Malware Analysis Report

2024-08-06 16:44

Sample ID: 240531-mcs7dsfb49
Target: Installer.exe
SHA256: be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
Tags: wannacry defense_evasion execution impact persistence ransomware spyware stealer worm
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
Threat Level: Known bad

The file Installer.exe was found to be: Known bad.

Malicious Activity Summary

Tags: wannacry defense_evasion execution impact persistence ransomware spyware stealer worm

Wannacry

Deletes shadow copies

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Drops startup file

Adds Run key to start application

Sets desktop wallpaper using registry

Enumerates physical storage devices

Unsigned PE

Interacts with shadow copies

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-05-31 10:19

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-31 10:19
Reported: 2024-05-31 10:22
Platform: win7-20240419-en
Max time kernel: 150s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Installer.exe"

Signatures

Wannacry

ransomware worm wannacry

Deletes shadow copies

ransomware defense_evasion impact execution

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD2212.tmp | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Installer.exe\" /r" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A | 4

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A | 4
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A | 1
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A | 1
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A | 1
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A | 2
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A | 2
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A | 2
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A | 2
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A | 2
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A | 2
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A | 2
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A | 2
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A | 2
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A | 2
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A | 2
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A | 2
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A | 2
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A | 2
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A | 2
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A | 2
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A | 2
Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A | 2
Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A | 2
Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A | 2

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 1740 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2776 wrote to memory of 1260 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cscript.exe | 4
PID 1740 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | 4
PID 1740 wrote to memory of 1152 | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | C:\Windows\SysWOW64\taskkill.exe | 4
PID 1740 wrote to memory of 1560 | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | C:\Windows\SysWOW64\taskkill.exe | 4
PID 1740 wrote to memory of 532 | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | C:\Windows\SysWOW64\taskkill.exe | 4
PID 1740 wrote to memory of 688 | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | C:\Windows\SysWOW64\taskkill.exe | 4
PID 1740 wrote to memory of 920 | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | 4
PID 1740 wrote to memory of 1484 | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 1484 wrote to memory of 1292 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | 4
PID 1740 wrote to memory of 976 | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | 4
PID 1292 wrote to memory of 448 | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 448 wrote to memory of 936 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe | 4
PID 448 wrote to memory of 2276 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\Wbem\WMIC.exe | 4

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\Installer.exe"
C:\Windows\SysWOW64\cmd.exe
    cmd /c 293391717150785.bat
C:\Windows\SysWOW64\cscript.exe
    cscript //nologo c.vbs
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
    !WannaDecryptor!.exe f
C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
    !WannaDecryptor!.exe c
C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b !WannaDecryptor!.exe v
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
    !WannaDecryptor!.exe v
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete

Network

Country | Destination | Domain | Proto | Count
N/A | 127.0.0.1:9050 | | tcp | 8
N/A | 127.0.0.1:9150 | | tcp | 8

Files

memory/1740-6-0x0000000010000000-0x0000000010012000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\293391717150785.bat

C:\Users\Admin\AppData\Local\Temp\c.vbs

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

C:\Users\Admin\AppData\Local\Temp\c.wry

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

C:\Users\Admin\AppData\Local\Temp\00000000.res

C:\Users\Admin\Documents\!Please Read Me!.txt

C:\Users\Admin\AppData\Local\Temp\00000000.res

C:\Users\Admin\AppData\Local\Temp\m.wry

C:\Users\Admin\AppData\Local\Temp\00000000.res

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-31 10:19
Reported: 2024-05-31 10:22
Platform: win10v2004-20240508-en
Max time kernel: 148s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Installer.exe"

Signatures

Wannacry

ransomware worm wannacry

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD7D6D.tmp | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD7D57.tmp | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Installer.exe\" /r" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A | 4

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A | 4

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2564 wrote to memory of 4768 | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 4768 wrote to memory of 3720 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cscript.exe | 3
PID 2564 wrote to memory of 396 | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | 3
PID 2564 wrote to memory of 3576 | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | C:\Windows\SysWOW64\taskkill.exe | 3
PID 2564 wrote to memory of 4004 | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | C:\Windows\SysWOW64\taskkill.exe | 3
PID 2564 wrote to memory of 4712 | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | C:\Windows\SysWOW64\taskkill.exe | 3
PID 2564 wrote to memory of 4980 | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | C:\Windows\SysWOW64\taskkill.exe | 3
PID 2564 wrote to memory of 3308 | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | 3
PID 2564 wrote to memory of 3600 | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 2564 wrote to memory of 4256 | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | 3
PID 3600 wrote to memory of 3224 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | 3

Processes

C:\Users\Admin\AppData\Local\Temp\Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\Installer.exe"
C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 181651717150786.bat
C:\Windows\SysWOW64\cscript.exe
    cscript //nologo c.vbs
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
    !WannaDecryptor!.exe f
C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
    !WannaDecryptor!.exe c
C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b !WannaDecryptor!.exe v
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
    !WannaDecryptor!.exe v

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | g.bing.com | udp | 1
US | 204.79.197.237:443 | g.bing.com | tcp | 1
N/A | 127.0.0.1:9050 | | tcp | 8
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp | 1
N/A | 127.0.0.1:9150 | | tcp | 8
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp | 1
NL | 23.62.61.99:443 | www.bing.com | tcp | 1
US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | tse1.mm.bing.net | udp | 1
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp | 4
US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp | 1

Files

memory/2564-6-0x0000000010000000-0x0000000010012000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u.wry

C:\Users\Admin\AppData\Local\Temp\181651717150786.bat

C:\Users\Admin\AppData\Local\Temp\c.vbs

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

C:\Users\Admin\AppData\Local\Temp\c.wry

C:\Users\Admin\AppData\Local\Temp\00000000.res

C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

C:\Users\Admin\AppData\Local\Temp\00000000.res

C:\Users\Admin\AppData\Local\Temp\m.wry

C:\Users\Admin\AppData\Local\Temp\00000000.res
