6d112063

SHA512
433d60318e33537f16f5940e90a235f40d4e0467c64336c29f430fe30bc1b4e76b6c2385bad3db81aabdade612bc802fa9193a14be91ef8dfbc082dc4c9aa14d

Download Submit
C:\Users\Admin\Downloads\00000000.res
Filesize
136B

MD5
87bd2acac37a05bc37df7e182502bfb5

SHA1
efbe8cb854a5bb6ef02a7f02e3639f2168601fb3

SHA256
8d38a7592ebbbd3a61b89469452c31786a9e4344885a59b83e3b4f9824d6b929

SHA512
916fb5a1d5d2383d5b8e77472e5ab7555c79905981c52ea02995fb12aab3fd02653ec3bdbff07b01bfb59f205103c3fb0dbf38ae3f0a15b5e76699daed399524

Download Submit
C:\Users\Admin\Downloads\11131712546704.bat
Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 100219.crdownload
Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier
Filesize
220B

MD5
d0353be18a59dddfeb3e75dca1584590

SHA1
524ece8afd3127adbf8570e842dc280c9d7e4ea4

SHA256
e90f568fd547263e6567ef7c30548f746a3358dc4e80cc144e96277133cd2407

SHA512
f2f81a9cebbdd93ec9452ff4b2f4195c90b1a8b4281d30d826547e5a8dba3836d855769d13dd3a37f1d0bb0e6432be46bb0a312c780aa8f49698055db9669838

Download Submit
C:\Users\Admin\Downloads\c.vbs
Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry
Filesize
628B

MD5
808af086972c362fa237eda70d197221

SHA1
5139508b2e3f503447dc8445651e110e6dbe1b59

SHA256
4202fb44e51ecd663d5b2ffe1fab90a2fb973e0be33d0a2191c7140d1f99ff9c

SHA512
f130a76cb12d02048d0f33775fc512fbe78bc67be0451e07897aaeb17528e7666a4bb6690bcb86e0dd592d0009ecaa300b3456fdb8744ee12edc1dd5cb13de0c

Download Submit
C:\Users\Admin\Downloads\m.wry
Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\u.wry
Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
\??\pipe\LOCAL\crashpad_4416_IAEKHVKXERFYVYCC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2552-322-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download