wannacry | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware

Resubmissions

09-05-2024 20:23

240509-y58y4afh39 1

03-05-2024 11:30

240503-nl9feafd78 10

03-05-2024 11:28

240503-nlhbxsfd55 4

03-05-2024 11:25

240503-nh81gadc71 10

Analysis

max time kernel
157s
max time network
141s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
03-05-2024 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware

Score

10^/10

wannacry defense_evasion execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

Processes:

WannaCry.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDC7D.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDCA3.tmp	WannaCry.exe

Executes dropped EXE 5 IoCs

Processes:

WannaCry.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid process

2276 WannaCry.exe
3820 !WannaDecryptor!.exe
4160 !WannaDecryptor!.exe
2992 !WannaDecryptor!.exe
3980 !WannaDecryptor!.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2276	WannaCry.exe
3820	!WannaDecryptor!.exe
4160	!WannaDecryptor!.exe
2992	!WannaDecryptor!.exe
3980	!WannaDecryptor!.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WannaCry.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

44 raw.githubusercontent.com
45 raw.githubusercontent.com

flow	ioc
44	raw.githubusercontent.com
45	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

!WannaDecryptor!.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4116 vssadmin.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2696 taskkill.exe
4764 taskkill.exe
4960 taskkill.exe
2424 taskkill.exe

pid	process
4116	vssadmin.exe

pid	process
2696	taskkill.exe
4764	taskkill.exe
4960	taskkill.exe
2424	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133592091284724589"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

2768 chrome.exe
2768 chrome.exe
1892 chrome.exe
1892 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

2768 chrome.exe
2768 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid	process
3820	!WannaDecryptor!.exe
3820	!WannaDecryptor!.exe
4160	!WannaDecryptor!.exe
4160	!WannaDecryptor!.exe
2992	!WannaDecryptor!.exe
2992	!WannaDecryptor!.exe
3980	!WannaDecryptor!.exe
3980	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2768 wrote to memory of 4672	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 4672	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3556	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 5016	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 5016	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 396	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 396	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 396	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 396	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 396	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 396	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 396	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 396	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 396	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 396	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 396	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 396	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 396	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 396	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 396	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 396	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 396	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 396	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 396	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 396	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 396	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 396	2768	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd14b79758,0x7ffd14b79768,0x7ffd14b79778
2⤵
PID:4672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1908,i,8308716544705014878,4985156727688615127,131072 /prefetch:2
2⤵
PID:3556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1768 --field-trial-handle=1908,i,8308716544705014878,4985156727688615127,131072 /prefetch:8
2⤵
PID:5016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1584 --field-trial-handle=1908,i,8308716544705014878,4985156727688615127,131072 /prefetch:8
2⤵
PID:396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2868 --field-trial-handle=1908,i,8308716544705014878,4985156727688615127,131072 /prefetch:1
2⤵
PID:2460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2876 --field-trial-handle=1908,i,8308716544705014878,4985156727688615127,131072 /prefetch:1
2⤵
PID:2752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 --field-trial-handle=1908,i,8308716544705014878,4985156727688615127,131072 /prefetch:8
2⤵
PID:4304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 --field-trial-handle=1908,i,8308716544705014878,4985156727688615127,131072 /prefetch:8
2⤵
PID:5080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2448 --field-trial-handle=1908,i,8308716544705014878,4985156727688615127,131072 /prefetch:8
2⤵
PID:4580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2044 --field-trial-handle=1908,i,8308716544705014878,4985156727688615127,131072 /prefetch:8
2⤵
PID:4588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 --field-trial-handle=1908,i,8308716544705014878,4985156727688615127,131072 /prefetch:8
2⤵
PID:992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 --field-trial-handle=1908,i,8308716544705014878,4985156727688615127,131072 /prefetch:8
2⤵
PID:1500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5260 --field-trial-handle=1908,i,8308716544705014878,4985156727688615127,131072 /prefetch:8
2⤵
PID:2176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2492 --field-trial-handle=1908,i,8308716544705014878,4985156727688615127,131072 /prefetch:8
2⤵
PID:4456

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
PID:2276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 291351714735624.bat
3⤵
PID:3004

C:\Windows\SysWOW64\cscript.exe
cscript //nologo c.vbs
4⤵
PID:3648

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe f
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3820

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MSExchange*
3⤵
- Kills process with taskkill
PID:4960

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Microsoft.Exchange.*
3⤵
- Kills process with taskkill
PID:4764

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlserver.exe
3⤵
- Kills process with taskkill
PID:2696

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlwriter.exe
3⤵
- Kills process with taskkill
PID:2424

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe c
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4160

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe v
3⤵
PID:4212

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe v
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2992

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
5⤵
PID:4496

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
6⤵
- Interacts with shadow copies
PID:4116

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
6⤵
PID:620

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe
3⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:3980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 --field-trial-handle=1908,i,8308716544705014878,4985156727688615127,131072 /prefetch:8
2⤵
PID:1136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5380 --field-trial-handle=1908,i,8308716544705014878,4985156727688615127,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1892

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1876

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
cf533aa5db02b8c1c7fffbf954f33354

SHA1
44ea5f7d2704382034c231a983681d1ec344c4f9

SHA256
c6ba1ee51bb43ef0c8bafa946dd0ce94a51ca21fbccb13db790f663f25a3d2c6

SHA512
0f59929bb82855186d9d0806977e6f62ad05c3dfd5e7f412a7a2481a38e766beac42c9a2a3804e4f7a3bac4dd1c9cdbda43579b9649719ed8bd89b9fd48abead

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
4515e1df88236fd9126f1ba9ed8b80e9

SHA1
dfb4e1fd8e3771400d80d214e8cc596d9eb94113

SHA256
61bdba699e57eacd7a1e1bbc2b234ed90783c16cdfb0e1fc44108168d5aa4c75

SHA512
17af6e4ef83e9eb20a431abe293bbbd6ea9c0f267785c60dbf654ed5a099e8ddb95187515f5df7d0384f80a5591e62fccf158216e25c039cd8072eacea668bb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1018B

MD5
29b5bae3fe3ec02972812bf044f3b8e6

SHA1
ddc9016db62d6cbab646702d0a0621d3cc60b5af

SHA256
48ae40e36190fafda7b193763b8bcb896eb42a378ec37d233582d42cd76c3e87

SHA512
193cd2366dfbccb32d1d53d123a374e3cb8955d2964ddcac8c04cb7560dc667d6d792f109c96636fbd412f94d89af343525e340eac0db3a18a131f43756db2fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
89873835cdf1c9da8957800e05326f2a

SHA1
145a1ac0e7e1189c76093455e5f7ca15dacfa0c3

SHA256
6e37c2c8bfebed3485a77b0aec8614c1fe2905427f7a861b6bf1d99fe70e0057

SHA512
5b1c95f559189681011b1aea6ff292253a6f56fa48102d641b0aadf135562d2a1e824f5b3403d0e1183088425b2a640270b1f03bdbdc65d0d2c6da63c36afa4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
78857dda2caac07a2c7102e16facfba7

SHA1
848cd43eff2f7cfadcbfb2ef710b10b2524b212a

SHA256
f0cda277dba14aa1d6dc73a3e38eb8b7b7bd7a80eb2bcef8b96393b3f7a10e90

SHA512
fc9b1dc860ac25047dbe798eee00175b3c7f0bb4459ad270d2de86fcb0dcf3e0d423f4564979809e161d1bd1a9d67ed572b2e5a7bdd57068b111e75558dd933a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
52c9d654ba780b90192923e39b3030ec

SHA1
0ecd9fa5ace6f23e1d041443191d0d6ba71796d0

SHA256
4b519b75894aeae4a843d2c6d4ae0c1bcece94b9a3f6edf6327cc7e5fa60091c

SHA512
8514bba854790de098c37267a2959a0d0e3b81ff8cc78fd9f3fe0268612cde61509e5849073239b108b6f822610ab93ec3014a64ed80695bc466fb16b053062f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
b85443bf26d2053c52e6e74cfcba3c77

SHA1
471158fcae943f0ad0c6389bdbd19314bea5d1a1

SHA256
53ba31bd59c64f369b23fd1d62acaf4d4651b4fdcb8b92a3a9a7049f20641c93

SHA512
45c63c770935a7d034d880c9eff7211b5dd3a3c9097ec42c6c918b23631ab5b50ca2b538366af5358c7459b030b2a9faece02bb635506054b5e4c7dc5248d433

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
59c9459123e96a9192c27daab96f0c76

SHA1
aafae1310b56efeb9165392517849047cb629702

SHA256
14c13f7c63b6aa5075ddb2ec6160ce8bcc512fc2cb6ed55d79b14bdf8f4a852d

SHA512
9118db4571ddce30e2e1a8b47bfa166e7f30ce69adc72714cb49c1c6e6c875dd786c031092e6be7b774eaed8b084824ce61c6053ac0a2966f52be29cf716a837

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
ce423de9b0b7431be1822c045d835b0d

SHA1
57b7573ccaf7167119df024c0d5d9d509ea9926b

SHA256
8f7fdba7f65c33029ef3b62c78a859830548bfc425b2836268c72c87e060d7b4

SHA512
d3e63f15fa4b6c6d4f856517ad82f058dc6e97c0c8db6ec3f503a9292164b1a0d67a70dacb25c76309bd30bcdf0f64c0225bf2892d34b6ee2320be20a80c8e6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
b805d15d0aab888e124e37383087b7d9

SHA1
589c136f0cc2a6bbd9f89697a0634268b0024941

SHA256
fe3320a023a2dd728fd583bc0d4affed28d6017a7a3228e887fcfb1be182ac0f

SHA512
f93cc69b5002b3c02cd9f77804f9943ea30dfff7cdf1affa9b4b4c9ff03bbc311a48eaafa4e883e861072a580c076ae43e491b4530386748b9fb167108ecdee7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
136KB

MD5
285e01c6180bd624b62d2542821ef2bb

SHA1
e149ae99b16dc77da2f16234daef1c91484d13fd

SHA256
7e5106cd49f62d2254f22900a9a1e18516b95b0bd3a41d1ab506143c4bfa522b

SHA512
97b769c8abc8f75072e398ddbbbeceff4e62c9964af5727f0ff78ce9d7e322c862fce7fead5b37584e8ad551288750338cb821867f571c7d19d6d4408b0b33c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
111KB

MD5
3d326ea2c380f62c3184fbf6be6b1589

SHA1
6e0fc4db0989a5a76ad42b2e9218401c374e4b40

SHA256
e0007441cd3089f5bf8c52996288b72d7ad8dae6c013eed87280eb07898e6bcb

SHA512
90124a1f6f2147c76e49b4eb730136b75d99bb3fd0c32152e2f17059fa4ebe238a926d6f752faf55597b073ddb8b74347d498b3fa5ee25e02a83ea9b7195de43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe592503.TMP
Filesize
98KB

MD5
332ebb072d944e54994cd776a769513e

SHA1
7ae29ea3b2f6bc3bb73379537170b124e9a2fb48

SHA256
477e81403266674a9db7375550ace08e5e764e64e3e25e194fef75a965be387e

SHA512
348a596e486cd6c014175fbe7f5957808c7c2b631c1484aa7ab2579b81dfaf6dbbfc3a73d42393899cdfce7dfb70c1a791af98c21b21d9620ed93ba9c167da26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt
Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk
Filesize
590B

MD5
c08093e9cf33368f3f849c9268f3967a

SHA1
b73aa85a65fb04c6eb46dbcbfa7cd182b8ab7096

SHA256
9f30c343f083ac32be7644b2893194922af318934d044ab3e0ca7c1ea3d00dda

SHA512
daef53484bdd3fe576aafd3f3532135df2621c04e01d78efa88830085f1db03343c071af488549bed2cfa8e4c7f97a3ce14464c2e86dc8b8bf14cbdd4ee30180

Download Submit
C:\Users\Admin\Downloads\00000000.res
Filesize
136B

MD5
b827bb3e4d924f4c92b05a68f531aa67

SHA1
6ab54faaa4f31d28b159282997e88a54d7e5375a

SHA256
649a6b7bc8b04d74958e48b3881f9b485ca5db89caa1e10fbd7cfc1e843f113e

SHA512
5b8dccfd75a793503a73e20042dbde8a7d7594980b3ec37f3ab8838e81246d72334b5f998c996a8e94553596e4f37c77aa9cda4af8d1e5f3c721bbdfecd2a9ab

Download Submit
C:\Users\Admin\Downloads\00000000.res
Filesize
136B

MD5
3404927f8f24d9e5a54b9f66ed0c9df7

SHA1
691b54b97088d47117142d1d874918e3ad578c83

SHA256
84af7e1e1d383e35e546a6e7b10d21e0e4637a0632b98b7b98bf0b8fad04d3b3

SHA512
65ca8bdfca3218a5906be8957e374b21012e08a66288df2ba1cb024fb09d0dc7fa43e65a6f51d87c149163f0567837b61e4e0b3b18277d49473f950d38ca40de

Download Submit
C:\Users\Admin\Downloads\00000000.res
Filesize
136B

MD5
944af0f61eb29e300f04ef2715b356c3

SHA1
347b9b79a08e3c9e1b79459c82e21dbbf366866f

SHA256
6663e3b733368e7c4da03e4fe4c2bd43b7bc6f0528c06b469097346c285f6c56

SHA512
cdf8e847b49d30392e6825066b978d73965636f4e28add6cc2690291cd20059bd357de510f5d935c2163891061feb85f69cbbe2b7b0a751dd99751181080ec57

Download Submit
C:\Users\Admin\Downloads\291351714735624.bat
Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe
Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\c.vbs
Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry
Filesize
628B

MD5
cf1d892d3b95aa0c6f3e6774ed8bd81a

SHA1
607c543046d730d225a090c52458603dab4dea65

SHA256
391d273ce0b43cbf18dfe700af2ea79a6b9541e6c8e699da872557ef4e9bb0db

SHA512
4a97e384ac231acf5d917cf3c1161064aacce617ce4bd0ac34ce8267ad0360181c96e2dcf8cb2ba6aafd049fe9f7477547e74b7f02f8835d6446346af3213a8b

Download Submit
C:\Users\Admin\Downloads\c.wry
Filesize
628B

MD5
663e55df21852bc8870b86bc38e58262

SHA1
1c691bf030ecfce78a9476fbdef3afe61724e6a9

SHA256
bf22e8e18db1638673f47591a13d18ee58d8c6019314bab5a90be82ae3dc9538

SHA512
6a54be1fa549633a2fd888c559207437b8f6efda98bb18d491c8749f39e9754f1e680fa8e2d623777b5f665b2c04d19385c75ce4e61fb251db16018963a9a6f9

Download Submit
C:\Users\Admin\Downloads\m.wry
Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\u.wry
Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
\??\pipe\crashpad_2768_HYJYWLPMWWGCBRHU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2276-259-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download