wannacry | 5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9

Analysis

max time kernel
143s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
09-07-2024 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe
Size

316KB
MD5

b9b3965d1b218c63cd317ac33edcb942
SHA1

02408bb6dc1f3605a7d3f9bad687a858ec147896
SHA256

5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9
SHA512

18096b1167561c6da5bfcc05e40f7661e21f43521eb47da9520d2744c8a1806d7187894ce0ae8e0a9e97904b345daae09897d80e8754a63c9aa1d6514feaf98e
SSDEEP

6144:xHQFwJYDzVc1aWLn0IU4eFTE3Ijr2Cq6j7+qmOq:Z6wWcYWL0IUzNGqJq

Score

10^/10

wannacry defense_evasion execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $200 worth of bitcoin to this bitcoin address: 1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) https://www.dropbox.com/s/c1gn29iy8erh1ks/m.rar?dl=1 rar password: wcry123 Run and follow the instructions! �

Wallets

1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD4E29.tmp	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD4E5C.tmp	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe

Executes dropped EXE 4 IoCs

pid	Process
3000	!WannaDecryptor!.exe
572	!WannaDecryptor!.exe
600	!WannaDecryptor!.exe
1404	!WannaDecryptor!.exe

Loads dropped DLL 9 IoCs

pid	Process
2820	cscript.exe
2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe
2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe
2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe
2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe
1000	cmd.exe
1000	cmd.exe
2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe
2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe\" /r"	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2460	vssadmin.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
2052	taskkill.exe
2240	taskkill.exe
3048	taskkill.exe
2016	taskkill.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	!WannaDecryptor!.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	!WannaDecryptor!.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	!WannaDecryptor!.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	!WannaDecryptor!.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	!WannaDecryptor!.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	!WannaDecryptor!.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1404	!WannaDecryptor!.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	2240	taskkill.exe
Token: SeDebugPrivilege	2016	taskkill.exe
Token: SeDebugPrivilege	2052	taskkill.exe
Token: SeDebugPrivilege	3048	taskkill.exe
Token: SeBackupPrivilege	1088	vssvc.exe
Token: SeRestorePrivilege	1088	vssvc.exe
Token: SeAuditPrivilege	1088	vssvc.exe
Token: SeIncreaseQuotaPrivilege	624	WMIC.exe
Token: SeSecurityPrivilege	624	WMIC.exe
Token: SeTakeOwnershipPrivilege	624	WMIC.exe
Token: SeLoadDriverPrivilege	624	WMIC.exe
Token: SeSystemProfilePrivilege	624	WMIC.exe
Token: SeSystemtimePrivilege	624	WMIC.exe
Token: SeProfSingleProcessPrivilege	624	WMIC.exe
Token: SeIncBasePriorityPrivilege	624	WMIC.exe
Token: SeCreatePagefilePrivilege	624	WMIC.exe
Token: SeBackupPrivilege	624	WMIC.exe
Token: SeRestorePrivilege	624	WMIC.exe
Token: SeShutdownPrivilege	624	WMIC.exe
Token: SeDebugPrivilege	624	WMIC.exe
Token: SeSystemEnvironmentPrivilege	624	WMIC.exe
Token: SeRemoteShutdownPrivilege	624	WMIC.exe
Token: SeUndockPrivilege	624	WMIC.exe
Token: SeManageVolumePrivilege	624	WMIC.exe
Token: 33	624	WMIC.exe
Token: 34	624	WMIC.exe
Token: 35	624	WMIC.exe
Token: SeIncreaseQuotaPrivilege	624	WMIC.exe
Token: SeSecurityPrivilege	624	WMIC.exe
Token: SeTakeOwnershipPrivilege	624	WMIC.exe
Token: SeLoadDriverPrivilege	624	WMIC.exe
Token: SeSystemProfilePrivilege	624	WMIC.exe
Token: SeSystemtimePrivilege	624	WMIC.exe
Token: SeProfSingleProcessPrivilege	624	WMIC.exe
Token: SeIncBasePriorityPrivilege	624	WMIC.exe
Token: SeCreatePagefilePrivilege	624	WMIC.exe
Token: SeBackupPrivilege	624	WMIC.exe
Token: SeRestorePrivilege	624	WMIC.exe
Token: SeShutdownPrivilege	624	WMIC.exe
Token: SeDebugPrivilege	624	WMIC.exe
Token: SeSystemEnvironmentPrivilege	624	WMIC.exe
Token: SeRemoteShutdownPrivilege	624	WMIC.exe
Token: SeUndockPrivilege	624	WMIC.exe
Token: SeManageVolumePrivilege	624	WMIC.exe
Token: 33	624	WMIC.exe
Token: 34	624	WMIC.exe
Token: 35	624	WMIC.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3000	!WannaDecryptor!.exe
3000	!WannaDecryptor!.exe
572	!WannaDecryptor!.exe
572	!WannaDecryptor!.exe
600	!WannaDecryptor!.exe
600	!WannaDecryptor!.exe
1404	!WannaDecryptor!.exe
1404	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2688	2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	30
PID 2080 wrote to memory of 2688	2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	30
PID 2080 wrote to memory of 2688	2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	30
PID 2080 wrote to memory of 2688	2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	30
PID 2688 wrote to memory of 2820	2688	cmd.exe	32
PID 2688 wrote to memory of 2820	2688	cmd.exe	32
PID 2688 wrote to memory of 2820	2688	cmd.exe	32
PID 2688 wrote to memory of 2820	2688	cmd.exe	32
PID 2080 wrote to memory of 3000	2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	33
PID 2080 wrote to memory of 3000	2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	33
PID 2080 wrote to memory of 3000	2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	33
PID 2080 wrote to memory of 3000	2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	33
PID 2080 wrote to memory of 2240	2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	34
PID 2080 wrote to memory of 2240	2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	34
PID 2080 wrote to memory of 2240	2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	34
PID 2080 wrote to memory of 2240	2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	34
PID 2080 wrote to memory of 2052	2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	35
PID 2080 wrote to memory of 2052	2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	35
PID 2080 wrote to memory of 2052	2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	35
PID 2080 wrote to memory of 2052	2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	35
PID 2080 wrote to memory of 2016	2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	38
PID 2080 wrote to memory of 2016	2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	38
PID 2080 wrote to memory of 2016	2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	38
PID 2080 wrote to memory of 2016	2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	38
PID 2080 wrote to memory of 3048	2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	39
PID 2080 wrote to memory of 3048	2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	39
PID 2080 wrote to memory of 3048	2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	39
PID 2080 wrote to memory of 3048	2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	39
PID 2080 wrote to memory of 572	2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	45
PID 2080 wrote to memory of 572	2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	45
PID 2080 wrote to memory of 572	2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	45
PID 2080 wrote to memory of 572	2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	45
PID 2080 wrote to memory of 1000	2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	46
PID 2080 wrote to memory of 1000	2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	46
PID 2080 wrote to memory of 1000	2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	46
PID 2080 wrote to memory of 1000	2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	46
PID 1000 wrote to memory of 600	1000	cmd.exe	48
PID 1000 wrote to memory of 600	1000	cmd.exe	48
PID 1000 wrote to memory of 600	1000	cmd.exe	48
PID 1000 wrote to memory of 600	1000	cmd.exe	48
PID 2080 wrote to memory of 1404	2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	50
PID 2080 wrote to memory of 1404	2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	50
PID 2080 wrote to memory of 1404	2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	50
PID 2080 wrote to memory of 1404	2080	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	50
PID 600 wrote to memory of 2260	600	!WannaDecryptor!.exe	52
PID 600 wrote to memory of 2260	600	!WannaDecryptor!.exe	52
PID 600 wrote to memory of 2260	600	!WannaDecryptor!.exe	52
PID 600 wrote to memory of 2260	600	!WannaDecryptor!.exe	52
PID 2260 wrote to memory of 2460	2260	cmd.exe	54
PID 2260 wrote to memory of 2460	2260	cmd.exe	54
PID 2260 wrote to memory of 2460	2260	cmd.exe	54
PID 2260 wrote to memory of 2460	2260	cmd.exe	54
PID 2260 wrote to memory of 624	2260	cmd.exe	56
PID 2260 wrote to memory of 624	2260	cmd.exe	56
PID 2260 wrote to memory of 624	2260	cmd.exe	56
PID 2260 wrote to memory of 624	2260	cmd.exe	56

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 163581720549169.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\cscript.exe
    cscript //nologo c.vbs
    3⤵
    - Loads dropped DLL
    PID:2820
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe f
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  PID:3000
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSExchange*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Microsoft.Exchange.*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlserver.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlwriter.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe c
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:572
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b !WannaDecryptor!.exe v
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
    !WannaDecryptor!.exe v
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:600
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2260
    - - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:2460
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1404

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
7e7a1a23e7ee02bffc2dabb63efd6554

SHA1
e3359f0298b7151c46c576b96110b4435c987d4e

SHA256
ea5bf27142482bc76eb3053a2d129c0a96a1817abcfb76c599f5cc2df7c54192

SHA512
59ae5381f6dc2f88a839dd85daf180f41f323dba931ad364e02a6732cac7c91ce8fc5bb6a6e5acb621f7fdd11e9f6391adc105dffeded5c9ca61267c00472ee0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_1D978D5EA8275AA72D1BFCD66AF4A751

Filesize
471B

MD5
651cd6cd7b0326fae0e52c9fd6a64355

SHA1
40045e10ea63f8b90664b1509aeef6fe93eb1997

SHA256
61b97d69e5e23ae9cb7cb7560ab67629d551236e409363169437c65932169727

SHA512
910c45668e4ff9e812424315c5d7131ba78ba581909b323cddf90ace573520fbf1e4e06bdce22d92420dc47b319da64024fde31977ea1546613eeeff9b127114

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
137e80db310ed2a014371d6884146b7e

SHA1
f238cb48e3ab154636c6d7e519375a7160e28b1a

SHA256
7058a8b1786f0f5ed958418209a8ac84f276b75388499ec4a7a46b0eff7c888f

SHA512
49aed779a12b11c73ed1a398b11eca4189c6e66dee3b77d7a61fa7f39482d772f2351acf81f95a651bb5c5b5ff64cc4399fd48b5427b49c619450636b03b146f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0bedb3e03ee335fa0a889a51320de432

SHA1
f4abd21808301719b138cb36c67cc9ef96a16c83

SHA256
1cb01eaf5b6227df99225054dba85763a6081863d44ae79b2c27ea26234511cc

SHA512
f26346047e9358cf9ac89583300b6784cda931a59ac1fddfb711c6e41ef7de9ff40251afff63ceb8ea5ae1ad2d5293af70e4f8ddff7fc6eeb0abf8c919210a2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2065a32baa343147e424adff98bc845c

SHA1
da6e2dc43dc8d7fedd12baf1000e086bf47d5ba7

SHA256
ba7658bb852bdc69805746b697a04f544a9dfb636264c5974023955a0255ab52

SHA512
0f6b4a0f3a24896d15f86a958117922893c8e8c3184e8b4f842ad861243ba4ed95a29711a3014144b7e26326b8c0943c7e264e1c9371fd14e8fcc791d6daf677

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9a1e478c0af3be2d67299d39dc865867

SHA1
8ba7d5c47964b2cc536a3215a769881b8b78e2db

SHA256
c31afcda84d4d0b89cd7add454dde8891c57cdfb344419792298832daf39708f

SHA512
8904750377c0eb562d37d1aecee40eab26d70accb66ab5698857a2c177f4cdca7204932330e3ed8e1970772c5b8efddf5c019bf9afe349b74b49a873d9f7985c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e62758652bb4212fe15e7a10819afc43

SHA1
14b07a9c8dff3bcc05b43f5c1eef79f56ce3bd0a

SHA256
6dea0d190a6705b2fba03cf47b5ad21e5bdd7a58e3ff1a3cb659887d98bfa152

SHA512
a7df268e677d6acc3403eb3fbd76f140f9a57addcd02d2168877940686e672661a0a75df1f2c0f9d1df19e9bd6b1a329f356c2d648c07501e9105abd4a922355

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05b4c7eb251649d7b33234c67032d932

SHA1
ad10d47cdaf5fc9af1869b62f3261c12a2b31e46

SHA256
1ac6e2cdf707fe142455a2d968fd99aac09403e068705c3ccbc72c95ba3f3de5

SHA512
e6490eb8367f09009501531ca8b9af21e9af6bee21ae65ec4fbe614e49d1302466708c75167342ca99819c13bae5a14de749e99b7cc4bddb516c2cabf2005e81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
5766d40701e9749e034c99eb7cdd76ca

SHA1
fde5d2689c5078593930b09130b62aba60734a8b

SHA256
19cd31e20b28f8285bcc5e0f6badf1c55df43d1b4e9618427a8c998004ea2928

SHA512
89c848b612d2501ecede09594eb3396da1d0db8423951dab04ecb5446e373b3e48562dc8e8a22639286811c55d2fd46a84c777a6838ad6cc032345d9040e0394

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_1D978D5EA8275AA72D1BFCD66AF4A751

Filesize
396B

MD5
46e0ebefeb82d3a775664751476035db

SHA1
8d8062f1e515b8b8e742f6b59fa90e5162a3bf2e

SHA256
3a634f8dac32488c716b70fbd15f8b9d6e73abed342ae38a8529718f16962b6b

SHA512
736b20c32478b389de93190e6c348bd64caf01c0238e1939565cb62ec62859e01565b91f2ccedae6412c79d5b75ad3b91d9c4195addfc9e24018d53e3ef338f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
abcb7d4353abee5083ddd8057c7cd1ff

SHA1
d8a2c1be4b47944d9afdf5e664e5db1364b66a5a

SHA256
eeb9cd6a1c4b3949b2ff3134a77d6736b35977f951b9c7c911483b5caeb1c1fb

SHA512
7d1ebb730a4c4833f2d690c80a35a73f3b7dbe2a83a642dbcf5e6d1d6aa4204a1513a28f74f32751727074b9f0072071deafea48cbe7d36081efd957a5244508

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
8e1285b2fa0c0db8d1558c8555e61bee

SHA1
0484805e7a890455388493f04d688dc3790840a8

SHA256
4638ffba9bfdba2c7141accd54b3cbdee9466b99c375bcadb78c06f3f4771f38

SHA512
965603bc7bd292e311437d967bc0f1f142b01edc6d2ec020d6acb65151d9a880ba7b96d3145d107d89fe0d0f9aa9f3df56c3c8eabae17cc8d8ee9870bbf9a905

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
43b1ec571faf7b2907bfbcf511e7a896

SHA1
d71aca37bd74e75cc5d89a59278ce3b6653534cb

SHA256
621df757d1b2067a26be76b18b08c1177f5c0e8f8f14708e9a8302c1655d22cb

SHA512
4c07708236125c86ae943b6bd5cdf32665c09cc758a23ae1162d98b1ce0dbcf4d718a8ca3684249a2d807afb54ee8182c160045837017ceb43a7d825b9193035

Download Submit
C:\Users\Admin\AppData\Local\Temp\163581720549169.bat

Filesize
336B

MD5
3540e056349c6972905dc9706cd49418

SHA1
492c20442d34d45a6d6790c720349b11ec591cde

SHA256
73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

SHA512
c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab57F4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5816.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b.wry

Filesize
1.4MB

MD5
99ae8326b4bc406daf54ddc7c5e43abe

SHA1
6ce5002f3cb55a8de0e8e8da77f0d0d0d7679183

SHA256
5054c415757f8a62abe0d61087d31e95065439d9ea1b364a6f207cdceaa24b7c

SHA512
756d7e44eb139501f5b3cf1ed0f76d1e8730c4dfd15f30bc23cda25102b240ad69784d414f995099c57610cf2f9bc9083b20fb4d303f1ca89f75e6819b8cf1d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.vbs

Filesize
219B

MD5
5f6d40ca3c34b470113ed04d06a88ff4

SHA1
50629e7211ae43e32060686d6be17ebd492fd7aa

SHA256
0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

SHA512
4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry

Filesize
628B

MD5
6c989cda197144a27074165c60ece4e2

SHA1
685d8167f814706dc18d120739ebf1512e8f2018

SHA256
877cf4df6bc090c0e0801366c55f9ab92c2fafea36a6a9ab3c8412cc5a0dab28

SHA512
20d5d56dbf40dd3aa198580609ab758d57858463d505ee0394282b9b2c779aec0d5452a3b763762440ec802f225ad046427b8338a9e14e27f454b27f1774af4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.wry

Filesize
43KB

MD5
54c0e4aa798ce82886a96ba4bb449188

SHA1
71886d4d410013425243a00f15c270fc4f2a6a3a

SHA256
e5373e95a201b3b676072752097ff5d851a0a34e1be4194ff0c52c33601e576a

SHA512
4415559fa5da1192360b4d6db368179335661120443b812f5bc256466c79ecb6d36ed5d3c00a4e2590bf70e473565287a7db53f6aa3f8faaad46f21e34e84298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0FPP96R9.txt

Filesize
121B

MD5
a971fbcb4062d91fd78a11d7cd3afdcc

SHA1
d72b1a375fbc40bc91cad3477c47dbddde754987

SHA256
d9ba6c61c9faad85345715b6a760a014bdc4c08e96fa139348c47ba1dcd6e189

SHA512
f9dff28d658ba4a50f05d3016479742fd15bee197297110dc3e4904f82bf8a6cb4279aee526911f57ca98529b6eeaa2cb2f4d64a7b5116f4979aa3d63dc448ae

Download Submit
F:\$RECYCLE.BIN\!Please Read Me!.txt

Filesize
849B

MD5
66c169379186555b050c266dd5f9ce29

SHA1
45568656a50454ae85cc49c12872bad0167945ac

SHA256
90bb163d3350460dd30132a16e15d37bc1d5932af354cad83dbedb46275b6861

SHA512
926a185bbe8989f9cbba6fa635883e8514b70fa66247ef5ba51dce19b73bd1d3a6b8c4ab98f4f8b4e55ab19054b19e1ca38e4949e8a042a51db09d8528ced2d0

Download Submit
F:\$RECYCLER\!WannaDecryptor!.exe.lnk

Filesize
921B

MD5
7f55c8b781e356ff3978179ad8078a41

SHA1
394bcfb2ce49580d5f6314cacde487103730247b

SHA256
cd5d84f72a6e5496fe95a69bb088221c8282d0eda7db7e1c2a6ffd829bc6b6f1

SHA512
fe33a898b0e283101ade6f6ae9dfe276f2ce290847e5a0a8655a823e5c58964196d6afcaa449f3374aa544bd271833ff2f3bc223138574809dc75db00f45828e

Download Submit
memory/2080-7-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads