wannacry | 5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9

Analysis

max time kernel
141s
max time network
125s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe
Size

316KB
MD5

b9b3965d1b218c63cd317ac33edcb942
SHA1

02408bb6dc1f3605a7d3f9bad687a858ec147896
SHA256

5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9
SHA512

18096b1167561c6da5bfcc05e40f7661e21f43521eb47da9520d2744c8a1806d7187894ce0ae8e0a9e97904b345daae09897d80e8754a63c9aa1d6514feaf98e
SSDEEP

6144:xHQFwJYDzVc1aWLn0IU4eFTE3Ijr2Cq6j7+qmOq:Z6wWcYWL0IUzNGqJq

Score

10^/10

wannacry defense_evasion execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $200 worth of bitcoin to this bitcoin address: 1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) https://www.dropbox.com/s/c1gn29iy8erh1ks/m.rar?dl=1 rar password: wcry123 Run and follow the instructions! �

Wallets

1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDEF17.tmp	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe

Executes dropped EXE 4 IoCs

pid	Process
1624	!WannaDecryptor!.exe
1872	!WannaDecryptor!.exe
1996	!WannaDecryptor!.exe
1032	!WannaDecryptor!.exe

Loads dropped DLL 9 IoCs

pid	Process
2904	cscript.exe
2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe
2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe
2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe
2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe
1984	cmd.exe
1984	cmd.exe
2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe
2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe\" /r"	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2892	vssadmin.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
1616	taskkill.exe
2860	taskkill.exe
1008	taskkill.exe
2540	taskkill.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	!WannaDecryptor!.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	!WannaDecryptor!.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	!WannaDecryptor!.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	!WannaDecryptor!.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	!WannaDecryptor!.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	!WannaDecryptor!.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	!WannaDecryptor!.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	!WannaDecryptor!.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1032	!WannaDecryptor!.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	1008	taskkill.exe
Token: SeDebugPrivilege	1616	taskkill.exe
Token: SeDebugPrivilege	2860	taskkill.exe
Token: SeDebugPrivilege	2540	taskkill.exe
Token: SeBackupPrivilege	2076	vssvc.exe
Token: SeRestorePrivilege	2076	vssvc.exe
Token: SeAuditPrivilege	2076	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2196	WMIC.exe
Token: SeSecurityPrivilege	2196	WMIC.exe
Token: SeTakeOwnershipPrivilege	2196	WMIC.exe
Token: SeLoadDriverPrivilege	2196	WMIC.exe
Token: SeSystemProfilePrivilege	2196	WMIC.exe
Token: SeSystemtimePrivilege	2196	WMIC.exe
Token: SeProfSingleProcessPrivilege	2196	WMIC.exe
Token: SeIncBasePriorityPrivilege	2196	WMIC.exe
Token: SeCreatePagefilePrivilege	2196	WMIC.exe
Token: SeBackupPrivilege	2196	WMIC.exe
Token: SeRestorePrivilege	2196	WMIC.exe
Token: SeShutdownPrivilege	2196	WMIC.exe
Token: SeDebugPrivilege	2196	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2196	WMIC.exe
Token: SeRemoteShutdownPrivilege	2196	WMIC.exe
Token: SeUndockPrivilege	2196	WMIC.exe
Token: SeManageVolumePrivilege	2196	WMIC.exe
Token: 33	2196	WMIC.exe
Token: 34	2196	WMIC.exe
Token: 35	2196	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2196	WMIC.exe
Token: SeSecurityPrivilege	2196	WMIC.exe
Token: SeTakeOwnershipPrivilege	2196	WMIC.exe
Token: SeLoadDriverPrivilege	2196	WMIC.exe
Token: SeSystemProfilePrivilege	2196	WMIC.exe
Token: SeSystemtimePrivilege	2196	WMIC.exe
Token: SeProfSingleProcessPrivilege	2196	WMIC.exe
Token: SeIncBasePriorityPrivilege	2196	WMIC.exe
Token: SeCreatePagefilePrivilege	2196	WMIC.exe
Token: SeBackupPrivilege	2196	WMIC.exe
Token: SeRestorePrivilege	2196	WMIC.exe
Token: SeShutdownPrivilege	2196	WMIC.exe
Token: SeDebugPrivilege	2196	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2196	WMIC.exe
Token: SeRemoteShutdownPrivilege	2196	WMIC.exe
Token: SeUndockPrivilege	2196	WMIC.exe
Token: SeManageVolumePrivilege	2196	WMIC.exe
Token: 33	2196	WMIC.exe
Token: 34	2196	WMIC.exe
Token: 35	2196	WMIC.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1624	!WannaDecryptor!.exe
1624	!WannaDecryptor!.exe
1872	!WannaDecryptor!.exe
1872	!WannaDecryptor!.exe
1996	!WannaDecryptor!.exe
1996	!WannaDecryptor!.exe
1032	!WannaDecryptor!.exe
1032	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2936	2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	30
PID 2088 wrote to memory of 2936	2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	30
PID 2088 wrote to memory of 2936	2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	30
PID 2088 wrote to memory of 2936	2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	30
PID 2936 wrote to memory of 2904	2936	cmd.exe	32
PID 2936 wrote to memory of 2904	2936	cmd.exe	32
PID 2936 wrote to memory of 2904	2936	cmd.exe	32
PID 2936 wrote to memory of 2904	2936	cmd.exe	32
PID 2088 wrote to memory of 1624	2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	33
PID 2088 wrote to memory of 1624	2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	33
PID 2088 wrote to memory of 1624	2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	33
PID 2088 wrote to memory of 1624	2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	33
PID 2088 wrote to memory of 1616	2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	34
PID 2088 wrote to memory of 1616	2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	34
PID 2088 wrote to memory of 1616	2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	34
PID 2088 wrote to memory of 1616	2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	34
PID 2088 wrote to memory of 2860	2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	35
PID 2088 wrote to memory of 2860	2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	35
PID 2088 wrote to memory of 2860	2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	35
PID 2088 wrote to memory of 2860	2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	35
PID 2088 wrote to memory of 1008	2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	37
PID 2088 wrote to memory of 1008	2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	37
PID 2088 wrote to memory of 1008	2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	37
PID 2088 wrote to memory of 1008	2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	37
PID 2088 wrote to memory of 2540	2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	38
PID 2088 wrote to memory of 2540	2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	38
PID 2088 wrote to memory of 2540	2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	38
PID 2088 wrote to memory of 2540	2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	38
PID 2088 wrote to memory of 1872	2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	45
PID 2088 wrote to memory of 1872	2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	45
PID 2088 wrote to memory of 1872	2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	45
PID 2088 wrote to memory of 1872	2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	45
PID 2088 wrote to memory of 1984	2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	46
PID 2088 wrote to memory of 1984	2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	46
PID 2088 wrote to memory of 1984	2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	46
PID 2088 wrote to memory of 1984	2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	46
PID 1984 wrote to memory of 1996	1984	cmd.exe	48
PID 1984 wrote to memory of 1996	1984	cmd.exe	48
PID 1984 wrote to memory of 1996	1984	cmd.exe	48
PID 1984 wrote to memory of 1996	1984	cmd.exe	48
PID 2088 wrote to memory of 1032	2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	49
PID 2088 wrote to memory of 1032	2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	49
PID 2088 wrote to memory of 1032	2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	49
PID 2088 wrote to memory of 1032	2088	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	49
PID 1996 wrote to memory of 1072	1996	!WannaDecryptor!.exe	51
PID 1996 wrote to memory of 1072	1996	!WannaDecryptor!.exe	51
PID 1996 wrote to memory of 1072	1996	!WannaDecryptor!.exe	51
PID 1996 wrote to memory of 1072	1996	!WannaDecryptor!.exe	51
PID 1072 wrote to memory of 2892	1072	cmd.exe	53
PID 1072 wrote to memory of 2892	1072	cmd.exe	53
PID 1072 wrote to memory of 2892	1072	cmd.exe	53
PID 1072 wrote to memory of 2892	1072	cmd.exe	53
PID 1072 wrote to memory of 2196	1072	cmd.exe	55
PID 1072 wrote to memory of 2196	1072	cmd.exe	55
PID 1072 wrote to memory of 2196	1072	cmd.exe	55
PID 1072 wrote to memory of 2196	1072	cmd.exe	55

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe
"C:\Users\Admin\AppData\Local\Temp\5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 55321720575447.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\cscript.exe
    cscript //nologo c.vbs
    3⤵
    - Loads dropped DLL
    PID:2904
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe f
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  PID:1624
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSExchange*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1616
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Microsoft.Exchange.*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlserver.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1008
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlwriter.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe c
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1872
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b !WannaDecryptor!.exe v
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
    !WannaDecryptor!.exe v
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1072
    - - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:2892
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1032

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
7e7a1a23e7ee02bffc2dabb63efd6554

SHA1
e3359f0298b7151c46c576b96110b4435c987d4e

SHA256
ea5bf27142482bc76eb3053a2d129c0a96a1817abcfb76c599f5cc2df7c54192

SHA512
59ae5381f6dc2f88a839dd85daf180f41f323dba931ad364e02a6732cac7c91ce8fc5bb6a6e5acb621f7fdd11e9f6391adc105dffeded5c9ca61267c00472ee0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_1D978D5EA8275AA72D1BFCD66AF4A751

Filesize
471B

MD5
651cd6cd7b0326fae0e52c9fd6a64355

SHA1
40045e10ea63f8b90664b1509aeef6fe93eb1997

SHA256
61b97d69e5e23ae9cb7cb7560ab67629d551236e409363169437c65932169727

SHA512
910c45668e4ff9e812424315c5d7131ba78ba581909b323cddf90ace573520fbf1e4e06bdce22d92420dc47b319da64024fde31977ea1546613eeeff9b127114

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
33efeeea1e582b809450ea314b1067e0

SHA1
75456d7115044b9dd28116d45a5560022526223b

SHA256
a8cbc4ed347f0f19c9f9bc357664e942ab2e54f8dd274c8a6247d431938d51ac

SHA512
9cb71ca8b47e431ff3fec2485b5ebd73d43e431379e42b99649859b04f184961897aeeba54219f2a77ea8a2857cd11e494b996363f8875567a6cc1af9c4d50e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e1e57c7e31511e569c47e40992bc346

SHA1
818f3b918abe287259666419f49f83e4b0eebbef

SHA256
dfa4f4e345eb6f1528cd16027ce84684c00ade61a0ca4dfda1a93c4f157648a5

SHA512
549dcbb603867b53406f202d7d8d83b4dc79ae82f9e3b351944c63a8bd65945961dc30da26b922c4fe473c3c4b9a94af5797440d4dd9e36f80db63423987d4d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f578f4a711c9d011510a90c5850705f

SHA1
62397dfdfb118d17b5e5651d5c3d49e6a73f1e8e

SHA256
97780598595110dddda5d1b11d7ce31712598f35615401f9b8d6b0a9c50b9951

SHA512
38c291d2585bb28c1a47d2086c19b5d9213420718387021272bb2d49fd28165e9d65a2e39657d351da21d8610eef42499b5c7c8af9d51006973a3ca63c82b089

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f08fb87b90cf0fdb59d3237f7b7c1d90

SHA1
960088f9025ca88fefeb6485e97ecb52a14ad6b8

SHA256
d1f71f3cdebcaf5edd423c1484792acc1e82237055c667aa50a3db040f212c9c

SHA512
6145da0c4fc6f3e156d558a2906cc302f566a5dc807ba8a3360108bf4db00b62fee1b11dad9f9ffd38564b7537a4a14d8e92194edf3a7aa694321401144abad6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67779699c7a20406d2a68ac1c631e7e4

SHA1
7a30c2f9b11b27e1b4c1394b1e4eda2fde5d7027

SHA256
c279711ae1d882fd0d1342b589f2d400011075b9cb2d42bb4e5b4564640e0c76

SHA512
d6e2ba5dcc27c766d36e5dbcbdca4c6e4fceaa9d9277e8f5babbc40365c29034843ae6759990f1906640c354406e1b792c65f2f4aa0a3a12ba976779f5fd4ae4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
57d28bc1a19084f91cc356384d0e7eb2

SHA1
43d05b44d66ef3dc85f73dbe0fdcbd2382c7dc54

SHA256
01526e06a2afb9ccaa010984b31cd35b74139530bbb68aba5fae249b79828178

SHA512
8299734c2a884e51854a78184418baf5799aa50afeddfb11aab95d282b49530c4c94cb959ff8d6bab553a79d4e743bba903a53461d011bbb373b0f49251924c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_1D978D5EA8275AA72D1BFCD66AF4A751

Filesize
396B

MD5
5068362c8a493f0840f7fe88e05ac7f3

SHA1
183ae702e9d4db8e1d63af04f28c3000a9e07239

SHA256
8128658832274d551828fde54e6d630475bc7ec7df8257ddc58d96558bbc85a0

SHA512
a334b02ee7dc4f962d4b945dc374b8c7669e5923d74314639b595d20214e54b74e4bb47bbd660165a5bb7c0c860470fe393761b5eda675d653f91a389406a887

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
abcb7d4353abee5083ddd8057c7cd1ff

SHA1
d8a2c1be4b47944d9afdf5e664e5db1364b66a5a

SHA256
eeb9cd6a1c4b3949b2ff3134a77d6736b35977f951b9c7c911483b5caeb1c1fb

SHA512
7d1ebb730a4c4833f2d690c80a35a73f3b7dbe2a83a642dbcf5e6d1d6aa4204a1513a28f74f32751727074b9f0072071deafea48cbe7d36081efd957a5244508

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

Filesize
921B

MD5
7d0f96ee863a25ca3ccf862acebd0bd0

SHA1
91055e2b90463661a23836ae373ba99e016e8b87

SHA256
365cc751d40719b7ec542c626048c3a56db33175024c0f8fd399397a96792ece

SHA512
3366066954b04c8814442f1221500224d86c8bce78677bfb9ecf130570e167fee926a8946e7bd42965f28ecd275da5679ef9556c31e8d5a816d27b06e31fb746

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
e137680a32d500b694d00dbe3c12712d

SHA1
6f5d527ecda1c01347e2b2558a74478e64df3b87

SHA256
34132f0903c91dbd80a479ab4df9f80136c3cd3b2ebda2174d1883ecb43caf9b

SHA512
7717922819b11803d7cc8fafbed527451216038dea8d5fc6936d32774210ffa07aa78307ec782a19fcbe18d79467806caa905a5ff03948a3f6ca83341db104dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
e75bd212b6f8f3732f9db0933e1b7d2f

SHA1
bade5667b2320eb20f9481da486a13023b87588d

SHA256
00f95c01ca2e96f2c6aaa3e37fbf46e479869731f5f48e55c8d01c2ba12d3e72

SHA512
8171d26c642624b22672723d2ab4880aa6f47d8468e489170668427dcbc6a37c3f718bd8bd4baca6326e385146d91f0d42a551828e2095eb258743f2955557ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\55321720575447.bat

Filesize
336B

MD5
3540e056349c6972905dc9706cd49418

SHA1
492c20442d34d45a6d6790c720349b11ec591cde

SHA256
73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

SHA512
c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar101.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b.wry

Filesize
1.4MB

MD5
99ae8326b4bc406daf54ddc7c5e43abe

SHA1
6ce5002f3cb55a8de0e8e8da77f0d0d0d7679183

SHA256
5054c415757f8a62abe0d61087d31e95065439d9ea1b364a6f207cdceaa24b7c

SHA512
756d7e44eb139501f5b3cf1ed0f76d1e8730c4dfd15f30bc23cda25102b240ad69784d414f995099c57610cf2f9bc9083b20fb4d303f1ca89f75e6819b8cf1d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.vbs

Filesize
219B

MD5
5f6d40ca3c34b470113ed04d06a88ff4

SHA1
50629e7211ae43e32060686d6be17ebd492fd7aa

SHA256
0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

SHA512
4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry

Filesize
628B

MD5
01563f7b26f3be2e78ce4830b23dc3dd

SHA1
0edaedcb93c64242cfb12b2cd826e2f57ff0c4b9

SHA256
de1680e225c5434e8b664616cc07b1fef7faebcf42f37e50fd19fce6c2ab41aa

SHA512
6995b38dcdf61f8345808a92f497f1dc53b8437de7aa23e36db6f82cec723619844d4698f3a61e3416b7897708a42c679b1cf0e7e4fd17d6781b04d67184832f

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.wry

Filesize
43KB

MD5
54c0e4aa798ce82886a96ba4bb449188

SHA1
71886d4d410013425243a00f15c270fc4f2a6a3a

SHA256
e5373e95a201b3b676072752097ff5d851a0a34e1be4194ff0c52c33601e576a

SHA512
4415559fa5da1192360b4d6db368179335661120443b812f5bc256466c79ecb6d36ed5d3c00a4e2590bf70e473565287a7db53f6aa3f8faaad46f21e34e84298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LFW4WPL4.txt

Filesize
120B

MD5
26a9eb0a99bb60b530613c130ae179ef

SHA1
68f0976088246c669fb42609507a4f3a3ecc5317

SHA256
2aafa77a71c8425c188dead22837cf1bccba48847b3208ffd9a349b55a053a9b

SHA512
15faac03ab5dcd02576a7353375450dda3e6d6b107a1730a1731d5874cfc068a3c4e180e37d56e6b70f1fdc5d9855e85dc723ced6512de7652ac9e9bd18aa84e

Download Submit
F:\$RECYCLE.BIN\!Please Read Me!.txt

Filesize
849B

MD5
66c169379186555b050c266dd5f9ce29

SHA1
45568656a50454ae85cc49c12872bad0167945ac

SHA256
90bb163d3350460dd30132a16e15d37bc1d5932af354cad83dbedb46275b6861

SHA512
926a185bbe8989f9cbba6fa635883e8514b70fa66247ef5ba51dce19b73bd1d3a6b8c4ab98f4f8b4e55ab19054b19e1ca38e4949e8a042a51db09d8528ced2d0

Download Submit
memory/2088-8-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads