Analysis
- max time kernel: 149s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
- submitted: 24-06-2024 18:29
Behavioral task behavioral1
- Sample: 2024-06-24_558083340ab1deb29d6ec5ac959c7c1e_destroyer_wannacry.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: 2024-06-24_558083340ab1deb29d6ec5ac959c7c1e_destroyer_wannacry.exe
- Resource: win10v2004-20240508-en
General
- Target: 2024-06-24_558083340ab1deb29d6ec5ac959c7c1e_destroyer_wannacry.exe
- Size: 26KB
- MD5: 558083340ab1deb29d6ec5ac959c7c1e
- SHA1: d4102d270a9e09741896bb2f473257d3911ec168
- SHA256: 3c4c1c5b2e0fd02097afcc2e847c6f4808fb1d4ccae4dbfd58749992dea3eadf
- SHA512: e23dd209d654facd57566adade5c04f7a32200619b8da157acbabe31d16cbe0c38c76b84e3ae04f689dfbc29973ac00e0c0916cc2a355d6f32b716fc9076ac15
- SSDEEP: 384:RtWZPzzxAm1vM56qlx7fbChvLKeGS2NinUlPOy5o91clSw282vp:Y7zxAmwHrTmeeGSSiyho9oSB82R
Malware Config
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 2 IoCs
resource | yara_rule
behavioral2/memory/4528-1-0x0000000000820000-0x000000000082C000-memory.dmp | family_chaos
behavioral2/files/0x0009000000023420-7.dat | family_chaos
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid | Process
3344 | bcdedit.exe
5116 | bcdedit.exe
-
Deletes backup catalog
pid | Process
388 | wbadmin.exe
-
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | svchost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | 2024-06-24_558083340ab1deb29d6ec5ac959c7c1e_destroyer_wannacry.exe
-
Drops startup file 2 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | svchost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read.html | svchost.exe
-
Executes dropped EXE 1 IoCs
pid | Process
2860 | svchost.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateTask = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | svchost.exe
-
Drops desktop.ini file(s) 64 IoCs
description: File opened for modification (all 64 entries); Process: svchost.exe (all 64 entries); ioc:
C:\Users\Admin\Documents\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini
C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
C:\Users\Public\Downloads\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini
C:\Users\Public\Pictures\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
F:\$RECYCLE.BIN\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini
C:\Users\Admin\Downloads\desktop.ini
C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
C:\Users\Admin\OneDrive\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini
C:\Users\Admin\Music\desktop.ini
C:\Users\Admin\Saved Games\desktop.ini
C:\Users\Admin\Searches\desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
C:\Users\Public\Desktop\desktop.ini
C:\Users\Admin\3D Objects\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
C:\Users\Public\AccountPictures\desktop.ini
C:\Users\Public\Libraries\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini
C:\Users\Admin\Favorites\desktop.ini
C:\Users\Public\Documents\desktop.ini
C:\Users\Public\Music\desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Public\Videos\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
C:\Users\Admin\Favorites\Links\desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
C:\Users\Public\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
C:\Users\Admin\Contacts\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
C:\Users\Admin\Links\desktop.ini
C:\Users\Admin\Pictures\desktop.ini
C:\Users\Admin\Videos\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
4024 | vssadmin.exe
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
4528 | 2024-06-24_558083340ab1deb29d6ec5ac959c7c1e_destroyer_wannacry.exe
2860 | svchost.exe
-
Suspicious behavior: EnumeratesProcesses 59 IoCs
pid | Process (identical repeated entries collapsed, with counts)
4528 | 2024-06-24_558083340ab1deb29d6ec5ac959c7c1e_destroyer_wannacry.exe (×25)
2860 | svchost.exe (×23)
2320 | msedge.exe (×2)
3376 | msedge.exe (×3)
1576 | identity_helper.exe (×2)
4116 | msedge.exe (×4)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid | Process
3376 | msedge.exe (×6)
-
Suspicious use of AdjustPrivilegeToken 50 IoCs
description | pid | Process (identical repeated entries collapsed, with counts)
Token: SeDebugPrivilege | 4528 | 2024-06-24_558083340ab1deb29d6ec5ac959c7c1e_destroyer_wannacry.exe
Token: SeDebugPrivilege | 2860 | svchost.exe
Token: SeBackupPrivilege | 1540 | vssvc.exe
Token: SeRestorePrivilege | 1540 | vssvc.exe
Token: SeAuditPrivilege | 1540 | vssvc.exe
Token: SeIncreaseQuotaPrivilege | 464 | WMIC.exe (×2)
Token: SeSecurityPrivilege | 464 | WMIC.exe (×2)
Token: SeTakeOwnershipPrivilege | 464 | WMIC.exe (×2)
Token: SeLoadDriverPrivilege | 464 | WMIC.exe (×2)
Token: SeSystemProfilePrivilege | 464 | WMIC.exe (×2)
Token: SeSystemtimePrivilege | 464 | WMIC.exe (×2)
Token: SeProfSingleProcessPrivilege | 464 | WMIC.exe (×2)
Token: SeIncBasePriorityPrivilege | 464 | WMIC.exe (×2)
Token: SeCreatePagefilePrivilege | 464 | WMIC.exe (×2)
Token: SeBackupPrivilege | 464 | WMIC.exe (×2)
Token: SeRestorePrivilege | 464 | WMIC.exe (×2)
Token: SeShutdownPrivilege | 464 | WMIC.exe (×2)
Token: SeDebugPrivilege | 464 | WMIC.exe (×2)
Token: SeSystemEnvironmentPrivilege | 464 | WMIC.exe (×2)
Token: SeRemoteShutdownPrivilege | 464 | WMIC.exe (×2)
Token: SeUndockPrivilege | 464 | WMIC.exe (×2)
Token: SeManageVolumePrivilege | 464 | WMIC.exe (×2)
Token: 33 | 464 | WMIC.exe (×2)
Token: 34 | 464 | WMIC.exe (×2)
Token: 35 | 464 | WMIC.exe (×2)
Token: 36 | 464 | WMIC.exe (×2)
Token: SeBackupPrivilege | 3840 | wbengine.exe
Token: SeRestorePrivilege | 3840 | wbengine.exe
Token: SeSecurityPrivilege | 3840 | wbengine.exe
-
Suspicious use of FindShellTrayWindow 25 IoCs
pid | Process
3376 | msedge.exe (×25)
-
Suspicious use of SendNotifyMessage 24 IoCs
pid | Process
3376 | msedge.exe (×24)
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (identical repeated entries collapsed, with counts)
PID 4528 wrote to memory of 2860 | 4528 | 2024-06-24_558083340ab1deb29d6ec5ac959c7c1e_destroyer_wannacry.exe | 83 (×2)
PID 2860 wrote to memory of 3152 | 2860 | svchost.exe | 86 (×2)
PID 3152 wrote to memory of 4024 | 3152 | cmd.exe | 88 (×2)
PID 3152 wrote to memory of 464 | 3152 | cmd.exe | 91 (×2)
PID 2860 wrote to memory of 2768 | 2860 | svchost.exe | 92 (×2)
PID 2768 wrote to memory of 3344 | 2768 | cmd.exe | 94 (×2)
PID 2768 wrote to memory of 5116 | 2768 | cmd.exe | 95 (×2)
PID 2860 wrote to memory of 1668 | 2860 | svchost.exe | 96 (×2)
PID 1668 wrote to memory of 388 | 1668 | cmd.exe | 98 (×2)
PID 2860 wrote to memory of 3376 | 2860 | svchost.exe | 104 (×2)
PID 3376 wrote to memory of 3464 | 3376 | msedge.exe | 105 (×2)
PID 3376 wrote to memory of 4932 | 3376 | msedge.exe | 107 (×40)
PID 3376 wrote to memory of 2320 | 3376 | msedge.exe | 108 (×2)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (nested by parent; each entry gives image path, PID, command line and the signatures triggered by that process)
- C:\Users\Admin\AppData\Local\Temp\2024-06-24_558083340ab1deb29d6ec5ac959c7c1e_destroyer_wannacry.exe (PID 4528)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-24_558083340ab1deb29d6ec5ac959c7c1e_destroyer_wannacry.exe"
  Signatures: Checks computer location settings; Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\svchost.exe (PID 2860)
    Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
    Signatures: Checks computer location settings; Drops startup file; Executes dropped EXE; Adds Run key to start application; Drops desktop.ini file(s); Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe (PID 3152)
      Command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\vssadmin.exe (PID 4024)
        Command line: vssadmin delete shadows /all /quiet
        Signatures: Interacts with shadow copies
      - C:\Windows\System32\Wbem\WMIC.exe (PID 464)
        Command line: wmic shadowcopy delete
        Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\cmd.exe (PID 2768)
      Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\bcdedit.exe (PID 3344)
        Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
        Signatures: Modifies boot configuration data using bcdedit
      - C:\Windows\system32\bcdedit.exe (PID 5116)
        Command line: bcdedit /set {default} recoveryenabled no
        Signatures: Modifies boot configuration data using bcdedit
    - C:\Windows\System32\cmd.exe (PID 1668)
      Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wbadmin.exe (PID 388)
        Command line: wbadmin delete catalog -quiet
        Signatures: Deletes backup catalog
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3376)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\read.html
      Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3464)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb98c46f8,0x7ffcb98c4708,0x7ffcb98c4718
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4932)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,7393390764434577156,14071175263768568179,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2320)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,7393390764434577156,14071175263768568179,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
        Signatures: Suspicious behavior: EnumeratesProcesses
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1092)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,7393390764434577156,14071175263768568179,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 288)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,7393390764434577156,14071175263768568179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3660)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,7393390764434577156,14071175263768568179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 8)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,7393390764434577156,14071175263768568179,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1576)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,7393390764434577156,14071175263768568179,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8
        Signatures: Suspicious behavior: EnumeratesProcesses
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2312)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,7393390764434577156,14071175263768568179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4364)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,7393390764434577156,14071175263768568179,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 436)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,7393390764434577156,14071175263768568179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1948)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,7393390764434577156,14071175263768568179,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4116)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,7393390764434577156,14071175263768568179,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1832 /prefetch:2
        Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe (PID 1540)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe (PID 3840)
  Command line: "C:\Windows\system32\wbengine.exe"
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe (PID 3256)
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe (PID 2848)
  Command line: C:\Windows\System32\vds.exe
  Signatures: Checks SCSI registry key(s)
- C:\Windows\System32\CompPkgSrv.exe (PID 2356)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 4504)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Direct Volume Access (1)
- Indicator Removal (3)
  - File Deletion (3)
- Modify Registry (1)
Downloads
-
Filesize: 5B
MD5: 8e8d2bdd461b3db1a25d25b8678968b3
SHA1: 729f0c9707612f55c186205460987aaadffefc61
SHA256: 68cc373452950aca274fb88a401d848743e1ce56d49de25cbe75709bff28f57d
SHA512: 48ec79a83329e27c33332896bc5d0aac749524ca79b14442440b6fb017b78766df5a959c9a689c029986adfb5570b2f04b4d8e5a703d89408e9520e0e40b671a
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2024-06-24_558083340ab1deb29d6ec5ac959c7c1e_destroyer_wannacry.exe.log
Filesize: 1KB
MD5: baf55b95da4a601229647f25dad12878
SHA1: abc16954ebfd213733c4493fc1910164d825cac8
SHA256: ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512: 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize: 152B
MD5: eaa3db555ab5bc0cb364826204aad3f0
SHA1: a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca
SHA256: ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b
SHA512: e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4
-
Filesize: 152B
MD5: 4b4f91fa1b362ba5341ecb2836438dea
SHA1: 9561f5aabed742404d455da735259a2c6781fa07
SHA256: d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c
SHA512: fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac
-
Filesize: 5KB
MD5: 9d1a492a757ead362f283fcbe9f97d0b
SHA1: 23e14c4212e2afc8cf373a9eb7872ec56ce7aa55
SHA256: 8e254b3cc511805ee5c48e369914db27495ca263b5978123871cb6ae191c3616
SHA512: a6e0bf9850625e23737c7b52c9fb0c2f150f362efdd17bbe0fdf65eaf0bbe1bd1fdc509a12919847d4f3db3f6e281002e73dd6241e7ed249be22a71a92ee8dc2
-
Filesize: 6KB
MD5: df3b30e25005494be0196ad32af20798
SHA1: c1842916970be5ed7c06aa7c8229d04314e6d4e2
SHA256: 755a85fc91ad362332bb437b4feb7e2b069f199c4c32b456d2223cc6aaa6ae46
SHA512: 8f3d8c03bbedf8db1481788a62a9b29fd30eaf11b2f67c5add7df3b335f18e03ad432618304dcca069b72a78b74e4c073b2f8d74d9c02ad08af74108c8deb0aa
-
Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize: 10KB
MD5: d9c3d00f059ecdd8044dc533af00fe0f
SHA1: d706042ff0463811d2dd94c92933359f9c2672eb
SHA256: e8b3e49b0be0f4510f3f294d944cfd3385015ec3406a582fa7b45ba9ccd73fc9
SHA512: 88b223788dbbb4f0abad1658f6e59ae9103317d8c728e7069cf04c96c5b6863d556a1fcd20abb49496823ee4688bb56ba62938ece9ea9b6a61f50df76c9d9257
-
Filesize: 26KB
MD5: 558083340ab1deb29d6ec5ac959c7c1e
SHA1: d4102d270a9e09741896bb2f473257d3911ec168
SHA256: 3c4c1c5b2e0fd02097afcc2e847c6f4808fb1d4ccae4dbfd58749992dea3eadf
SHA512: e23dd209d654facd57566adade5c04f7a32200619b8da157acbabe31d16cbe0c38c76b84e3ae04f689dfbc29973ac00e0c0916cc2a355d6f32b716fc9076ac15
-
Filesize: 1B
MD5: d1457b72c3fb323a2671125aef3eab5d
SHA1: 5bab61eb53176449e25c2c82f172b82cb13ffb9d
SHA256: 8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1
SHA512: ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0