Resubmissions
09-05-2024 20:23  240509-y58y4afh39  1
03-05-2024 11:30  240503-nl9feafd78  10
03-05-2024 11:28  240503-nlhbxsfd55  4
03-05-2024 11:25  240503-nh81gadc71  10
Analysis
max time kernel: 157s
max time network: 141s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
submitted: 03-05-2024 11:25
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware
Resource
win10-20240404-en
General
Target: https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware
Malware Config
Extracted
C:\Users\Admin\Downloads\!Please Read Me!.txt
wannacry
15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Signatures

Wannacry
WannaCry is a ransomware cryptoworm.

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Downloads MZ/PE file

Drops startup file (2 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDC7D.tmp | WannaCry.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDCA3.tmp | WannaCry.exe

Executes dropped EXE (5 IoCs)
pid | Process
2276 | WannaCry.exe
3820 | !WannaDecryptor!.exe
4160 | !WannaDecryptor!.exe
2992 | !WannaDecryptor!.exe
3980 | !WannaDecryptor!.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r" | WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
flow | ioc
44 | raw.githubusercontent.com
45 | raw.githubusercontent.com

Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" | !WannaDecryptor!.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe

Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
4116 | vssadmin.exe

Kills process with taskkill (4 IoCs)
pid | Process
2696 | taskkill.exe
4764 | taskkill.exe
4960 | taskkill.exe
2424 | taskkill.exe

Modifies data under HKEY_USERS (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133592091284724589" | chrome.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
2768 | chrome.exe
2768 | chrome.exe
1892 | chrome.exe
1892 | chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
pid | Process
2768 | chrome.exe
2768 | chrome.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 2768 | chrome.exe
Token: SeCreatePagefilePrivilege | 2768 | chrome.exe
(64 entries in total, alternating between the two tokens above; duplicate rows collapsed)

Suspicious use of FindShellTrayWindow (34 IoCs)
pid | Process
2768 | chrome.exe
(34 identical entries; duplicate rows collapsed)

Suspicious use of SendNotifyMessage (24 IoCs)
pid | Process
2768 | chrome.exe
(24 identical entries; duplicate rows collapsed)

Suspicious use of SetWindowsHookEx (8 IoCs)
pid | Process
3820 | !WannaDecryptor!.exe
3820 | !WannaDecryptor!.exe
4160 | !WannaDecryptor!.exe
4160 | !WannaDecryptor!.exe
2992 | !WannaDecryptor!.exe
2992 | !WannaDecryptor!.exe
3980 | !WannaDecryptor!.exe
3980 | !WannaDecryptor!.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2768 wrote to memory of 4672 | 2768 | chrome.exe | 73
PID 2768 wrote to memory of 3556 | 2768 | chrome.exe | 75
PID 2768 wrote to memory of 5016 | 2768 | chrome.exe | 76
PID 2768 wrote to memory of 396 | 2768 | chrome.exe | 77
(64 entries in total; duplicate rows collapsed)

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2768)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4672)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd14b79758,0x7ffd14b79768,0x7ffd14b79778

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3556)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1908,i,8308716544705014878,4985156727688615127,131072 /prefetch:2

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5016)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1768 --field-trial-handle=1908,i,8308716544705014878,4985156727688615127,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 396)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1584 --field-trial-handle=1908,i,8308716544705014878,4985156727688615127,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2460)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2868 --field-trial-handle=1908,i,8308716544705014878,4985156727688615127,131072 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2752)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2876 --field-trial-handle=1908,i,8308716544705014878,4985156727688615127,131072 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4304)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 --field-trial-handle=1908,i,8308716544705014878,4985156727688615127,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5080)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 --field-trial-handle=1908,i,8308716544705014878,4985156727688615127,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4580)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2448 --field-trial-handle=1908,i,8308716544705014878,4985156727688615127,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4588)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2044 --field-trial-handle=1908,i,8308716544705014878,4985156727688615127,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 992)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 --field-trial-handle=1908,i,8308716544705014878,4985156727688615127,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1500)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 --field-trial-handle=1908,i,8308716544705014878,4985156727688615127,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2176)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5260 --field-trial-handle=1908,i,8308716544705014878,4985156727688615127,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4456)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2492 --field-trial-handle=1908,i,8308716544705014878,4985156727688615127,131072 /prefetch:8

  C:\Users\Admin\Downloads\WannaCry.exe (PID 2276)
  Command line: "C:\Users\Admin\Downloads\WannaCry.exe"
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application

    C:\Windows\SysWOW64\cmd.exe (PID 3004)
    Command line: C:\Windows\system32\cmd.exe /c 291351714735624.bat

      C:\Windows\SysWOW64\cscript.exe (PID 3648)
      Command line: cscript //nologo c.vbs

    C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 3820)
    Command line: !WannaDecryptor!.exe f
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\taskkill.exe (PID 4960)
    Command line: taskkill /f /im MSExchange*
    - Kills process with taskkill

    C:\Windows\SysWOW64\taskkill.exe (PID 4764)
    Command line: taskkill /f /im Microsoft.Exchange.*
    - Kills process with taskkill

    C:\Windows\SysWOW64\taskkill.exe (PID 2696)
    Command line: taskkill /f /im sqlserver.exe
    - Kills process with taskkill

    C:\Windows\SysWOW64\taskkill.exe (PID 2424)
    Command line: taskkill /f /im sqlwriter.exe
    - Kills process with taskkill

    C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 4160)
    Command line: !WannaDecryptor!.exe c
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\cmd.exe (PID 4212)
    Command line: cmd.exe /c start /b !WannaDecryptor!.exe v

      C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 2992)
      Command line: !WannaDecryptor!.exe v
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\cmd.exe (PID 4496)
        Command line: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

          C:\Windows\SysWOW64\vssadmin.exe (PID 4116)
          Command line: vssadmin delete shadows /all /quiet
          - Interacts with shadow copies

          C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 620)
          Command line: wmic shadowcopy delete

    C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 3980)
    Command line: !WannaDecryptor!.exe
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - Suspicious use of SetWindowsHookEx

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1136)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 --field-trial-handle=1908,i,8308716544705014878,4985156727688615127,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1892)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5380 --field-trial-handle=1908,i,8308716544705014878,4985156727688615127,131072 /prefetch:2
  - Suspicious behavior: EnumeratesProcesses

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 1876)
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\system32\vssvc.exe (PID 4304)
Command line: C:\Windows\system32\vssvc.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: cf533aa5db02b8c1c7fffbf954f33354
SHA1: 44ea5f7d2704382034c231a983681d1ec344c4f9
SHA256: c6ba1ee51bb43ef0c8bafa946dd0ce94a51ca21fbccb13db790f663f25a3d2c6
SHA512: 0f59929bb82855186d9d0806977e6f62ad05c3dfd5e7f412a7a2481a38e766beac42c9a2a3804e4f7a3bac4dd1c9cdbda43579b9649719ed8bd89b9fd48abead

Filesize: 1KB
MD5: 4515e1df88236fd9126f1ba9ed8b80e9
SHA1: dfb4e1fd8e3771400d80d214e8cc596d9eb94113
SHA256: 61bdba699e57eacd7a1e1bbc2b234ed90783c16cdfb0e1fc44108168d5aa4c75
SHA512: 17af6e4ef83e9eb20a431abe293bbbd6ea9c0f267785c60dbf654ed5a099e8ddb95187515f5df7d0384f80a5591e62fccf158216e25c039cd8072eacea668bb3

Filesize: 1018B
MD5: 29b5bae3fe3ec02972812bf044f3b8e6
SHA1: ddc9016db62d6cbab646702d0a0621d3cc60b5af
SHA256: 48ae40e36190fafda7b193763b8bcb896eb42a378ec37d233582d42cd76c3e87
SHA512: 193cd2366dfbccb32d1d53d123a374e3cb8955d2964ddcac8c04cb7560dc667d6d792f109c96636fbd412f94d89af343525e340eac0db3a18a131f43756db2fc

Filesize: 1KB
MD5: 89873835cdf1c9da8957800e05326f2a
SHA1: 145a1ac0e7e1189c76093455e5f7ca15dacfa0c3
SHA256: 6e37c2c8bfebed3485a77b0aec8614c1fe2905427f7a861b6bf1d99fe70e0057
SHA512: 5b1c95f559189681011b1aea6ff292253a6f56fa48102d641b0aadf135562d2a1e824f5b3403d0e1183088425b2a640270b1f03bdbdc65d0d2c6da63c36afa4a

Filesize: 1KB
MD5: 78857dda2caac07a2c7102e16facfba7
SHA1: 848cd43eff2f7cfadcbfb2ef710b10b2524b212a
SHA256: f0cda277dba14aa1d6dc73a3e38eb8b7b7bd7a80eb2bcef8b96393b3f7a10e90
SHA512: fc9b1dc860ac25047dbe798eee00175b3c7f0bb4459ad270d2de86fcb0dcf3e0d423f4564979809e161d1bd1a9d67ed572b2e5a7bdd57068b111e75558dd933a

Filesize: 1KB
MD5: 52c9d654ba780b90192923e39b3030ec
SHA1: 0ecd9fa5ace6f23e1d041443191d0d6ba71796d0
SHA256: 4b519b75894aeae4a843d2c6d4ae0c1bcece94b9a3f6edf6327cc7e5fa60091c
SHA512: 8514bba854790de098c37267a2959a0d0e3b81ff8cc78fd9f3fe0268612cde61509e5849073239b108b6f822610ab93ec3014a64ed80695bc466fb16b053062f

Filesize: 6KB
MD5: b85443bf26d2053c52e6e74cfcba3c77
SHA1: 471158fcae943f0ad0c6389bdbd19314bea5d1a1
SHA256: 53ba31bd59c64f369b23fd1d62acaf4d4651b4fdcb8b92a3a9a7049f20641c93
SHA512: 45c63c770935a7d034d880c9eff7211b5dd3a3c9097ec42c6c918b23631ab5b50ca2b538366af5358c7459b030b2a9faece02bb635506054b5e4c7dc5248d433

Filesize: 6KB
MD5: 59c9459123e96a9192c27daab96f0c76
SHA1: aafae1310b56efeb9165392517849047cb629702
SHA256: 14c13f7c63b6aa5075ddb2ec6160ce8bcc512fc2cb6ed55d79b14bdf8f4a852d
SHA512: 9118db4571ddce30e2e1a8b47bfa166e7f30ce69adc72714cb49c1c6e6c875dd786c031092e6be7b774eaed8b084824ce61c6053ac0a2966f52be29cf716a837

Filesize: 6KB
MD5: ce423de9b0b7431be1822c045d835b0d
SHA1: 57b7573ccaf7167119df024c0d5d9d509ea9926b
SHA256: 8f7fdba7f65c33029ef3b62c78a859830548bfc425b2836268c72c87e060d7b4
SHA512: d3e63f15fa4b6c6d4f856517ad82f058dc6e97c0c8db6ec3f503a9292164b1a0d67a70dacb25c76309bd30bcdf0f64c0225bf2892d34b6ee2320be20a80c8e6c

Filesize: 6KB
MD5: b805d15d0aab888e124e37383087b7d9
SHA1: 589c136f0cc2a6bbd9f89697a0634268b0024941
SHA256: fe3320a023a2dd728fd583bc0d4affed28d6017a7a3228e887fcfb1be182ac0f
SHA512: f93cc69b5002b3c02cd9f77804f9943ea30dfff7cdf1affa9b4b4c9ff03bbc311a48eaafa4e883e861072a580c076ae43e491b4530386748b9fb167108ecdee7

Filesize: 136KB
MD5: 285e01c6180bd624b62d2542821ef2bb
SHA1: e149ae99b16dc77da2f16234daef1c91484d13fd
SHA256: 7e5106cd49f62d2254f22900a9a1e18516b95b0bd3a41d1ab506143c4bfa522b
SHA512: 97b769c8abc8f75072e398ddbbbeceff4e62c9964af5727f0ff78ce9d7e322c862fce7fead5b37584e8ad551288750338cb821867f571c7d19d6d4408b0b33c0

Filesize: 111KB
MD5: 3d326ea2c380f62c3184fbf6be6b1589
SHA1: 6e0fc4db0989a5a76ad42b2e9218401c374e4b40
SHA256: e0007441cd3089f5bf8c52996288b72d7ad8dae6c013eed87280eb07898e6bcb
SHA512: 90124a1f6f2147c76e49b4eb730136b75d99bb3fd0c32152e2f17059fa4ebe238a926d6f752faf55597b073ddb8b74347d498b3fa5ee25e02a83ea9b7195de43

Filesize: 98KB
MD5: 332ebb072d944e54994cd776a769513e
SHA1: 7ae29ea3b2f6bc3bb73379537170b124e9a2fb48
SHA256: 477e81403266674a9db7375550ace08e5e764e64e3e25e194fef75a965be387e
SHA512: 348a596e486cd6c014175fbe7f5957808c7c2b631c1484aa7ab2579b81dfaf6dbbfc3a73d42393899cdfce7dfb70c1a791af98c21b21d9620ed93ba9c167da26

Filesize: 2B
MD5: 99914b932bd37a50b983c5e7c90ae93b
SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Filesize: 797B
MD5: afa18cf4aa2660392111763fb93a8c3d
SHA1: c219a3654a5f41ce535a09f2a188a464c3f5baf5
SHA256: 227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0
SHA512: 4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Filesize: 590B
MD5: c08093e9cf33368f3f849c9268f3967a
SHA1: b73aa85a65fb04c6eb46dbcbfa7cd182b8ab7096
SHA256: 9f30c343f083ac32be7644b2893194922af318934d044ab3e0ca7c1ea3d00dda
SHA512: daef53484bdd3fe576aafd3f3532135df2621c04e01d78efa88830085f1db03343c071af488549bed2cfa8e4c7f97a3ce14464c2e86dc8b8bf14cbdd4ee30180

Filesize: 136B
MD5: b827bb3e4d924f4c92b05a68f531aa67
SHA1: 6ab54faaa4f31d28b159282997e88a54d7e5375a
SHA256: 649a6b7bc8b04d74958e48b3881f9b485ca5db89caa1e10fbd7cfc1e843f113e
SHA512: 5b8dccfd75a793503a73e20042dbde8a7d7594980b3ec37f3ab8838e81246d72334b5f998c996a8e94553596e4f37c77aa9cda4af8d1e5f3c721bbdfecd2a9ab

Filesize: 136B
MD5: 3404927f8f24d9e5a54b9f66ed0c9df7
SHA1: 691b54b97088d47117142d1d874918e3ad578c83
SHA256: 84af7e1e1d383e35e546a6e7b10d21e0e4637a0632b98b7b98bf0b8fad04d3b3
SHA512: 65ca8bdfca3218a5906be8957e374b21012e08a66288df2ba1cb024fb09d0dc7fa43e65a6f51d87c149163f0567837b61e4e0b3b18277d49473f950d38ca40de

Filesize: 136B
MD5: 944af0f61eb29e300f04ef2715b356c3
SHA1: 347b9b79a08e3c9e1b79459c82e21dbbf366866f
SHA256: 6663e3b733368e7c4da03e4fe4c2bd43b7bc6f0528c06b469097346c285f6c56
SHA512: cdf8e847b49d30392e6825066b978d73965636f4e28add6cc2690291cd20059bd357de510f5d935c2163891061feb85f69cbbe2b7b0a751dd99751181080ec57

Filesize: 318B
MD5: a261428b490a45438c0d55781a9c6e75
SHA1: e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e
SHA256: 4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44
SHA512: 304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Filesize: 224KB
MD5: 5c7fb0927db37372da25f270708103a2
SHA1: 120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA256: be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SHA512: a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Filesize: 201B
MD5: 02b937ceef5da308c5689fcdb3fb12e9
SHA1: fa5490ea513c1b0ee01038c18cb641a51f459507
SHA256: 5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1
SHA512: 843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Filesize: 628B
MD5: cf1d892d3b95aa0c6f3e6774ed8bd81a
SHA1: 607c543046d730d225a090c52458603dab4dea65
SHA256: 391d273ce0b43cbf18dfe700af2ea79a6b9541e6c8e699da872557ef4e9bb0db
SHA512: 4a97e384ac231acf5d917cf3c1161064aacce617ce4bd0ac34ce8267ad0360181c96e2dcf8cb2ba6aafd049fe9f7477547e74b7f02f8835d6446346af3213a8b

Filesize: 628B
MD5: 663e55df21852bc8870b86bc38e58262
SHA1: 1c691bf030ecfce78a9476fbdef3afe61724e6a9
SHA256: bf22e8e18db1638673f47591a13d18ee58d8c6019314bab5a90be82ae3dc9538
SHA512: 6a54be1fa549633a2fd888c559207437b8f6efda98bb18d491c8749f39e9754f1e680fa8e2d623777b5f665b2c04d19385c75ce4e61fb251db16018963a9a6f9

Filesize: 42KB
MD5: 980b08bac152aff3f9b0136b616affa5
SHA1: 2a9c9601ea038f790cc29379c79407356a3d25a3
SHA256: 402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9
SHA512: 100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Filesize: 236KB
MD5: cf1416074cd7791ab80a18f9e7e219d9
SHA1: 276d2ec82c518d887a8a3608e51c56fa28716ded
SHA256: 78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA512: 0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5