Analysis

max time kernel: 147s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-04-2024 18:56

Static task: static1
Behavioral task behavioral1: sample WannaCry.exe, resource win7-20240221-en
Behavioral task behavioral2: sample WannaCry.exe, resource win10v2004-20240226-en
General

Target: WannaCry.exe
Size: 224KB
MD5: 5c7fb0927db37372da25f270708103a2
SHA1: 120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA256: be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SHA512: a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
SSDEEP: 3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ

Malware Config

Extracted from: C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt
Family: wannacry
Wallet: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Signatures

Each signature lists its hit count (TTPs and/or IoCs) and, where the sandbox recorded them, the matching process table. Repeated identical rows are collapsed with a (×N) count; the totals equal the counts in the headings.

Suspicious use of NtCreateProcessExOtherParentProcess (2 IoCs)
  Processes (description | pid | process | target process):
    PID 1220 created 1356 | 1220 | taskmgr.exe | !WannaDecryptor!.exe  (×2)

Wannacry
  WannaCry is a ransomware cryptoworm.

Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Drops startup file (2 IoCs)
  Processes (description | ioc | process):
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD4D45.tmp | WannaCry.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD4D5B.tmp | WannaCry.exe

Executes dropped EXE (6 IoCs)
  Processes (pid | process):
    1052 | !WannaDecryptor!.exe
    3048 | !WannaDecryptor!.exe
    2988 | !WannaDecryptor!.exe
    1356 | !WannaDecryptor!.exe
    1784 | !WannaDecryptor!.exe
    2828 | !WannaDecryptor!.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WannaCry.exe\" /r" | WannaCry.exe

Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" | !WannaDecryptor!.exe  (×2)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Kills process with taskkill (4 IoCs)
  Processes (pid | process):
    3752 | taskkill.exe
    3324 | taskkill.exe
    3216 | taskkill.exe
    3080 | taskkill.exe

Modifies registry class (1 IoC)
  Processes (description | ioc | process):
    Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-275798769-4264537674-1142822080-1000\{C0592359-2C07-4F58-97F2-4BEB98F79FDA} | msedge.exe

Suspicious behavior: EnumeratesProcesses (38 IoCs)
  Processes (pid | process):
    1220 | taskmgr.exe  (×30)
    1060 | msedge.exe  (×2)
    2240 | msedge.exe  (×2)
    3752 | identity_helper.exe  (×2)
    3204 | msedge.exe  (×2)

Suspicious behavior: LoadsDriver (6 IoCs)
  Processes (pid):
    4  (×5; PID 4 is the System process)
    660

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (15 IoCs)
  Processes (pid | process):
    2240 | msedge.exe  (×15)

Suspicious use of AdjustPrivilegeToken (54 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 3324 | taskkill.exe
    Token: SeDebugPrivilege | 3752 | taskkill.exe
    Token: SeDebugPrivilege | 3216 | taskkill.exe
    Token: SeDebugPrivilege | 3080 | taskkill.exe
    Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 2356 | WMIC.exe  (this 21-privilege sequence recorded ×2)
    Token: SeBackupPrivilege | 2408 | vssvc.exe
    Token: SeRestorePrivilege | 2408 | vssvc.exe
    Token: SeAuditPrivilege | 2408 | vssvc.exe
    Token: SeDebugPrivilege | 1220 | taskmgr.exe
    Token: SeSystemProfilePrivilege | 1220 | taskmgr.exe
    Token: SeCreateGlobalPrivilege | 1220 | taskmgr.exe
    Token: 33 | 1220 | taskmgr.exe
    Token: SeIncBasePriorityPrivilege | 1220 | taskmgr.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
  Processes (pid | process):
    1356 | !WannaDecryptor!.exe
    1220 | taskmgr.exe  (×55)
    2828 | !WannaDecryptor!.exe
    2240 | msedge.exe  (×7)

Suspicious use of SendNotifyMessage (64 IoCs)
  Processes (pid | process):
    1220 | taskmgr.exe  (×55)
    2240 | msedge.exe  (×9)

Suspicious use of SetWindowsHookEx (11 IoCs)
  Processes (pid | process):
    1052 | !WannaDecryptor!.exe  (×2)
    3048 | !WannaDecryptor!.exe  (×2)
    2988 | !WannaDecryptor!.exe  (×2)
    1356 | !WannaDecryptor!.exe  (×2)
    1784 | !WannaDecryptor!.exe
    2828 | !WannaDecryptor!.exe  (×2)

Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description | pid | process | target process):
    PID 540 wrote to memory of 3808 | 540 | WannaCry.exe | cmd.exe  (×3)
    PID 3808 wrote to memory of 4592 | 3808 | cmd.exe | cscript.exe  (×3)
    PID 540 wrote to memory of 1052 | 540 | WannaCry.exe | !WannaDecryptor!.exe  (×3)
    PID 540 wrote to memory of 3752 | 540 | WannaCry.exe | taskkill.exe  (×3)
    PID 540 wrote to memory of 3080 | 540 | WannaCry.exe | taskkill.exe  (×3)
    PID 540 wrote to memory of 3216 | 540 | WannaCry.exe | taskkill.exe  (×3)
    PID 540 wrote to memory of 3324 | 540 | WannaCry.exe | taskkill.exe  (×3)
    PID 540 wrote to memory of 3048 | 540 | WannaCry.exe | !WannaDecryptor!.exe  (×3)
    PID 540 wrote to memory of 5040 | 540 | WannaCry.exe | cmd.exe  (×3)
    PID 5040 wrote to memory of 2988 | 5040 | cmd.exe | !WannaDecryptor!.exe  (×3)
    PID 540 wrote to memory of 1356 | 540 | WannaCry.exe | !WannaDecryptor!.exe  (×3)
    PID 2988 wrote to memory of 1388 | 2988 | !WannaDecryptor!.exe | cmd.exe  (×3)
    PID 1388 wrote to memory of 2356 | 1388 | cmd.exe | WMIC.exe  (×3)
    PID 540 wrote to memory of 2828 | 540 | WannaCry.exe | !WannaDecryptor!.exe  (×3)
    PID 2240 wrote to memory of 1360 | 2240 | msedge.exe | msedge.exe  (×2)
    PID 2240 wrote to memory of 3384 | 2240 | msedge.exe | msedge.exe  (×20)

Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

(Each process is nested under its parent; the bracketed number is the report's own depth marker, 1 = root.)

[1] C:\Users\Admin\AppData\Local\Temp\WannaCry.exe (PID 540)
    command: "C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe (PID 3808)
        command: C:\Windows\system32\cmd.exe /c 101131712688995.bat
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cscript.exe (PID 4592)
            command: cscript //nologo c.vbs
    [2] C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe (PID 1052)
        command: !WannaDecryptor!.exe f
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
    [2] C:\Windows\SysWOW64\taskkill.exe (PID 3752)
        command: taskkill /f /im MSExchange*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\taskkill.exe (PID 3080)
        command: taskkill /f /im Microsoft.Exchange.*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\taskkill.exe (PID 3216)
        command: taskkill /f /im sqlserver.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\taskkill.exe (PID 3324)
        command: taskkill /f /im sqlwriter.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe (PID 3048)
        command: !WannaDecryptor!.exe c
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
    [2] C:\Windows\SysWOW64\cmd.exe (PID 5040)
        command: cmd.exe /c start /b !WannaDecryptor!.exe v
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe (PID 2988)
            command: !WannaDecryptor!.exe v
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\cmd.exe (PID 1388)
                command: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2356)
                    command: wmic shadowcopy delete
                    - Suspicious use of AdjustPrivilegeToken
    [2] C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe (PID 1356)
        command: !WannaDecryptor!.exe
        - Executes dropped EXE
        - Sets desktop wallpaper using registry
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
    [2] C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe (PID 2828)
        command: !WannaDecryptor!.exe
        - Executes dropped EXE
        - Sets desktop wallpaper using registry
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx

[1] C:\Windows\system32\vssvc.exe (PID 2408)
    command: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\rundll32.exe (PID 680)
    command: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

[1] C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe (PID 1784)
    command: "C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

[1] C:\Windows\system32\taskmgr.exe (PID 1220)
    command: "C:\Windows\system32\taskmgr.exe" /4
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

[1] C:\Windows\SysWOW64\werfault.exe (PID 3460)
    command: werfault.exe /h /shared Global\3f2c173628594d388539526ae1f7f129 /t 3424 /p 1356

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2240)
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\ExpandConvertFrom.mhtml
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1360)
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd6ab146f8,0x7ffd6ab14708,0x7ffd6ab14718
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3384)
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1060)
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2460 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3732)
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4920)
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1568)
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1576)
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1572)
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3752)
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4132)
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3636)
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4508)
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2572 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3264)
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1072)
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4048)
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4620)
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5760 /prefetch:8
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3204)
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5964 /prefetch:8
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3524)
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5564)
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5860)
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5868)
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6036)
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6044)
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1

[1] C:\Windows\System32\CompPkgSrv.exe (PID 3636)
    command: C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\System32\CompPkgSrv.exe (PID 5072)
    command: C:\Windows\System32\CompPkgSrv.exe -Embedding
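The flat "wrote to memory" table above makes it hard to see that the `wmic shadowcopy delete` at depth 5 is four hops below WannaCry.exe. The following is an added example, not part of the sandbox report or of any tool it uses: it rebuilds parent/child ancestry from constructed process-creation records (the recovery-inhibition and taskkill branch of the tree above, reduced to pid/ppid/image/command line, plus one hypothetical benign control, pid 9001, that only lists shadow copies) and runs command-line rules for the behaviours the report flags as "Deletes shadow copies" and "Kills process with taskkill". Rule names and the `ProcEvent` record are this example's own, not the sandbox's.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample input mirroring the report's process tree; pid 9001 is a
# hypothetical benign control that must not fire.
EVENTS = [
    ProcEvent(540, 0, "WannaCry.exe", r'"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"'),
    ProcEvent(3808, 540, "cmd.exe", r"C:\Windows\system32\cmd.exe /c 101131712688995.bat"),
    ProcEvent(4592, 3808, "cscript.exe", "cscript //nologo c.vbs"),
    ProcEvent(3752, 540, "taskkill.exe", "taskkill /f /im MSExchange*"),
    ProcEvent(3080, 540, "taskkill.exe", "taskkill /f /im Microsoft.Exchange.*"),
    ProcEvent(3216, 540, "taskkill.exe", "taskkill /f /im sqlserver.exe"),
    ProcEvent(3324, 540, "taskkill.exe", "taskkill /f /im sqlwriter.exe"),
    ProcEvent(5040, 540, "cmd.exe", "cmd.exe /c start /b !WannaDecryptor!.exe v"),
    ProcEvent(2988, 5040, "!WannaDecryptor!.exe", "!WannaDecryptor!.exe v"),
    ProcEvent(1388, 2988, "cmd.exe",
              "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"
              " & bcdedit /set {default} bootstatuspolicy ignoreallfailures"
              " & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"),
    ProcEvent(2356, 1388, "WMIC.exe", "wmic shadowcopy delete"),
    ProcEvent(9001, 0, "vssadmin.exe", "vssadmin list shadows"),
]

# Case-insensitive rules over the command line; one hit per rule per process.
RULES = {
    "vss_delete": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "bcdedit_recovery_off": re.compile(
        r"bcdedit(\.exe)?\s+/set\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "wbadmin_catalog_delete": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "kill_db_or_mail_service": re.compile(
        r"taskkill(\.exe)?\s.*?/im\s+(msexchange|microsoft\.exchange|sql)", re.I),
}


def build_index(events):
    """Map pid -> event. Windows reuses PIDs (this report has 3752 as both a
    taskkill.exe and an identity_helper.exe), so on real telemetry key on a
    process GUID or (pid, start time) instead of the bare pid."""
    return {e.pid: e for e in events}


def ancestry(index, pid):
    """Image names from the root ancestor down to `pid`; `seen` stops the walk
    if pid reuse ever produces a cycle."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(index[pid].image)
        pid = index[pid].ppid
    return chain[::-1]


def detect(events):
    """Return (rule, pid, ancestry) for every event whose command line matches."""
    index = build_index(events)
    hits = []
    for e in events:
        for name, rx in RULES.items():
            if rx.search(e.cmdline):
                hits.append((name, e.pid, ancestry(index, e.pid)))
    return hits


if __name__ == "__main__":
    for name, pid, chain in detect(EVENTS):
        print(f"{name:24} pid={pid:<5} {' -> '.join(chain)}")
```

Matching on the command line rather than the image name is deliberate: the shadow-copy deletion here is issued by cmd.exe and WMIC.exe, both of which are legitimate on every host, and only the ancestry (WannaCry.exe -> cmd.exe -> !WannaDecryptor!.exe -> cmd.exe -> WMIC.exe) ties the hit back to the dropped sample.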
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: 1eb86108cb8f5a956fdf48efbd5d06fe
  SHA1: 7b2b299f753798e4891df2d9cbf30f94b39ef924
  SHA256: 1b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40
  SHA512: e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d

- Filesize: 152B
  MD5: f35bb0615bb9816f562b83304e456294
  SHA1: 1049e2bd3e1bbb4cea572467d7c4a96648659cb4
  SHA256: 05e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71
  SHA512: db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\24ebc262-8a5e-455f-a103-04521c1919ac.tmp
  Filesize: 6KB
  MD5: 5c8bcf0b685bb8f2bf24af4e46292822
  SHA1: 61a944e111f491ca199b39156d2b0b1dc546966d
  SHA256: 42353e5562582789c0df8ad56101c541f372fc161d95e5eb8e61234bbb109771
  SHA512: 8da0944306e90240fb81d7f3dbbb0bdf64ae4feab4f9a7fbdf9e6f933c4282a3a362e7a571ae6412adfdcb69e3bf021336d4806531846c42393babf7cc1c8c40

- Filesize: 6KB
  MD5: 55e8e602f21624fffc9efbf53c7392d8
  SHA1: e2248fc9c859d1d2f8963e65e1b6cb4b0c95e87d
  SHA256: 4b0085edfd4f3ee75de8ae18546e00e7914d844713a94c46ce7ee5ab2bc61ea5
  SHA512: 3085f537bb5cb2498c7e6151435a6bb1177f5cf42b67bbf73e7541add94e11b8b932ba6029e1fcd63f34177c83edd550132ace9874d46a2c6d700aa52fa0757b

- Filesize: 7KB
  MD5: 0c500297956de426208b60af70109eb7
  SHA1: 9e03607e5e005ea6a68e1fb64a92638f604979f9
  SHA256: 5f38e514fc0dff4f1d5eda6492c2d5a24b3bedfafce9a2bd39a17eb63ecbf598
  SHA512: 9128440832302bee999faafbe99a233063675be964eb9e2823ab6adcdcd6f02796651ad248fd0b6a946876c2778c8804b333fb1bff6570d51e111c104775142a

- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

- Filesize: 11KB
  MD5: 4b9589e6ba657fd646085f9bcdd4a7a4
  SHA1: 19f3ccf4bdc05dad28c778c0caefa1d386903bd4
  SHA256: 480338e23b310538d08b3e79c1b7c6a343f2b8f136ffaf937c5fefb310bbcae0
  SHA512: 027ccabf5929eedb20097f20f27ccd71895292bdca07a8f5a574ce3b8b2aacc26c75d835db22e5a8601f3353a453f65ec7e515f4188df2b9ad3e787a1337ffa5

- Filesize: 797B
  MD5: afa18cf4aa2660392111763fb93a8c3d
  SHA1: c219a3654a5f41ce535a09f2a188a464c3f5baf5
  SHA256: 227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0
  SHA512: 4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

- Filesize: 1KB
  MD5: ce2f9b9eb8ab321d1b1218359ccf0958
  SHA1: b18d15bd89fda2d3b1e804bd311c9e0a0d0ca0d5
  SHA256: 5dfa27563ff1968e1d23871def68b07cccb7f1c46d7b5646a339d8a9cf2b0ea2
  SHA512: 1e5dac01b3ca75f0c493d54b7ff94ad608cec9c5a9d63ae1c05c6b4220937d509ff28fa2712e6d842f9d6aca5ec1a1eb8dc911964b86d0c93316acefee36b57f

- Filesize: 136B
  MD5: 7fbe176c4d95d086ddab128be6176171
  SHA1: d74b1a7c6a62b47d10c929e8340b52e1affb404c
  SHA256: bdf208bcda3b78cdcd517be713fbfd2eaeccb1cea7f94c06d0f4ed233bcb732b
  SHA512: a5052017cadbab2756f1bbbab51d1a8259d10c668155d7988cdf18b3848b6047ad283689f64333965a9705c09e68151e6550890e4b3b2f2e15a673ee602ceb22

- Filesize: 136B
  MD5: be3be4489a6a9e959cf000bde6904fb2
  SHA1: f6460feb511e8436203bef1efe5a5bc7d0fb8bc8
  SHA256: 0935898403f83ea7fe597c0cdb9facdcd7b84dab33ae31156d2149b707d86fcd
  SHA512: 53e850a8fe7ace9abdaef17ce059ec6ae7d811321f5301f593be95cf6993354aa0f5ace3e301f70797e231dfb168f7dbd2e12939ec6630ce979bdda74944bc6d

- Filesize: 136B
  MD5: 4e221c309ff5fd74585e9d40b51199c6
  SHA1: b307a27f2fb8e4c25fe701cffe40f0146b11d6c5
  SHA256: e8ffef95c9f166742255c47c51135d76fa6c505f8b74c8c7610bcff65cf60687
  SHA512: a257f36a40f00a2bbab1ac33a5fc97b561ea1664481b0e53116753db9761ffa9b1bd12af73295a79be3cf8fdb10322a3b62f6fbbbad2699e45074366486b4453

- Filesize: 336B
  MD5: 3540e056349c6972905dc9706cd49418
  SHA1: 492c20442d34d45a6d6790c720349b11ec591cde
  SHA256: 73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc
  SHA512: c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

- Filesize: 219B
  MD5: 5f6d40ca3c34b470113ed04d06a88ff4
  SHA1: 50629e7211ae43e32060686d6be17ebd492fd7aa
  SHA256: 0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1
  SHA512: 4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

- Filesize: 628B
  MD5: 1c2bf134df9662ec69d463c2de159ef4
  SHA1: ebc22b0a262f65ebd4d45e7cd0dfd5c2af4557b4
  SHA256: 2b4e70bfcbb30d1df44ba823ed4c1f3a4f48b43a48f10e9cbb487cbebc447c74
  SHA512: bbccca595305b16e8b732a0391dcb1572ed90a7b1d9fa095a458e3c753960ca95217cf6b3d23c02693092c8806f3a78f6e25d1dae9996877f0e00a7db94bba26

- Filesize: 42KB
  MD5: 980b08bac152aff3f9b0136b616affa5
  SHA1: 2a9c9601ea038f790cc29379c79407356a3d25a3
  SHA256: 402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9
  SHA512: 100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

- Filesize: 236KB
  MD5: cf1416074cd7791ab80a18f9e7e219d9
  SHA1: 276d2ec82c518d887a8a3608e51c56fa28716ded
  SHA256: 78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
  SHA512: 0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5
- Filesize: (not recorded)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  Note: all four values are the digests of zero-length input, so this entry is an empty file. It carries no IoC value; matching on it would hit every empty file on every host.
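Before lifting hashes from a report like this into a blocklist or a hunt, compute the same digest set locally and check for two things: that a candidate file agrees on every algorithm the table lists (a partial match means a transcription error, not a hit), and that the table entry is not the empty-file digest set shown above. The following is an added example, not code from the sandbox or from any vendor tool; `REPORT_IOCS` is copied from the "General" section and the last "Downloads" entry of this report, the entry names are this example's own, and ssdeep is left out because it needs a third-party library.

```python
import hashlib

ALGOS = ("md5", "sha1", "sha256", "sha512")


def _digest_all(chunks) -> dict:
    """Feed every chunk to all four hashers in a single pass over the data."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data: bytes) -> dict:
    return _digest_all([data])


def digest_file(path: str, chunk_size: int = 1 << 20) -> dict:
    def chunks():
        with open(path, "rb") as f:
            while block := f.read(chunk_size):
                yield block
    return _digest_all(chunks())


# IoC entries copied from this report; entry names are this example's own.
REPORT_IOCS = {
    "WannaCry.exe": {
        "md5": "5c7fb0927db37372da25f270708103a2",
        "sha1": "120ed9279d85cbfa56e5b7779ffa7162074f7a29",
        "sha256": "be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844",
        "sha512": "a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f892"
                  "24c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206",
    },
    "downloads-last-entry": {
        "md5": "d41d8cd98f00b204e9800998ecf8427e",
        "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
        "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce"
                  "47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
    },
}

# Digests of zero-length input, computed rather than pasted.
EMPTY_DIGESTS = digest_bytes(b"")


def match_iocs(digests: dict, iocs: dict = REPORT_IOCS) -> list:
    """Names of IoC entries that agree with `digests` on every algorithm both
    sides list. Agreement on one algorithm and disagreement on another is not
    a match: it indicates a transcription error in the table (or a collision
    claim), and either needs a manual look rather than an alert."""
    names = []
    for name, expected in iocs.items():
        common = [a for a in ALGOS if a in expected and a in digests]
        if common and all(expected[a].lower() == digests[a].lower() for a in common):
            names.append(name)
    return names


def is_empty_file(digests: dict) -> bool:
    """True when any supplied digest is the digest of zero-length input."""
    return any(digests.get(a) == EMPTY_DIGESTS[a] for a in ALGOS)


def useful_iocs(iocs: dict = REPORT_IOCS) -> dict:
    """Drop entries that describe an empty file; they would match every empty
    file on every host and flood a hunt with false positives."""
    return {n: d for n, d in iocs.items() if not is_empty_file(d)}


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        d = digest_file(path)
        print(path, "matches:", match_iocs(d, useful_iocs()) or "none",
              "(empty file)" if is_empty_file(d) else "")
```

Run it as `python iocs.py <file> ...`; only the single `WannaCry.exe` entry survives `useful_iocs()`, which is the point: of the two hash sets this report gives for the sample and the last download, one is actionable and one is noise.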