Analysis
Max time kernel: 151s
Max time network: 148s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 28-04-2024 03:50
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
Size: 987KB
MD5: 7f3607674f31dd96e4d6a009cb4dfb7e
SHA1: 5ebce6ec9924dc24e73a1faef6934128ea46c28c
SHA256: ab1ead6628df92a6cf9e0aee75bdf3ad9e7bf7e9067baf2a5a83adbf4cfd5d02
SHA512: 68e0aff21d3ee5d24794c1d46f5a13fdc6af63f299ff175f74f89443b7edbcf09f7a96fdd43d64ed44e8336f37bfdc1c1806a2103846bbb2e14593fc0a125c06
SSDEEP: 12288:ut3UkyTa5ziXxqf8FLpqf77yAJKrMCLSoJjvN+MyjLvBG1YJX8ORnu:TkbsLpqDuA7E3cRnu
Malware Config
Signatures
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion (1 IoCs)
Processes:
Resource | YARA rule
behavioral2/memory/4832-0-0x00000000002C0000-0x00000000003BC000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Detects command variations typically used by ransomware (1 IoCs)
Processes:
Resource | YARA rule
behavioral2/memory/4832-0-0x00000000002C0000-0x00000000003BC000-memory.dmp | INDICATOR_SUSPICIOUS_GENRansomware
Detects executables containing many references to VEEAM. Observed in ransomware (1 IoCs)
Processes:
Resource | YARA rule
behavioral2/memory/4832-0-0x00000000002C0000-0x00000000003BC000-memory.dmp | INDICATOR_SUSPICOUS_EXE_References_VEEAM
Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
Processes:
PID | Process
4168 | bcdedit.exe
3916 | bcdedit.exe
Deletes System State backups
Processes:
PID | Process
2128 | wbadmin.exe

Deletes backup catalog
Processes:
PID | Process
3308 | wbadmin.exe
Disables Task Manager via registry modification
Modifies Windows Firewall (2 TTPs, 2 IoCs)
Processes:
PID | Process
2224 | netsh.exe
1236 | netsh.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
Description | IoC | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
Drops startup file (7 IoCs)
Processes:
Description | IoC | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!HELP FILES ENCRYPTED!.txt | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinLogonCmd.bat | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zebra..y2g42s | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinLogonCmd.bat | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zebra..y2g42s | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!HELP FILES ENCRYPTED!.txt | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!HELP FILES ENCRYPTED!.txt | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) (20 IoCs)
Processes:
Description | IoC | Process
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Users\Admin\Searches\desktop.ini | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\desktop.ini | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Description | IoC | Process
File opened (read-only) | \??\I: | label.exe
File opened (read-only) | \??\K: | label.exe
File opened (read-only) | \??\Y: | label.exe
File opened (read-only) | \??\M: | label.exe
File opened (read-only) | \??\T: | label.exe
File opened (read-only) | \??\Z: | label.exe
File opened (read-only) | \??\L: | label.exe
File opened (read-only) | \??\S: | label.exe
File opened (read-only) | \??\G: | label.exe
File opened (read-only) | \??\Q: | label.exe
File opened (read-only) | \??\X: | label.exe
File opened (read-only) | \??\B: | label.exe
File opened (read-only) | \??\N: | label.exe
File opened (read-only) | \??\P: | label.exe
File opened (read-only) | \??\V: | label.exe
File opened (read-only) | \??\A: | label.exe
File opened (read-only) | \??\D: | label.exe
File opened (read-only) | \??\H: | label.exe
File opened (read-only) | \??\W: | label.exe
File opened (read-only) | \??\E: | label.exe
File opened (read-only) | \??\J: | label.exe
File opened (read-only) | \??\R: | label.exe
File opened (read-only) | \??\F: | label.exe
File opened (read-only) | \??\O: | label.exe
File opened (read-only) | \??\U: | label.exe
Drops file in Program Files directory (64 IoCs)
Processes:
Description | IoC | Process
File opened for modification | C:\Program Files\MoveBlock.jpeg | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\7-Zip\Lang\tr.txt | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ko.txt | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\7-Zip\Lang\eu.txt | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\7-Zip\Lang\kk.txt | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sq.txt | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\7-Zip\!HELP FILES ENCRYPTED!.txt | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\7-Zip\readme.txt | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fr.txt | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\7-Zip\Lang\hu.txt | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\SendSkip.sql | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File created | C:\Program Files\7-Zip\!HELP FILES ENCRYPTED!.txt | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\7-Zip\Lang\hi.txt | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\!HELP FILES ENCRYPTED!.txt | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\!HELP FILES ENCRYPTED!.txt | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\7-Zip\Lang\!HELP FILES ENCRYPTED!.txt | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ja-jp.dll | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ru.txt | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\7-Zip\7zCon.sfx | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\7-Zip\Lang\cs.txt | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\7-Zip\Lang\lij.txt | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ug.txt | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-tw.dll | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\MoveSearch.mpeg2 | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ne.txt | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sv.txt | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\SetLock.001 | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mn.txt | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\7-Zip\Lang\pl.txt | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\7-Zip\Lang\co.txt | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pl-pl.dll | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\7-Zip\Lang\kab.txt | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sl.txt | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\desktop.ini | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\InitializeDebug.mp2 | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\7-Zip\7-zip32.dll | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nb-no.dll | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sv-se.dll | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\7-Zip\History.txt | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\7-Zip\Lang\be.txt | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\7-Zip\Lang\bn.txt | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\7-Zip\Lang\el.txt | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ps.txt | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\7-Zip\Lang\pt-br.txt | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification | C:\Program Files\PushSelect.001 | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
Drops file in Windows directory (3 IoCs)
Processes:
Description | IoC | Process
File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.3.etl | wbadmin.exe
File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.2.etl | wbadmin.exe
File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.1.etl | wbadmin.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
PID | Process
4652 | vssadmin.exe
Modifies registry class (1 IoCs)
Processes:
Description | IoC | Process
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
Suspicious behavior: EnumeratesProcesses (29 IoCs)
Processes:
PID | Process
4832 | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe (this same entry is listed 29 times)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
Description | PID | Process
Token: SeDebugPrivilege | 4832 | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
Token: SeDebugPrivilege | 4832 | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
Token: SeBackupPrivilege | 2428 | vssvc.exe
Token: SeRestorePrivilege | 2428 | vssvc.exe
Token: SeAuditPrivilege | 2428 | vssvc.exe
Token: SeIncreaseQuotaPrivilege | 3164 | WMIC.exe
Token: SeSecurityPrivilege | 3164 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 3164 | WMIC.exe
Token: SeLoadDriverPrivilege | 3164 | WMIC.exe
Token: SeSystemProfilePrivilege | 3164 | WMIC.exe
Token: SeSystemtimePrivilege | 3164 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 3164 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 3164 | WMIC.exe
Token: SeCreatePagefilePrivilege | 3164 | WMIC.exe
Token: SeBackupPrivilege | 3164 | WMIC.exe
Token: SeRestorePrivilege | 3164 | WMIC.exe
Token: SeShutdownPrivilege | 3164 | WMIC.exe
Token: SeDebugPrivilege | 3164 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 3164 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 3164 | WMIC.exe
Token: SeUndockPrivilege | 3164 | WMIC.exe
Token: SeManageVolumePrivilege | 3164 | WMIC.exe
Token: 33 | 3164 | WMIC.exe
Token: 34 | 3164 | WMIC.exe
Token: 35 | 3164 | WMIC.exe
Token: 36 | 3164 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 3164 | WMIC.exe
Token: SeSecurityPrivilege | 3164 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 3164 | WMIC.exe
Token: SeLoadDriverPrivilege | 3164 | WMIC.exe
Token: SeSystemProfilePrivilege | 3164 | WMIC.exe
Token: SeSystemtimePrivilege | 3164 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 3164 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 3164 | WMIC.exe
Token: SeCreatePagefilePrivilege | 3164 | WMIC.exe
Token: SeBackupPrivilege | 3164 | WMIC.exe
Token: SeRestorePrivilege | 3164 | WMIC.exe
Token: SeShutdownPrivilege | 3164 | WMIC.exe
Token: SeDebugPrivilege | 3164 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 3164 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 3164 | WMIC.exe
Token: SeUndockPrivilege | 3164 | WMIC.exe
Token: SeManageVolumePrivilege | 3164 | WMIC.exe
Token: 33 | 3164 | WMIC.exe
Token: 34 | 3164 | WMIC.exe
Token: 35 | 3164 | WMIC.exe
Token: 36 | 3164 | WMIC.exe
Token: SeBackupPrivilege | 3284 | wbengine.exe
Token: SeRestorePrivilege | 3284 | wbengine.exe
Token: SeSecurityPrivilege | 3284 | wbengine.exe
Token: SeIncreaseQuotaPrivilege | 3252 | WMIC.exe
Token: SeSecurityPrivilege | 3252 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 3252 | WMIC.exe
Token: SeLoadDriverPrivilege | 3252 | WMIC.exe
Token: SeSystemProfilePrivilege | 3252 | WMIC.exe
Token: SeSystemtimePrivilege | 3252 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 3252 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 3252 | WMIC.exe
Token: SeCreatePagefilePrivilege | 3252 | WMIC.exe
Token: SeBackupPrivilege | 3252 | WMIC.exe
Token: SeRestorePrivilege | 3252 | WMIC.exe
Token: SeShutdownPrivilege | 3252 | WMIC.exe
Token: SeDebugPrivilege | 3252 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 3252 | WMIC.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
Description | PID | Process | Target process (each row appears twice in the report)
PID 4832 wrote to memory of 5028 | 4832 | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe | cmd.exe (x2)
PID 5028 wrote to memory of 332 | 5028 | cmd.exe | attrib.exe (x2)
PID 4832 wrote to memory of 1568 | 4832 | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe | schtasks.exe (x2)
PID 4832 wrote to memory of 1792 | 4832 | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe | cmd.exe (x2)
PID 1792 wrote to memory of 4652 | 1792 | cmd.exe | vssadmin.exe (x2)
PID 4832 wrote to memory of 1624 | 4832 | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe | cmd.exe (x2)
PID 1624 wrote to memory of 2128 | 1624 | cmd.exe | wbadmin.exe (x2)
PID 4832 wrote to memory of 2524 | 4832 | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe | cmd.exe (x2)
PID 2524 wrote to memory of 3164 | 2524 | cmd.exe | WMIC.exe (x2)
PID 4832 wrote to memory of 3328 | 4832 | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe | cmd.exe (x2)
PID 3328 wrote to memory of 3308 | 3328 | cmd.exe | wbadmin.exe (x2)
PID 4832 wrote to memory of 1728 | 4832 | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe | cmd.exe (x2)
PID 4832 wrote to memory of 3008 | 4832 | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe | cmd.exe (x2)
PID 3008 wrote to memory of 3916 | 3008 | cmd.exe | bcdedit.exe (x2)
PID 4832 wrote to memory of 1224 | 4832 | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe | cmd.exe (x2)
PID 1224 wrote to memory of 2224 | 1224 | cmd.exe | netsh.exe (x2)
PID 4832 wrote to memory of 3904 | 4832 | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe | cmd.exe (x2)
PID 3904 wrote to memory of 1236 | 3904 | cmd.exe | netsh.exe (x2)
PID 4832 wrote to memory of 2884 | 4832 | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe | cmd.exe (x2)
PID 2884 wrote to memory of 2248 | 2884 | cmd.exe | reg.exe (x2)
PID 4832 wrote to memory of 1560 | 4832 | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe | cmd.exe (x2)
PID 1560 wrote to memory of 3252 | 1560 | cmd.exe | WMIC.exe (x2)
PID 4832 wrote to memory of 4372 | 4832 | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe | cmd.exe (x2)
PID 4372 wrote to memory of 2868 | 4372 | cmd.exe | label.exe (x2)
PID 4832 wrote to memory of 1724 | 4832 | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe | cmd.exe (x2)
PID 1724 wrote to memory of 4448 | 1724 | cmd.exe | label.exe (x2)
PID 4832 wrote to memory of 4400 | 4832 | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe | cmd.exe (x2)
PID 4400 wrote to memory of 116 | 4400 | cmd.exe | label.exe (x2)
PID 4832 wrote to memory of 1016 | 4832 | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe | cmd.exe (x2)
PID 1016 wrote to memory of 3920 | 1016 | cmd.exe | label.exe (x2)
PID 4832 wrote to memory of 416 | 4832 | 2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe | cmd.exe (x2)
PID 416 wrote to memory of 2300 | 416 | cmd.exe | label.exe (x2)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.

Views/modifies file attributes (1 TTPs, 1 IoCs)

Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe"
  - Checks computer location settings
  - Drops startup file
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4832

  C:\Windows\System32\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /C attrib +h +s "C:\Users\Admin\AppData\Local\Temp\2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe"
    - Suspicious use of WriteProcessMemory
    PID: 5028

    C:\Windows\system32\attrib.exe (depth 3)
      Command line: attrib +h +s "C:\Users\Admin\AppData\Local\Temp\2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe"
      - Views/modifies file attributes
      PID: 332

  C:\Windows\System32\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "ZEBRA" /tr "C:\Users\Admin\AppData\Local\Temp\2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe"
    - Creates scheduled task(s)
    PID: 1568

  C:\Windows\System32\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet
    - Suspicious use of WriteProcessMemory
    PID: 1792

    C:\Windows\system32\vssadmin.exe (depth 3)
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
      PID: 4652

  C:\Windows\System32\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /C wbadmin DELETE SYSTEMSTATEBACKUP
    - Suspicious use of WriteProcessMemory
    PID: 1624

    C:\Windows\system32\wbadmin.exe (depth 3)
      Command line: wbadmin DELETE SYSTEMSTATEBACKUP
      - Deletes System State backups
      - Drops file in Windows directory
      PID: 2128

  C:\Windows\System32\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
    - Suspicious use of WriteProcessMemory
    PID: 2524

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      Command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
      PID: 3164

  C:\Windows\System32\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    - Suspicious use of WriteProcessMemory
    PID: 3328

    C:\Windows\system32\wbadmin.exe (depth 3)
      Command line: wbadmin delete catalog -quiet
      - Deletes backup catalog
      PID: 3308

  C:\Windows\System32\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    PID: 1728

    C:\Windows\system32\bcdedit.exe (depth 3)
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
      PID: 4168

  C:\Windows\System32\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    - Suspicious use of WriteProcessMemory
    PID: 3008

    C:\Windows\system32\bcdedit.exe (depth 3)
      Command line: bcdedit /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit
      PID: 3916

  C:\Windows\System32\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off
    - Suspicious use of WriteProcessMemory
    PID: 1224

    C:\Windows\system32\netsh.exe (depth 3)
      Command line: netsh advfirewall set currentprofile state off
      - Modifies Windows Firewall
      PID: 2224

  C:\Windows\System32\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /C netsh firewall set opmode mode=disable
    - Suspicious use of WriteProcessMemory
    PID: 3904

    C:\Windows\system32\netsh.exe (depth 3)
      Command line: netsh firewall set opmode mode=disable
      - Modifies Windows Firewall
      PID: 1236

  C:\Windows\System32\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
    - Suspicious use of WriteProcessMemory
    PID: 2884

    C:\Windows\system32\reg.exe (depth 3)
      Command line: Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
      PID: 2248

  C:\Windows\System32\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /C wmic SHADOWCOPY /nointeractive
    - Suspicious use of WriteProcessMemory
    PID: 1560

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      Command line: wmic SHADOWCOPY /nointeractive
      - Suspicious use of AdjustPrivilegeToken
      PID: 3252

  C:\Windows\System32\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /C label A: Locked By Zebra
    - Suspicious use of WriteProcessMemory
    PID: 4372

    C:\Windows\system32\label.exe (depth 3)
      Command line: label A: Locked By Zebra
- Enumerates connected drives
PID:2868 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label B: Locked By Zebra2⤵
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\system32\label.exelabel B: Locked By Zebra3⤵
- Enumerates connected drives
PID:4448 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label C: Locked By Zebra2⤵
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Windows\system32\label.exelabel C: Locked By Zebra3⤵PID:116
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label D: Locked By Zebra2⤵
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Windows\system32\label.exelabel D: Locked By Zebra3⤵
- Enumerates connected drives
PID:3920 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label E: Locked By Zebra2⤵
- Suspicious use of WriteProcessMemory
PID:416 -
C:\Windows\system32\label.exelabel E: Locked By Zebra3⤵
- Enumerates connected drives
PID:2300 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label F: Locked By Zebra2⤵PID:276
-
C:\Windows\system32\label.exelabel F: Locked By Zebra3⤵
- Enumerates connected drives
PID:2320 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label G: Locked By Zebra2⤵PID:2596
-
C:\Windows\system32\label.exelabel G: Locked By Zebra3⤵
- Enumerates connected drives
PID:3080 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label H: Locked By Zebra2⤵PID:3864
-
C:\Windows\system32\label.exelabel H: Locked By Zebra3⤵
- Enumerates connected drives
PID:4168 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label I: Locked By Zebra2⤵PID:3912
-
C:\Windows\system32\label.exelabel I: Locked By Zebra3⤵
- Enumerates connected drives
PID:3868 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label J: Locked By Zebra2⤵PID:2268
-
C:\Windows\system32\label.exelabel J: Locked By Zebra3⤵
- Enumerates connected drives
PID:3872 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label K: Locked By Zebra2⤵PID:3508
-
C:\Windows\system32\label.exelabel K: Locked By Zebra3⤵
- Enumerates connected drives
PID:2360 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label L: Locked By Zebra2⤵PID:2484
-
C:\Windows\system32\label.exelabel L: Locked By Zebra3⤵
- Enumerates connected drives
PID:3252 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label M: Locked By Zebra2⤵PID:3080
-
C:\Windows\system32\label.exelabel M: Locked By Zebra3⤵
- Enumerates connected drives
PID:3400 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label N: Locked By Zebra2⤵PID:644
-
C:\Windows\system32\label.exelabel N: Locked By Zebra3⤵
- Enumerates connected drives
PID:4448 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label O: Locked By Zebra2⤵PID:1408
-
C:\Windows\system32\label.exelabel O: Locked By Zebra3⤵
- Enumerates connected drives
PID:1040 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label P: Locked By Zebra2⤵PID:2012
-
C:\Windows\system32\label.exelabel P: Locked By Zebra3⤵
- Enumerates connected drives
PID:2360 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label Q: Locked By Zebra2⤵PID:1144
-
C:\Windows\system32\label.exelabel Q: Locked By Zebra3⤵
- Enumerates connected drives
PID:4932 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label R: Locked By Zebra2⤵PID:4604
-
C:\Windows\system32\label.exelabel R: Locked By Zebra3⤵
- Enumerates connected drives
PID:292 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label S: Locked By Zebra2⤵PID:2868
-
C:\Windows\system32\label.exelabel S: Locked By Zebra3⤵
- Enumerates connected drives
PID:3400 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label T: Locked By Zebra2⤵PID:4376
-
C:\Windows\system32\label.exelabel T: Locked By Zebra3⤵
- Enumerates connected drives
PID:4180 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label U: Locked By Zebra2⤵PID:3872
-
C:\Windows\system32\label.exelabel U: Locked By Zebra3⤵
- Enumerates connected drives
PID:880 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label V: Locked By Zebra2⤵PID:4564
-
C:\Windows\system32\label.exelabel V: Locked By Zebra3⤵
- Enumerates connected drives
PID:3100 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label W: Locked By Zebra2⤵PID:3308
-
C:\Windows\system32\label.exelabel W: Locked By Zebra3⤵
- Enumerates connected drives
PID:1664 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label X: Locked By Zebra2⤵PID:1936
-
C:\Windows\system32\label.exelabel X: Locked By Zebra3⤵
- Enumerates connected drives
PID:3792 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label Y: Locked By Zebra2⤵PID:4200
-
C:\Windows\system32\label.exelabel Y: Locked By Zebra3⤵
- Enumerates connected drives
PID:4448 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label Z: Locked By Zebra2⤵PID:1140
-
C:\Windows\system32\label.exelabel Z: Locked By Zebra3⤵
- Enumerates connected drives
PID:436 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\!HELP FILES ENCRYPTED!.txt2⤵PID:4932
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2428
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3284
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:644
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:1108
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3820 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:81⤵PID:1716
Network
MITRE ATT&CK Enterprise v15 (tactic, technique and sub-technique, with the number of matching signatures in parentheses)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Hide Artifacts (1): Hidden Files and Directories (1)
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Indicator Removal (4): File Deletion (4)
Downloads
-
C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini
Filesize: 463B
MD5: 038c9bfbb5b3a66571fae131a30ecef5
SHA1: 61ec5384ce33224eda0782b82cf4203d03c0a8c2
SHA256: 7b7f52d26a3f05c73e5a4edd57d33dc9af8ff89133feb7f499f9ab1bdd2b123c
SHA512: 37785e470741a135b719c9e2f75c71683198943b9ee3224f44cb9e1fcf01760b491feba570cafb0c1cf6b08fa816a5d15222d2677e0784c09f08d74cd685ed9e
-
F:\$RECYCLE.BIN\!HELP FILES ENCRYPTED!.txt
Filesize: 922B
MD5: edaa0b91f5b297c18f57330f8b857177
SHA1: 3f65ce2eddd91bfa8069be815ae39570999114e4
SHA256: a05357637ea73d949e05ff78f7843f7186ed15688993363481d3f17d90953863
SHA512: 1d120e810c2df8c5bd880f05f5bd1b1ddf6ee9c6039cdd22044aefbcb1904179fab8704811a02afdcc4d5325d572c67dd81caf0ffcb2f78ea70653eb8568f3c1
-
memory/4832-0-0x00000000002C0000-0x00000000003BC000-memory.dmp
Filesize: 1008KB
-
memory/4832-1-0x00007FF9D5CB0000-0x00007FF9D6771000-memory.dmp
Filesize: 10.8MB
-
memory/4832-2-0x000000001B390000-0x000000001B3A0000-memory.dmp
Filesize: 64KB
-
memory/4832-5-0x00007FF9D5CB0000-0x00007FF9D6771000-memory.dmp
Filesize: 10.8MB
-
memory/4832-6-0x000000001B390000-0x000000001B3A0000-memory.dmp
Filesize: 64KB