Malware Analysis Report

2024-08-06 16:21

Sample ID 240614-mcdfyazepp
Target WannaCry.exe
SHA256 be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
Tags wannacry defense_evasion execution impact persistence ransomware spyware stealer worm
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10
SHA256 be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

Threat Level: Known bad

The file WannaCry.exe was found to be: Known bad.

Malicious Activity Summary

wannacry defense_evasion execution impact persistence ransomware spyware stealer worm

Wannacry

Deletes shadow copies

Drops startup file

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Adds Run key to start application

Sets desktop wallpaper using registry

Enumerates physical storage devices

Unsigned PE

Kills process with taskkill

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Interacts with shadow copies

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2024-06-14 10:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-14 10:18
Reported 2024-06-14 10:19
Platform win7-20240611-en
Max time kernel 48s
Max time network 17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"

Signatures

Wannacry

ransomware worm wannacry

Deletes shadow copies

ransomware defense_evasion impact execution

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD1868.tmp C:\Users\Admin\AppData\Local\Temp\WannaCry.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WannaCry.exe\" /r" C:\Users\Admin\AppData\Local\Temp\WannaCry.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1936 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\cmd.exe
PID 1936 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\cmd.exe
PID 1936 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\cmd.exe
PID 1936 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\cmd.exe
PID 2944 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2944 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2944 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2944 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1936 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1936 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1936 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1936 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1936 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 1936 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 1936 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 1936 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 1936 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 1936 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 1936 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 1936 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 1936 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 1936 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 1936 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 1936 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 1936 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 1936 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 1936 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 1936 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 1936 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1936 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1936 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1936 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1936 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\cmd.exe
PID 1936 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\cmd.exe
PID 1936 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\cmd.exe
PID 1936 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\cmd.exe
PID 536 wrote to memory of 1040 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 536 wrote to memory of 1040 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 536 wrote to memory of 1040 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 536 wrote to memory of 1040 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1936 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1936 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1936 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1936 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1040 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe C:\Windows\SysWOW64\cmd.exe
PID 1040 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe C:\Windows\SysWOW64\cmd.exe
PID 1040 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe C:\Windows\SysWOW64\cmd.exe
PID 1040 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1652 wrote to memory of 956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1652 wrote to memory of 956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1652 wrote to memory of 956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1652 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1652 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1652 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1652 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\WannaCry.exe

"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c 219521718360337.bat

C:\Windows\SysWOW64\cscript.exe

cscript //nologo c.vbs

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe f

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im MSExchange*

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Microsoft.Exchange.*

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sqlserver.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sqlwriter.exe

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe c

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c start /b !WannaDecryptor!.exe v

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe v

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\SysWOW64\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

Network

Country Destination Domain Proto
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp

Files

memory/1936-6-0x0000000010000000-0x0000000010012000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\219521718360337.bat

MD5 3540e056349c6972905dc9706cd49418
SHA1 492c20442d34d45a6d6790c720349b11ec591cde
SHA256 73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc
SHA512 c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

C:\Users\Admin\AppData\Local\Temp\c.vbs

MD5 5f6d40ca3c34b470113ed04d06a88ff4
SHA1 50629e7211ae43e32060686d6be17ebd492fd7aa
SHA256 0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1
SHA512 4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

MD5 cf1416074cd7791ab80a18f9e7e219d9
SHA1 276d2ec82c518d887a8a3608e51c56fa28716ded
SHA256 78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA512 0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

MD5 71d5accafcd019faa2ec3c698fbe8745
SHA1 19b6723fd495597cd16b635924781a0ca9788778
SHA256 c8efb78b6011ded9b9e8154e3b3be5d70f6a23cabc07e12a3e0431af5fdc760c
SHA512 94bdfe2c46a012b30b319e1cf41a2fe574ecddb29bdc45120dec76565032079c779ef7a3b5a5826ac9f4b8ad69dd171b3eeca35ad87a1ac2f5e3f1b20695fa0a

C:\Users\Admin\AppData\Local\Temp\c.wry

MD5 f3fa8967826de76b71e2714d0a308a1a
SHA1 28b2a4613720f69c56b25203c67b68ed3564d94d
SHA256 28b1b7d0bf110b54c86e7cf2d4ee8624ba3dda77bd041f925c587010208fc879
SHA512 9e23ff447b5ce6b74762c7462d7915dbeabf5355740eff976e17be231357a2a76c6d0f513cbe63ce1142af92dca744316b02d2aaa1634e8f48f8dc06ce5468f3

C:\Users\Admin\AppData\Local\Temp\00000000.res

MD5 f151916965e38724b1f196cd8b57be30
SHA1 7a0b0a655bc7b31b2aeb2574543b224aca5ae03c
SHA256 cd0dab4e52edcc896a2ff771c188abbef71995d2f19ac0671ba7447fa17cb270
SHA512 25f1db0422639d63e66ff052e77bd8a2648efa558e430ff725ce22f9db28eeafe36b9b2db710cf793682fa9ce3c42f4c5eaa58b9bdb98adf0c3dd7cdfe6ae89a

C:\Users\Admin\Documents\!Please Read Me!.txt

MD5 afa18cf4aa2660392111763fb93a8c3d
SHA1 c219a3654a5f41ce535a09f2a188a464c3f5baf5
SHA256 227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0
SHA512 4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

C:\Users\Admin\AppData\Local\Temp\00000000.res

MD5 642fcd549a20d41472455d5a55b2d4d1
SHA1 91f195033c9d0f2d66fe0ffb7976d1f2542e0b1f
SHA256 4418ae5001e16a2b10def6f05ceca2182eab45b3538adec1a922bf2589d5c7aa
SHA512 daa90273edf45b1c08cc2430f742aa1e9036c704dfb86fc61b93c75818467ac54e56677bc5eca27f00c7e22103c339fe9b47f21d7cce53721736e9f3ef35d750

C:\Users\Admin\AppData\Local\Temp\m.wry

MD5 980b08bac152aff3f9b0136b616affa5
SHA1 2a9c9601ea038f790cc29379c79407356a3d25a3
SHA256 402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9
SHA512 100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

C:\Users\Admin\AppData\Local\Temp\00000000.res

MD5 cfa0347c3a4e135efa65968ab7e01ab1
SHA1 f455585d79d5745924c2f2adf95778aebf647b1f
SHA256 d3dbebf601af52de8ad65b579573f5b46db256df7a215abd3f027f36d47ee33a
SHA512 2345e42811a206e8d75c24bdeca2585e25c5f5b63b449869a361e5070d83e8daeaf4182917fa2172f11ca59ee759a0f1675f3e9ca5a2cf882e4fd609b767cf33

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-14 10:18
Reported 2024-06-14 10:19
Platform win10v2004-20240611-en
Max time kernel 43s
Max time network 37s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"

Signatures

Wannacry

ransomware worm wannacry

Deletes shadow copies

ransomware defense_evasion impact execution

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD6C97.tmp C:\Users\Admin\AppData\Local\Temp\WannaCry.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD6C90.tmp C:\Users\Admin\AppData\Local\Temp\WannaCry.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WannaCry.exe\" /r" C:\Users\Admin\AppData\Local\Temp\WannaCry.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4332 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\cmd.exe
PID 4332 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\cmd.exe
PID 4332 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\cmd.exe
PID 4376 wrote to memory of 3556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4376 wrote to memory of 3556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4376 wrote to memory of 3556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4332 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 4332 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 4332 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 4332 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 4332 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 4332 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 4332 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 4332 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 4332 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 4332 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 4332 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 4332 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 4332 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 4332 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 4332 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 4332 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 4332 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 4332 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 4332 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\cmd.exe
PID 4332 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\cmd.exe
PID 4332 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\cmd.exe
PID 400 wrote to memory of 2396 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 400 wrote to memory of 2396 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 400 wrote to memory of 2396 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 4332 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 4332 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 4332 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2396 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe C:\Windows\SysWOW64\cmd.exe
PID 1752 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1752 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1752 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\WannaCry.exe

"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 13771718360338.bat

C:\Windows\SysWOW64\cscript.exe

cscript //nologo c.vbs

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe f

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im MSExchange*

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Microsoft.Exchange.*

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sqlserver.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sqlwriter.exe

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe c

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c start /b !WannaDecryptor!.exe v

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe v

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
N/A 127.0.0.1:9050 tcp
BE 88.221.83.233:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 233.83.221.88.in-addr.arpa udp
N/A 127.0.0.1:9150 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp

Files

memory/4332-6-0x0000000010000000-0x0000000010012000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u.wry

MD5 cf1416074cd7791ab80a18f9e7e219d9
SHA1 276d2ec82c518d887a8a3608e51c56fa28716ded
SHA256 78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA512 0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

C:\Users\Admin\AppData\Local\Temp\13771718360338.bat

MD5 3540e056349c6972905dc9706cd49418
SHA1 492c20442d34d45a6d6790c720349b11ec591cde
SHA256 73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc
SHA512 c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

C:\Users\Admin\AppData\Local\Temp\c.vbs

MD5 5f6d40ca3c34b470113ed04d06a88ff4
SHA1 50629e7211ae43e32060686d6be17ebd492fd7aa
SHA256 0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1
SHA512 4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

MD5 1542fbd8408cf7f68ceb84b6f8daed74
SHA1 9665c79443d8a0366043aa09db913fc708588e88
SHA256 a6d2e04e713d3142521b2f4893abd80558ae2c2d113ac4546127b1d4bb7b6aa7
SHA512 a78c3e48045683ebe3e81e28054d7f58cec6497df1aab6d267e8fea8f4c8326655dc05a123f8ea49d5010e0c65c8656b2b56c0c31bccce0c0d3730a857009a21

C:\Users\Admin\AppData\Local\Temp\c.wry

MD5 b179368127781dd0e901910a970133c9
SHA1 0ab77ba13102259ff5cd73272bc793df27ea04f9
SHA256 60d855a050c697e659640ba7a0b235f234193dc8f460800abf1332e65a87dda0
SHA512 d68f67b22ecc94bf5564f22e2242e9636902dd77294565d990d134b538c549983f54f37c881fcc9d42b3cb3645def4930f63bb90c1182cab328102da5c890ca9

C:\Users\Admin\AppData\Local\Temp\00000000.res

MD5 d1aee691f6eb9b364ca03702f857ffff
SHA1 f0d67bb9e3846934b670caaed934c80afea9a09c
SHA256 b4efa2eae32d6e1063a48a06096d90f26f620ddaa69fb4b080ea8b5442a001c8
SHA512 a916f60e4758742e25b00fcddfe9e08d53fd6536f8ce2a2e14c7503730294eb00bf8b2082b97ef6b6d48ff611e72b73415a21c742c456105dca15fe8362aa1cd

C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

MD5 afa18cf4aa2660392111763fb93a8c3d
SHA1 c219a3654a5f41ce535a09f2a188a464c3f5baf5
SHA256 227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0
SHA512 4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

C:\Users\Admin\AppData\Local\Temp\00000000.res

MD5 2ceb8de8ba8fe300e69f3bfdb25fe759
SHA1 41bed08e864d61303c24594fe663f8c284cd8a87
SHA256 2cf97fb5b25e0e04516a2428c6ab317f8802502c3129c9db47004e217b8da586
SHA512 8f34eba1f97a8ca12ec39e70f0a533f06a027e7ac9af0d9ac59b78b42c23341ef0743b6fbf357d1f0378b96bbd46edf7e05d7c6d5638158a1668e0d8223e92cf

C:\Users\Admin\AppData\Local\Temp\m.wry

MD5 980b08bac152aff3f9b0136b616affa5
SHA1 2a9c9601ea038f790cc29379c79407356a3d25a3
SHA256 402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9
SHA512 100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

C:\Users\Admin\AppData\Local\Temp\00000000.res

MD5 e8ee89de32763c7b760197773df32bd1
SHA1 e2716c9bf8ead5ed8a781a0a3bd7b7db4c0f19f7
SHA256 8a85587b71db0147efbec3e2dbba08b8b95664339e717b9695daab0dff7a7588
SHA512 6900e59c629da3f818d115aca0dc3e44bf50580a52b022a774919067d3a1e85565eeccc2366341d18b20967e45c0e7f73184d28a60647bae14814ebe9c166fa0