Analysis
max time kernel: 229s
max time network: 232s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240704-en locale:en-us os:windows10-2004-x64 system
submitted: 09-07-2024 15:40

Behavioral task: behavioral1
Sample: 2024-07-09_dc884e3241e125218d69f53f400e8442_wannacry.exe
Resource: win10v2004-20240704-en

General
Target: 2024-07-09_dc884e3241e125218d69f53f400e8442_wannacry.exe
Size: 263KB
MD5: dc884e3241e125218d69f53f400e8442
SHA1: 8687422a10ad022925c19c2719381e8bd169331c
SHA256: 0bf9b5ef693b11181d39deb87556e8f8dfbf7f617c13bd2602547ae73c4fd1e9
SHA512: 7a34d84e3458ba7da67bd9d9dba797c4b4be000fe8b261feb3b3f10525eaace4a74aa28ba35ac439e934d5f65bd3d44eb09c33a35d96a37de777c008032ce4c6
SSDEEP: 3072:Dcq9wqyZnCboGSqihQ5Mk/EHCSQ9IiNP8Q1fBLe8vQQ7b8lW76+zGklGT5Ckn/dN:Dcq9HScRiDH6b/e8/8li3GXuE3y74
Malware Config
Extracted: C:\Users\Admin\AppData\Local\read_it.txt (ransom note)
Signatures
-
Chaos
Ransomware family first seen in June 2021. The submitted filename ends in _wannacry.exe, but the YARA and behavioural matches below identify the sample as Chaos; the name comes from the submitter, not from the family.
-
Chaos Ransomware 2 IoCs
resource  yara_rule
behavioral1/memory/2992-0-0x00000000009A0000-0x00000000009E8000-memory.dmp  family_chaos
behavioral1/files/0x00090000000234a1-75.dat  family_chaos
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid   Process
4548  bcdedit.exe
4220  bcdedit.exe

Runs wbadmin.exe (Windows backup catalog tool) 1 IoCs
pid   Process
4332  wbadmin.exe
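The three signatures above (shadow copy deletion, bcdedit boot-configuration changes, wbadmin) are the recovery-inhibition step of a ransomware run (MITRE ATT&CK T1490). The following Python is an added example, not part of the sandbox report, showing how a detection engineer would match such process-creation events and correlate them per parent process. The report lists only PIDs: the command lines in the constructed sample events are the ones this family is commonly observed to run and are assumed here, as is the parent PID 1604.

```python
"""Recovery-inhibition (MITRE ATT&CK T1490) detection over process-creation events.

Added example, not part of the sandbox report. The child PIDs below are taken
from the report; the command lines and the parent PID are ASSUMED (the report
shows neither), chosen to match what this family is commonly seen running.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Patterns are applied to a lower-cased, whitespace-collapsed command line.
PATTERNS = {
    "vssadmin_delete_shadows": re.compile(
        r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b"),
    "wmic_shadowcopy_delete": re.compile(
        r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b"),
    "bcdedit_disable_recovery": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*(?:\brecoveryenabled\s+no\b|\bbootstatuspolicy\s+ignoreallfailures\b)"),
    "wbadmin_delete_catalog": re.compile(
        r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup)\b"),
}


@dataclass(frozen=True)
class ProcEvent:
    ts: float      # seconds; constructed values, not sandbox timestamps
    pid: int
    ppid: int
    image: str
    cmdline: str


def normalize(cmdline: str) -> str:
    """Collapse whitespace and lower-case so pattern matching is stable."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def classify(cmdline: str) -> set:
    """Return the recovery-inhibition techniques a command line matches (empty set if none)."""
    norm = normalize(cmdline)
    return {name for name, rx in PATTERNS.items() if rx.search(norm)}


def correlate(events, window_s: float = 120.0) -> list:
    """Group matching events by parent PID.

    One matching child is 'medium' (vssadmin and bcdedit have legitimate admin
    uses); a parent that spawns two or more distinct techniques inside
    window_s seconds is 'high'.
    """
    by_parent = defaultdict(list)
    for ev in events:
        for tech in classify(ev.cmdline):
            by_parent[ev.ppid].append((ev.ts, tech, ev.pid, ev.image))
    findings = []
    for ppid, hits in sorted(by_parent.items()):
        hits.sort()
        first_ts = hits[0][0]
        techs = {tech for ts, tech, _, _ in hits if ts - first_ts <= window_s}
        findings.append({
            "ppid": ppid,
            "techniques": sorted(techs),
            "pids": sorted({pid for _, _, pid, _ in hits}),
            "severity": "high" if len(techs) >= 2 else "medium",
        })
    return findings


# Constructed sample: PIDs 4732, 1464, 4548, 4220 and 4332 appear in the report;
# the parent 1604 (the dropped svchost.exe copy) and every command line are assumed.
SAMPLE_EVENTS = [
    ProcEvent(1000.0, 4732, 1604, "vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(1000.5, 1464, 1604, "WMIC.exe", "wmic shadowcopy delete"),
    ProcEvent(1001.0, 4548, 1604, "bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ProcEvent(1001.2, 4220, 1604, "bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    ProcEvent(1002.0, 4332, 1604, "wbadmin.exe", "wbadmin delete catalog -quiet"),
    # Benign administrative use by an unrelated parent; must not fire.
    ProcEvent(2000.0, 7001, 6000, "vssadmin.exe", "vssadmin list shadows"),
    ProcEvent(2001.0, 7002, 6000, "bcdedit.exe", "bcdedit /enum"),
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The per-parent correlation is what keeps this usable in production: a lone `vssadmin delete shadows` from a backup operator's session scores medium, while the sample's burst of four distinct techniques from one parent scores high. In a real pipeline the events would come from Sysmon Event ID 1 or the equivalent EDR telemetry, which supplies the command line the sandbox report omits.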
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\International\Geo\Nation  2024-07-09_dc884e3241e125218d69f53f400e8442_wannacry.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\International\Geo\Nation  svchost.exe
Deletes itself 1 IoCs
pid Process 1604 svchost.exe -
Drops startup file 3 IoCs
description  ioc  Process
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini  svchost.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt  svchost.exe
File opened for modification  \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\read_it.txt  taskmgr.exe
Executes dropped EXE 1 IoCs
pid Process 1604 svchost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateTask = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" svchost.exe -
Drops desktop.ini file(s) 64 IoCs
description  ioc  Process
File opened for modification  C:\Users\Admin\Desktop\desktop.ini  svchost.exe
File opened for modification  C:\Users\Public\Desktop\desktop.ini  svchost.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini  svchost.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini  svchost.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini  svchost.exe
File opened for modification  C:\Users\Admin\Pictures\Camera Roll\desktop.ini  svchost.exe
File opened for modification  C:\Users\Admin\Pictures\Saved Pictures\desktop.ini  svchost.exe
File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini  svchost.exe
File opened for modification  C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini  svchost.exe
File opened for modification  C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini  svchost.exe
File opened for modification  C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini  svchost.exe
File opened for modification  C:\Users\Public\Documents\desktop.ini  svchost.exe
File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini  svchost.exe
File opened for modification  C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini  svchost.exe
File opened for modification  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini  svchost.exe
File opened for modification  C:\Users\Admin\OneDrive\desktop.ini  svchost.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini  svchost.exe
File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini  svchost.exe
File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini  svchost.exe
File opened for modification  C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini  svchost.exe
File opened for modification  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini  svchost.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini  svchost.exe
File opened for modification  C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini  svchost.exe
File opened for modification  C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini  svchost.exe
File opened for modification  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini  svchost.exe
File opened for modification  C:\Users\Public\Music\desktop.ini  svchost.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini  svchost.exe
File opened for modification  C:\Users\Admin\3D Objects\desktop.ini  svchost.exe
File opened for modification  C:\Users\Admin\Music\desktop.ini  svchost.exe
File opened for modification  C:\Users\Admin\Searches\desktop.ini  svchost.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini  svchost.exe
File opened for modification  C:\Users\Admin\Documents\desktop.ini  svchost.exe
File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini  svchost.exe
File opened for modification  C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini  svchost.exe
File opened for modification  C:\Users\Admin\Favorites\desktop.ini  svchost.exe
File opened for modification  C:\Users\Public\Downloads\desktop.ini  svchost.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini  svchost.exe
File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini  svchost.exe
File opened for modification  C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini  svchost.exe
File opened for modification  C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini  svchost.exe
File opened for modification  C:\Users\Admin\Links\desktop.ini  svchost.exe
File opened for modification  C:\Users\Public\Videos\desktop.ini  svchost.exe
File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini  svchost.exe
File opened for modification  C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini  svchost.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini  svchost.exe
File opened for modification  C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini  svchost.exe
File opened for modification  C:\Users\Admin\Saved Games\desktop.ini  svchost.exe
File opened for modification  C:\$RECYCLE.BIN\S-1-5-18\desktop.ini  LogonUI.exe
File opened for modification  C:\Users\Admin\Contacts\desktop.ini  svchost.exe
File opened for modification  C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini  svchost.exe
File opened for modification  C:\Users\Public\AccountPictures\desktop.ini  svchost.exe
File opened for modification  C:\Users\Public\Pictures\desktop.ini  svchost.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini  svchost.exe
File opened for modification  C:\Users\Admin\Downloads\desktop.ini  svchost.exe
File opened for modification  C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini  svchost.exe
File opened for modification  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini  svchost.exe
File opened for modification  C:\Users\Public\desktop.ini  svchost.exe
File opened for modification  C:\Users\Admin\Favorites\Links\desktop.ini  svchost.exe
File opened for modification  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini  svchost.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini  svchost.exe
File opened for modification  F:\$RECYCLE.BIN\S-1-5-21-2480455240-981575606-1030659066-1000\desktop.ini  svchost.exe
File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini  svchost.exe
File opened for modification  C:\Users\Public\Libraries\desktop.ini  svchost.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini  svchost.exe
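The "Drops startup file", "Adds Run key" and "Drops desktop.ini file(s)" entries above are the artefacts an analyst would turn into hunting logic: a Run value named UpdateTask that points at an svchost.exe living in %AppData% (a system-binary name outside System32), a ransom note created in the user's Startup folder, and one process touching desktop.ini in dozens of unrelated profile directories (the encryption walker). The following Python is an added example, not part of the sandbox report: it parses the report's own flattened IoC lines (copied from the page; only seven of the 64 desktop.ini entries are included) and applies those three checks. The thresholds and the list of commonly impersonated binary names are the author's assumptions.

```python
"""Parse the flattened IoC lines from the report above and apply three checks.

Added example, not part of the sandbox report. The input lines are copied
from the report's 'Drops startup file', 'Adds Run key' and 'Drops
desktop.ini file(s)' entries (a subset of the 64 desktop.ini entries); the
thresholds and the impersonated-binary list are the author's assumptions.
"""
import re
from collections import defaultdict

# One report line holds many records run together:
#   "<op> <path> <process> <op> <path> <process> ... -"
FILE_RX = re.compile(
    r"(File opened for modification|File created)\s+(.+?)\s+(\S+\.exe)"
    r"(?=\s+File\s|\s*-?\s*$)")
REG_RX = re.compile(
    r'Set value \((\w+)\)\s+(\\REGISTRY\\\S.*?)\s+=\s+"((?:[^"\\]|\\.)*)"\s+(\S+\.exe)')

# Names malware likes to borrow (assumed list); outside these directories they are suspect.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                       "services.exe", "explorer.exe", "dllhost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_file_ops(line: str) -> list:
    """Return (operation, path, process) tuples from one flattened file-activity line."""
    return FILE_RX.findall(line)


def parse_reg_sets(line: str) -> list:
    """Return (type, key, value, process) tuples; the report doubles backslashes in values."""
    return [(kind, key, val.replace("\\\\", "\\"), proc)
            for kind, key, val, proc in REG_RX.findall(line)]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def parent_dir(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def masquerading_autoruns(reg_sets) -> list:
    """Run/RunOnce values whose image borrows a system-binary name but lives outside System32."""
    hits = []
    for _, key, val, proc in reg_sets:
        if "\\currentversion\\run" not in key.lower():
            continue
        image = val.strip('"')
        if basename(image).lower() in SYSTEM_BINARY_NAMES and not image.lower().startswith(SYSTEM_DIRS):
            hits.append({"key": key, "image": image, "writer": proc})
    return hits


def startup_folder_drops(file_ops) -> list:
    """Files created under a Start Menu Startup folder (user-level persistence)."""
    return [(path, proc) for op, path, proc in file_ops
            if op == "File created" and "\\start menu\\programs\\startup\\" in path.lower()]


def directory_breadth(file_ops, min_dirs: int = 5) -> dict:
    """Processes that modify files in at least min_dirs distinct directories.

    One process rewriting desktop.ini across many unrelated profile folders is
    the footprint of an encryption walker, not of ordinary software.
    """
    dirs = defaultdict(set)
    for _, path, proc in file_ops:
        dirs[proc].add(parent_dir(path))
    return {proc: len(d) for proc, d in dirs.items() if len(d) >= min_dirs}


# Input copied from the report (desktop.ini list truncated to seven entries).
REPORT_FILE_LINES = [
    r"File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt svchost.exe File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\read_it.txt taskmgr.exe -",
    r"File opened for modification C:\Users\Admin\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Public\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini svchost.exe File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini LogonUI.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2480455240-981575606-1030659066-1000\desktop.ini svchost.exe -",
]
REPORT_REG_LINE = (r'Set value (str) \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000'
                   r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateTask = '
                   r'"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" svchost.exe -')


def triage(file_lines, reg_line) -> dict:
    """Run all three checks over report lines and return the findings by check name."""
    ops = [rec for line in file_lines for rec in parse_file_ops(line)]
    regs = parse_reg_sets(reg_line)
    return {"masquerading_autoruns": masquerading_autoruns(regs),
            "startup_drops": startup_folder_drops(ops),
            "directory_breadth": directory_breadth(ops)}


if __name__ == "__main__":
    for name, result in triage(REPORT_FILE_LINES, REPORT_REG_LINE).items():
        print(name, result)
```

Note that the breadth check keys on the process name as the report prints it: the svchost.exe here is the sample's dropped copy in %AppData%, which is exactly why the Run-key check refuses to trust a system-binary name that is not backed by a System32 path.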
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a6tcqoihy.jpg" svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 7 IoCs
SCSI information is often read in order to detect sandboxing environments.
All seven accesses below are by taskmgr.exe and vds.exe (Task Manager and the Virtual Disk Service used during the analysis session), not by the sample, so this signature should not be read as anti-analysis behaviour of the malware. The device identifiers (Ven_DADY hard disk, QEMU DVD-ROM) do reveal the sandbox's virtual hardware.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  taskmgr.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000  vds.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  vds.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000  vds.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName  vds.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  taskmgr.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Both accesses are by taskmgr.exe, not by the sample.
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  taskmgr.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  taskmgr.exe
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 4732 vssadmin.exe -
Modifies Internet Explorer settings 34 IoCs
All entries are written by iexplore.exe / IEXPLORE.EXE during the analysis session's browser use, not by the sample.
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\VersionManager  IEXPLORE.EXE
Set value (int)  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31117846"  IEXPLORE.EXE
Key created  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage  iexplore.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\Main  IEXPLORE.EXE
Set value (int)  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{01819F11-3E0A-11EF-8BF0-5A1F3CBF1B84} = "0"  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3588335832"  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3588335832"  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31117846"  iexplore.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062632f928728194692a4b61bc57d3e8f0000000002000000000010660000000100002000000061f37aa5e3a1448a48bb171143c25e944449f04ebccd148de1231f4298de0379000000000e8000000002000020000000e2a41ca40f11a027ec2422a7b993a2261528f3c76dd1467fe6a6666620f5a968200000002370ab84d331d644e49ea717961d2aa29ad01feffcca266efdfdecb0ee324cab40000000d23418bcdcae593a4d8cee7ff08c2f5cf2c5bf1ed53bc3180f86c7efc1b64cc955df24159a0866751e4bafebc876b938c0531a97bbaf6ab9d45b280f29de4060  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31117846"  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"  iexplore.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062632f928728194692a4b61bc57d3e8f0000000002000000000010660000000100002000000044a1eb62ded44b9e8aa4335550319ef0c9ae016748cf3f3a425ad51616ade240000000000e8000000002000020000000eb3790722017085d7bda3e590b1fd622347289e78797ad7053a6700c4a93649520000000c20d76bde1e31cc4f2b956bfda4b4737e0e621d7c287dff641ea0d4b54129e834000000011edbe519a2bbed3312e7656b1bddb8bf54e0a802bb3d3a8759e0f955ccd7df6ecb72b45b4553eeff4cf77a9aaff75897646896ee78a3f8ed24a551a6d65203a  iexplore.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 100d2cd816d2da01  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\Main  iexplore.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\GPU  IEXPLORE.EXE
Key created  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\IESettingSync  IEXPLORE.EXE
Set value (int)  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"  IEXPLORE.EXE
Key created  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch  IEXPLORE.EXE
Set value (str)  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  IEXPLORE.EXE
Key created  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\VersionManager  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing  iexplore.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20c329d816d2da01  iexplore.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  iexplore.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""  IEXPLORE.EXE
Set value (int)  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3594117211"  IEXPLORE.EXE
Modifies data under HKEY_USERS 58 IoCs
All 58 entries are written by LogonUI.exe under HKEY_USERS\.DEFAULT (lock-screen accent and DWM colourisation, keyboard layout, language and Recycle Bin housekeeping); they are a side effect of the logon screen being shown during the run, not activity of the sample.
description  ioc  Process
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"  LogonUI.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{82715c5d-0000-0000-0000-d01200000000}  LogonUI.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\CachedLanguageName = "@Winlangdb.dll,-1121"  LogonUI.exe
Key created  \REGISTRY\USER\.DEFAULT\Control Panel\Quick Actions\Pinned  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"  LogonUI.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{82715c5d-0000-0000-0000-d01200000000}\NukeOnDelete = "0"  LogonUI.exe
Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\LANGUAGE  LogonUI.exe
Key created  \REGISTRY\USER\.DEFAULT\Keyboard Layout\Substitutes  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "139"  LogonUI.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer  LogonUI.exe
Key created  \REGISTRY\USER\.DEFAULT\Control Panel  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"  LogonUI.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214FC-0000-0000-C000-000000000046} 0xFFFF = 01000000000000000c8280d716d2da01  LogonUI.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"  LogonUI.exe
Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000  LogonUI.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\Languages = 65006e002d005500530000000000  LogonUI.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language  LogonUI.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\0409:00000409 = "1"  LogonUI.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000  LogonUI.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload\1 = "00000409"  LogonUI.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"  LogonUI.exe
Key created  \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowCasing = "1"  LogonUI.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"  LogonUI.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}  LogonUI.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\HiddenDummyLayouts  LogonUI.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\RAS AutoDial  LogonUI.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\RAS AutoDial\Default  LogonUI.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\CLSID = "{00000000-0000-0000-0000-000000000000}"  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\KeyboardLayout = "67699721"  LogonUI.exe
Key deleted  \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"  LogonUI.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation"  LogonUI.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket  LogonUI.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language\00000000 = "00000409"  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowShiftLock = "1"  LogonUI.exe
Key deleted  \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}  LogonUI.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\TIP  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "4"  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{82715c5d-0000-0000-0000-d01200000000}\MaxCapacity = "14116"  LogonUI.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409  LogonUI.exe
Key created  \REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload  LogonUI.exe
Key created  \REGISTRY\USER\.DEFAULT\Control Panel\Quick Actions  LogonUI.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached  LogonUI.exe
Key deleted  \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409  LogonUI.exe
Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}  LogonUI.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\Profile = "{00000000-0000-0000-0000-000000000000}"  LogonUI.exe
Key created  \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile  LogonUI.exe
Key created  \REGISTRY\USER\.DEFAULT\Control Panel\Quick Actions\Pinned\  LogonUI.exe
Modifies registry class 2 IoCs
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings  svchost.exe
Key created  \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings  OpenWith.exe
Opens file in notepad (likely ransom note) 2 IoCs
pid   Process
6016  NOTEPAD.EXE
5576  NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 6 IoCs
pid   Process
2992  2024-07-09_dc884e3241e125218d69f53f400e8442_wannacry.exe
4768  2024-07-09_dc884e3241e125218d69f53f400e8442_wannacry.exe
2308  2024-07-09_dc884e3241e125218d69f53f400e8442_wannacry.exe
2480  vlc.exe
1604  svchost.exe
3832  vlc.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process  (occurrences)
2992  2024-07-09_dc884e3241e125218d69f53f400e8442_wannacry.exe  ×23
4768  2024-07-09_dc884e3241e125218d69f53f400e8442_wannacry.exe  ×23
2308  2024-07-09_dc884e3241e125218d69f53f400e8442_wannacry.exe  ×15
3392  taskmgr.exe  ×3
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid   Process
2480  vlc.exe
3832  vlc.exe
3392  taskmgr.exe
Suspicious behavior: LoadsDriver 6 IoCs
pid  Process  (occurrences)
4    Process not Found  ×5
676  Process not Found  ×1
PID 4 is the Windows System process, so these driver loads are kernel-side activity the sandbox could not map to a tracked image, not loads performed by the sample.
Suspicious use of AdjustPrivilegeToken 58 IoCs
The sample and its dropped svchost.exe copy enable SeDebugPrivilege. The backup and restore privileges enabled by vssvc.exe (Volume Shadow Copy service), WMIC.exe and wbengine.exe (Block Level Backup Engine) are the service-side counterpart of the vssadmin.exe, bcdedit.exe and wbadmin.exe invocations listed above and are consistent with shadow copy and backup catalog deletion.
Token  pid  Process
SeDebugPrivilege  2992  2024-07-09_dc884e3241e125218d69f53f400e8442_wannacry.exe
SeDebugPrivilege  4768  2024-07-09_dc884e3241e125218d69f53f400e8442_wannacry.exe
SeDebugPrivilege  2308  2024-07-09_dc884e3241e125218d69f53f400e8442_wannacry.exe
SeDebugPrivilege  3392  taskmgr.exe
SeSystemProfilePrivilege  3392  taskmgr.exe
SeCreateGlobalPrivilege  3392  taskmgr.exe
SeDebugPrivilege  1604  svchost.exe
SeBackupPrivilege  2252  vssvc.exe
SeRestorePrivilege  2252  vssvc.exe
SeAuditPrivilege  2252  vssvc.exe
1464 WMIC.exe, the following sequence enabled twice (42 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
SeBackupPrivilege  1436  wbengine.exe
SeRestorePrivilege  1436  wbengine.exe
SeSecurityPrivilege  1436  wbengine.exe
SeShutdownPrivilege  5700  LogonUI.exe
SeCreatePagefilePrivilege  5700  LogonUI.exe
SeShutdownPrivilege  5700  LogonUI.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process: 3392 taskmgr.exe (64 occurrences)
Suspicious use of SendNotifyMessage 64 IoCs
pid Process: 3392 taskmgr.exe (64 occurrences)
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process: 2480 vlc.exe; 3832 vlc.exe; 5916 OpenWith.exe; 6092 iexplore.exe (2 occurrences); 6116 IEXPLORE.EXE (3 occurrences); 5700 LogonUI.exe (2 occurrences)
Suspicious use of WriteProcessMemory 23 IoCs
description / pid / Process / procid_target:
- PID 4768 wrote to memory of 1604: 4768 2024-07-09_dc884e3241e125218d69f53f400e8442_wannacry.exe, target 113 (recorded twice)
- PID 1604 wrote to memory of 4300: 1604 svchost.exe, target 114 (recorded twice)
- PID 4300 wrote to memory of 4732: 4300 cmd.exe, target 116 (recorded twice)
- PID 4300 wrote to memory of 1464: 4300 cmd.exe, target 120 (recorded twice)
- PID 1604 wrote to memory of 744: 1604 svchost.exe, target 121 (recorded twice)
- PID 744 wrote to memory of 4548: 744 cmd.exe, target 123 (recorded twice)
- PID 744 wrote to memory of 4220: 744 cmd.exe, target 124 (recorded twice)
- PID 1604 wrote to memory of 1420: 1604 svchost.exe, target 125 (recorded twice)
- PID 1420 wrote to memory of 4332: 1420 cmd.exe, target 127 (recorded twice)
- PID 1604 wrote to memory of 5576: 1604 svchost.exe, target 133 (recorded twice)
- PID 6092 wrote to memory of 6116: 6092 iexplore.exe, target 137 (recorded three times)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- PID 2992: C:\Users\Admin\AppData\Local\Temp\2024-07-09_dc884e3241e125218d69f53f400e8442_wannacry.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-07-09_dc884e3241e125218d69f53f400e8442_wannacry.exe"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- PID 2196: C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- PID 4768: C:\Users\Admin\Desktop\2024-07-09_dc884e3241e125218d69f53f400e8442_wannacry.exe
  Command line: "C:\Users\Admin\Desktop\2024-07-09_dc884e3241e125218d69f53f400e8442_wannacry.exe"
  - Checks computer location settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    - PID 1604 (child of 4768): C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Checks computer location settings
      - Deletes itself
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Sets desktop wallpaper using registry
      - Modifies registry class
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        - PID 4300 (child of 1604): C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
          - Suspicious use of WriteProcessMemory
            - PID 4732 (child of 4300): C:\Windows\system32\vssadmin.exe
              Command line: vssadmin delete shadows /all /quiet
              - Interacts with shadow copies
            - PID 1464 (child of 4300): C:\Windows\System32\Wbem\WMIC.exe
              Command line: wmic shadowcopy delete
              - Suspicious use of AdjustPrivilegeToken
        - PID 744 (child of 1604): C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
          - Suspicious use of WriteProcessMemory
            - PID 4548 (child of 744): C:\Windows\system32\bcdedit.exe
              Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
              - Modifies boot configuration data using bcdedit
            - PID 4220 (child of 744): C:\Windows\system32\bcdedit.exe
              Command line: bcdedit /set {default} recoveryenabled no
              - Modifies boot configuration data using bcdedit
        - PID 1420 (child of 1604): C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
          - Suspicious use of WriteProcessMemory
            - PID 4332 (child of 1420): C:\Windows\system32\wbadmin.exe
              Command line: wbadmin delete catalog -quiet
              - Deletes backup catalog
        - PID 5576 (child of 1604): C:\Windows\system32\NOTEPAD.EXE
          Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
          - Opens file in notepad (likely ransom note)
- PID 2308: C:\Users\Admin\Desktop\2024-07-09_dc884e3241e125218d69f53f400e8442_wannacry.exe
  Command line: "C:\Users\Admin\Desktop\2024-07-09_dc884e3241e125218d69f53f400e8442_wannacry.exe"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- PID 3392: C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Drops startup file
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- PID 3504: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
- PID 2480: C:\Program Files\VideoLAN\VLC\vlc.exe
  Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\CompareMeasure.avi"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
- PID 2916: C:\Program Files\VideoLAN\VLC\vlc.exe
  Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\ExportUninstall.ADTS"
- PID 2904: C:\Program Files\VideoLAN\VLC\vlc.exe
  Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\StopProtect.mpv2"
- PID 3832: C:\Program Files\VideoLAN\VLC\vlc.exe
  Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\SetHide.mov"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
- PID 2252: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- PID 1436: C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
- PID 2588: C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
- PID 4312: C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)
- PID 5916: C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
- PID 6016: C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\read_it.txt
  - Opens file in notepad (likely ransom note)
- PID 6092: C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    - PID 6116 (child of 6092): C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6092 CREDAT:17410 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
- PID 5700: C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0 /state0:0xa393f055 /state1:0x41c64e6d
  - Drops desktop.ini file(s)
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution 1
- Registry Run Keys / Startup Folder 1
Defense Evasion
- Direct Volume Access 1
- Indicator Removal 3
- File Deletion 3
- Modify Registry 3
Downloads
- C:\ProgramData\Microsoft\Windows\SystemData\S-1-5-21-2480455240-981575606-1030659066-1000\ReadOnly\LockScreen_O\LockScreen___1920_1080_notdimmed.jpg
  Filesize 619KB
  MD5 14776aad24c9580cc7efd9af690c9066
  SHA1 b3c143db34bbac8fd737dcf1c1191be466340249
  SHA256 09e01dea354f9d5c6fac77e610a0914c47199fc8152c276cedc39b731077dbac
  SHA512 31243280a9f3dee1c8a8432251b4a59946ef335c6e9479394f47c53ef5d9fb47f8a9db75571f3746ae8b75d4a0f0752e1b71c802d733ace4ce944eeae829db2f
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2024-07-09_dc884e3241e125218d69f53f400e8442_wannacry.exe.log
  Filesize 1KB
  MD5 baf55b95da4a601229647f25dad12878
  SHA1 abc16954ebfd213733c4493fc1910164d825cac8
  SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
  SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
- Filesize 582B
  MD5 ed5cc52876db869de48a4783069c2a5e
  SHA1 a9d51ceaeff715ace430f9462ab2ee4e7f33e70e
  SHA256 45726f2f29967ef016f8d556fb6468a577307d67388cc4530295a9ca10fdfa36
  SHA512 1745aefb9b4db4cdd7c08ee3a7d133db08f35a336fd18b598211519b481ef25ac84a3e8a3da3db06caef9f531288d1cf0ca8d4b2560637945e7953e8b45421f5
- Filesize 263KB
  MD5 dc884e3241e125218d69f53f400e8442
  SHA1 8687422a10ad022925c19c2719381e8bd169331c
  SHA256 0bf9b5ef693b11181d39deb87556e8f8dfbf7f617c13bd2602547ae73c4fd1e9
  SHA512 7a34d84e3458ba7da67bd9d9dba797c4b4be000fe8b261feb3b3f10525eaace4a74aa28ba35ac439e934d5f65bd3d44eb09c33a35d96a37de777c008032ce4c6
- Filesize 304B
  MD5 781602441469750c3219c8c38b515ed4
  SHA1 e885acd1cbd0b897ebcedbb145bef1c330f80595
  SHA256 81970dbe581373d14fbd451ac4b3f96e5f69b79645f1ee1ca715cff3af0bf20d
  SHA512 2b0a1717d96edb47bdf0ffeb250a5ec11f7d0638d3e0a62fbe48c064379b473ca88ffbececb32a72129d06c040b107834f1004ccda5f0f35b8c3588034786461
- Filesize 663B
  MD5 55f4bf3c50ce8b03cf027c22a301cefd
  SHA1 36fc7d0823451c58257b750fcd13c7f6a6c2bbfc
  SHA256 7e9788f84fb887a6849978fc9fb20874f7f2771ebb08c40d0acd029e88c20f16
  SHA512 fca3d0de1c2287d06e49fa2ccc96c86e1f1087627c61ff987c2d0cc01563576f9109b60e54fdb923758183d6cca43ef61cf17d117dcbea9cb2767b8f302abbc7
- Filesize 82B
  MD5 5104ae29a6356fd2ae121a86599af480
  SHA1 d1c68f07087000a52f3676d240cf1e6b0bcc9bb9
  SHA256 fa5db22004ab9c658792c1e7c583d6b5184e008b880d8cbdd48539c1bbd69dc3
  SHA512 d6b275bec01be114273466d6389fd65685458935031b8319e162e247511b63896cf1b265109064b71e2db52267d117acc9f0a9850576583df92056dd1d6ebb82
- Filesize 1B
  MD5 d1457b72c3fb323a2671125aef3eab5d
  SHA1 5bab61eb53176449e25c2c82f172b82cb13ffb9d
  SHA256 8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1
  SHA512 ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0