wannacry | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry[.]exe

Analysis

max time kernel
107s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-08-2024 03:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

Processes:

WannaCry.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD2929.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD2940.tmp	WannaCry.exe

Executes dropped EXE 4 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid process

3408 !WannaDecryptor!.exe
5808 !WannaDecryptor!.exe
5876 !WannaDecryptor!.exe
5956 !WannaDecryptor!.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WannaCry.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

84 raw.githubusercontent.com
85 raw.githubusercontent.com
86 raw.githubusercontent.com

flow	ioc
84	raw.githubusercontent.com
85	raw.githubusercontent.com
86	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

!WannaDecryptor!.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

!WannaDecryptor!.exetaskkill.exeWannaCry.exe!WannaDecryptor!.exe!WannaDecryptor!.execmd.execscript.execmd.exetaskkill.exeWannaCry.exeWannaCry.exeWannaCry.exeWannaCry.exe!WannaDecryptor!.execmd.exeWMIC.exeWannaCry.exetaskkill.exetaskkill.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

3700 taskkill.exe
756 taskkill.exe
3844 taskkill.exe
4608 taskkill.exe

pid	process
3700	taskkill.exe
756	taskkill.exe
3844	taskkill.exe
4608	taskkill.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	3700	taskkill.exe
Token: SeDebugPrivilege	3844	taskkill.exe
Token: SeDebugPrivilege	4608	taskkill.exe
Token: SeDebugPrivilege	756	taskkill.exe
Token: SeIncreaseQuotaPrivilege	6044	WMIC.exe
Token: SeSecurityPrivilege	6044	WMIC.exe
Token: SeTakeOwnershipPrivilege	6044	WMIC.exe
Token: SeLoadDriverPrivilege	6044	WMIC.exe
Token: SeSystemProfilePrivilege	6044	WMIC.exe
Token: SeSystemtimePrivilege	6044	WMIC.exe
Token: SeProfSingleProcessPrivilege	6044	WMIC.exe
Token: SeIncBasePriorityPrivilege	6044	WMIC.exe
Token: SeCreatePagefilePrivilege	6044	WMIC.exe
Token: SeBackupPrivilege	6044	WMIC.exe
Token: SeRestorePrivilege	6044	WMIC.exe
Token: SeShutdownPrivilege	6044	WMIC.exe
Token: SeDebugPrivilege	6044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6044	WMIC.exe
Token: SeRemoteShutdownPrivilege	6044	WMIC.exe
Token: SeUndockPrivilege	6044	WMIC.exe
Token: SeManageVolumePrivilege	6044	WMIC.exe
Token: 33	6044	WMIC.exe
Token: 34	6044	WMIC.exe
Token: 35	6044	WMIC.exe
Token: 36	6044	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6044	WMIC.exe
Token: SeSecurityPrivilege	6044	WMIC.exe
Token: SeTakeOwnershipPrivilege	6044	WMIC.exe
Token: SeLoadDriverPrivilege	6044	WMIC.exe
Token: SeSystemProfilePrivilege	6044	WMIC.exe
Token: SeSystemtimePrivilege	6044	WMIC.exe
Token: SeProfSingleProcessPrivilege	6044	WMIC.exe
Token: SeIncBasePriorityPrivilege	6044	WMIC.exe
Token: SeCreatePagefilePrivilege	6044	WMIC.exe
Token: SeBackupPrivilege	6044	WMIC.exe
Token: SeRestorePrivilege	6044	WMIC.exe
Token: SeShutdownPrivilege	6044	WMIC.exe
Token: SeDebugPrivilege	6044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6044	WMIC.exe
Token: SeRemoteShutdownPrivilege	6044	WMIC.exe
Token: SeUndockPrivilege	6044	WMIC.exe
Token: SeManageVolumePrivilege	6044	WMIC.exe
Token: 33	6044	WMIC.exe
Token: 34	6044	WMIC.exe
Token: 35	6044	WMIC.exe
Token: 36	6044	WMIC.exe
Token: SeBackupPrivilege	3844	vssvc.exe
Token: SeRestorePrivilege	3844	vssvc.exe
Token: SeAuditPrivilege	3844	vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

!WannaDecryptor!.exe

pid process

5956 !WannaDecryptor!.exe

pid	process
5956	!WannaDecryptor!.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid	process
3408	!WannaDecryptor!.exe
3408	!WannaDecryptor!.exe
5808	!WannaDecryptor!.exe
5808	!WannaDecryptor!.exe
5876	!WannaDecryptor!.exe
5876	!WannaDecryptor!.exe
5956	!WannaDecryptor!.exe
5956	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

WannaCry.execmd.execmd.exe!WannaDecryptor!.execmd.exe

description	pid	process	target process
PID 2596 wrote to memory of 2184	2596	WannaCry.exe	cmd.exe
PID 2596 wrote to memory of 2184	2596	WannaCry.exe	cmd.exe
PID 2596 wrote to memory of 2184	2596	WannaCry.exe	cmd.exe
PID 2184 wrote to memory of 4608	2184	cmd.exe	cscript.exe
PID 2184 wrote to memory of 4608	2184	cmd.exe	cscript.exe
PID 2184 wrote to memory of 4608	2184	cmd.exe	cscript.exe
PID 2596 wrote to memory of 3408	2596	WannaCry.exe	!WannaDecryptor!.exe
PID 2596 wrote to memory of 3408	2596	WannaCry.exe	!WannaDecryptor!.exe
PID 2596 wrote to memory of 3408	2596	WannaCry.exe	!WannaDecryptor!.exe
PID 2596 wrote to memory of 3700	2596	WannaCry.exe	taskkill.exe
PID 2596 wrote to memory of 3700	2596	WannaCry.exe	taskkill.exe
PID 2596 wrote to memory of 3700	2596	WannaCry.exe	taskkill.exe
PID 2596 wrote to memory of 756	2596	WannaCry.exe	taskkill.exe
PID 2596 wrote to memory of 756	2596	WannaCry.exe	taskkill.exe
PID 2596 wrote to memory of 756	2596	WannaCry.exe	taskkill.exe
PID 2596 wrote to memory of 4608	2596	WannaCry.exe	taskkill.exe
PID 2596 wrote to memory of 4608	2596	WannaCry.exe	taskkill.exe
PID 2596 wrote to memory of 4608	2596	WannaCry.exe	taskkill.exe
PID 2596 wrote to memory of 3844	2596	WannaCry.exe	taskkill.exe
PID 2596 wrote to memory of 3844	2596	WannaCry.exe	taskkill.exe
PID 2596 wrote to memory of 3844	2596	WannaCry.exe	taskkill.exe
PID 2596 wrote to memory of 5808	2596	WannaCry.exe	!WannaDecryptor!.exe
PID 2596 wrote to memory of 5808	2596	WannaCry.exe	!WannaDecryptor!.exe
PID 2596 wrote to memory of 5808	2596	WannaCry.exe	!WannaDecryptor!.exe
PID 2596 wrote to memory of 5820	2596	WannaCry.exe	cmd.exe
PID 2596 wrote to memory of 5820	2596	WannaCry.exe	cmd.exe
PID 2596 wrote to memory of 5820	2596	WannaCry.exe	cmd.exe
PID 5820 wrote to memory of 5876	5820	cmd.exe	!WannaDecryptor!.exe
PID 5820 wrote to memory of 5876	5820	cmd.exe	!WannaDecryptor!.exe
PID 5820 wrote to memory of 5876	5820	cmd.exe	!WannaDecryptor!.exe
PID 2596 wrote to memory of 5956	2596	WannaCry.exe	!WannaDecryptor!.exe
PID 2596 wrote to memory of 5956	2596	WannaCry.exe	!WannaDecryptor!.exe
PID 2596 wrote to memory of 5956	2596	WannaCry.exe	!WannaDecryptor!.exe
PID 5876 wrote to memory of 6060	5876	!WannaDecryptor!.exe	cmd.exe
PID 5876 wrote to memory of 6060	5876	!WannaDecryptor!.exe	cmd.exe
PID 5876 wrote to memory of 6060	5876	!WannaDecryptor!.exe	cmd.exe
PID 6060 wrote to memory of 6044	6060	cmd.exe	WMIC.exe
PID 6060 wrote to memory of 6044	6060	cmd.exe	WMIC.exe
PID 6060 wrote to memory of 6044	6060	cmd.exe	WMIC.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe
1⤵
PID:2824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4628,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=3896 /prefetch:1
1⤵
PID:4868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4772,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:1
1⤵
PID:4520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4812,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=5444 /prefetch:8
1⤵
PID:2464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5396,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=5472 /prefetch:8
1⤵
PID:1752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5896,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=5824 /prefetch:8
1⤵
PID:3316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=6212,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=6244 /prefetch:8
1⤵
PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=6220,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=6228 /prefetch:1
1⤵
PID:3252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=5032,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=3788 /prefetch:1
1⤵
PID:2252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=5440,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=5568 /prefetch:8
1⤵
PID:3268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --field-trial-handle=5712,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=5472 /prefetch:8
1⤵
PID:556

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 126951723258969.bat
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\SysWOW64\cscript.exe
cscript //nologo c.vbs
3⤵
- System Location Discovery: System Language Discovery
PID:4608

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe f
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3408

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MSExchange*
2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3700

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Microsoft.Exchange.*
2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlserver.exe
2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlwriter.exe
2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe c
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5808

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe v
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5820

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe v
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5876

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:6060

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:6044

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=6260,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=6504 /prefetch:8
1⤵
PID:2044

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:820

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3708

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:6012

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5180

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5724

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
c125b1bd1bfb28a686afecfaa1324b53

SHA1
ead3d6299bda67298dc374c0b1b97faf72c56c79

SHA256
b283543add88425b9a55b98b695fbb0c2b51324c0aaf0d1231a95605908dd2c2

SHA512
1f66b99286a0e3591316b1e0da7fc20d7170d59b314321a4d17784776584719315b31c2a822f6742233a0e497fe7321ccbebabb0668a371c080be7abe85c1447

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
989b2368eac054338e8518dfb3deef15

SHA1
fb6e13d049c8fadb221599e8b4bb39a5196d735c

SHA256
f6bb8ce13024b0e41a4c7fd83985ca5456e9f956a057166d8a479f6142b83e5c

SHA512
0de28a05e58fceabb1f1d3cbf5f34d9789ebbdbebe517d0a84d316c537fe83930a08ad29b66124f4441b671dbcce885ebb9f642aaeebcb192c60ca8cf9c0ba11

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
4205305517796f714c7237cfb49b321d

SHA1
1bf92128de9875347a7b6744287af86a6cb044be

SHA256
70c9a45b457c59ba9fc06fb010996aa0604ce5b6bb6e66a2fe6cfa5f0c646d76

SHA512
4bef3028076c014e60d376eb95715f8745ead5b9668aabc72ee3fc85d679577eaf4a6ef5139c12e468129ceeea87a12031f45c603ee861382f7c528c59c7a883

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
e56cc1ed03e166b10f4067fa85f0e21a

SHA1
5768a9f3fed51f91d3862f9d1014fb3ad85ab2e6

SHA256
002b05cdb42c336ea5cfb20dd9ec51320e85b9f7c102ddd8ed1d19cc239881c8

SHA512
481f0fb76e275dac0e579373551d1aec6008fa8e132a44ecae2f63275638533afa5b93fc6d2b240e502d75a4f250b730489c2fc40de5763d0ef5582728ecc802

Download Submit
C:\Users\Admin\Downloads\126951723258969.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
a2baf72273106e55b3d0eed3e91ba21f

SHA1
12a9356f570e14092bc5d0cc983ee11793df5ccc

SHA256
77100795326165c8d33b6a09f4d42cb8b9a6846eea7fb1b98dd823600dc7e325

SHA512
2c5becf84d7bec1f238a96a240554ab5c4dbb8bc2865c2c7e38775c4ac9ebb43c8dc170f01725fb422706e111c866045b3a82c0865403cfdc5ffc3971c20bc23

Download Submit
C:\Users\Admin\Downloads\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\r.wry

Filesize
729B

MD5
880e6a619106b3def7e1255f67cb8099

SHA1
8b3a90b2103a92d9facbfb1f64cb0841d97b4de7

SHA256
c9e9dc06f500ae39bfeb4671233cc97bb6dab58d97bb94aba4a2e0e509418d35

SHA512
c35ca30e0131ae4ee3429610ce4914a36b681d2c406f67816f725aa336969c2996347268cb3d19c22abaa4e2740ae86f4210b872610a38b4fa09ee80fcf36243

Download Submit
C:\Users\Admin\Downloads\t.wry

Filesize
68KB

MD5
5557ee73699322602d9ae8294e64ce10

SHA1
1759643cf8bfd0fb8447fd31c5b616397c27be96

SHA256
a7dd727b4e0707026186fcab24ff922da50368e1a4825350bd9c4828c739a825

SHA512
77740de21603fe5dbb0d9971e18ec438a9df7aaa5cea6bd6ef5410e0ab38a06ce77fbaeb8fc68e0177323e6f21d0cee9410e21b7e77e8d60cc17f7d93fdb3d5e

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/2596-7-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download