wannacry | e572ac2cb59c9efb7d130b6d0b126abdb2c5418eb23eef13257eafcc38ed963f

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2024 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6aa433b987f747ea18bd1daba29b19a6_JaffaCakes118.dll
Size

5.0MB
MD5

6aa433b987f747ea18bd1daba29b19a6
SHA1

c4a60a470025c45d224276be50fe9ac8370ddee1
SHA256

e572ac2cb59c9efb7d130b6d0b126abdb2c5418eb23eef13257eafcc38ed963f
SHA512

f5939aa010fc822d3b2017d6091b802f27d96f01c914b659280a862cb11b453a59a379772795c199c377171fc35dcc6208a13c2a716137aca7318bc5212c21e3
SSDEEP

24576:ObLgdeQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLKt:OnjQqMSPbcBVQej/1INK

Score

10^/10

wannacry discovery evasion ransomware worm

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	mssecsvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	mssecsvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	mssecsvc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\mssecsvc.exe = "C:\\WINDOWS\\mssecsvc.exe:*:enabled:@shell32.dll,-1"	mssecsvc.exe

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3326) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 2 IoCs

pid	Process
3084	mssecsvc.exe
2216	mssecsvc.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4172	3084	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3084	mssecsvc.exe
3084	mssecsvc.exe
2216	mssecsvc.exe
2216	mssecsvc.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3084	mssecsvc.exe
Token: SeDebugPrivilege	2216	mssecsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 3264	1504	rundll32.exe	84
PID 1504 wrote to memory of 3264	1504	rundll32.exe	84
PID 1504 wrote to memory of 3264	1504	rundll32.exe	84
PID 3264 wrote to memory of 3084	3264	rundll32.exe	85
PID 3264 wrote to memory of 3084	3264	rundll32.exe	85
PID 3264 wrote to memory of 3084	3264	rundll32.exe	85
PID 3084 wrote to memory of 632	3084	mssecsvc.exe	5
PID 3084 wrote to memory of 632	3084	mssecsvc.exe	5
PID 3084 wrote to memory of 632	3084	mssecsvc.exe	5
PID 3084 wrote to memory of 632	3084	mssecsvc.exe	5
PID 3084 wrote to memory of 632	3084	mssecsvc.exe	5
PID 3084 wrote to memory of 632	3084	mssecsvc.exe	5
PID 3084 wrote to memory of 680	3084	mssecsvc.exe	7
PID 3084 wrote to memory of 680	3084	mssecsvc.exe	7
PID 3084 wrote to memory of 680	3084	mssecsvc.exe	7
PID 3084 wrote to memory of 680	3084	mssecsvc.exe	7
PID 3084 wrote to memory of 680	3084	mssecsvc.exe	7
PID 3084 wrote to memory of 680	3084	mssecsvc.exe	7
PID 3084 wrote to memory of 780	3084	mssecsvc.exe	8
PID 3084 wrote to memory of 780	3084	mssecsvc.exe	8
PID 3084 wrote to memory of 780	3084	mssecsvc.exe	8
PID 3084 wrote to memory of 780	3084	mssecsvc.exe	8
PID 3084 wrote to memory of 780	3084	mssecsvc.exe	8
PID 3084 wrote to memory of 780	3084	mssecsvc.exe	8
PID 3084 wrote to memory of 788	3084	mssecsvc.exe	9
PID 3084 wrote to memory of 788	3084	mssecsvc.exe	9
PID 3084 wrote to memory of 788	3084	mssecsvc.exe	9
PID 3084 wrote to memory of 788	3084	mssecsvc.exe	9
PID 3084 wrote to memory of 788	3084	mssecsvc.exe	9
PID 3084 wrote to memory of 788	3084	mssecsvc.exe	9
PID 3084 wrote to memory of 804	3084	mssecsvc.exe	10
PID 3084 wrote to memory of 804	3084	mssecsvc.exe	10
PID 3084 wrote to memory of 804	3084	mssecsvc.exe	10
PID 3084 wrote to memory of 804	3084	mssecsvc.exe	10
PID 3084 wrote to memory of 804	3084	mssecsvc.exe	10
PID 3084 wrote to memory of 804	3084	mssecsvc.exe	10
PID 3084 wrote to memory of 912	3084	mssecsvc.exe	11
PID 3084 wrote to memory of 912	3084	mssecsvc.exe	11
PID 3084 wrote to memory of 912	3084	mssecsvc.exe	11
PID 3084 wrote to memory of 912	3084	mssecsvc.exe	11
PID 3084 wrote to memory of 912	3084	mssecsvc.exe	11
PID 3084 wrote to memory of 912	3084	mssecsvc.exe	11
PID 3084 wrote to memory of 960	3084	mssecsvc.exe	12
PID 3084 wrote to memory of 960	3084	mssecsvc.exe	12
PID 3084 wrote to memory of 960	3084	mssecsvc.exe	12
PID 3084 wrote to memory of 960	3084	mssecsvc.exe	12
PID 3084 wrote to memory of 960	3084	mssecsvc.exe	12
PID 3084 wrote to memory of 960	3084	mssecsvc.exe	12
PID 3084 wrote to memory of 388	3084	mssecsvc.exe	13
PID 3084 wrote to memory of 388	3084	mssecsvc.exe	13
PID 3084 wrote to memory of 388	3084	mssecsvc.exe	13
PID 3084 wrote to memory of 388	3084	mssecsvc.exe	13
PID 3084 wrote to memory of 388	3084	mssecsvc.exe	13
PID 3084 wrote to memory of 388	3084	mssecsvc.exe	13
PID 3084 wrote to memory of 752	3084	mssecsvc.exe	14
PID 3084 wrote to memory of 752	3084	mssecsvc.exe	14
PID 3084 wrote to memory of 752	3084	mssecsvc.exe	14
PID 3084 wrote to memory of 752	3084	mssecsvc.exe	14
PID 3084 wrote to memory of 752	3084	mssecsvc.exe	14
PID 3084 wrote to memory of 752	3084	mssecsvc.exe	14
PID 3084 wrote to memory of 980	3084	mssecsvc.exe	15
PID 3084 wrote to memory of 980	3084	mssecsvc.exe	15
PID 3084 wrote to memory of 980	3084	mssecsvc.exe	15
PID 3084 wrote to memory of 980	3084	mssecsvc.exe	15

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:632
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:780
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:388

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:804
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:3172
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3844
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3940
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4000
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:4080
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3560
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:4028
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3984
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:2044
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3920
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:1664
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  2⤵
  PID:2360
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3508
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:316

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1140
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1480
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2068

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2176

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2232

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2868

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3348

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3544
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6aa433b987f747ea18bd1daba29b19a6_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6aa433b987f747ea18bd1daba29b19a6_JaffaCakes118.dll,#1
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3264
  - - C:\WINDOWS\mssecsvc.exe
      C:\WINDOWS\mssecsvc.exe
      4⤵
      Modifies firewall policy service
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3084
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 1252
        5⤵
        Program crash
        
        PID:4172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3784

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2112

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3084 -ip 3084
1⤵
PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
b2b0bc696271321075d678c832b9db9c

SHA1
801343b88e1e276da1585564bcf22b9f114a48c0

SHA256
6729590951a87257c5509e08c3d6c12ecdc78645e478c387d660663fb93087ba

SHA512
3106db6137ec2d32e83c6024261878f2bbc2016e95f5213c4e6bdca8d792ca36e0b574fa85d57aaa46de5a91b9759826a72ab3b7f08e54737d0fd7fbb86e569b

Download Submit
memory/2216-19-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/2216-10-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/3084-7-0x0000000077483000-0x0000000077484000-memory.dmp

Filesize
4KB

Download
memory/3084-6-0x0000000077482000-0x0000000077483000-memory.dmp

Filesize
4KB

Download
memory/3084-8-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/3084-5-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/3084-12-0x000000007FE30000-0x000000007FE3C000-memory.dmp

Filesize
48KB

Download
memory/3084-11-0x000000007FE30000-0x000000007FE3C000-memory.dmp

Filesize
48KB

Download
memory/3084-14-0x000000007FE30000-0x000000007FE3C000-memory.dmp

Filesize
48KB

Download
memory/3084-16-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/3084-18-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/3084-4-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download