Analysis

max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 28-04-2024 03:50
Static task: static1

Behavioral task: behavioral1
  Sample: 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
  Resource: win10v2004-20240226-en
General

Target: 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
Size: 987KB
MD5: 7f3607674f31dd96e4d6a009cb4dfb7e
SHA1: 5ebce6ec9924dc24e73a1faef6934128ea46c28c
SHA256: ab1ead6628df92a6cf9e0aee75bdf3ad9e7bf7e9067baf2a5a83adbf4cfd5d02
SHA512: 68e0aff21d3ee5d24794c1d46f5a13fdc6af63f299ff175f74f89443b7edbcf09f7a96fdd43d64ed44e8336f37bfdc1c1806a2103846bbb2e14593fc0a125c06
SSDEEP: 12288:ut3UkyTa5ziXxqf8FLpqf77yAJKrMCLSoJjvN+MyjLvBG1YJX8ORnu:TkbsLpqDuA7E3cRnu
Malware Config

Signatures

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion (1 IoC)
  resource:  behavioral1/memory/3044-0-0x0000000000F80000-0x000000000107C000-memory.dmp
  yara_rule: INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

Detects command variations typically used by ransomware (1 IoC)
  resource:  behavioral1/memory/3044-0-0x0000000000F80000-0x000000000107C000-memory.dmp
  yara_rule: INDICATOR_SUSPICIOUS_GENRansomware

Detects executables containing many references to VEEAM. Observed in ransomware (1 IoC)
  resource:  behavioral1/memory/3044-0-0x0000000000F80000-0x000000000107C000-memory.dmp
  yara_rule: INDICATOR_SUSPICOUS_EXE_References_VEEAM
Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  pid   process
  2068  bcdedit.exe
  1780  bcdedit.exe

Processes:
  pid   process
  2952  wbadmin.exe

Processes:
  pid   process
  2644  wbadmin.exe

Disables Task Manager via registry modification

Modifies Windows Firewall (2 TTPs, 2 IoCs)
  pid   process
  868   netsh.exe
  2688  netsh.exe

Drops startup file (7 IoCs)
  process: 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zebra..y2g42s
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!HELP FILES ENCRYPTED!.txt
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!HELP FILES ENCRYPTED!.txt
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinLogonCmd.bat
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zebra..y2g42s
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinLogonCmd.bat
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops desktop.ini file(s) (64 IoCs)
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (3 IoCs)
  process: wbadmin.exe
  File opened for modification  C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl
  File opened for modification  C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl
  File opened for modification  C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  process: 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid   process
  2468  vssadmin.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   process
  3044  2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
  3044  2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
  3044  2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
  3044  2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
  3044  2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
  3044  2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 3044 wrote to memory of 2160 3044 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe cmd.exe PID 3044 wrote to memory of 2160 3044 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe cmd.exe PID 3044 wrote to memory of 2160 3044 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe cmd.exe PID 2160 wrote to memory of 2564 2160 cmd.exe attrib.exe PID 2160 wrote to memory of 2564 2160 cmd.exe attrib.exe PID 2160 wrote to memory of 2564 2160 cmd.exe attrib.exe PID 3044 wrote to memory of 2656 3044 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe schtasks.exe PID 3044 wrote to memory of 2656 3044 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe schtasks.exe PID 3044 wrote to memory of 2656 3044 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe schtasks.exe PID 3044 wrote to memory of 2612 3044 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe cmd.exe PID 3044 wrote to memory of 2612 3044 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe cmd.exe PID 3044 wrote to memory of 2612 3044 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe cmd.exe PID 2612 wrote to memory of 2468 2612 cmd.exe vssadmin.exe PID 2612 wrote to memory of 2468 2612 cmd.exe vssadmin.exe PID 2612 wrote to memory of 2468 2612 cmd.exe vssadmin.exe PID 3044 wrote to memory of 3028 3044 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe cmd.exe PID 3044 wrote to memory of 3028 3044 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe cmd.exe PID 3044 wrote to memory of 3028 3044 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe cmd.exe PID 3028 wrote to memory of 2952 3028 cmd.exe wbadmin.exe PID 3028 wrote to memory of 2952 3028 cmd.exe wbadmin.exe PID 3028 wrote to memory of 2952 3028 cmd.exe wbadmin.exe PID 3044 wrote to memory of 2720 3044 
2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe cmd.exe PID 3044 wrote to memory of 2720 3044 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe cmd.exe PID 3044 wrote to memory of 2720 3044 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe cmd.exe PID 2720 wrote to memory of 2684 2720 cmd.exe WMIC.exe PID 2720 wrote to memory of 2684 2720 cmd.exe WMIC.exe PID 2720 wrote to memory of 2684 2720 cmd.exe WMIC.exe PID 3044 wrote to memory of 928 3044 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe cmd.exe PID 3044 wrote to memory of 928 3044 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe cmd.exe PID 3044 wrote to memory of 928 3044 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe cmd.exe PID 928 wrote to memory of 2644 928 cmd.exe wbadmin.exe PID 928 wrote to memory of 2644 928 cmd.exe wbadmin.exe PID 928 wrote to memory of 2644 928 cmd.exe wbadmin.exe PID 3044 wrote to memory of 1972 3044 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe cmd.exe PID 3044 wrote to memory of 1972 3044 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe cmd.exe PID 3044 wrote to memory of 1972 3044 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe cmd.exe PID 1972 wrote to memory of 2068 1972 cmd.exe bcdedit.exe PID 1972 wrote to memory of 2068 1972 cmd.exe bcdedit.exe PID 1972 wrote to memory of 2068 1972 cmd.exe bcdedit.exe PID 3044 wrote to memory of 932 3044 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe cmd.exe PID 3044 wrote to memory of 932 3044 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe cmd.exe PID 3044 wrote to memory of 932 3044 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe cmd.exe PID 932 wrote to memory of 1780 932 cmd.exe bcdedit.exe PID 932 wrote to memory of 1780 932 cmd.exe bcdedit.exe PID 932 wrote to memory of 1780 932 cmd.exe bcdedit.exe PID 3044 wrote to memory of 1204 3044 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe cmd.exe PID 3044 wrote to memory of 
1204 3044 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe cmd.exe PID 3044 wrote to memory of 1204 3044 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe cmd.exe PID 1204 wrote to memory of 868 1204 cmd.exe netsh.exe PID 1204 wrote to memory of 868 1204 cmd.exe netsh.exe PID 1204 wrote to memory of 868 1204 cmd.exe netsh.exe PID 3044 wrote to memory of 1404 3044 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe cmd.exe PID 3044 wrote to memory of 1404 3044 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe cmd.exe PID 3044 wrote to memory of 1404 3044 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe cmd.exe PID 1404 wrote to memory of 2688 1404 cmd.exe netsh.exe PID 1404 wrote to memory of 2688 1404 cmd.exe netsh.exe PID 1404 wrote to memory of 2688 1404 cmd.exe netsh.exe PID 3044 wrote to memory of 536 3044 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe cmd.exe PID 3044 wrote to memory of 536 3044 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe cmd.exe PID 3044 wrote to memory of 536 3044 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe cmd.exe PID 536 wrote to memory of 1008 536 cmd.exe reg.exe PID 536 wrote to memory of 1008 536 cmd.exe reg.exe PID 536 wrote to memory of 1008 536 cmd.exe reg.exe PID 3044 wrote to memory of 844 3044 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe cmd.exe -
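The 64 WriteProcessMemory entries above are the sandbox's record of the sample spawning its helper processes, three writes per launch, cut off at the report's entry limit. The following is an added example, not part of the report, that collapses IoC lines in that format into launch events with a write count, rebuilds the parent/child map from them and flags the truncated final group. The input lines are constructed here from the table above (the same 22 source/target pairs); the rule that a run of identical consecutive writes is one launch is an assumption taken from that pattern.

```python
"""Collapse sandbox WriteProcessMemory IoC lines into process launches.

Added example for this page; not code from the sandbox or the sample.
Input lines are constructed from the report's own 64-entry list.
"""
import re
from collections import Counter

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
IOC = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)")

SAMPLE_IMAGE = "2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe"

# (src_pid, dst_pid, src_image, dst_image) in the order the report lists them
_LAUNCHES = [
    (3044, 2160, SAMPLE_IMAGE, "cmd.exe"), (2160, 2564, "cmd.exe", "attrib.exe"),
    (3044, 2656, SAMPLE_IMAGE, "schtasks.exe"),
    (3044, 2612, SAMPLE_IMAGE, "cmd.exe"), (2612, 2468, "cmd.exe", "vssadmin.exe"),
    (3044, 3028, SAMPLE_IMAGE, "cmd.exe"), (3028, 2952, "cmd.exe", "wbadmin.exe"),
    (3044, 2720, SAMPLE_IMAGE, "cmd.exe"), (2720, 2684, "cmd.exe", "WMIC.exe"),
    (3044, 928, SAMPLE_IMAGE, "cmd.exe"), (928, 2644, "cmd.exe", "wbadmin.exe"),
    (3044, 1972, SAMPLE_IMAGE, "cmd.exe"), (1972, 2068, "cmd.exe", "bcdedit.exe"),
    (3044, 932, SAMPLE_IMAGE, "cmd.exe"), (932, 1780, "cmd.exe", "bcdedit.exe"),
    (3044, 1204, SAMPLE_IMAGE, "cmd.exe"), (1204, 868, "cmd.exe", "netsh.exe"),
    (3044, 1404, SAMPLE_IMAGE, "cmd.exe"), (1404, 2688, "cmd.exe", "netsh.exe"),
    (3044, 536, SAMPLE_IMAGE, "cmd.exe"), (536, 1008, "cmd.exe", "reg.exe"),
    (3044, 844, SAMPLE_IMAGE, "cmd.exe"),
]
# Constructed input: three writes per launch, capped at 64 entries like the report
SAMPLE_LINES = [
    f"PID {s} wrote to memory of {d} {s} {si} {di}"
    for (s, d, si, di) in _LAUNCHES for _ in range(3)
][:64]


def parse(lines):
    """Yield (src_pid, dst_pid, src_image, dst_image) per well-formed IoC line."""
    for line in lines:
        m = IOC.search(line)
        # the source PID appears twice in each line; treat a mismatch as garbage
        if m and m.group(1) == m.group(3):
            yield int(m.group(1)), int(m.group(2)), m.group(4), m.group(5)


def collapse(lines):
    """Group consecutive identical writes into (launch, write_count) pairs."""
    groups = []
    for event in parse(lines):
        if groups and groups[-1][0] == event:
            groups[-1][1] += 1
        else:
            groups.append([event, 1])
    return [(event, n) for event, n in groups]


def summarize(lines, cap=64):
    """Launch list, parent->children map, and whether the list was cut at `cap`."""
    launches = collapse(lines)
    total = sum(n for _, n in launches)
    # the typical number of writes per launch (3 in this report)
    usual = Counter(n for _, n in launches).most_common(1)[0][0] if launches else 0
    truncated = total >= cap and launches[-1][1] < usual
    children = {}
    for (src, dst, _src_img, dst_img), _n in launches:
        children.setdefault(src, []).append((dst, dst_img))
    return {"launches": launches, "writes": total, "writes_per_launch": usual,
            "truncated": truncated, "children": children}


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    print(f"{s['writes']} writes = {len(s['launches'])} launches, "
          f"{s['writes_per_launch']} writes each, truncated={s['truncated']}")
    for dst, img in s["children"][3044]:
        print(f"  3044 -> {dst} {img}")
```

The `children` map is what to compare against the process tree further down: every cmd.exe child of 3044 that runs `label X: Locked By Zebra` is missing from the 64-entry list, so the IoC count understates the spawn activity and should not be used as the total.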
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
Depth markers [1], [2], [3] are the report's tree levels; each entry gives the image, the command line, the behaviour tags and the PID.
[1] C:\Users\Admin\AppData\Local\Temp\2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe"
    - Drops startup file
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3044
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C attrib +h +s "C:\Users\Admin\AppData\Local\Temp\2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe"
      - Suspicious use of WriteProcessMemory
      PID: 2160
    [3] C:\Windows\system32\attrib.exe
        cmdline: attrib +h +s "C:\Users\Admin\AppData\Local\Temp\2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe"
        - Views/modifies file attributes
        PID: 2564
  [2] C:\Windows\System32\schtasks.exe
      cmdline: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "ZEBRA" /tr "C:\Users\Admin\AppData\Local\Temp\2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe"
      - Creates scheduled task(s)
      PID: 2656
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet
      - Suspicious use of WriteProcessMemory
      PID: 2612
    [3] C:\Windows\system32\vssadmin.exe
        cmdline: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
        PID: 2468
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C wbadmin DELETE SYSTEMSTATEBACKUP
      - Suspicious use of WriteProcessMemory
      PID: 3028
    [3] C:\Windows\system32\wbadmin.exe
        cmdline: wbadmin DELETE SYSTEMSTATEBACKUP
        - Deletes System State backups
        - Drops file in Windows directory
        PID: 2952
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
      - Suspicious use of WriteProcessMemory
      PID: 2720
    [3] C:\Windows\System32\Wbem\WMIC.exe
        cmdline: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
        PID: 2684
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
      - Suspicious use of WriteProcessMemory
      PID: 928
    [3] C:\Windows\system32\wbadmin.exe
        cmdline: wbadmin delete catalog -quiet
        - Deletes backup catalog
        PID: 2644
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Suspicious use of WriteProcessMemory
      PID: 1972
    [3] C:\Windows\system32\bcdedit.exe
        cmdline: bcdedit /set {default} bootstatuspolicy ignoreallfailures
        - Modifies boot configuration data using bcdedit
        PID: 2068
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
      - Suspicious use of WriteProcessMemory
      PID: 932
    [3] C:\Windows\system32\bcdedit.exe
        cmdline: bcdedit /set {default} recoveryenabled no
        - Modifies boot configuration data using bcdedit
        PID: 1780
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off
      - Suspicious use of WriteProcessMemory
      PID: 1204
    [3] C:\Windows\system32\netsh.exe
        cmdline: netsh advfirewall set currentprofile state off
        - Modifies Windows Firewall
        PID: 868
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C netsh firewall set opmode mode=disable
      - Suspicious use of WriteProcessMemory
      PID: 1404
    [3] C:\Windows\system32\netsh.exe
        cmdline: netsh firewall set opmode mode=disable
        - Modifies Windows Firewall
        PID: 2688
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
      - Suspicious use of WriteProcessMemory
      PID: 536
    [3] C:\Windows\system32\reg.exe
        cmdline: Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        PID: 1008
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C wmic SHADOWCOPY /nointeractive
      PID: 844
    [3] C:\Windows\System32\Wbem\WMIC.exe
        cmdline: wmic SHADOWCOPY /nointeractive
        - Suspicious use of AdjustPrivilegeToken
        PID: 272
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C label A: Locked By Zebra
      PID: 1728
    [3] C:\Windows\system32\label.exe
        cmdline: label A: Locked By Zebra
        - Enumerates connected drives
        PID: 2252
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C label B: Locked By Zebra
      PID: 788
    [3] C:\Windows\system32\label.exe
        cmdline: label B: Locked By Zebra
        - Enumerates connected drives
        PID: 1904
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C label C: Locked By Zebra
      PID: 2052
    [3] C:\Windows\system32\label.exe
        cmdline: label C: Locked By Zebra
        PID: 1776
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C label D: Locked By Zebra
      PID: 2260
    [3] C:\Windows\system32\label.exe
        cmdline: label D: Locked By Zebra
        - Enumerates connected drives
        PID: 2748
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C label E: Locked By Zebra
      PID: 840
    [3] C:\Windows\system32\label.exe
        cmdline: label E: Locked By Zebra
        - Enumerates connected drives
        PID: 1544
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C label F: Locked By Zebra
      PID: 1816
    [3] C:\Windows\system32\label.exe
        cmdline: label F: Locked By Zebra
        - Enumerates connected drives
        PID: 2264
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C label G: Locked By Zebra
      PID: 1896
    [3] C:\Windows\system32\label.exe
        cmdline: label G: Locked By Zebra
        - Enumerates connected drives
        PID: 1160
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C label H: Locked By Zebra
      PID: 1536
    [3] C:\Windows\system32\label.exe
        cmdline: label H: Locked By Zebra
        - Enumerates connected drives
        PID: 1840
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C label I: Locked By Zebra
      PID: 1064
    [3] C:\Windows\system32\label.exe
        cmdline: label I: Locked By Zebra
        - Enumerates connected drives
        PID: 2872
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C label J: Locked By Zebra
      PID: 2208
    [3] C:\Windows\system32\label.exe
        cmdline: label J: Locked By Zebra
        - Enumerates connected drives
        PID: 2364
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C label K: Locked By Zebra
      PID: 1672
    [3] C:\Windows\system32\label.exe
        cmdline: label K: Locked By Zebra
        - Enumerates connected drives
        PID: 884
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C label L: Locked By Zebra
      PID: 2544
    [3] C:\Windows\system32\label.exe
        cmdline: label L: Locked By Zebra
        - Enumerates connected drives
        PID: 2200
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C label M: Locked By Zebra
      PID: 1916
    [3] C:\Windows\system32\label.exe
        cmdline: label M: Locked By Zebra
        - Enumerates connected drives
        PID: 2224
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C label N: Locked By Zebra
      PID: 1600
    [3] C:\Windows\system32\label.exe
        cmdline: label N: Locked By Zebra
        - Enumerates connected drives
        PID: 1832
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C label O: Locked By Zebra
      PID: 2824
    [3] C:\Windows\system32\label.exe
        cmdline: label O: Locked By Zebra
        - Enumerates connected drives
        PID: 2244
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C label P: Locked By Zebra
      PID: 2732
    [3] C:\Windows\system32\label.exe
        cmdline: label P: Locked By Zebra
        - Enumerates connected drives
        PID: 2876
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C label Q: Locked By Zebra
      PID: 2844
    [3] C:\Windows\system32\label.exe
        cmdline: label Q: Locked By Zebra
        - Enumerates connected drives
        PID: 2516
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C label R: Locked By Zebra
      PID: 2448
    [3] C:\Windows\system32\label.exe
        cmdline: label R: Locked By Zebra
        - Enumerates connected drives
        PID: 2532
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C label S: Locked By Zebra
      PID: 2836
    [3] C:\Windows\system32\label.exe
        cmdline: label S: Locked By Zebra
        - Enumerates connected drives
        PID: 216
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C label T: Locked By Zebra
      PID: 228
    [3] C:\Windows\system32\label.exe
        cmdline: label T: Locked By Zebra
        - Enumerates connected drives
        PID: 3036
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C label U: Locked By Zebra
      PID: 2468 (PID reused after vssadmin.exe above exited)
    [3] C:\Windows\system32\label.exe
        cmdline: label U: Locked By Zebra
        - Enumerates connected drives
        PID: 2476
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C label V: Locked By Zebra
      PID: 2956
    [3] C:\Windows\system32\label.exe
        cmdline: label V: Locked By Zebra
        - Enumerates connected drives
        PID: 2728
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C label W: Locked By Zebra
      PID: 936
    [3] C:\Windows\system32\label.exe
        cmdline: label W: Locked By Zebra
        - Enumerates connected drives
        PID: 2548
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C label X: Locked By Zebra
      PID: 2156
    [3] C:\Windows\system32\label.exe
        cmdline: label X: Locked By Zebra
        - Enumerates connected drives
        PID: 1984
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C label Y: Locked By Zebra
      PID: 1312
    [3] C:\Windows\system32\label.exe
        cmdline: label Y: Locked By Zebra
        - Enumerates connected drives
        PID: 1628
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C label Z: Locked By Zebra
      PID: 1584
    [3] C:\Windows\system32\label.exe
        cmdline: label Z: Locked By Zebra
        - Enumerates connected drives
        PID: 1780 (PID reused after bcdedit.exe above exited)
  [2] C:\Windows\system32\NOTEPAD.EXE
      cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\!HELP FILES ENCRYPTED!.txt
      PID: 2352
The four depth-1 processes below are Windows service hosts (Volume Shadow Copy service, Block Level Backup Engine, Virtual Disk Service loader and service) started on demand by the shadow-copy, backup and volume operations above; they are not children of the sample.
[1] C:\Windows\system32\vssvc.exe
    cmdline: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
    PID: 2776
[1] C:\Windows\system32\wbengine.exe
    cmdline: "C:\Windows\system32\wbengine.exe"
    - Suspicious use of AdjustPrivilegeToken
    PID: 852
[1] C:\Windows\System32\vdsldr.exe
    cmdline: C:\Windows\System32\vdsldr.exe -Embedding
    PID: 2712
[1] C:\Windows\System32\vds.exe
    cmdline: C:\Windows\System32\vds.exe
    PID: 2796
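The tree above is the part of the report a detection engineer should key on: every recovery-inhibiting, firewall-disabling and persistence command is launched through a `cmd.exe /C` wrapper from one root process, and the report also shows PIDs being reused within the run (2468 is vssadmin.exe and later cmd.exe; 1780 is bcdedit.exe and later label.exe), so keying a process map on PID alone misattributes parents. The following is an added example, not code from the sandbox or from the sample: it walks constructed process-creation records modelled on this tree, resolves each parent to the most recent earlier record with that PID, skips the cmd.exe wrappers so each command counts once, and attributes the matches to the root ancestor. The record shape (ppid, pid, image, command line) and the sample records are assumptions standing in for Sysmon Event ID 1 or Security 4688 fields; the ATT&CK technique IDs are my mapping, not the report's.

```python
"""Attribute recovery-inhibition and defence-impairment commands to the
process that launched them.

Added example for this page; not code from the sandbox or the sample.
Records are constructed from the process tree in this report; the field
layout (ppid, pid, image, cmdline) is an assumption.
"""
import re
from collections import defaultdict

# (rule, ATT&CK technique as mapped here, pattern over the lower-cased, unquoted command line)
RULES = [
    ("shadow_copies_deleted", "T1490", r"vssadmin(\.exe)?\s+delete\s+shadows"),
    ("wmi_shadow_copies_deleted", "T1490", r"wmic(\.exe)?\s+shadowcopy\s+delete"),
    ("backup_catalog_deleted", "T1490", r"wbadmin(\.exe)?\s+delete\s+catalog"),
    ("systemstate_backup_deleted", "T1490", r"wbadmin(\.exe)?\s+delete\s+systemstatebackup"),
    ("recovery_disabled", "T1490", r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no"),
    ("boot_failures_ignored", "T1490", r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures"),
    ("firewall_disabled", "T1562.004", r"netsh(\.exe)?\s+(advfirewall\s+set\s+\w+\s+state\s+off|firewall\s+set\s+opmode\s+mode=disable)"),
    ("taskmgr_disabled", "T1562.001", r"reg(\.exe)?\s+add\s+.*\\policies\\system.*disabletaskmgr.*/d\s+1\b"),
    ("logon_task_created", "T1053.005", r"schtasks(\.exe)?\s+/create\s+.*/sc\s+onlogon"),
    ("self_hidden", "T1564.001", r"attrib(\.exe)?\s+\+h\s+\+s"),
]
COMPILED = [(name, tech, re.compile(pat)) for name, tech, pat in RULES]

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe"
CMD = r"C:\Windows\System32\cmd.exe"
S32 = r"C:\Windows\system32"
REG_CMD = 'Reg.exe add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f'


def _cmd(ppid, pid, tail):
    """A cmd.exe /C wrapper record, as the sample launches each tool."""
    return (ppid, pid, CMD, f'"{CMD}" /C {tail}')


# Constructed from the report's tree: (ppid, pid, image, cmdline); ppid 0 = no parent in the data
RECORDS = [
    (0, 3044, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    _cmd(3044, 2160, f'attrib +h +s "{SAMPLE_EXE}"'),
    (2160, 2564, S32 + r"\attrib.exe", f'attrib +h +s "{SAMPLE_EXE}"'),
    (3044, 2656, S32 + r"\schtasks.exe",
     f'"{S32}\\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "ZEBRA" /tr "{SAMPLE_EXE}"'),
    _cmd(3044, 2612, "vssadmin delete shadows /all /quiet"),
    (2612, 2468, S32 + r"\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    _cmd(3044, 3028, "wbadmin DELETE SYSTEMSTATEBACKUP"),
    (3028, 2952, S32 + r"\wbadmin.exe", "wbadmin DELETE SYSTEMSTATEBACKUP"),
    _cmd(3044, 2720, "wmic shadowcopy delete"),
    (2720, 2684, S32 + r"\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    _cmd(3044, 928, "wbadmin delete catalog -quiet"),
    (928, 2644, S32 + r"\wbadmin.exe", "wbadmin delete catalog -quiet"),
    _cmd(3044, 1972, "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    (1972, 2068, S32 + r"\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    _cmd(3044, 932, "bcdedit /set {default} recoveryenabled no"),
    (932, 1780, S32 + r"\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    _cmd(3044, 1204, "netsh advfirewall set currentprofile state off"),
    (1204, 868, S32 + r"\netsh.exe", "netsh advfirewall set currentprofile state off"),
    _cmd(3044, 536, REG_CMD),
    (536, 1008, S32 + r"\reg.exe", REG_CMD),
    _cmd(3044, 2468, "label U: Locked By Zebra"),  # PID 2468 reused after vssadmin.exe exited
    (2468, 2476, S32 + r"\label.exe", "label U: Locked By Zebra"),
    (0, 2776, S32 + r"\vssvc.exe", S32 + r"\vssvc.exe"),  # service host, not a child of the sample
]


def link_parents(records):
    """Parent record index for each record, resolving a PPID to the most recent
    earlier record with that PID so a reused PID points at the right instance."""
    latest, parents = {}, []
    for i, (ppid, pid, _image, _cmdline) in enumerate(records):
        parents.append(latest.get(ppid))
        latest[pid] = i
    return parents


def root_index(i, parents):
    """Walk up to the record with no known parent."""
    while parents[i] is not None:
        i = parents[i]
    return i


def attribute(records):
    """{root_pid: {rule: technique}} over all descendants; cmd.exe wrappers are
    skipped so '/C vssadmin ...' and its vssadmin.exe child count once."""
    parents = link_parents(records)
    findings = defaultdict(dict)
    for i, (_ppid, _pid, image, cmdline) in enumerate(records):
        if image.lower().endswith("\\cmd.exe"):
            continue
        text = cmdline.lower().replace('"', "")
        for name, tech, rx in COMPILED:
            if rx.search(text):
                findings[records[root_index(i, parents)][1]][name] = tech
    return dict(findings)


def verdict(findings, min_t1490=3):
    """Root PIDs with at least min_t1490 distinct Inhibit System Recovery behaviours."""
    return sorted(pid for pid, hits in findings.items()
                  if sum(1 for t in hits.values() if t == "T1490") >= min_t1490)


if __name__ == "__main__":
    found = attribute(RECORDS)
    for pid, hits in found.items():
        print(pid, sorted(hits))
    print("recovery inhibition by root:", verdict(found))
```

Alerting on the root with several T1490 behaviours inside one run is a far stronger signal than a single vssadmin alert, and the same logic applies to live Sysmon or 4688 data once the field names are mapped; the parent resolution by time order is what keeps the label.exe launched under the reused PID 2468 attached to the sample rather than to the vssadmin.exe that previously held that PID.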
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Hide Artifacts (1): Hidden Files and Directories (1)
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Indicator Removal (4): File Deletion (4)
Downloads
-
C:\!HELP FILES ENCRYPTED!.txt
Filesize: 922B
MD5: 76c36a2be8207db056ecd89b9b6df025
SHA1: 5e86f6eda39e6b1b51bdd6deabdad40d450b4069
SHA256: 624e9f317b2e9d231c9c983976e1e5eec6bae74e7ff9d84239bc2135ebaa1dff
SHA512: c842cbdf9378848934920595eed61f7def666659ea1e9810e746d83b814dec433d587940fadf34bbad7751b66ac96166f74db3443f781c0df6ec7acb42d0a1c0
-
C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini
Filesize: 463B
MD5: 00aafdd13be543dcc56ca24ce4a9885c
SHA1: dbfa502217bbc3d4e15e9af3cf43841d224d009e
SHA256: 65f2861f81879e6668ffb143f771b7df6ef8788c03eb53671d45996d49542c04
SHA512: 647fcaf2a93b746cf77fe9db6782b29033c43c61e0a19a0a04ac0ed1cb5d32f9313270c96cc3693c8998ef6c3640f9b581131612c83dee899ca5462429244f22
-
memory/3044-0-0x0000000000F80000-0x000000000107C000-memory.dmp
Filesize: 1008KB
-
memory/3044-1-0x000007FEF61B0000-0x000007FEF6B9C000-memory.dmp
Filesize: 9.9MB
-
memory/3044-2-0x0000000000530000-0x00000000005B0000-memory.dmp
Filesize: 512KB
-
memory/3044-2188-0x000007FEF61B0000-0x000007FEF6B9C000-memory.dmp
Filesize: 9.9MB
-
memory/3044-2609-0x0000000000530000-0x00000000005B0000-memory.dmp
Filesize: 512KB