Malware Analysis Report

2024-08-06 16:51

Sample ID 240603-gccazsdd7t
Target Surprise.exe
SHA256 be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
Tags
wannacry defense_evasion execution impact persistence ransomware spyware stealer worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

Threat Level: Known bad

The file Surprise.exe was found to be: Known bad.

Malicious Activity Summary

wannacry defense_evasion execution impact persistence ransomware spyware stealer worm

Wannacry

Deletes shadow copies

Executes dropped EXE

Loads dropped DLL

Drops startup file

Reads user/profile data of web browsers

Adds Run key to start application

Sets desktop wallpaper using registry

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Kills process with taskkill

Interacts with shadow copies

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-03 05:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 05:39

Reported

2024-06-03 05:41

Platform

win7-20240221-en

Max time kernel

149s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Surprise.exe"

Signatures

Wannacry

ransomware worm wannacry

Deletes shadow copies

ransomware defense_evasion impact execution

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD342B.tmp C:\Users\Admin\AppData\Local\Temp\Surprise.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Surprise.exe\" /r" C:\Users\Admin\AppData\Local\Temp\Surprise.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1800 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\cmd.exe
PID 2512 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2512 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2512 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2512 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1800 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1800 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1800 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1800 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1800 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\taskkill.exe
PID 1800 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\taskkill.exe
PID 1800 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\taskkill.exe
PID 1800 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\taskkill.exe
PID 1800 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\taskkill.exe
PID 1800 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\taskkill.exe
PID 1800 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\taskkill.exe
PID 1800 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\taskkill.exe
PID 1800 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\taskkill.exe
PID 1800 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\taskkill.exe
PID 1800 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\taskkill.exe
PID 1800 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\taskkill.exe
PID 1800 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\taskkill.exe
PID 1800 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\taskkill.exe
PID 1800 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\taskkill.exe
PID 1800 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\taskkill.exe
PID 1800 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1800 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1800 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1800 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1800 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\cmd.exe
PID 912 wrote to memory of 1388 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 912 wrote to memory of 1388 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 912 wrote to memory of 1388 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 912 wrote to memory of 1388 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1800 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1800 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1800 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1800 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1388 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe C:\Windows\SysWOW64\cmd.exe
PID 1388 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe C:\Windows\SysWOW64\cmd.exe
PID 1388 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe C:\Windows\SysWOW64\cmd.exe
PID 1388 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 2400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1848 wrote to memory of 2400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1848 wrote to memory of 2400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1848 wrote to memory of 2400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1848 wrote to memory of 2456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1848 wrote to memory of 2456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1848 wrote to memory of 2456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1848 wrote to memory of 2456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Surprise.exe

"C:\Users\Admin\AppData\Local\Temp\Surprise.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c 124151717393163.bat

C:\Windows\SysWOW64\cscript.exe

cscript //nologo c.vbs

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe f

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im MSExchange*

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Microsoft.Exchange.*

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sqlserver.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sqlwriter.exe

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe c

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c start /b !WannaDecryptor!.exe v

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe v

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\SysWOW64\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

Network

Country Destination Domain Proto
N/A 127.0.0.1:9050 - tcp
N/A 127.0.0.1:9150 - tcp
N/A 127.0.0.1:9050 - tcp
N/A 127.0.0.1:9150 - tcp
N/A 127.0.0.1:9050 - tcp
N/A 127.0.0.1:9150 - tcp
N/A 127.0.0.1:9050 - tcp
N/A 127.0.0.1:9150 - tcp
N/A 127.0.0.1:9050 - tcp
N/A 127.0.0.1:9150 - tcp
N/A 127.0.0.1:9050 - tcp
N/A 127.0.0.1:9150 - tcp
N/A 127.0.0.1:9050 - tcp
N/A 127.0.0.1:9150 - tcp
N/A 127.0.0.1:9050 - tcp
N/A 127.0.0.1:9150 - tcp

A dash in the Domain column means the report recorded no hostname for that connection. 127.0.0.1:9050 and 127.0.0.1:9150 are the default SOCKS listener ports of the Tor daemon and of Tor Browser respectively, so these rows are attempts to reach a locally running Tor proxy; no external traffic was recorded in this run.

Files

memory/1800-6-0x0000000010000000-0x0000000010012000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\124151717393163.bat

MD5 3540e056349c6972905dc9706cd49418
SHA1 492c20442d34d45a6d6790c720349b11ec591cde
SHA256 73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc
SHA512 c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

C:\Users\Admin\AppData\Local\Temp\c.vbs

MD5 5f6d40ca3c34b470113ed04d06a88ff4
SHA1 50629e7211ae43e32060686d6be17ebd492fd7aa
SHA256 0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1
SHA512 4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

MD5 cf1416074cd7791ab80a18f9e7e219d9
SHA1 276d2ec82c518d887a8a3608e51c56fa28716ded
SHA256 78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA512 0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

MD5 513c6fc75c447fa41605846cb3f82434
SHA1 002e904e5e54dd33347db2490fd0541d873ce6f4
SHA256 b41f6e4ce1fbc325da125c2b31e8ee4907f1660f2d503c201e8c0b3b6909de18
SHA512 efe12283a2582ce174959dd24617eaa6eb51549a41124c3d44b1f7a72ccd08620640a21ccbe6f2ec5c423f4a6c43a878922791dc9d72289c7da607a2e23e0029

C:\Users\Admin\AppData\Local\Temp\00000000.res

MD5 3cb6c0f7bfa95fa33f64b06bff61e1c1
SHA1 06c36e2dea3010ad34f21aa1d558601a95dadbca
SHA256 62835e7195823fe7785b528e9c9be7d1be7172e7ac1b9a3ded906176d69d6eb4
SHA512 3f8692047f2ba6c91d400d788ff6967eaa974b6569f055492ead621aea805fed8d9cf387a1d057d5e4765d6cee1f0f16418e6b88181223871d0ff784f6017448

C:\Users\Admin\AppData\Local\Temp\c.wry

MD5 c3da9c6790105d338893ed4625b3303a
SHA1 6f0e09463a6d0d234881f7829e2afe5672351a4e
SHA256 770d5b2564de14239a1a81d53c87bec837391916dfaf8f27f494460e27310bef
SHA512 0fd96a2dd011cea59bf67ff54cecea3967558b934d86ca7500a29a34b7995a9d17de4117d07631e79a93b94cf16e3907ed11b0d69df61e57038ae80f53cef139

C:\Users\Admin\Documents\!Please Read Me!.txt

MD5 afa18cf4aa2660392111763fb93a8c3d
SHA1 c219a3654a5f41ce535a09f2a188a464c3f5baf5
SHA256 227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0
SHA512 4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

C:\Users\Admin\AppData\Local\Temp\00000000.res

MD5 4a9ce682821b51764911caca182234d8
SHA1 c7ea028ca3b961ec7895a40dbb291798597d2b13
SHA256 17caf89a636de4e8ecbd12ada8a24827803b97b6282f65d1facf93288d6361a5
SHA512 212b821569aeb25b4809ce1b4a62306dc52df2c42245e2a18c05301a2b295dddf636a3c48540bb9755c8b24259589a5da3451896cd06df5cf38ce2ca5660c7ad

C:\Users\Admin\AppData\Local\Temp\m.wry

MD5 980b08bac152aff3f9b0136b616affa5
SHA1 2a9c9601ea038f790cc29379c79407356a3d25a3
SHA256 402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9
SHA512 100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

C:\Users\Admin\AppData\Local\Temp\00000000.res

MD5 53773afa59a6ae1b6ae569a4b7092bdb
SHA1 44733c901160422c4820ffc038649a0d8b8b2cd7
SHA256 3d7670c6c27d0fc10b35c42d409449c640e609e7b471f95e75b9a178410c2112
SHA512 e6d176c3a1088dc573eda4fa6108f94f56e3521cd1fe9b37e6213a8d7f17a3c562e8b4b8a9167ace14daf92443cdf10ac128f661b0222ecb4c8c8f543b350929

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 05:39

Reported

2024-06-03 05:41

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Surprise.exe"

Signatures

Wannacry

ransomware worm wannacry

Deletes shadow copies

ransomware defense_evasion impact execution

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD4C88.tmp C:\Users\Admin\AppData\Local\Temp\Surprise.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD4C8F.tmp C:\Users\Admin\AppData\Local\Temp\Surprise.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Surprise.exe\" /r" C:\Users\Admin\AppData\Local\Temp\Surprise.exe N/A
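The Run value above and the ~SD*.tmp files written to the Startup and Word STARTUP folders (the "Drops startup file" and "Adds Run key to start application" signatures in behavioral1 and behavioral2) are the sample's autostart footprint. The Python below is an added example, not part of the report or of the sample: it parses the report's own "Set value" indicator lines and dropped-file paths and scores them the way an analyst sorts autostart entries, flagging a Run value whose image sits under a user-writable directory and whose name borrows a Microsoft product name. The SecurityHealth Run value is a constructed benign control; the rest of the sample input is copied from this report. The ATT&CK IDs in STARTUP_DIRS (T1547.001, T1137) are the general techniques, not labels the report assigns.

```python
"""Triage autostart indicators as printed in the report (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Hive prefixes as the sandbox prints them, mapped to the usual short form.
HIVES = {"\\REGISTRY\\MACHINE": "HKLM", "\\REGISTRY\\USER": "HKU"}

# Directories a standard user can write to. A Run value whose image lives
# here was not placed by a normal installer and deserves a look.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Local|AppData\\Roaming|ProgramData|Users\\Public|Downloads)\\",
    re.IGNORECASE,
)

# Autostart directories seen in the report (ATT&CK IDs are assumed general labels).
STARTUP_DIRS = {
    "\\start menu\\programs\\startup\\": "Startup folder (T1547.001)",
    "\\microsoft\\word\\startup\\": "Word STARTUP folder (T1137)",
}

# Matches: Set value (str) \REGISTRY\...\<key>\<name> = "<escaped data>"
INDICATOR_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\]+?) = "(?P<data>.*)"$'
)


@dataclass
class AutostartFinding:
    location: str                 # registry value or autostart directory
    image: str                    # executable launched / file dropped
    arguments: str = ""
    reasons: List[str] = field(default_factory=list)   # why it is suspicious
    notes: List[str] = field(default_factory=list)     # context only

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def unescape(data: str) -> str:
    """Undo the backslash escaping the report applies to value data."""
    return re.sub(r"\\(.)", r"\1", data)


def split_command(cmdline: str):
    """Split '"C:\\dir\\x.exe" /r' into (image, arguments)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end == -1:
            return cmdline[1:], ""
        return cmdline[1:end], cmdline[end + 1:].strip()
    image, _, args = cmdline.partition(" ")
    return image, args.strip()


def triage_run_value(indicator: str) -> Optional[AutostartFinding]:
    """Score one 'Set value' indicator; None unless it is a Run/RunOnce value."""
    m = INDICATOR_RE.match(indicator)
    if not m or not re.search(r"\\CurrentVersion\\Run(Once)?$", m["key"], re.I):
        return None
    key = m["key"]
    for prefix, short in HIVES.items():
        if key.startswith(prefix):
            key = short + key[len(prefix):]
    image, args = split_command(unescape(m["data"]))
    f = AutostartFinding(location=f"{key}\\{m['name']}", image=image, arguments=args)
    if USER_WRITABLE.search(image):
        f.reasons.append("image under a user-writable directory")
    in_system_dir = re.match(r"[A-Z]:\\(Windows|Program Files)", image, re.I)
    if re.search(r"microsoft|windows|update", m["name"], re.I) and not in_system_dir:
        f.reasons.append("value name mimics a Microsoft component but image is outside system directories")
    if re.search(r"\\wow6432node\\", m["key"], re.I):
        f.notes.append("written through the 32-bit registry view: the writer is a 32-bit process")
    return f


def triage_dropped_file(path: str) -> Optional[AutostartFinding]:
    """Flag a file written into an autostart directory."""
    lowered = path.lower()
    for needle, label in STARTUP_DIRS.items():
        if needle in lowered:
            return AutostartFinding(location=label, image=path,
                                    reasons=[f"file written to an autostart location: {label}"])
    return None


# Sample input: the Run value, the Wallpaper value, the two ~SD*.tmp paths and
# c.vbs are copied from this report; the SecurityHealth value is a constructed
# benign control. c.vbs is a negative case (dropped, but not in an autostart dir).
SAMPLE_RUN_VALUES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Surprise.exe\" /r"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\system32\\SecurityHealthSystray.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"',
]
SAMPLE_DROPPED = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD342B.tmp",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD4C8F.tmp",
    r"C:\Users\Admin\AppData\Local\Temp\c.vbs",
]


def triage_all(run_values=SAMPLE_RUN_VALUES, dropped=SAMPLE_DROPPED) -> List[AutostartFinding]:
    findings = [f for f in map(triage_run_value, run_values) if f]
    findings += [f for f in map(triage_dropped_file, dropped) if f]
    return findings


if __name__ == "__main__":
    for f in triage_all():
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"[{flag}] {f.location} -> {f.image} {f.arguments}".rstrip())
        for r in f.reasons + f.notes:
            print("    -", r)
```

Running the module yields four findings: the Run value (suspicious on two counts, plus the note that it was written through the Wow6432Node view, i.e. by a 32-bit process), the benign control, and the two files dropped into the Startup and Word STARTUP folders. The Wallpaper value is parsed but ignored because it is not a Run/RunOnce key.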

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1668 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\cmd.exe
PID 1668 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\cmd.exe
PID 1668 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\cmd.exe
PID 1760 wrote to memory of 1740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1760 wrote to memory of 1740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1760 wrote to memory of 1740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1668 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1668 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1668 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1668 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\taskkill.exe
PID 1668 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\taskkill.exe
PID 1668 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\taskkill.exe
PID 1668 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\taskkill.exe
PID 1668 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\taskkill.exe
PID 1668 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\taskkill.exe
PID 1668 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\taskkill.exe
PID 1668 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\taskkill.exe
PID 1668 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\taskkill.exe
PID 1668 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\taskkill.exe
PID 1668 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\taskkill.exe
PID 1668 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\taskkill.exe
PID 1668 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1668 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1668 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1668 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\cmd.exe
PID 1668 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\cmd.exe
PID 1668 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Windows\SysWOW64\cmd.exe
PID 4956 wrote to memory of 2860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 4956 wrote to memory of 2860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 4956 wrote to memory of 2860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1668 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1668 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1668 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\Surprise.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2860 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 1540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1408 wrote to memory of 1540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1408 wrote to memory of 1540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Surprise.exe

"C:\Users\Admin\AppData\Local\Temp\Surprise.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 96001717393163.bat

C:\Windows\SysWOW64\cscript.exe

cscript //nologo c.vbs

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe f

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im MSExchange*

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Microsoft.Exchange.*

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sqlserver.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sqlwriter.exe

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe c

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c start /b !WannaDecryptor!.exe v

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe v

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe
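The same cmd.exe chain appears in both detonations: vssadmin delete shadows, wmic shadowcopy delete, two bcdedit changes that stop Windows from offering recovery after a failed boot, and wbadmin delete catalog, preceded by four taskkill calls against Exchange and SQL Server image names so that open mail and database files can be encrypted. (The sample targets sqlserver.exe; the SQL Server service image is sqlservr.exe, so that particular kill would miss on a real server.) The Python below is an added example, not code from the report or from the sample: it splits each process's command line into the sub-commands cmd.exe would run, matches them against ATT&CK T1490 (Inhibit System Recovery) and T1489 (Service Stop) patterns, and attributes each hit to its process lineage. The PIDs in SAMPLE_PROCS are taken from the behavioral1 WriteProcessMemory table; pairing each PID with a command line follows the order in which the report lists the processes, which is an assumption.

```python
"""Detect recovery-inhibition and service-stop command chains (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    technique: str     # ATT&CK technique ID
    description: str
    command: str       # the sub-command that matched
    lineage: str       # root > ... > this process


# One pattern per sub-command. T1490 = Inhibit System Recovery, T1489 = Service Stop.
RULES = [
    ("T1490", "shadow copies deleted via vssadmin", re.compile(r"^vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1490", "shadow copies deleted via WMI", re.compile(r"^wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1490", "Windows Recovery Environment disabled", re.compile(r"^bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I)),
    ("T1490", "boot failure handling suppressed", re.compile(r"^bcdedit(\.exe)?\s.*bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("T1490", "backup catalog deleted", re.compile(r"^wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("T1489", "mail/database process force-killed",
     re.compile(r"^taskkill(\.exe)?\s.*/im\s+(msexchange|microsoft\.exchange|sql(server|servr|writer)|mysqld|oracle|veeam)", re.I)),
]

# 'cmd /c ...', 'cmd.exe /k ...' or 'C:\Windows\system32\cmd.exe /c ...'
CMD_SHELL = re.compile(r'^(?:"?[A-Za-z]:\\[^"\s]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+', re.I)


def subcommands(cmdline: str) -> List[str]:
    """Strip a leading cmd /c and split its payload on the & && | || operators."""
    m = CMD_SHELL.match(cmdline)
    payload = cmdline[m.end():] if m else cmdline
    # 'start /b prog args' is only a launcher wrapper: score the program itself
    payload = re.sub(r"^start\s+(/\S+\s+)*", "", payload, flags=re.I)
    return [p.strip() for p in re.split(r"\s*(?:&&|\|\||&|\|)\s*", payload) if p.strip()]


def lineage(procs: List[Proc], pid: int) -> str:
    """Image names from the root of the tree down to pid, joined with ' > '."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image.rsplit("\\", 1)[-1])
        pid = by_pid[pid].ppid
    return " > ".join(reversed(chain))


def scan(procs: List[Proc]) -> List[Finding]:
    """Match every sub-command of every process against RULES."""
    findings = []
    for p in procs:
        for sub in subcommands(p.cmdline):
            for technique, description, pattern in RULES:
                if pattern.search(sub):
                    findings.append(Finding(p.pid, technique, description, sub, lineage(procs, p.pid)))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, List[tuple]]:
    """Distinct (technique, description) pairs per root process. Several distinct
    T1490 actions under one root is the classic pre-encryption ransomware chain."""
    per_root = defaultdict(set)
    for f in findings:
        per_root[f.lineage.split(" > ")[0]].add((f.technique, f.description))
    return {root: sorted(pairs) for root, pairs in per_root.items()}


# Constructed from the report's behavioral1 process list. PIDs are the ones in
# the WriteProcessMemory table; the PID-to-command-line pairing is assumed.
SAMPLE_PROCS = [
    Proc(1800, 0, r"C:\Users\Admin\AppData\Local\Temp\Surprise.exe", r'"C:\Users\Admin\AppData\Local\Temp\Surprise.exe"'),
    Proc(2512, 1800, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c 124151717393163.bat"),
    Proc(2564, 2512, r"C:\Windows\SysWOW64\cscript.exe", "cscript //nologo c.vbs"),
    Proc(2444, 1800, r"C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe", "!WannaDecryptor!.exe f"),
    Proc(2924, 1800, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im MSExchange*"),
    Proc(2916, 1800, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im Microsoft.Exchange.*"),
    Proc(856, 1800, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im sqlserver.exe"),
    Proc(308, 1800, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im sqlwriter.exe"),
    Proc(912, 1800, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /c start /b !WannaDecryptor!.exe v"),
    Proc(1388, 912, r"C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe", "!WannaDecryptor!.exe v"),
    Proc(1848, 1388, r"C:\Windows\SysWOW64\cmd.exe",
         "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & "
         "bcdedit /set {default} bootstatuspolicy ignoreallfailures & "
         "bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"),
    Proc(2400, 1848, r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    Proc(2456, 1848, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic shadowcopy delete"),
]


if __name__ == "__main__":
    for f in scan(SAMPLE_PROCS):
        print(f"{f.technique} pid={f.pid} [{f.lineage}] {f.command}")
    print(summarize(scan(SAMPLE_PROCS)))
```

Because the parent cmd.exe command line is scored as well as the vssadmin.exe and WMIC.exe children it spawns, the chain is visible at process-creation time, before the children have done anything; a detection built on this logic should alert on the first T1490 hit under a user-launched tree rather than wait for the whole chain to complete.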

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
N/A 127.0.0.1:9050 - tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
N/A 127.0.0.1:9150 - tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
N/A 127.0.0.1:9050 - tcp
N/A 127.0.0.1:9150 - tcp
N/A 127.0.0.1:9050 - tcp
N/A 127.0.0.1:9150 - tcp
N/A 127.0.0.1:9050 - tcp
N/A 127.0.0.1:9150 - tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
N/A 127.0.0.1:9050 - tcp
N/A 127.0.0.1:9150 - tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
N/A 127.0.0.1:9050 - tcp
N/A 127.0.0.1:9150 - tcp
N/A 127.0.0.1:9050 - tcp
N/A 127.0.0.1:9150 - tcp
N/A 127.0.0.1:9050 - tcp
N/A 127.0.0.1:9150 - tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

A dash in the Domain column means the report recorded no hostname for that connection. As in behavioral1, the loopback rows are attempts to reach a Tor SOCKS proxy on its default ports (9050 for the Tor daemon, 9150 for Tor Browser). The 8.8.8.8:53 rows are reverse-DNS (PTR) queries for the addresses encoded in the in-addr.arpa names; the report does not attribute them to a process, and no connection to those addresses is recorded.

Files

memory/1668-6-0x0000000010000000-0x0000000010012000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u.wry

MD5 cf1416074cd7791ab80a18f9e7e219d9
SHA1 276d2ec82c518d887a8a3608e51c56fa28716ded
SHA256 78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA512 0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

C:\Users\Admin\AppData\Local\Temp\96001717393163.bat

MD5 3540e056349c6972905dc9706cd49418
SHA1 492c20442d34d45a6d6790c720349b11ec591cde
SHA256 73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc
SHA512 c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

C:\Users\Admin\AppData\Local\Temp\c.vbs

MD5 5f6d40ca3c34b470113ed04d06a88ff4
SHA1 50629e7211ae43e32060686d6be17ebd492fd7aa
SHA256 0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1
SHA512 4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

MD5 3bcfb8d1bcec6d5a97031809ce3972fa
SHA1 0220416d1f1a0f1d00c62c207e4f21bd6dbc56f7
SHA256 256cf91da994be620da6f36202d96fe384db68e6aedf5a1d495aff9fc0a3e195
SHA512 a95b40958f673e8044715bc61459c2872ed0b7b60b80230223a430cb59ac0d8e85f8a361fe15414490b3e43128ece3b1d1f621729e1b089b647444d493d35e22

C:\Users\Admin\AppData\Local\Temp\c.wry

MD5 ed261fab3ec1978acce1f15e935ee60b
SHA1 de553083f05758817329e6e904220a61c5520db2
SHA256 80fda9f4b5a0f7358d85073a972d41061a908a35725dd45c72fd4047ca511045
SHA512 81decd70d5e99e79680f810a2f539bed10ee876d08eaec3e9d561dfcbd09cf7bc81fe10e19ef396b425777eeae49db0a3e5f892cc419e8fac7c3cb7fb7dd42cf

C:\Users\Admin\AppData\Local\Temp\00000000.res

MD5 3783c4288230c6e45bf6a7dd740ca126
SHA1 743c01cf8c2a9e44a877bca8cc7b8f0ee3f57985
SHA256 ba43f40331b7a7834d60e16cd750fd77f65eddc2c1269cbe1e8c36ac78af74c7
SHA512 01546de835ab2c06086fb8f2d52a57e39b05ba04ecb5caadba46c54eb1c903816bb2148be4c3c490f7e6d2deaf10cd804895caf52b7061beea91b91911c345f8

C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

MD5 afa18cf4aa2660392111763fb93a8c3d
SHA1 c219a3654a5f41ce535a09f2a188a464c3f5baf5
SHA256 227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0
SHA512 4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

C:\Users\Admin\AppData\Local\Temp\00000000.res

MD5 5500efc162a01fd956bdeb3a7612bd02
SHA1 28c7cea4a42fc719693befb54c00455fe7c89f8e
SHA256 c9600d9e4538f0d09bbad97698e5584865e9ea2eaca2eff0d2d1a410a3f9717f
SHA512 70e4f03391f467b74f631f712caa08a6fd98740d147b4e1af81e1f1ff1b9114cd5eb1d5506b3e8b70bc0324a905bda6bd0f7035aec14872555849ca8137b4609

C:\Users\Admin\AppData\Local\Temp\m.wry

MD5 980b08bac152aff3f9b0136b616affa5
SHA1 2a9c9601ea038f790cc29379c79407356a3d25a3
SHA256 402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9
SHA512 100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

C:\Users\Admin\AppData\Local\Temp\00000000.res

MD5 012618beb0d8241eb38bbce756ccf29c
SHA1 c76e0a9a9022de438a79bc59b167ba9e0aae99f6
SHA256 865d486d6d7106a84a0c5ab3ce2b901071677cb975e4f6ac9a7cc81452de1eff
SHA512 101864ec39ad490f0d401cdf5926d21415b4ecde8a5736a8c968c14573a8858c4956ee3050ea00777a398fc947844bd2504ae7ea759516f7867c17a56f1822c7