Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-06-2024 08:32
- Static task: static1
- Behavioral task: behavioral1
- Sample: WannaCry.exe
- Resource: win10v2004-20240426-en
General
- Target: WannaCry.exe
- Size: 224KB
- MD5: 5c7fb0927db37372da25f270708103a2
- SHA1: 120ed9279d85cbfa56e5b7779ffa7162074f7a29
- SHA256: be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
- SHA512: a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
- SSDEEP: 3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ
Malware Config
- Extracted from: C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt
- Family: wannacry
- Wallet: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Drops startup file (2 IoCs)
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD686C.tmp | WannaCry.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD6883.tmp | WannaCry.exe
- Executes dropped EXE (5 IoCs)
  pid | process
  4844 | !WannaDecryptor!.exe
  3784 | !WannaDecryptor!.exe
  2916 | !WannaDecryptor!.exe
  3100 | !WannaDecryptor!.exe
  4512 | !WannaDecryptor!.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WannaCry.exe\" /r" | WannaCry.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" | !WannaDecryptor!.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Kills process with taskkill (4 IoCs)
  pid | process
  2084 | taskkill.exe
  2416 | taskkill.exe
  4160 | taskkill.exe
  4520 | taskkill.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | process
  700 | msedge.exe (x2)
  3952 | msedge.exe (x2)
  5112 | identity_helper.exe (x2)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | process
  3100 | !WannaDecryptor!.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
  pid | process
  3952 | msedge.exe (x3)
- Suspicious use of AdjustPrivilegeToken (54 IoCs)
  token | pid | process
  SeDebugPrivilege | 2416 | taskkill.exe
  SeDebugPrivilege | 4520 | taskkill.exe
  SeDebugPrivilege | 2084 | taskkill.exe
  SeDebugPrivilege | 4160 | taskkill.exe
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (each enabled twice) | 4228 | WMIC.exe
  SeBackupPrivilege | 1880 | vssvc.exe
  SeRestorePrivilege | 1880 | vssvc.exe
  SeAuditPrivilege | 1880 | vssvc.exe
  SeManageVolumePrivilege | 4672 | svchost.exe
  SeSystemtimePrivilege (x2) | 716 | SystemSettingsAdminFlows.exe
  SeSystemtimePrivilege (x2) | 3252 | SystemSettingsAdminFlows.exe
- Suspicious use of FindShellTrayWindow (26 IoCs)
  pid | process
  3952 | msedge.exe (x26)
- Suspicious use of SendNotifyMessage (24 IoCs)
  pid | process
  3952 | msedge.exe (x24)
- Suspicious use of SetWindowsHookEx (11 IoCs)
  pid | process
  4844 | !WannaDecryptor!.exe (x2)
  3784 | !WannaDecryptor!.exe (x2)
  2916 | !WannaDecryptor!.exe (x2)
  3100 | !WannaDecryptor!.exe (x2)
  716 | SystemSettingsAdminFlows.exe
  3252 | SystemSettingsAdminFlows.exe
  4512 | !WannaDecryptor!.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  source pid | source process | target pid | target process | count
  1728 | WannaCry.exe | 4860 | cmd.exe | 3
  4860 | cmd.exe | 4228 | cscript.exe | 3
  1728 | WannaCry.exe | 4844 | !WannaDecryptor!.exe | 3
  1728 | WannaCry.exe | 2084 | taskkill.exe | 3
  1728 | WannaCry.exe | 2416 | taskkill.exe | 3
  1728 | WannaCry.exe | 4160 | taskkill.exe | 3
  1728 | WannaCry.exe | 4520 | taskkill.exe | 3
  1728 | WannaCry.exe | 3784 | !WannaDecryptor!.exe | 3
  1728 | WannaCry.exe | 2136 | cmd.exe | 3
  2136 | cmd.exe | 2916 | !WannaDecryptor!.exe | 3
  1728 | WannaCry.exe | 3100 | !WannaDecryptor!.exe | 3
  2916 | !WannaDecryptor!.exe | 3628 | cmd.exe | 3
  3628 | cmd.exe | 4228 | WMIC.exe | 3
  3100 | !WannaDecryptor!.exe | 3952 | msedge.exe | 2
  3952 | msedge.exe | 2384 | msedge.exe | 2
  3952 | msedge.exe | 3936 | msedge.exe | 21
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\WannaCry.exe (PID 1728, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"
  Signatures: Drops startup file; Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 4860, level 2)
    Command line: C:\Windows\system32\cmd.exe /c 312351718094787.bat
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cscript.exe (PID 4228, level 3)
      Command line: cscript //nologo c.vbs
  - C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe (PID 4844, level 2)
    Command line: !WannaDecryptor!.exe f
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\taskkill.exe (PID 2084, level 2)
    Command line: taskkill /f /im MSExchange*
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\taskkill.exe (PID 2416, level 2)
    Command line: taskkill /f /im Microsoft.Exchange.*
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\taskkill.exe (PID 4160, level 2)
    Command line: taskkill /f /im sqlserver.exe
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\taskkill.exe (PID 4520, level 2)
    Command line: taskkill /f /im sqlwriter.exe
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe (PID 3784, level 2)
    Command line: !WannaDecryptor!.exe c
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe (PID 2136, level 2)
    Command line: cmd.exe /c start /b !WannaDecryptor!.exe v
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe (PID 2916, level 3)
      Command line: !WannaDecryptor!.exe v
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 3628, level 4)
        Command line: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 4228, level 5)
          Command line: wmic shadowcopy delete
          Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe (PID 3100, level 2)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; Sets desktop wallpaper using registry; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3952, level 3)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how+to+buy+bitcoin
      Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2384, level 4)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ff95e8346f8,0x7ff95e834708,0x7ff95e834718
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3936, level 4)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,12432901833464833444,14427384234694392302,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 700, level 4)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,12432901833464833444,14427384234694392302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
        Signatures: Suspicious behavior: EnumeratesProcesses
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4952, level 4)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,12432901833464833444,14427384234694392302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2240, level 4)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12432901833464833444,14427384234694392302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1996, level 4)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12432901833464833444,14427384234694392302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1916, level 4)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12432901833464833444,14427384234694392302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 5104, level 4)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,12432901833464833444,14427384234694392302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 5112, level 4)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,12432901833464833444,14427384234694392302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
        Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe (PID 1880, level 1)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\CompPkgSrv.exe (PID 1832, level 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 3184, level 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\svchost.exe (PID 4672, level 1)
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\SystemSettingsAdminFlows.exe (PID 716, level 1)
  Command line: "C:\Windows\system32\SystemSettingsAdminFlows.exe" SetDateTime
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
- C:\Windows\System32\Upfc.exe (PID 1264, level 1)
  Command line: C:\Windows\System32\Upfc.exe /launchtype periodic /cv rkRoZkIwW0yCns87Kk4oDw.0
- C:\Windows\system32\SystemSettingsAdminFlows.exe (PID 3252, level 1)
  Command line: "C:\Windows\system32\SystemSettingsAdminFlows.exe" SetDateTime
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
- C:\Windows\System32\Upfc.exe (PID 2564, level 1)
  Command line: C:\Windows\System32\Upfc.exe /launchtype periodic /cv R6598ftMH0qUL6T966e5eA.0
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe (PID 4512, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: ea98e583ad99df195d29aa066204ab56
  SHA1: f89398664af0179641aa0138b337097b617cb2db
  SHA256: a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6
  SHA512: e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f
- Filesize: 152B
  MD5: 4f7152bc5a1a715ef481e37d1c791959
  SHA1: c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7
  SHA256: 704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc
  SHA512: 2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c
- Filesize: 202KB
  MD5: 6a16cbefd2e29c459297b7ccc8d366ad
  SHA1: 40da0213a9e5ea4cb6948f4a8e92b5e8b97e6cfe
  SHA256: 9462da5aa6e2a762b02a24b7305bac86349e5b5ea182d36fd6a163de550cde60
  SHA512: 6a9de0231f9987554a20208a89c6c802d28c57ecb6f9e95771c94156b65c61ac1e18298ce6d3f0559d3a08052845cc2014dab335e119fde731d745e4857b7d74
- Filesize: 120B
  MD5: 9558b7e09be924c8e85354b916daf9ec
  SHA1: af086b0b7e427aa2dd0dd3aa33c557132c1856bf
  SHA256: 3643a6ded78a06b4a0b378d1bdc038c816863b0566a623d64fb96ca2bafc7c10
  SHA512: adaeca6bde67578dc99b591714fe9a755b1236e2f7b006bb583a2219b75337efa626abbd52b919b65ebc2f169b71691e55d749d1ec1b7ae6683d42ceec7de673
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 48B
  MD5: 15628a09a9daa7fd3f208b6df7ff574d
  SHA1: cfae8083fabecc6fa2c9149fd6748b3885c664c0
  SHA256: 49194703d26675a9755d566686fc25800e0054dceef4c98ce57fde618f5fbd76
  SHA512: d8a69d2b6e1e1cd173d7d6cac163bb246ce923893fa01a83166f847fa6528cd85ed63f1bde9edc18def4af23bd9ff0ade0539cdc3fbeb4d7967a47836df0c543
- Filesize: 845B
  MD5: d63068a07d7de7e8bff4150d3bc284ef
  SHA1: 117b07b0ee7d3063384bd0d77e2b938356ad5ba7
  SHA256: d54d39a245aeac4a6d4a55ebb8d135a9b422d9fb6cbd6a299f51ed22d4b24129
  SHA512: acc261015b9fdc4f9070f6e6c6ccb0a331296b52f175f9756f5ffa156a5196ed482924f4787c5aa9d803c8d8b3e7f769748fcaea17f0dbafb9d25c08fb10fe38
- Filesize: 5KB
  MD5: a84680c2c26da96209ac54c6f610162d
  SHA1: 2d4e749689013e9c90aeca35415400c0f60d64ac
  SHA256: ad33df4db4fc55e1736120f352c63e63706305861f4211baadb813024d1add10
  SHA512: 980a270031329f3fa0366ef9a0897ea6c8e60ad6c38d4d45bc5ffc7c0b6a8617ed7f48f0930259cee027fd396e04975c178f96ca58310d1fd03605bbdb174ed4
- Filesize: 6KB
  MD5: daf6e0fd7037d6ec1b19619dbd88093d
  SHA1: 311e497f388d6f2f73efe1e101c803bf71fb14c3
  SHA256: 4d423fa1a90f3301c85877e447a89d8549b2bf9277d29044d5d1f13083163cad
  SHA512: 3ea50e8ad5b7d7d29c8f29f4e4dc9aca28f1c08be49cbb0bfb260a0bc661fddb472f96d4e0d56aadc980761db3d37f935154da31a6358b24bf37d5f55288434a
- Filesize: 6KB
  MD5: a8d458389245b911b10b05dfe3a5ddee
  SHA1: ef3293a1cf16a442bfd609ad682d36da4343f746
  SHA256: 046fbaffff458759acf816db027b9b847dd02dec20423d4a90646e94996020d2
  SHA512: 65417ac1969eaccb5fe80c8798740f960f14057b16351f9727bc880f81597c718e7f4a3795b4ca79fa390c8cdf12410fe9dc1fd0fe00d075242504a06a741f2c
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 10KB
  MD5: 04b46959831a021651d5be71f7b82d0d
  SHA1: 30798bd7d1948b3661f9f069a724be947d93fe8f
  SHA256: bd7ce33007bb69d33af6194ca5537b4135ca9187f6f0a484e8dc4bea2f408be5
  SHA512: 4619a6cb6be8679774d7e12fcb48fa830cb93b57316d1a758316fd7d9cd0b989356c9cffb7ef71e70c4dd8c36e31f2001998f21c6627e0a794da3d2a8754b5f2
- Filesize: 11KB
  MD5: 20c572a9bcaf4977fdeb91eea03a87a4
  SHA1: 24ab49ac3ecbe106cbe6607cf4b93dd09d580e1f
  SHA256: 52d63d560197d74b5f63167faf0c0d2507e856b9eb11dcb0d03a7e1c0f0b12eb
  SHA512: 0a1f70e6486dded78b27927c56857a17e53fb04ef34f70ce358231f2512e16ef52016832bf743251835e0c0e67173cb9a413fdea102785dcbca9ca9277d55000
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\HKBKLUUL\2\ny8zro4pDGbiNebl2UkdFP3COms.br[1].js.WCRY
  Filesize: 2KB
  MD5: 7606286ebf9b8b246cb4f6bca3d46e05
  SHA1: cc15b7e375dc71cf7c274fdc3b3b513686755238
  SHA256: d88d66bb097ae57271ab53dffca022e97ce644abfed2943f44824ce7c9f45902
  SHA512: ce319199c46c7ec68501df8ea9b464eea7d0ea631fb055d99542710a35c52fe217075e5a3237e83758a5f95e14d51898a11d3c4cea8a1e9dd6c709853ea1e150
- Filesize: 797B
  MD5: afa18cf4aa2660392111763fb93a8c3d
  SHA1: c219a3654a5f41ce535a09f2a188a464c3f5baf5
  SHA256: 227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0
  SHA512: 4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b
- Filesize: 1KB
  MD5: 8182facfd79b884b2c027f7dbf8c5bb2
  SHA1: cb09fb86975cb183e34704395fea70f6147cb6ef
  SHA256: a40ae58632dc09a6b73e0cc8e539ecb2a556da7e61d283ac722fec12a1bff41b
  SHA512: dcde4ef95ba46a599aa535b894a9b83007da7182c81d4f6f303270c1ff3314e3800ec40a1a0346ae1ebb6c5c4ba34995a88ad9a8efa54850a20147b2b741e14f
- Filesize: 1KB
  MD5: 02f64b5f196d2898bdcbb94e8d580fae
  SHA1: 428ce6f51f47cf25fc312f23a3188408541ef02b
  SHA256: 890d0a4dee8eeb20567423d401ac1cbde7514be3b10288d7a30f1dbe71a1c888
  SHA512: 9f89374ba018dce59d0676a24a957b6ef59fa8d65d0676d97aabd4338693311df3290af71ed612bd56414bad50dc22c83f8c46142c4ee70a0e18b585093cbfcf
- Filesize: 136B
  MD5: f2214b90737cf5fcbbb1af5fd19a766f
  SHA1: ee87f5a4f6b5b29d6d5e78807bba62dfd9eb0e55
  SHA256: 30f82f13b151e659a8413e7a7e7ad2718b1b7c769811def4c62095fa9eb3749a
  SHA512: e2b97794031189594ed95a5798a021b5daaaf2019e04fe4a749703a8b723277823d5b8f236c2dd9280a7d15570610555781dcee7f8f591ca906dbce9b4f954a2
- Filesize: 136B
  MD5: ea44c7dd86e85d307ac538c69103e373
  SHA1: 0e9441e07d3209bd5d5309b79d97e6b1b3b0424c
  SHA256: 18c50c3cfd859d93b85275c5cd3f466fc4c4e27f3d247ae0ac3a3d85e1e74113
  SHA512: 53336f9ec5054d7a55bbd2b18b9535fedb9d442d24778cc59bf76abcf917bf1aee6e0f6b847664d22107b0939bea696a32fd57ae7ab0971ae9934f7c844e37f4
- Filesize: 136B
  MD5: 770835d66e63ac10bf289936aa329456
  SHA1: 66b9acfe7f58f12ce1c068d379ee9a77421e35d2
  SHA256: bce43b3b4877469aaa98970f57bf88bf25ae2db4b0183a529ee671f439b44dfe
  SHA512: d24a17f2860f5d32e74ecaf948215fbb5e8bdfdfab1de2603000427882174fc8760f0661fc3518f14e8bb133d2b579cbfc3dbb686c86f35ea8660cb934fc9b83
- Filesize: 136B
  MD5: f28999f412187ebf52f851bd34557dc8
  SHA1: 3e38e3f639db5e764a64136094539be6d3a206b7
  SHA256: 0b027b3fa506d61b7312688305b0954631f3dc98037cfd19575edb8f7fdd65ed
  SHA512: 7dfebb45fd4ddcb6b3f3c15dcedd4c1a78d0b70dddba31d571d9b664791c286d9b3d1540f6253c8a8cf4425792ca237320d97d0e8c77e60db6ea5cdd6c28d482
- Filesize: 136B
  MD5: ee4aba225058d16fcc1bdf06a0de9eb2
  SHA1: 2e1f05ce6efbd43e6007a75fec34f7caf5d680fc
  SHA256: 78ec115224dfe9551fb7954cff96266ad30a75bf7af17a87eb4f267a53cda39e
  SHA512: fe58ce7144d074981a8c808032c7a36cfd02366a8ef849ad0dce662bad4c40047773d4ab8d1ad9f61c08daf306985b21fcaef37f38f718a7ff421cbcd945c147
- Filesize: 336B
  MD5: 3540e056349c6972905dc9706cd49418
  SHA1: 492c20442d34d45a6d6790c720349b11ec591cde
  SHA256: 73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc
  SHA512: c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c
- Filesize: 219B
  MD5: 5f6d40ca3c34b470113ed04d06a88ff4
  SHA1: 50629e7211ae43e32060686d6be17ebd492fd7aa
  SHA256: 0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1
  SHA512: 4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35
- Filesize: 628B
  MD5: 40afb36afbe2bdc492847c8b91302b66
  SHA1: 53dac49a48d28e079e70bc6ee4b62cc34a3ffe97
  SHA256: 100f9c6f3b275f2f804234d9a2cce4d4f8b0a33fb36dbbf2516d0cc76d28a377
  SHA512: cf1826b6ed6256ab07f1d41ef9b8410f044eae0941fa1f516c386ddfae95dc49d3cf674e1055beda6827bdb629edb21b71c9176817b0413fba97cd25ad3309ec
- Filesize: 332B
  MD5: 2c03d43389ed4cdafc05c5911343ae52
  SHA1: 63bc3b76ed17388fc4a9ea2c8c6ef141bd239403
  SHA256: 5499624aa36ea816f5a9c095c383f201f6a454b26036d66547633537bc97ece2
  SHA512: 6d56e39d3696589ffa35570b906050ce177899ad0e926cba6b8b45174d2436f06f6307e5d35af931a9618ac5db492f6686e73520d2c6cb2f40aa96bd3d930bbf
- Filesize: 42KB
  MD5: 980b08bac152aff3f9b0136b616affa5
  SHA1: 2a9c9601ea038f790cc29379c79407356a3d25a3
  SHA256: 402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9
  SHA512: 100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496
- Filesize: 236KB
  MD5: cf1416074cd7791ab80a18f9e7e219d9
  SHA1: 276d2ec82c518d887a8a3608e51c56fa28716ded
  SHA256: 78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
  SHA512: 0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5
- Filesize: 407KB
  MD5: 201590394baaea1e53f0f76d5ea36384
  SHA1: d2698267703918aec09a5b231ba418715aeb554b
  SHA256: f31e632cf7ab9f4578136f4a0f571e32aa83c1d65a31c4e168bea27ce748ca62
  SHA512: 5e618f6ea8ad3d4b8c477b65671b30519049d860e2b97e904602c37b8c75918bda1b824f829b8e45fff9ec388a064e75b39a3b726fc4982763113c2a2b5670d6
- Filesize: 662KB
  MD5: 10a608d8c56c23aa7af4765a0742da70
  SHA1: 463c9fa8c468a815ba79f8a42ff519565ed51518
  SHA256: 15ff2fcace87ecfb524a77fb5b846e1a1ed050b52d426aa7de6ce82724e2d99b
  SHA512: e109b964597b67653438e16a2176f53a1f41223e195fa10717a9849669fab8f1f30d3bdec2ffe93ea05068fee848273da535b67fcf1b28e46d03d1f1457e1838
- Filesize: 237KB
  MD5: e8d4eb9a7998876cf18169600c8e6110
  SHA1: bae6d1b8042c6b1428eba9b6a46275a3bc116a03
  SHA256: 3459e6831f549dff4fc9ed31aacb47e6e37b99830f3560fa08931fde3078e1fb
  SHA512: 6607a9c0518bb296dbaa7ebf2b2c885e0a05146db7f6e937c92288fa701b3ca1559518303f2af107ab12738cf8489d8e1260dce61a414bbd3502386db573efee
- Filesize: 296B
  MD5: 1c489dd69d84b8f9d0a735ecc4976e26
  SHA1: 097daf6c23cc2c50889d53351ac399b53bfd540a
  SHA256: aa91c55ab21b3fa000e04531fe86138bf757d24166ef074524e3f25cfd80d1ce
  SHA512: ce8692ecd8c604ee280d58a59a2c307eb88ed9fd50e24e100ce2882c38c0a2983a375d183ba59c7acd8ec8e1698d83978f2d7ecfa8469d81f8f3ee2e483bf96a
- MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e