wannacry | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Resubmissions

04-09-2024 04:57

240904-flrllawfqa 8

24-06-2024 08:12

240624-j3yysawank 1

24-06-2024 08:03

240624-jx4xvascjg 10

Analysis

max time kernel
441s
max time network
411s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
24-06-2024 08:03

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

wannacry bootkit defense_evasion execution impact persistence ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD27C5.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD27CC.tmp	WannaCry.exe

Executes dropped EXE 4 IoCs

pid	Process
4552	!WannaDecryptor!.exe
1256	!WannaDecryptor!.exe
2800	!WannaDecryptor!.exe
1552	!WannaDecryptor!.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\WannaCry.exe\" /r"	WannaCry.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
2768	taskkill.exe
780	taskkill.exe
4288	taskkill.exe
4400	taskkill.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1008	msedge.exe
1008	msedge.exe
2180	msedge.exe
2180	msedge.exe
872	identity_helper.exe
872	identity_helper.exe
780	msedge.exe
780	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
4768	msedge.exe
4768	msedge.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	taskkill.exe
Token: SeDebugPrivilege	4288	taskkill.exe
Token: SeDebugPrivilege	780	taskkill.exe
Token: SeDebugPrivilege	4400	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1504	WMIC.exe
Token: SeSecurityPrivilege	1504	WMIC.exe
Token: SeTakeOwnershipPrivilege	1504	WMIC.exe
Token: SeLoadDriverPrivilege	1504	WMIC.exe
Token: SeSystemProfilePrivilege	1504	WMIC.exe
Token: SeSystemtimePrivilege	1504	WMIC.exe
Token: SeProfSingleProcessPrivilege	1504	WMIC.exe
Token: SeIncBasePriorityPrivilege	1504	WMIC.exe
Token: SeCreatePagefilePrivilege	1504	WMIC.exe
Token: SeBackupPrivilege	1504	WMIC.exe
Token: SeRestorePrivilege	1504	WMIC.exe
Token: SeShutdownPrivilege	1504	WMIC.exe
Token: SeDebugPrivilege	1504	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1504	WMIC.exe
Token: SeRemoteShutdownPrivilege	1504	WMIC.exe
Token: SeUndockPrivilege	1504	WMIC.exe
Token: SeManageVolumePrivilege	1504	WMIC.exe
Token: 33	1504	WMIC.exe
Token: 34	1504	WMIC.exe
Token: 35	1504	WMIC.exe
Token: 36	1504	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1504	WMIC.exe
Token: SeSecurityPrivilege	1504	WMIC.exe
Token: SeTakeOwnershipPrivilege	1504	WMIC.exe
Token: SeLoadDriverPrivilege	1504	WMIC.exe
Token: SeSystemProfilePrivilege	1504	WMIC.exe
Token: SeSystemtimePrivilege	1504	WMIC.exe
Token: SeProfSingleProcessPrivilege	1504	WMIC.exe
Token: SeIncBasePriorityPrivilege	1504	WMIC.exe
Token: SeCreatePagefilePrivilege	1504	WMIC.exe
Token: SeBackupPrivilege	1504	WMIC.exe
Token: SeRestorePrivilege	1504	WMIC.exe
Token: SeShutdownPrivilege	1504	WMIC.exe
Token: SeDebugPrivilege	1504	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1504	WMIC.exe
Token: SeRemoteShutdownPrivilege	1504	WMIC.exe
Token: SeUndockPrivilege	1504	WMIC.exe
Token: SeManageVolumePrivilege	1504	WMIC.exe
Token: 33	1504	WMIC.exe
Token: 34	1504	WMIC.exe
Token: 35	1504	WMIC.exe
Token: 36	1504	WMIC.exe
Token: SeBackupPrivilege	3724	vssvc.exe
Token: SeRestorePrivilege	3724	vssvc.exe
Token: SeAuditPrivilege	3724	vssvc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4552	!WannaDecryptor!.exe
4552	!WannaDecryptor!.exe
1256	!WannaDecryptor!.exe
1256	!WannaDecryptor!.exe
2800	!WannaDecryptor!.exe
2800	!WannaDecryptor!.exe
1552	!WannaDecryptor!.exe
1552	!WannaDecryptor!.exe
2016	MEMZ.exe
3684	MEMZ.exe
2296	MEMZ.exe
900	MEMZ.exe
4144	MEMZ.exe
4764	MEMZ.exe
3452	MEMZ.exe
4144	MEMZ.exe
900	MEMZ.exe
2296	MEMZ.exe
3684	MEMZ.exe
900	MEMZ.exe
4144	MEMZ.exe
2296	MEMZ.exe
3684	MEMZ.exe
2296	MEMZ.exe
4144	MEMZ.exe
900	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
900	MEMZ.exe
4144	MEMZ.exe
2296	MEMZ.exe
3684	MEMZ.exe
2296	MEMZ.exe
4144	MEMZ.exe
900	MEMZ.exe
3684	MEMZ.exe
900	MEMZ.exe
4144	MEMZ.exe
2296	MEMZ.exe
3684	MEMZ.exe
2296	MEMZ.exe
900	MEMZ.exe
4144	MEMZ.exe
3684	MEMZ.exe
900	MEMZ.exe
4144	MEMZ.exe
2296	MEMZ.exe
3684	MEMZ.exe
2296	MEMZ.exe
900	MEMZ.exe
4144	MEMZ.exe
3684	MEMZ.exe
2296	MEMZ.exe
4144	MEMZ.exe
900	MEMZ.exe
3684	MEMZ.exe
2296	MEMZ.exe
900	MEMZ.exe
4144	MEMZ.exe
3684	MEMZ.exe
2296	MEMZ.exe
4144	MEMZ.exe
900	MEMZ.exe
3684	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 4244	2180	msedge.exe	81
PID 2180 wrote to memory of 4244	2180	msedge.exe	81
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 4892	2180	msedge.exe	82
PID 2180 wrote to memory of 1008	2180	msedge.exe	83
PID 2180 wrote to memory of 1008	2180	msedge.exe	83
PID 2180 wrote to memory of 4580	2180	msedge.exe	84
PID 2180 wrote to memory of 4580	2180	msedge.exe	84
PID 2180 wrote to memory of 4580	2180	msedge.exe	84
PID 2180 wrote to memory of 4580	2180	msedge.exe	84
PID 2180 wrote to memory of 4580	2180	msedge.exe	84
PID 2180 wrote to memory of 4580	2180	msedge.exe	84
PID 2180 wrote to memory of 4580	2180	msedge.exe	84
PID 2180 wrote to memory of 4580	2180	msedge.exe	84
PID 2180 wrote to memory of 4580	2180	msedge.exe	84
PID 2180 wrote to memory of 4580	2180	msedge.exe	84
PID 2180 wrote to memory of 4580	2180	msedge.exe	84
PID 2180 wrote to memory of 4580	2180	msedge.exe	84
PID 2180 wrote to memory of 4580	2180	msedge.exe	84
PID 2180 wrote to memory of 4580	2180	msedge.exe	84
PID 2180 wrote to memory of 4580	2180	msedge.exe	84
PID 2180 wrote to memory of 4580	2180	msedge.exe	84
PID 2180 wrote to memory of 4580	2180	msedge.exe	84
PID 2180 wrote to memory of 4580	2180	msedge.exe	84
PID 2180 wrote to memory of 4580	2180	msedge.exe	84
PID 2180 wrote to memory of 4580	2180	msedge.exe	84

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8bf1c3cb8,0x7ff8bf1c3cc8,0x7ff8bf1c3cd8
  2⤵
  PID:4244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,8213983100916254755,13669443240465118967,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,8213983100916254755,13669443240465118967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,8213983100916254755,13669443240465118967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,8213983100916254755,13669443240465118967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,8213983100916254755,13669443240465118967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,8213983100916254755,13669443240465118967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,8213983100916254755,13669443240465118967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:3084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,8213983100916254755,13669443240465118967,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,8213983100916254755,13669443240465118967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3364 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,8213983100916254755,13669443240465118967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,8213983100916254755,13669443240465118967,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,8213983100916254755,13669443240465118967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1868 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,8213983100916254755,13669443240465118967,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4776 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,8213983100916254755,13669443240465118967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3548

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3708

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1540

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\WannaCry.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\WannaCry.exe"
1⤵
- Drops startup file
- Adds Run key to start application
PID:832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 35611719216559.bat
  2⤵
  PID:460
- - C:\Windows\SysWOW64\cscript.exe
    cscript //nologo c.vbs
    3⤵
    PID:4032
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\!WannaDecryptor!.exe
  !WannaDecryptor!.exe f
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4552
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSExchange*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Microsoft.Exchange.*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:780
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlserver.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4288
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlwriter.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4400
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\!WannaDecryptor!.exe
  !WannaDecryptor!.exe c
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1256
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b !WannaDecryptor!.exe v
  2⤵
  PID:8
- - C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\!WannaDecryptor!.exe
    !WannaDecryptor!.exe v
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2800
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      PID:3376
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - Suspicious use of SetWindowsHookEx
  PID:1552

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\!Please Read Me!.txt
1⤵
PID:2604

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3724

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2016
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3684
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2296
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:900
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4144
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4764
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe" /main
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:3452
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f717f56b5d8e2e057c440a5a81043662

SHA1
0ad6c9bbd28dab5c9664bad04db95fd50db36b3f

SHA256
4286cd3f23251d0a607e47eccb5e0f4af8542d38b32879d2db2ab7f4e6031945

SHA512
61e263935d51028ec0aab51b938b880945a950cec9635a0dafddf795658ea0a2dfcf9cfc0cab5459b659bb7204347b047a5c6b924fabea44ce389b1cbb9867d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
196eaa9f7a574c29bd419f9d8c2d9349

SHA1
19982d15d1e2688903b0a3e53a8517ab537b68ed

SHA256
df1e96677bcfffe5044826aa14a11e85ef2ebb014ee9e890e723a14dc5f31412

SHA512
e066d74da36a459c19db30e68b703ec9f92019f2d5f24fd476a5fd3653c0b453871e2c08cdc47f2b4d4c4be19ff99e6ef3956d93b2d7d0a69645577d44125ac7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6ad9793f032135aa9ab1c93ce52f186a

SHA1
56675d1628c507b2d0bdd80d19e34addc777da6e

SHA256
6ee4883501fde2d50470a01a2cc7db1b0c1c73c8d45b3760a977e279c87febd5

SHA512
630dd315c7bf055b2c568bdc807b546914ae1cae17db055a75891fd82049842c79e19fb26153be744c36d322d50c79228a938fa2b67773f0fd34a50c50abbd86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
7df1a20d1dccadda213182dd9dba6a75

SHA1
4a526da0ddc95c285a895f70203dfd2178d24b33

SHA256
715cb6a928b115cdff9977761b45db4751eaa015d46f3e99aed4f90ea2cd8fee

SHA512
7a89dbb0a928e31dfe117e144e23555befd1c5a499128f651ee1ddf96b4e9e5112303e5c6c73439ae99bfcd894ded94b91e7d732f477d3a93864324e46083766

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
573B

MD5
eb478a741100b8ea7f52272a8a99e9a3

SHA1
9ba5c310aebe660495edbd1795b486c05775bf11

SHA256
56dacaa0c9d1d0d89fe67c40fe4fe4902e4b960f13912310dd84f3123f900326

SHA512
2daedc217e4d51be953e743863fcf8584abda5f5b284eae74fbd1c49dc3687b48414f0656802812ecf09ac74903f084c39af5a3806e763f50e7f1837d6207500

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1232806acbf56ab72af7c29b62910757

SHA1
5be0c3253b50bafa1e4ac40364f2aa391ed195d6

SHA256
63fd12b876832ca5f970162ca8c608913487919614212c29efb14ad51d848cfb

SHA512
c90e46b47bb93640525601c9235107b24933acdedaa97f3b5993a88a1b1d8a007d3247d9139078b12211206488b7e5e857904a776d0fc270371391c56b8d1214

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
95e67fb619aadc30065cf5bd6d7f38ac

SHA1
47e90b2674f69b4d583bf17b72cf2dd9ee4c1c8a

SHA256
ad37d3de6b2018761052879e91d622b9bbfb5972fe59ae3865febb8365363b8a

SHA512
cfcaa9e7eb1da2f150d14b5002217e1556c0856bce76af71cdf0f19faaba84080b891c002acc05584defc091b90dc5a9160d214cfa8194f5b357e5e48452daf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c2f8c887c1b91e58598d572de29e0bed

SHA1
82d9ee6dbb9767078b1b589653b484991dad4fed

SHA256
3b0094a52b17755f4c3f7e6286ee5f2ea39450b4cffd850ef708f63710a906a2

SHA512
b0611a6f42f797ae6283860ac841a12ae77a445b95ac28f9de35e99b96a795eb057f51068310b69f0fdd4759e10e9521d65f2daf08e83702c2e4bc03874b400e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
416b80da6ba9a4c6669548e834bc93e8

SHA1
8217f2590c08394ff436456b9522cb42682eb412

SHA256
55a1985fa22c8f69fb7e35e7b5335f3acee4732513972701f95c2a8829c947cf

SHA512
6dd553e361faeb85de230cb5d2323df6ce38e191213bc24440470f9645710f30c8ba668edf620fdc60bdcf21d3535210b77d3cb442b775e33892644fdd49b787

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
410399ffe68fb62f624a905751d9542a

SHA1
428bf43e34a776811df8827c750873d0d115b908

SHA256
e59620e216faec8c9e5ee7fcbcc2973f4447bf4959f910bb421352ab23d585cf

SHA512
9105f35f34ba495e67c0959ac1a231c8325778f92849040999555202ed4db33c6514281d8ea722cbd21a1bc7559c2ac148b0b41bfc45ebb98ec1910be8e1a33f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58ec30.TMP

Filesize
874B

MD5
2b0ee412a274bca52f4ebf0d22b5f2b7

SHA1
5ec84ab0831ff46e9668e335279e2efb515ef380

SHA256
310d375b69b66e6a41aa121b3e1c12492bc3d16ae783ab9fe3e858c97b32848c

SHA512
1c1d11ce8f066ce7e5d9ff11011a17bbdae81ab18cc1e27bde8c5210aabd8d3457dc4ed8133c804d244c46f7be13ac077e262cb4a3591a78c3e0b9ac2a151777

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db

Filesize
16KB

MD5
9a8e0fb6cf4941534771c38bb54a76be

SHA1
92d45ac2cc921f6733e68b454dc171426ec43c1c

SHA256
9ee9211a57c3f6fa211fe0323fa8cd521e7cbffcd8ff0896645a45795dc472be

SHA512
12ed22537dcc79d53f6c7d39e92a38f8fea076d793198928f5b7a5dd1234d50a3c0b4815632f3fadf8bc4ef0499773d22bd83f961d2d0ffd8afacf471bd3a5ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\previews_opt_out.db

Filesize
16KB

MD5
d926f072b41774f50da6b28384e0fed1

SHA1
237dfa5fa72af61f8c38a1e46618a4de59bd6f10

SHA256
4f7b0e525d4bfc53d5df49589e25a0bccf2fcf6a1a0ca3f94d3285bb9cf0a249

SHA512
a140df6ec0d3099ef374e8f3ece09bf91bc896ac4a1d251799a521543fe9bdea796ba09fa47932bd54fa939118495078f9258557b32c31d3d4011b0666a4723f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d18fdc382639223f24f1840d216c0fef

SHA1
35b64f62cf0e8898028cf79578cab706acd5b503

SHA256
84fa6c79f026cbad855980defa36c821b525fb9b7fcbaf758c93df5cbe01152e

SHA512
cbf8d1668815f6a3e79da4f027f65b932419a83a9e1321286385f615fec3444e1016ace9bfcbf50a6abc40ffbee8c66f3bfef1335cafb3b6fafcda40459e819a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
8b4a38c8d99ff47783f1ec5d208e5bd9

SHA1
6e6eb740d36c2b5c1be4a01ff24c6ef39a16377b

SHA256
663d04e8e57af4386785d8e57811fe6074db5625d889c2d5881d79a80d9f9617

SHA512
0c49c70da509f7831bf257291d2b93b4f7cbb7d8abc659a3dac13d286c77316709f8a45f3aace0f7810b7af3740ca3accca73e6c95544ace4324d5e1c7f73785

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
6f0320970ec2a2e1c47fd835509af3e0

SHA1
813408e1af46c40e78ab6f90f1a04f42bb82e80e

SHA256
f9abb5b36aed8cdb260ab750cead228c3dfdf9305ec5ee56c1432ec3731363d0

SHA512
55dc0dd64b1c02af82641d5a04af83d05c0c3e05b5ec1c49fd3a3065ad95059443915cb0ee3ed76d2c552d8b47ab0289658cbcee6649c7988a663dd0606d140c

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\!WannaDecryptor!.exe.lnk

Filesize
983B

MD5
a6bfd67d82250b80b120a1f02dfeef6e

SHA1
760222a933a835e72c2f5aa88d8ba643cb3902ad

SHA256
8439bc409be7782a82947b0056f2ddd5a729346cda2b01c570191aa5cab2e595

SHA512
ad496eae0509b6ee58760aa17be62508b5e4c8e5d5c36076d2d8a134a1fe4437e11aacaaee0b5b953f47e3bd6865badb07635edcabbab9510ab5220097b650af

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\00000000.res

Filesize
136B

MD5
5ab3cf6e6a591d02ec4615a4cbca3d33

SHA1
0d57099f63b1161a2e9fda775753d7243ef0506b

SHA256
04e0218d094a046bd996650e952734e9c5741c227f0621a7c6e61f4b82a310e9

SHA512
5a3f8652f9cd61038d8ab8b4f1c0afcb6a5b738b8f7e6f24d84d331d3d2324878b83a606702daf1b3511a5c45c934c6e0d0bc775c974e95064ba0d275ea2aaca

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\00000000.res

Filesize
136B

MD5
caff8654548571f5c5fdc252b08b307a

SHA1
850ee10fe513deb36e7a01df3a0c030437aa2077

SHA256
a7dcbad8e694f1a1e0c04840931b3475b607a4c39382bde314197950cb5e8062

SHA512
ee8fd5fe988431e96ffbb880843dcce1f44036b7e311727229292d35e353f7af6cfa3225dc66d6463038fabf8b3d9fe6c55ca55e513df7e186e255dd29366e01

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\00000000.res

Filesize
136B

MD5
a341fcce8483dd8588a3f37d6bd0c7c0

SHA1
3eb1a27aa9d65080c79115558c18f95e64ae3c9d

SHA256
47cd76c7de2f73b91b49843685338a9eb391b1fd7faf06c06d38b02ec0901096

SHA512
d3bb74abb3e9c16a7b306eb524a82d0b06beeb07cc18430d83ccdad880981970983c2e9658c7575ef4d2eb805fd05b1e61e7c2668a9ac9e1611208a3c1be3432

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\35611719216559.bat

Filesize
436B

MD5
9198a1130ff204dddf404f3f212bfdbf

SHA1
e8938d6d3fb4cc0c117ef941bd9f32e4a9fd9850

SHA256
0752776882e539c7f2d222fadafdf4dc2558cb652bc4509d87af2811d9a321ab

SHA512
15f096184a49f2e06aa4d7df1ad75611cae71d3846885cb4b9d37564cf990e7dbefa9332ea8782e6e24e7789c931982f31f1ad73e0a197733594a1acf0576c05

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\c.vbs

Filesize
319B

MD5
6da79e0e7a92ac521a3e74479e1b4115

SHA1
d0e761fc3ddb1e89bdd2415eb41368e7f433dbea

SHA256
3b6be4e80faddaea9ace661558d83e6c8c7232823b235e4159b11f7eac4c17f5

SHA512
4e24c8ece64e10637a9c0c95b59fdd23e2f83e7a8453315742b705e91989bf2febd2490376c8ad7bd000cacdd4e3d1bec374b091e4b2916fec4c4915b97f84cf

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\c.wry

Filesize
628B

MD5
9f8566471c822df5436a2eaed69243e9

SHA1
74bb3e6f3c73739bdef93d93ea6e234bb83575c0

SHA256
a06df1091b77acd816b9ddf610ab505dc43e4dae2e655cb1005781650239621b

SHA512
11c7c77161ae704b5ca57b5f8d9d143c35012120dd8f2ceb33087173063fda3e8bab4ff7665fe80f8af92a855cb69a1adec4b34d954aba08180fa9ccc46872b8

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/832-361-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads