a5c4ff5dd0782930bae9e58bba41765491f11cbb56651f7cd9452947a86cf168

General

Target

202405243622cd2ae39df938752adbea70509a7ddestroyerwannacry.exe
Size

92KB
MD5

3622cd2ae39df938752adbea70509a7d
SHA1

c2ed856920532a42140299f5ab0c2df35407ab6d
SHA256

a5c4ff5dd0782930bae9e58bba41765491f11cbb56651f7cd9452947a86cf168
SHA512

692d03005ad496b96cb1931360fa2fa41949bae0eaf2db69a6e454d622c5a409daa07bddbdc8411f630e637554e7bdc1c960351fe68b751f5621492fb2118d7c
SSDEEP

1536:9RcrcV9YNJaccMpTrX7YeOzk+7w1m6wVcl:XcrcV9Y/NcMp3vqY

Score

9^/10

persistence ransomware

Malware Config

Signatures

Renames multiple (120) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

202405243622cd2ae39df938752adbea70509a7ddestroyerwannacry.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\discord = "C:\\Users\\Admin\\AppData\\Local\\discord.exe"	202405243622cd2ae39df938752adbea70509a7ddestroyerwannacry.exe

Drops desktop.ini file(s) 6 IoCs

Processes:

202405243622cd2ae39df938752adbea70509a7ddestroyerwannacry.exe

description	ioc	process
File created	C:\Users\Admin\Desktop\desktop.ini	202405243622cd2ae39df938752adbea70509a7ddestroyerwannacry.exe
File created	C:\Users\Admin\Downloads\desktop.ini	202405243622cd2ae39df938752adbea70509a7ddestroyerwannacry.exe
File created	C:\Users\Admin\Documents\desktop.ini	202405243622cd2ae39df938752adbea70509a7ddestroyerwannacry.exe
File created	C:\Users\Admin\Pictures\desktop.ini	202405243622cd2ae39df938752adbea70509a7ddestroyerwannacry.exe
File created	C:\Users\Admin\Music\desktop.ini	202405243622cd2ae39df938752adbea70509a7ddestroyerwannacry.exe
File created	C:\Users\Admin\Videos\desktop.ini	202405243622cd2ae39df938752adbea70509a7ddestroyerwannacry.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\├æ:\ABREME.exe.exe cmd.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2788 NOTEPAD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

202405243622cd2ae39df938752adbea70509a7ddestroyerwannacry.exe

description pid process

Token: SeDebugPrivilege 2924 202405243622cd2ae39df938752adbea70509a7ddestroyerwannacry.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

202405243622cd2ae39df938752adbea70509a7ddestroyerwannacry.exe

pid process

2924 202405243622cd2ae39df938752adbea70509a7ddestroyerwannacry.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

202405243622cd2ae39df938752adbea70509a7ddestroyerwannacry.exe

pid process

2924 202405243622cd2ae39df938752adbea70509a7ddestroyerwannacry.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\├æ:\ABREME.exe.exe	cmd.exe

pid	process
2788	NOTEPAD.EXE

description	pid	process
Token: SeDebugPrivilege	2924	202405243622cd2ae39df938752adbea70509a7ddestroyerwannacry.exe

pid	process
2924	202405243622cd2ae39df938752adbea70509a7ddestroyerwannacry.exe

pid	process
2924	202405243622cd2ae39df938752adbea70509a7ddestroyerwannacry.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

202405243622cd2ae39df938752adbea70509a7ddestroyerwannacry.exe

description	pid	process	target process
PID 2924 wrote to memory of 2788	2924	202405243622cd2ae39df938752adbea70509a7ddestroyerwannacry.exe	NOTEPAD.EXE
PID 2924 wrote to memory of 2788	2924	202405243622cd2ae39df938752adbea70509a7ddestroyerwannacry.exe	NOTEPAD.EXE
PID 2924 wrote to memory of 2788	2924	202405243622cd2ae39df938752adbea70509a7ddestroyerwannacry.exe	NOTEPAD.EXE
PID 2924 wrote to memory of 2788	2924	202405243622cd2ae39df938752adbea70509a7ddestroyerwannacry.exe	NOTEPAD.EXE
PID 2924 wrote to memory of 344	2924	202405243622cd2ae39df938752adbea70509a7ddestroyerwannacry.exe	cmd.exe
PID 2924 wrote to memory of 344	2924	202405243622cd2ae39df938752adbea70509a7ddestroyerwannacry.exe	cmd.exe
PID 2924 wrote to memory of 344	2924	202405243622cd2ae39df938752adbea70509a7ddestroyerwannacry.exe	cmd.exe
PID 2924 wrote to memory of 344	2924	202405243622cd2ae39df938752adbea70509a7ddestroyerwannacry.exe	cmd.exe
PID 2924 wrote to memory of 3056	2924	202405243622cd2ae39df938752adbea70509a7ddestroyerwannacry.exe	cmd.exe
PID 2924 wrote to memory of 3056	2924	202405243622cd2ae39df938752adbea70509a7ddestroyerwannacry.exe	cmd.exe
PID 2924 wrote to memory of 3056	2924	202405243622cd2ae39df938752adbea70509a7ddestroyerwannacry.exe	cmd.exe
PID 2924 wrote to memory of 3056	2924	202405243622cd2ae39df938752adbea70509a7ddestroyerwannacry.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\202405243622cd2ae39df938752adbea70509a7ddestroyerwannacry.exe
"C:\Users\Admin\AppData\Local\Temp\202405243622cd2ae39df938752adbea70509a7ddestroyerwannacry.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\README.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2788
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c @echo off REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\usb_maker.bat" "
  2⤵
  - NTFS ADS
  PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\usb_maker.bat

Filesize
3KB

MD5
e9a3d3d14864e745924f854ae6e647b5

SHA1
906e2e6fdbeba70321481b6c74ed29c33be953c8

SHA256
ade030f611dcde1a703ff1ec0281f7790c2e4322828d9d2c08cf9008b686b94c

SHA512
86b2a9015c0df93e34a4abf91d9374d3fee865fd92e14736a60ec57ce9379f3fe7b6690855f7a8d3740a92f5e9a578c6070dc1f0a1c74b525118b44610de4757

Download Submit
C:\Users\Admin\Music\README.txt

Filesize
306B

MD5
0d6366fd615a459e3fa68d06599c7433

SHA1
9fe034bf35b9deeec64268acb15d505ee5457588

SHA256
cb662a858a3675dd665bf2a2da1249acc691194be2b88fa5b7d3631615c8497c

SHA512
5539245ddf8d12f22a2039e419dff5b6c01c4c28f2a84cf720813ea6b3f911dcf9f4f88704dc656222ed8d6e2ca505686e530be1455526912e821c852a8f0a7f

Download Submit
memory/2924-0-0x00000000749EE000-0x00000000749EF000-memory.dmp

Filesize
4KB

Download
memory/2924-1-0x0000000000B60000-0x0000000000B7C000-memory.dmp

Filesize
112KB

Download
memory/2924-2-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/2924-270-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads