wannacry | 43fafc6b49e4c26e512c2c268108cbed57360337c76711781083d81cc66e7d0e

General

Target

18aebed1b042a614a191f67c82847dc3_JaffaCakes118.exe
Size

3.7MB
MD5

18aebed1b042a614a191f67c82847dc3
SHA1

4c547aff8c924460349359e28f5a55d8e4c64fe0
SHA256

43fafc6b49e4c26e512c2c268108cbed57360337c76711781083d81cc66e7d0e
SHA512

6667d0b47c261dd0bf8432c7bffc1c6420b1601170ba095eb40eebdd3ab5d552c26c0dfe6841ac40fcad59af56fada034dbf7a65d3dc89e56b6cb786baeffe9d
SSDEEP

98304:qevW/gJu8PlXLRQ51wSDqUK8ASwJTUcIZ+P48bekAjRr3L3YR9iCHGH:5O6pUKT8oPbbekA9U9iIGH

Score

10^/10

wannacry defense_evasion discovery persistence ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Drops startup file 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 64 IoCs

Processes:

K.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abc

pid	process
316	K.abc
2328	K.abc
2644	K.abc
2664	K.abc
2716	K.abc
832	K.abc
2740	K.abc
2660	K.abc
2796	K.abc
2520	K.abc
2896	K.abc
2548	K.abc
2744	K.abc
2652	K.abc
2684	K.abc
1980	K.abc
2516	K.abc
2544	K.abc
2592	K.abc
3000	K.abc
3004	K.abc
2528	K.abc
1532	K.abc
3036	K.abc
3032	K.abc
3056	K.abc
1376	K.abc
2304	K.abc
2092	K.abc
2060	K.abc
1180	K.abc
2808	K.abc
1300	K.abc
764	K.abc
2176	K.abc
1320	K.abc
1628	K.abc
236	K.abc
2320	K.abc
1508	K.abc
2500	K.abc
2584	K.abc
2816	K.abc
2840	K.abc
2820	K.abc
2836	K.abc
2868	K.abc
2852	K.abc
2984	K.abc
2460	K.abc
2996	K.abc
2956	K.abc
2980	K.abc
1584	K.abc
2064	K.abc
1808	K.abc
624	K.abc
1484	K.abc
1492	K.abc
1516	K.abc
828	K.abc
1384	K.abc
1756	K.abc
1912	K.abc

Loads dropped DLL 64 IoCs

Processes:

18aebed1b042a614a191f67c82847dc3_JaffaCakes118.exeK.abc

pid	process
2216	18aebed1b042a614a191f67c82847dc3_JaffaCakes118.exe
2216	18aebed1b042a614a191f67c82847dc3_JaffaCakes118.exe
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc
316	K.abc

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1672 icacls.exe

pid	process
1672	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

18aebed1b042a614a191f67c82847dc3_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	18aebed1b042a614a191f67c82847dc3_JaffaCakes118.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Suspicious use of SetThreadContext 1 IoCs

Processes:

K.abc

description pid process target process

PID 316 set thread context of 1676 316 K.abc K.abc
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

K.abc

pid process

316 K.abc
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

K.abc

pid process

316 K.abc
316 K.abc

description	pid	process	target process
PID 316 set thread context of 1676	316	K.abc	K.abc

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

18aebed1b042a614a191f67c82847dc3_JaffaCakes118.exeK.abc

description	pid	process	target process
PID 2216 wrote to memory of 316	2216	18aebed1b042a614a191f67c82847dc3_JaffaCakes118.exe	K.abc
PID 2216 wrote to memory of 316	2216	18aebed1b042a614a191f67c82847dc3_JaffaCakes118.exe	K.abc
PID 2216 wrote to memory of 316	2216	18aebed1b042a614a191f67c82847dc3_JaffaCakes118.exe	K.abc
PID 2216 wrote to memory of 316	2216	18aebed1b042a614a191f67c82847dc3_JaffaCakes118.exe	K.abc
PID 2216 wrote to memory of 316	2216	18aebed1b042a614a191f67c82847dc3_JaffaCakes118.exe	K.abc
PID 2216 wrote to memory of 316	2216	18aebed1b042a614a191f67c82847dc3_JaffaCakes118.exe	K.abc
PID 2216 wrote to memory of 316	2216	18aebed1b042a614a191f67c82847dc3_JaffaCakes118.exe	K.abc
PID 316 wrote to memory of 2448	316	K.abc	cmd.exe
PID 316 wrote to memory of 2448	316	K.abc	cmd.exe
PID 316 wrote to memory of 2448	316	K.abc	cmd.exe
PID 316 wrote to memory of 2448	316	K.abc	cmd.exe
PID 316 wrote to memory of 2448	316	K.abc	cmd.exe
PID 316 wrote to memory of 2448	316	K.abc	cmd.exe
PID 316 wrote to memory of 2448	316	K.abc	cmd.exe
PID 316 wrote to memory of 2328	316	K.abc	K.abc
PID 316 wrote to memory of 2328	316	K.abc	K.abc
PID 316 wrote to memory of 2328	316	K.abc	K.abc
PID 316 wrote to memory of 2328	316	K.abc	K.abc
PID 316 wrote to memory of 2328	316	K.abc	K.abc
PID 316 wrote to memory of 2328	316	K.abc	K.abc
PID 316 wrote to memory of 2328	316	K.abc	K.abc
PID 316 wrote to memory of 2644	316	K.abc	K.abc
PID 316 wrote to memory of 2644	316	K.abc	K.abc
PID 316 wrote to memory of 2644	316	K.abc	K.abc
PID 316 wrote to memory of 2644	316	K.abc	K.abc
PID 316 wrote to memory of 2644	316	K.abc	K.abc
PID 316 wrote to memory of 2644	316	K.abc	K.abc
PID 316 wrote to memory of 2644	316	K.abc	K.abc
PID 316 wrote to memory of 2664	316	K.abc	K.abc
PID 316 wrote to memory of 2664	316	K.abc	K.abc
PID 316 wrote to memory of 2664	316	K.abc	K.abc
PID 316 wrote to memory of 2664	316	K.abc	K.abc
PID 316 wrote to memory of 2664	316	K.abc	K.abc
PID 316 wrote to memory of 2664	316	K.abc	K.abc
PID 316 wrote to memory of 2664	316	K.abc	K.abc
PID 316 wrote to memory of 2716	316	K.abc	K.abc
PID 316 wrote to memory of 2716	316	K.abc	K.abc
PID 316 wrote to memory of 2716	316	K.abc	K.abc
PID 316 wrote to memory of 2716	316	K.abc	K.abc
PID 316 wrote to memory of 2716	316	K.abc	K.abc
PID 316 wrote to memory of 2716	316	K.abc	K.abc
PID 316 wrote to memory of 2716	316	K.abc	K.abc
PID 316 wrote to memory of 2740	316	K.abc	K.abc
PID 316 wrote to memory of 2740	316	K.abc	K.abc
PID 316 wrote to memory of 2740	316	K.abc	K.abc
PID 316 wrote to memory of 2740	316	K.abc	K.abc
PID 316 wrote to memory of 2740	316	K.abc	K.abc
PID 316 wrote to memory of 2740	316	K.abc	K.abc
PID 316 wrote to memory of 2740	316	K.abc	K.abc
PID 316 wrote to memory of 832	316	K.abc	K.abc
PID 316 wrote to memory of 832	316	K.abc	K.abc
PID 316 wrote to memory of 832	316	K.abc	K.abc
PID 316 wrote to memory of 832	316	K.abc	K.abc
PID 316 wrote to memory of 832	316	K.abc	K.abc
PID 316 wrote to memory of 832	316	K.abc	K.abc
PID 316 wrote to memory of 832	316	K.abc	K.abc
PID 316 wrote to memory of 2660	316	K.abc	K.abc
PID 316 wrote to memory of 2660	316	K.abc	K.abc
PID 316 wrote to memory of 2660	316	K.abc	K.abc
PID 316 wrote to memory of 2660	316	K.abc	K.abc
PID 316 wrote to memory of 2660	316	K.abc	K.abc
PID 316 wrote to memory of 2660	316	K.abc	K.abc
PID 316 wrote to memory of 2660	316	K.abc	K.abc
PID 316 wrote to memory of 2796	316	K.abc	K.abc

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

1500 attrib.exe

pid	process
1500	attrib.exe

C:\Users\Admin\AppData\Local\Temp\18aebed1b042a614a191f67c82847dc3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18aebed1b042a614a191f67c82847dc3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2216

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
3⤵
- Drops startup file
PID:2448

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2328

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2644

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2664

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2716

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2740

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:832

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2660

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2796

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2520

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2896

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2548

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2744

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2652

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2684

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:1980

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2516

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2544

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2592

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:3000

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:3004

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2528

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:1532

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:3036

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:3032

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:3056

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:1376

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2304

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2092

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2060

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:1180

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2808

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:1300

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:764

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2176

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:1320

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:1628

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:236

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2320

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:1508

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2500

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2584

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2816

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2840

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2820

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2836

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2868

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2852

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2984

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2460

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2996

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2956

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2980

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:1584

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2064

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:1808

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:624

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:1484

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:1492

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:1516

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:828

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:1384

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:1756

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:1912

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
PID:2116

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
PID:1248

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
PID:2112

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
PID:2260

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
PID:1680

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
PID:2924

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
PID:2920

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
PID:2864

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
PID:2692

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
PID:1708

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
PID:1676

C:\Windows\SysWOW64\attrib.exe
attrib +h .
4⤵
- Views/modifies file attributes
PID:1500

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
4⤵
- Modifies file permissions
PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

File and Directory Permissions Modification

2

T1222

Windows File and Directory Permissions Modification

1

T1222.001

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.ab_

Filesize
3.4MB

MD5
036d27847b6f3d4945fff8807681d2dc

SHA1
16f93070455c9f41114c8c55468c5e5fc93bc52f

SHA256
7a5ab94042610429b0e50bca61ac79fe7c8642f1581302e17939d46b45c88485

SHA512
acb4e0855675001096c9399879b02db3a87bacb4ec6c373ce32b43e9dab1e41765dfa73cd9f0724790cc6e9b6b22a94ee73efa2c52fe109b58637c75155ef67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc

Filesize
408KB

MD5
e8701e7b0547b2cbd818e3323636deb0

SHA1
a61eaddb6b6131e4eda1c2a04994501b1e2b2109

SHA256
313cb04166d84b21ef581dd6e3969629842b86a1e548a0125c03b218f387d820

SHA512
53d6e40fa9b5ad63573fb0d2d033f525d06a29ec712c2d7829c7da586a9792d66ccf72a8a05816131ef3a2d0b8352be4f128445e285ead13b3a73a473fcba80b

Download Submit
memory/316-20-0x00000000003F0000-0x00000000003F5000-memory.dmp

Filesize
20KB

Download
memory/316-19-0x00000000003D0000-0x00000000003D2000-memory.dmp

Filesize
8KB

Download
memory/1676-108-0x0000000000400000-0x0000000001168000-memory.dmp

Filesize
13.4MB

Download
memory/1676-101-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1676-94-0x0000000000400000-0x0000000001168000-memory.dmp

Filesize
13.4MB

Download
memory/1676-95-0x0000000000400000-0x0000000001168000-memory.dmp

Filesize
13.4MB

Download
memory/1676-105-0x0000000000400000-0x0000000001168000-memory.dmp

Filesize
13.4MB

Download
memory/1676-83-0x0000000000400000-0x0000000001168000-memory.dmp

Filesize
13.4MB

Download
memory/1676-102-0x0000000000400000-0x0000000001168000-memory.dmp

Filesize
13.4MB

Download
memory/1676-88-0x0000000000400000-0x0000000001168000-memory.dmp

Filesize
13.4MB

Download
memory/1676-81-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/1676-144-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1676-99-0x0000000000400000-0x0000000001168000-memory.dmp

Filesize
13.4MB

Download
memory/1676-103-0x0000000000400000-0x0000000001168000-memory.dmp

Filesize
13.4MB

Download
memory/1676-97-0x0000000000400000-0x0000000001168000-memory.dmp

Filesize
13.4MB

Download
memory/1676-92-0x0000000000400000-0x0000000001168000-memory.dmp

Filesize
13.4MB

Download
memory/1676-89-0x0000000000400000-0x0000000001168000-memory.dmp

Filesize
13.4MB

Download
memory/1676-85-0x0000000000400000-0x0000000001168000-memory.dmp

Filesize
13.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads