Malware Analysis Report

2024-10-19 07:29

Sample ID 240520-qtte9scd22
Target Ransomware.WannaCrypt0r.v1.exe
SHA256 be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
Tags
wannacry defense_evasion execution impact persistence ransomware spyware stealer worm
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

Threat Level: Known bad

The file Ransomware.WannaCrypt0r.v1.exe was found to be: Known bad.

Malicious Activity Summary

wannacry defense_evasion execution impact persistence ransomware spyware stealer worm

Wannacry

Deletes shadow copies

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Drops startup file

Adds Run key to start application

Sets desktop wallpaper using registry

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Kills process with taskkill

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-20 13:33

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-20 13:33
Reported: 2024-05-20 13:34
Platform: win7-20240508-en
Max time kernel: 67s
Max time network: 23s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe"

Signatures

Wannacry

ransomware worm wannacry

Deletes shadow copies

ransomware defense_evasion impact execution

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD29EF.tmp | C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Caveat: in this detonation the signature fires because the encryptor walks the Chrome profile directory, not because credentials are harvested. The Files list below shows files under C:\Users\Admin\AppData\Local\Google\Chrome\User Data\... being rewritten with the .WCRY extension, which is encryption traversal. The "spyware" and "stealer" tags on this report are inherited from this signature and should be read with that in mind.

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware.WannaCrypt0r.v1.exe\" /r" | C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A (four instances; their command lines, targeting MSExchange*, Microsoft.Exchange.*, sqlserver.exe and sqlwriter.exe, are in the Processes list below)

These are the Exchange and SQL Server processes that keep database files open; killing them lets the encryptor open those files for writing.

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A (one entry per taskkill.exe instance, four in total)
Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A (the whole set is logged twice)

Reading this table: 33, 34 and 35 are privilege LUIDs the sandbox did not resolve to names. taskkill.exe enables SeDebugPrivilege so that /f can open and terminate processes it would otherwise lack access to. vssvc.exe is the Volume Shadow Copy service that serves the vssadmin and wmic requests. WMIC.exe enables every privilege in its token when it starts, regardless of the query, so the WMIC block is a property of the tool; the signal is the parent chain (!WannaDecryptor!.exe -> cmd.exe -> WMIC.exe running shadowcopy delete), not the token adjustment itself.

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2408 wrote to memory of 1304 (x4) | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe | C:\Windows\SysWOW64\cmd.exe
PID 1304 wrote to memory of 2640 (x4) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cscript.exe
PID 2408 wrote to memory of 2540 (x4) | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2408 wrote to memory of 1600 (x4) | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2408 wrote to memory of 1556 (x4) | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2408 wrote to memory of 1648 (x4) | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2408 wrote to memory of 668 (x4) | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2408 wrote to memory of 1128 (x4) | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2408 wrote to memory of 876 (x4) | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe | C:\Windows\SysWOW64\cmd.exe
PID 876 wrote to memory of 668 (x4) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2408 wrote to memory of 1504 (x4) | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 668 wrote to memory of 1804 (x4) | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | C:\Windows\SysWOW64\cmd.exe
PID 1804 wrote to memory of 2372 (x4) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe
PID 1804 wrote to memory of 2364 (x4) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\Wbem\WMIC.exe

The sandbox logs one row per WriteProcessMemory call; the original table repeats each pair four times, shown here as (x4). Every pair is a parent writing into a child it has just spawned (compare the Processes list below), so this table is the run's process tree rather than evidence of injection into an unrelated process. Note that PID 668 is reused: it first belongs to a taskkill.exe child of 2408 and later, after that taskkill has exited, to a !WannaDecryptor!.exe child of cmd.exe 876. That second instance is the one that launches the recovery-destruction chain (668 -> cmd.exe 1804 -> vssadmin.exe 2372 and WMIC.exe 2364).
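The table above is easier to use as a tree than as a flat list, and the PID reuse on 668 shows why a naive parent map keyed on PID alone gets the chain wrong. The block below is an added example, not part of the sandbox report: it parses rows in the table's "PID X wrote to memory of Y N/A <parent image> <child image>" format, de-duplicates the repeated writes, keys process instances on (PID, image) so a reused PID becomes a fresh node, and prints the tree. The rows are constructed from the PIDs and image paths in the table above (with only the first pair repeated, to keep the listing short); the row format and the splitting rule are assumptions about this report's layout, not sandbox code.

```python
"""Rebuild the process tree from a sandbox "wrote to memory of" table.

Added example; not part of the sandbox report. Each row pairs a parent that
called WriteProcessMemory with the child it had just created, and the sandbox
emits one row per write, so the same pair repeats. Rows are constructed below
from the PIDs and images listed in the report; the format is an assumption.
"""
import re

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+)$")
# Process and Target are two absolute Windows paths separated by one space;
# split on the space that precedes a drive letter so paths with spaces survive.
PATH_SPLIT = re.compile(r" (?=[A-Za-z]:\\)")


class Proc:
    def __init__(self, pid, image):
        self.pid, self.image, self.parent, self.children = pid, image, None, []

    @property
    def name(self):
        return self.image.rsplit("\\", 1)[-1]


def parse_row(row):
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError("not a WriteProcessMemory row: %r" % row)
    paths = PATH_SPLIT.split(m.group(3))
    if len(paths) != 2:
        raise ValueError("expected two image paths: %r" % row)
    return int(m.group(1)), int(m.group(2)), paths[0], paths[1]


def build_tree(rows):
    """Return root processes. Instances are keyed on (pid, image), not pid:
    PID 668 is first a taskkill.exe child of 2408 and later, after that
    taskkill exited, a fresh !WannaDecryptor!.exe child of cmd.exe 876."""
    nodes, live, seen = [], {}, set()
    for row in rows:
        ppid, cpid, pimage, cimage = parse_row(row)
        if (ppid, cpid, pimage, cimage) in seen:
            continue  # repeated write to the same child instance
        seen.add((ppid, cpid, pimage, cimage))
        parent = live.get(ppid)
        if parent is None or parent.image != pimage:
            parent = Proc(ppid, pimage)  # first sighting, or a reused PID
            nodes.append(parent)
            live[ppid] = parent
        child = live.get(cpid)
        if child is None or child.image != cimage or child.parent is not None:
            child = Proc(cpid, cimage)  # new instance, even if the PID is known
            nodes.append(child)
            live[cpid] = child
        child.parent = parent
        parent.children.append(child)
    return [n for n in nodes if n.parent is None]


def walk(roots):
    """Depth-first, parents before children, siblings in spawn order."""
    stack = list(reversed(roots))
    while stack:
        n = stack.pop()
        yield n
        stack.extend(reversed(n.children))


def lineage(node):
    """Root-first chain of ancestors ending at node."""
    chain = []
    while node is not None:
        chain.append(node)
        node = node.parent
    return chain[::-1]


def find(roots, pid, name=None):
    for n in walk(roots):
        if n.pid == pid and (name is None or n.name == name):
            return n
    return None


def render(roots):
    return "\n".join("  " * (len(lineage(n)) - 1) + "%s [%d]" % (n.name, n.pid)
                     for n in walk(roots))


# Constructed input: one row per distinct pair from the behavioral1 table,
# with the first pair repeated four times as the sandbox logged it.
T, S = r"C:\Users\Admin\AppData\Local\Temp", r"C:\Windows\SysWOW64"
WC, WD = T + r"\Ransomware.WannaCrypt0r.v1.exe", T + r"\!WannaDecryptor!.exe"
CMD, CSCRIPT, TASKKILL = S + r"\cmd.exe", S + r"\cscript.exe", S + r"\taskkill.exe"
VSSADMIN, WMIC = S + r"\vssadmin.exe", S + r"\Wbem\WMIC.exe"


def row(ppid, cpid, pimg, cimg):
    return f"PID {ppid} wrote to memory of {cpid} N/A {pimg} {cimg}"


REPORT_ROWS = [row(2408, 1304, WC, CMD)] * 4 + [
    row(1304, 2640, CMD, CSCRIPT), row(2408, 2540, WC, WD),
    row(2408, 1600, WC, TASKKILL), row(2408, 1556, WC, TASKKILL),
    row(2408, 1648, WC, TASKKILL), row(2408, 668, WC, TASKKILL),
    row(2408, 1128, WC, WD), row(2408, 876, WC, CMD),
    row(876, 668, CMD, WD), row(2408, 1504, WC, WD),
    row(668, 1804, WD, CMD), row(1804, 2372, CMD, VSSADMIN),
    row(1804, 2364, CMD, WMIC),
]

if __name__ == "__main__":
    print(render(build_tree(REPORT_ROWS)))
```

Run as a script it prints the indented tree; the vssadmin.exe and WMIC.exe leaves sit under cmd.exe 1804, whose parent is the second (!WannaDecryptor!.exe) instance of PID 668, not the taskkill.exe that held that PID earlier.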

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe

"C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c 56391716212026.bat

C:\Windows\SysWOW64\cscript.exe

cscript //nologo c.vbs

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe f

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im MSExchange*

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Microsoft.Exchange.*

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sqlserver.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sqlwriter.exe

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe c

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c start /b !WannaDecryptor!.exe v

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe v

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\SysWOW64\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"
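The process list above is the practical output of this report: a single cmd.exe line that deletes shadow copies two ways, disables boot recovery and deletes the backup catalog, four taskkill invocations aimed at Exchange and SQL Server, a Run key pointing into %TEMP%, and a wallpaper change by a process in %TEMP%. The block below is an added example, not part of the sandbox report or of any detection product: it turns those behaviours into detection logic over constructed Sysmon-style event records. The field names (type, Image, CommandLine, TargetObject, Details) and the severity thresholds are assumptions; the command lines and registry values in the sample events are the ones this report lists, plus constructed benign controls that must not fire.

```python
"""Detection logic for the behaviour recorded in this report: recovery
inhibition (shadow copy, boot recovery and backup catalog destruction),
killing database processes that hold file locks, a Run key that points into
the user's Temp folder, and a wallpaper change made from Temp.

Added example, not part of the sandbox report. Event dicts are constructed in
a Sysmon-like shape; the field names are an assumption, map them to your own
telemetry. Command lines and registry values are taken from this report.
"""
import re

# One pattern per command chained in the cmd.exe line the decryptor launches
# (ATT&CK T1490, Inhibit System Recovery).
RECOVERY_INHIBITION = [
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I), "vssadmin delete shadows"),
    (re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I), "wmic shadowcopy delete"),
    (re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I), "bcdedit recoveryenabled no"),
    (re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I), "bcdedit ignoreallfailures"),
    (re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I), "wbadmin delete catalog"),
]
# Exchange and SQL Server keep database files open; killing them frees the
# files for encryption. Group 2 captures the image-name argument to /im.
LOCK_HOLDER_KILL = re.compile(
    r"\btaskkill(\.exe)?\b.*?/im\s+(msexchange\S*|microsoft\.exchange\S*|sql\S*)", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)   # T1547.001
WALLPAPER = re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.I)


def scan_process_event(ev):
    """Findings for one process-creation event."""
    cmd = ev.get("CommandLine", "")
    findings = [f"recovery_inhibition:{label}" for rx, label in RECOVERY_INHIBITION if rx.search(cmd)]
    m = LOCK_HOLDER_KILL.search(cmd)
    if m:
        findings.append("kill_lock_holder:" + m.group(2).lower().rstrip("*"))
    return findings


def scan_registry_event(ev):
    """Findings for one registry value-set event."""
    target, details, image = ev.get("TargetObject", ""), ev.get("Details", ""), ev.get("Image", "")
    findings = []
    if RUN_KEY.search(target) and TEMP_DIR.search(details):
        findings.append("run_key_points_to_temp")
    if WALLPAPER.search(target) and TEMP_DIR.search(image):
        findings.append("wallpaper_set_from_temp")
    return findings


def triage(events):
    """Aggregate a host's findings and assign a severity. Two or more distinct
    recovery-inhibition commands, or findings in three behaviour classes, is
    treated as ransomware in progress; a lone finding is medium."""
    findings = []
    for ev in events:
        if ev.get("type") == "process":
            findings += scan_process_event(ev)
        elif ev.get("type") == "registry":
            findings += scan_registry_event(ev)
    recovery = {f for f in findings if f.startswith("recovery_inhibition:")}
    classes = {f.split(":", 1)[0] for f in findings}
    if len(recovery) >= 2 or len(classes) >= 3:
        severity = "high"
    elif findings:
        severity = "medium"
    else:
        severity = "none"
    return {"severity": severity, "findings": findings}


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [  # constructed from this report's command lines and registry writes
    {"type": "process", "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": TEMP + r"\!WannaDecryptor!.exe",
     "CommandLine": "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"
                    " & bcdedit /set {default} bootstatuspolicy ignoreallfailures"
                    " & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"},
    {"type": "process", "Image": r"C:\Windows\SysWOW64\taskkill.exe", "CommandLine": "taskkill /f /im MSExchange*"},
    {"type": "process", "Image": r"C:\Windows\SysWOW64\taskkill.exe", "CommandLine": "taskkill /f /im sqlwriter.exe"},
    {"type": "registry", "Image": TEMP + r"\Ransomware.WannaCrypt0r.v1.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler",
     "Details": '"' + TEMP + r'\Ransomware.WannaCrypt0r.v1.exe" /r'},
    {"type": "registry", "Image": TEMP + r"\!WannaDecryptor!.exe",
     "TargetObject": r"HKU\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper",
     "Details": r"C:\Users\Admin\Desktop\!WannaCryptor!.bmp"},
]
BENIGN_EVENTS = [  # constructed controls that must not fire
    {"type": "process", "Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin list shadows"},
    {"type": "process", "Image": r"C:\Windows\System32\taskkill.exe", "CommandLine": "taskkill /f /im notepad.exe"},
    {"type": "registry", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper",
     "Details": r"C:\Users\Admin\Pictures\My Wallpaper.jpg"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
    print(triage(BENIGN_EVENTS))
```

The recovery-inhibition patterns match each sub-command independently, so the chained cmd.exe line yields five findings from one event and trips the high threshold on its own; a single taskkill against sqlwriter.exe scores only medium, which is the right weight for something a backup job might legitimately do. Matching on the arguments rather than on the binary name is deliberate: vssadmin list shadows and wmic shadowcopy get are routine administration and must not fire.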

Network

Country | Destination | Domain | Proto
N/A | 127.0.0.1:9050 | (none) | tcp (9 connection attempts)
N/A | 127.0.0.1:9150 | (none) | tcp (9 connection attempts)

Ports 9050 and 9150 on loopback are the default SOCKS ports of the tor daemon and of Tor Browser respectively; the sample is looking for a local Tor proxy through which to reach its onion service. No external destination, domain or country was recorded, consistent with nothing listening on those ports in the sandbox.

Files

(A path that appears more than once with different hashes, such as C:\Users\Admin\AppData\Local\Temp\00000000.res, is the same file rewritten during the run; each hash set is a separate snapshot.)

memory/2408-6-0x0000000010000000-0x0000000010012000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\56391716212026.bat

MD5 3540e056349c6972905dc9706cd49418
SHA1 492c20442d34d45a6d6790c720349b11ec591cde
SHA256 73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc
SHA512 c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

C:\Users\Admin\AppData\Local\Temp\c.vbs

MD5 5f6d40ca3c34b470113ed04d06a88ff4
SHA1 50629e7211ae43e32060686d6be17ebd492fd7aa
SHA256 0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1
SHA512 4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

MD5 cf1416074cd7791ab80a18f9e7e219d9
SHA1 276d2ec82c518d887a8a3608e51c56fa28716ded
SHA256 78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA512 0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

MD5 772188adc9a39992fd0608038f941967
SHA1 5f2037942bcbb38a0580a992921255c3a5c3f7f6
SHA256 f078a0f7d43bb6f7f67308f4f45e66f230699b8a05f1b65321eb586fa2120a5e
SHA512 d6a9c384297d62007225edf01323d3a79c5b9fbe662869da74ad1eaea506c08b15c1ed7796a98cb94c1b16863e76bb8a4d9382122b2d0d8d4f7b24469e05e076

C:\Users\Admin\AppData\Local\Temp\c.wry

MD5 507a3f4919f981906d984a8d4604deab
SHA1 d9a6c215c7f9f260cb12cc6187ca6a1baca80678
SHA256 098dd0e68b29dc4be490a7413991a4d19e7a0052db30010076c6c584d31ab830
SHA512 23664f5247381f206dd92be1539720d1c605145bd8ad1d3541e123999b6b85284c2f9fea9376149126ec9ff38d1fb8355f1f8fcc8343946e93f59cbd4b9f797a

C:\Users\Admin\AppData\Local\Temp\00000000.res

MD5 ecf7cf8daddf2d7fd9ff730bc31c0490
SHA1 367e4d2fc64a1da5775dab2380cbe5a73129f210
SHA256 54768fe562e12ff975bebd21a1205f7e33a2ab6526da75b46cdb0fde4377b909
SHA512 3f2e8b16ab18143a091ac7ec9fce772566c982a5b47b05d0d70e87463ea241ef7109bf7f664642501b718aa23adb7c2b2a711777bcfadf8a8ba56aabe7ae209b

C:\Users\Admin\Documents\!Please Read Me!.txt

MD5 afa18cf4aa2660392111763fb93a8c3d
SHA1 c219a3654a5f41ce535a09f2a188a464c3f5baf5
SHA256 227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0
SHA512 4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

C:\Users\Admin\AppData\Local\Temp\00000000.res

MD5 0d9f8f2dd58ef5897b144bcb804e7a46
SHA1 3ac12239d04f161520029c336e4c3ebbe1e9efe5
SHA256 ce56961ff4f5500304c950f24ca3b93c95cbab4ab7e923ef7ee7e81c16137d14
SHA512 133b77cd4efda96069073dbcc714741454c5a0ec4c1a40005dbe5bcbdc4ade357e0ece85f01febedbf9fba047fa091cf76c643d026491344c4f8b4eb993a4649

C:\Users\Admin\AppData\Local\Temp\m.wry

MD5 980b08bac152aff3f9b0136b616affa5
SHA1 2a9c9601ea038f790cc29379c79407356a3d25a3
SHA256 402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9
SHA512 100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

C:\Users\Admin\AppData\Local\Temp\00000000.res

MD5 b59b8fd30ca42d88353eb9b51cf9a4aa
SHA1 6131ba68c0dcb04abd3d410ff5d06210dfe7110c
SHA256 885b083194f40e5c6872a3aaad48fe9c0514f69f21ef3127b4cad60b4808787b
SHA512 170eadfb02d34c2f71167e550f36fdf93ca043004574b30ccc72241faf559bd8a40187be80bbd733b98888679d3ae583b4f629099e52b1e5d02cb9c423b25de4

C:\Users\Admin\AppData\Local\Temp\f.wry

MD5 85e235cd4757d8af91cbe3145b630ed0
SHA1 6a86dda6e266ee51b0a353fe3383f720ec471335
SHA256 b78d336226cf138995537a63f7fd67f983d96b469b07c00ac60b71c64c0ab1c9
SHA512 be24d8b819d9f2dacd00706c955359d3a88b6f97390b904372021110ba533c1a0837b2138fd619b14261f0a2969e8b594b9397e50ee544c161f0e5658fbf222d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\256.png.WCRY

MD5 f6b07a01f064d19ba109a7e08d780aaa
SHA1 6d23296782619d2eaab9e86ddde4d7075578040d
SHA256 051138cb52f0bd9dd7b667bb767c4ec7f6ffd6c8312dd54031e65848aef40379
SHA512 d9214190bb3b51828b675d9cc24d5210a872547a11ad0d7113dbbab577e427e0cb34149e9dde8c704bdc562daf8a2c75b5aede42f15670c850960a54d5651c06

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png.WCRY

MD5 2d6bd6015391c99b67080a2fadfa6a4e
SHA1 e082ae01cf8d38fe5a2d846b8eb9c3bba969475a
SHA256 9da4a59bfb8b9cf8437013283dfe9ce97cc9dbefa22dae06fba625da3e1ee1dc
SHA512 94331605df78f548539cb3fb387e9bbf25904b5ac9be3e78982e7d7ed09f3c121cdd7dffe760fd458a0eb6a72d0ea3b88a23de3402e228dfa9662b7db2b55d5a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\32.png.WCRY

MD5 a9a2f724539c55234590c06d96e6744a
SHA1 e69bd402a79a6ba907fdc38256f3939c11f82756
SHA256 1039382fca1be68bdaba697fbb87980d47ad7691db374214359fcbd5ef09155a
SHA512 e03f6ca664290a7ad28036b3530961fd7e4adff84ac17f587ba028be4c730007795d9a1e18e8637b7f8182b9fb50010625047bcec790b2c9c07a4017c69fc587

C:\Users\Admin\AppData\Local\Temp\00000000.eky

MD5 9dd48bca199c4d19cca04879a3ea378e
SHA1 b1586748a7de8d75cebd164222e3ad4745aa06b9
SHA256 8e5ba7542e5866cfcc21420bd6cfe942bad09855a70f50318588dccff82f9046
SHA512 bbd6eee007814aa8cf03282cfd82be16cec796458b85941b2b71aff705d62f4a6577f4b029ec48d52f5d0169d062cb60249692f7f87924dcf3e67d2ef796ad3d

C:\Users\Admin\AppData\Local\Temp\00000000.res

MD5 998fc22ad4794e9ab324660fecf5cc94
SHA1 2e325a13ae7701fb97e9263b18fa533a5b51e5dc
SHA256 39ee95bfd4f3abf6022013c12d4a89ad259c7045df4f8927821909fdab69c70e
SHA512 9a3e7f5a18b445622302ee301cbf426a7a2d6f023e67b97594c4767ecc5a1ff513aeff6b433b7b9509e7993415c7aca43801276de5feb66119287d5a9b233320

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-20 13:33
Reported: 2024-05-20 13:36
Platform: win10v2004-20240508-en
Max time kernel: 144s
Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe"

Signatures

Wannacry

ransomware worm wannacry

Deletes shadow copies

ransomware defense_evasion impact execution

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDF4A4.tmp | C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDF48D.tmp | C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Caveat: this signature fires when the encryptor enumerates browser profile directories to encrypt their contents (the behavioral1 file list shows Chrome User Data files rewritten as .WCRY); on its own it is not evidence of credential theft, and the report's spyware/stealer tags derive from it.

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware.WannaCrypt0r.v1.exe\" /r" | C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A (four instances; their command lines, targeting MSExchange*, Microsoft.Exchange.*, sqlserver.exe and sqlwriter.exe, are in the Processes list below)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A (one entry per taskkill.exe instance, four in total)
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A (the whole set is logged twice)
Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

As in behavioral1: the numeric tokens are privilege LUIDs the sandbox did not resolve to names, and the WMIC.exe block is wmic enabling every privilege in its token at start-up. The Windows 10 token carries one more (36) than the Windows 7 one.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2740 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe C:\Windows\SysWOW64\cmd.exe
PID 2028 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2028 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2028 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2740 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2740 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2740 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2740 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe C:\Windows\SysWOW64\taskkill.exe
PID 2740 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe C:\Windows\SysWOW64\taskkill.exe
PID 2740 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe C:\Windows\SysWOW64\taskkill.exe
PID 2740 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe C:\Windows\SysWOW64\taskkill.exe
PID 2740 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe C:\Windows\SysWOW64\taskkill.exe
PID 2740 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe C:\Windows\SysWOW64\taskkill.exe
PID 2740 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe C:\Windows\SysWOW64\taskkill.exe
PID 2740 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe C:\Windows\SysWOW64\taskkill.exe
PID 2740 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe C:\Windows\SysWOW64\taskkill.exe
PID 2740 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe C:\Windows\SysWOW64\taskkill.exe
PID 2740 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe C:\Windows\SysWOW64\taskkill.exe
PID 2740 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe C:\Windows\SysWOW64\taskkill.exe
PID 2740 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2740 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2740 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2740 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2036 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2036 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2740 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2740 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2740 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2304 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe C:\Windows\SysWOW64\cmd.exe
PID 4356 wrote to memory of 3656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4356 wrote to memory of 3656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4356 wrote to memory of 3656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
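
Each row above is one logged WriteProcessMemory call, which is why every parent/child pair is listed three times; the information a responder actually wants is the chain those rows encode (the dropper writes into !WannaDecryptor!.exe and a cmd.exe, that cmd.exe launches another !WannaDecryptor!.exe, which spawns the cmd.exe that runs WMIC.exe). The following Python is an added example, not part of this report or of the sandbox's own tooling: it parses rows in the format of this table into a de-duplicated process tree. The embedded sample is a constructed subset of the rows above (only the first pair kept in triplicate), and the regex assumes the columns are space-separated and that image paths begin with a drive letter, as they do here.

```python
import re
from collections import defaultdict

# Constructed sample: eight of the rows from the signature table, in their
# original order. The report repeats each row three times (one per logged
# WriteProcessMemory call); only the first pair is kept in triplicate here
# so the de-duplication is exercised.
SAMPLE_ROWS = r"""
PID 2740 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2740 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2740 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2740 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2740 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2304 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe C:\Windows\SysWOW64\cmd.exe
PID 4356 wrote to memory of 3656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
"""

# Assumed row layout: "PID <ppid> wrote to memory of <cpid> N/A <parent> <child>".
# The parent path is matched lazily up to the space that precedes the
# child's drive letter, so paths without spaces (as here) parse cleanly.
ROW_RE = re.compile(
    r"^PID (?P<ppid>\d+) wrote to memory of (?P<cpid>\d+) N/A "
    r"(?P<parent>.+?) (?P<child>[A-Za-z]:\\.*)$"
)


def parse_rows(text):
    """Return de-duplicated (ppid, cpid, parent_image, child_image) edges
    in first-seen order; repeated WriteProcessMemory rows collapse to one."""
    seen, edges = set(), []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        edge = (int(m["ppid"]), int(m["cpid"]), m["parent"], m["child"])
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_tree(edges):
    """Map each PID to its image and children; roots are PIDs that write
    to other processes but are never written to themselves."""
    image, children = {}, defaultdict(list)
    for ppid, cpid, pimg, cimg in edges:
        image.setdefault(ppid, pimg)
        image[cpid] = cimg
        children[ppid].append(cpid)
    written_to = {cpid for _, cpid, _, _ in edges}
    roots = [pid for pid in image if pid not in written_to]
    return image, children, roots


def render_tree(text):
    """Render the chain as indented 'pid image-basename' lines."""
    image, children, roots = build_tree(parse_rows(text))
    lines = []

    def walk(pid, depth):
        basename = image[pid].rsplit("\\", 1)[-1]
        lines.append("  " * depth + f"{pid} {basename}")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(SAMPLE_ROWS)))
```

Run stand-alone it prints the chain rooted at PID 2740 with the two cmd.exe hops and WMIC.exe four levels deep; feeding it the full 18-row table gives the same six edges.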

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe

"C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 195101716212027.bat

C:\Windows\SysWOW64\cscript.exe

cscript //nologo c.vbs

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe f

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im MSExchange*

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Microsoft.Exchange.*

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sqlserver.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sqlwriter.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4612,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4440 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe c

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c start /b !WannaDecryptor!.exe v

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe v

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe
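
The single cmd.exe command line above chains five recovery-inhibiting commands with &, yet the process list records only WMIC.exe as a child of that shell, so a detection keyed on spawned child images would see one of the five. The following Python is an added example, not the report's or the sandbox's own code: it splits command lines on cmd.exe chaining operators and tags each segment with the ATT&CK technique it indicates. The sample command lines embedded in it are copied from the Processes list above (the Edge utility process is sandbox background activity and is kept as a negative case); the rule set and the technique labels are the example's own assumptions, not something the report states.

```python
import re

# Constructed input: command lines copied from the Processes list.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe"',
    r"C:\Windows\system32\cmd.exe /c 195101716212027.bat",
    r"cscript //nologo c.vbs",
    r"!WannaDecryptor!.exe f",
    r"taskkill /f /im MSExchange*",
    r"taskkill /f /im Microsoft.Exchange.*",
    r"taskkill /f /im sqlserver.exe",
    r"taskkill /f /im sqlwriter.exe",
    r"cmd.exe /c start /b !WannaDecryptor!.exe v",
    r"cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet",
    r"wmic shadowcopy delete",
]

# Assumed rule set: (technique label, regex). Each pattern is applied to
# one '&'-separated segment, so a chained cmd.exe line yields one hit per
# tool even when the tool never shows up as its own process.
RULES = [
    ("T1490 Inhibit System Recovery", r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"),
    ("T1490 Inhibit System Recovery", r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b"),
    ("T1490 Inhibit System Recovery", r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b"),
    ("T1490 Inhibit System Recovery", r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b"),
    ("T1490 Inhibit System Recovery", r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b"),
    ("T1489 Service Stop", r"\btaskkill(?:\.exe)?\s+/f\s+/im\s+(?:msexchange|microsoft\.exchange|sql)"),
    ("T1059.005 Visual Basic", r"\bcscript(?:\.exe)?\b.*\.vbs\b"),
    ("T1059.003 Windows Command Shell", r"\bcmd(?:\.exe)?\s+/c\s+\S+\.bat\b"),
]
COMPILED = [(label, re.compile(pattern, re.IGNORECASE)) for label, pattern in RULES]

# cmd.exe chaining operators: '&', '&&', '||' and the pipe.
SPLIT_RE = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")


def split_segments(cmdline):
    """Break a cmd.exe command line into the commands it actually runs."""
    return [seg for seg in SPLIT_RE.split(cmdline) if seg]


def triage_cmdline(cmdline):
    """Return [(segment, technique), ...] for every rule that fires."""
    hits = []
    for seg in split_segments(cmdline):
        for technique, rx in COMPILED:
            if rx.search(seg):
                hits.append((seg, technique))
    return hits


def triage_report(cmdlines):
    """Group matching segments by technique, preserving first-seen order."""
    by_technique = {}
    for cmd in cmdlines:
        for seg, technique in triage_cmdline(cmd):
            by_technique.setdefault(technique, []).append(seg)
    return by_technique


if __name__ == "__main__":
    for technique, segs in triage_report(SAMPLE_CMDLINES).items():
        print(technique)
        for seg in segs:
            print("   ", seg)
```

On the sample input the chained cmd.exe line alone produces five T1490 hits, the four taskkill lines produce T1489, and the bare "!WannaDecryptor!.exe f" and the msedge utility process produce nothing; splitting on the chaining operators is what makes the bcdedit and wbadmin segments visible at all, since neither appears elsewhere in the process list.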

Network

Country  Destination       Domain                       Proto
US       8.8.8.8:53        8.8.8.8.in-addr.arpa         udp
US       8.8.8.8:53        13.86.106.20.in-addr.arpa    udp
US       8.8.8.8:53        83.177.190.20.in-addr.arpa   udp
N/A      127.0.0.1:9050                                 tcp
US       8.8.8.8:53        196.249.167.52.in-addr.arpa  udp
N/A      127.0.0.1:9150                                 tcp
NL       23.62.61.72:443   www.bing.com                 tcp
US       8.8.8.8:53        72.61.62.23.in-addr.arpa     udp
N/A      127.0.0.1:9050                                 tcp
N/A      127.0.0.1:9150                                 tcp
N/A      127.0.0.1:9050                                 tcp
N/A      127.0.0.1:9150                                 tcp
US       8.8.8.8:53        154.239.44.20.in-addr.arpa   udp
US       8.8.8.8:53        209.205.72.20.in-addr.arpa   udp
N/A      127.0.0.1:9050                                 tcp
N/A      127.0.0.1:9150                                 tcp
N/A      127.0.0.1:9050                                 tcp
N/A      127.0.0.1:9150                                 tcp
US       8.8.8.8:53        183.59.114.20.in-addr.arpa   udp
US       8.8.8.8:53        206.23.85.13.in-addr.arpa    udp
N/A      127.0.0.1:9050                                 tcp
N/A      127.0.0.1:9150                                 tcp
N/A      127.0.0.1:9050                                 tcp
N/A      127.0.0.1:9150                                 tcp
N/A      127.0.0.1:9050                                 tcp
N/A      127.0.0.1:9150                                 tcp
US       8.8.8.8:53        205.47.74.20.in-addr.arpa    udp

Files

memory/2740-9-0x0000000010000000-0x0000000010012000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u.wry

MD5 cf1416074cd7791ab80a18f9e7e219d9
SHA1 276d2ec82c518d887a8a3608e51c56fa28716ded
SHA256 78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA512 0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

C:\Users\Admin\AppData\Local\Temp\195101716212027.bat

MD5 3540e056349c6972905dc9706cd49418
SHA1 492c20442d34d45a6d6790c720349b11ec591cde
SHA256 73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc
SHA512 c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

C:\Users\Admin\AppData\Local\Temp\c.vbs

MD5 5f6d40ca3c34b470113ed04d06a88ff4
SHA1 50629e7211ae43e32060686d6be17ebd492fd7aa
SHA256 0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1
SHA512 4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

MD5 3357134959ef9dfd0f9c9ff2881be928
SHA1 b68a8f2b41712eed0da67ffaf18c2e2b12c0af14
SHA256 a74f12ee79c4cc284ecf5003470e1bb22921f1debd972531c23ec1131d3995a0
SHA512 ec39d95bd9fdac7b4745f2e722c8e49eaddd117e3b1ebf9f4025af6bef85896b39dac8777815c50181d60c5409c9de9b4ab5bc79b3e29fd412c73861d7da3e5f

C:\Users\Admin\AppData\Local\Temp\00000000.res

MD5 82263c02c6ab2c579660ba4dce9c335a
SHA1 3eeb25000ad3b948f424e3341ed27bf12ec51607
SHA256 7038dec8669ef109ce920d0caa244a20672efea54f70e5d4629c8745da89e9c2
SHA512 3b164fe0a410904771b0c068efb60d4fd68ca6bc929a8d80e3b294638841e98b26cdae5f6156c8825314ed9089e2c02cc683120e711f86b118fcc530a3c9606b

C:\Users\Admin\AppData\Local\Temp\c.wry

MD5 941f8104d1b4fb61b6916c831eb13634
SHA1 a469fdb610d9407716ca8c57ede410ff6e0f346e
SHA256 99ff58fe067021cf29ad1ae23ed13d36bd68d0b7c214fa8904e592b0ccccaf31
SHA512 f61af008d225e96f8007533897b4a4968aa04f2abe28b58db7b4653d5b9d2850eefcac34de31d5d9ddb30a2195a6767b29799b2e01bf4324d6d4d42fad078240

C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

MD5 afa18cf4aa2660392111763fb93a8c3d
SHA1 c219a3654a5f41ce535a09f2a188a464c3f5baf5
SHA256 227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0
SHA512 4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

C:\Users\Admin\AppData\Local\Temp\00000000.res

MD5 806f22e364cf36a6fd4edd7cfa98a185
SHA1 9d6056e12264eea2e0ee84b08a3938e6224210c1
SHA256 1f757f557bcf2c772e7288e0212b9baef11deaa4d81003a63a48d6cf167da9a3
SHA512 0bb3bedc176b8ed0bdf354a1e23f7ca845d2b1be34c87a725b7aadefaa2b64cdaff6b7a908d9f0c3802a471701684df74953925d9d97a251a1e69689ffd37f3f

C:\Users\Admin\AppData\Local\Temp\m.wry

MD5 980b08bac152aff3f9b0136b616affa5
SHA1 2a9c9601ea038f790cc29379c79407356a3d25a3
SHA256 402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9
SHA512 100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

C:\Users\Admin\AppData\Local\Temp\00000000.res

MD5 8c26b5d07448e4e9ab85904e388feffe
SHA1 ca3be861a057fbd764224103766e236c3109354c
SHA256 b57bcd37d09b0ef69797237462aad57230a23c40c8b2ef35b8ad2dfe4e7ad86b
SHA512 5d6e11af37e6064d05d5c73681c7f66e9248a38287c6611a2729b1da15b81ff00df0070f6a486b712d13667bed84038ddd5658b95f265c3f0891dd695dba0656