wannacry | be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

Analysis

max time kernel
65s
max time network
40s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
05-09-2024 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WannaCry.exe
Size

224KB
MD5

5c7fb0927db37372da25f270708103a2
SHA1

120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA256

be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SHA512

a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
SSDEEP

3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDBD54.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDBD5B.tmp	WannaCry.exe

Executes dropped EXE 4 IoCs

pid	Process
2152	!WannaDecryptor!.exe
4488	!WannaDecryptor!.exe
1532	!WannaDecryptor!.exe
2820	!WannaDecryptor!.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WannaCry.exe\" /r"	WannaCry.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
4676	taskkill.exe
1000	taskkill.exe
2524	taskkill.exe
1792	taskkill.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3052	msedge.exe
3052	msedge.exe
4368	msedge.exe
4368	msedge.exe
4984	msedge.exe
4984	msedge.exe
2164	identity_helper.exe
2164	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	4676	taskkill.exe
Token: SeDebugPrivilege	2524	taskkill.exe
Token: SeDebugPrivilege	1792	taskkill.exe
Token: SeDebugPrivilege	1000	taskkill.exe
Token: SeIncreaseQuotaPrivilege	712	WMIC.exe
Token: SeSecurityPrivilege	712	WMIC.exe
Token: SeTakeOwnershipPrivilege	712	WMIC.exe
Token: SeLoadDriverPrivilege	712	WMIC.exe
Token: SeSystemProfilePrivilege	712	WMIC.exe
Token: SeSystemtimePrivilege	712	WMIC.exe
Token: SeProfSingleProcessPrivilege	712	WMIC.exe
Token: SeIncBasePriorityPrivilege	712	WMIC.exe
Token: SeCreatePagefilePrivilege	712	WMIC.exe
Token: SeBackupPrivilege	712	WMIC.exe
Token: SeRestorePrivilege	712	WMIC.exe
Token: SeShutdownPrivilege	712	WMIC.exe
Token: SeDebugPrivilege	712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	712	WMIC.exe
Token: SeRemoteShutdownPrivilege	712	WMIC.exe
Token: SeUndockPrivilege	712	WMIC.exe
Token: SeManageVolumePrivilege	712	WMIC.exe
Token: 33	712	WMIC.exe
Token: 34	712	WMIC.exe
Token: 35	712	WMIC.exe
Token: 36	712	WMIC.exe
Token: SeIncreaseQuotaPrivilege	712	WMIC.exe
Token: SeSecurityPrivilege	712	WMIC.exe
Token: SeTakeOwnershipPrivilege	712	WMIC.exe
Token: SeLoadDriverPrivilege	712	WMIC.exe
Token: SeSystemProfilePrivilege	712	WMIC.exe
Token: SeSystemtimePrivilege	712	WMIC.exe
Token: SeProfSingleProcessPrivilege	712	WMIC.exe
Token: SeIncBasePriorityPrivilege	712	WMIC.exe
Token: SeCreatePagefilePrivilege	712	WMIC.exe
Token: SeBackupPrivilege	712	WMIC.exe
Token: SeRestorePrivilege	712	WMIC.exe
Token: SeShutdownPrivilege	712	WMIC.exe
Token: SeDebugPrivilege	712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	712	WMIC.exe
Token: SeRemoteShutdownPrivilege	712	WMIC.exe
Token: SeUndockPrivilege	712	WMIC.exe
Token: SeManageVolumePrivilege	712	WMIC.exe
Token: 33	712	WMIC.exe
Token: 34	712	WMIC.exe
Token: 35	712	WMIC.exe
Token: 36	712	WMIC.exe
Token: SeBackupPrivilege	2376	vssvc.exe
Token: SeRestorePrivilege	2376	vssvc.exe
Token: SeAuditPrivilege	2376	vssvc.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2152	!WannaDecryptor!.exe
2152	!WannaDecryptor!.exe
4488	!WannaDecryptor!.exe
4488	!WannaDecryptor!.exe
1532	!WannaDecryptor!.exe
1532	!WannaDecryptor!.exe
2820	!WannaDecryptor!.exe
2820	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 3848	2872	WannaCry.exe	81
PID 2872 wrote to memory of 3848	2872	WannaCry.exe	81
PID 2872 wrote to memory of 3848	2872	WannaCry.exe	81
PID 3848 wrote to memory of 4724	3848	cmd.exe	83
PID 3848 wrote to memory of 4724	3848	cmd.exe	83
PID 3848 wrote to memory of 4724	3848	cmd.exe	83
PID 2872 wrote to memory of 2152	2872	WannaCry.exe	84
PID 2872 wrote to memory of 2152	2872	WannaCry.exe	84
PID 2872 wrote to memory of 2152	2872	WannaCry.exe	84
PID 2872 wrote to memory of 1792	2872	WannaCry.exe	85
PID 2872 wrote to memory of 1792	2872	WannaCry.exe	85
PID 2872 wrote to memory of 1792	2872	WannaCry.exe	85
PID 2872 wrote to memory of 2524	2872	WannaCry.exe	86
PID 2872 wrote to memory of 2524	2872	WannaCry.exe	86
PID 2872 wrote to memory of 2524	2872	WannaCry.exe	86
PID 2872 wrote to memory of 1000	2872	WannaCry.exe	87
PID 2872 wrote to memory of 1000	2872	WannaCry.exe	87
PID 2872 wrote to memory of 1000	2872	WannaCry.exe	87
PID 2872 wrote to memory of 4676	2872	WannaCry.exe	88
PID 2872 wrote to memory of 4676	2872	WannaCry.exe	88
PID 2872 wrote to memory of 4676	2872	WannaCry.exe	88
PID 2872 wrote to memory of 4488	2872	WannaCry.exe	95
PID 2872 wrote to memory of 4488	2872	WannaCry.exe	95
PID 2872 wrote to memory of 4488	2872	WannaCry.exe	95
PID 2872 wrote to memory of 4028	2872	WannaCry.exe	96
PID 2872 wrote to memory of 4028	2872	WannaCry.exe	96
PID 2872 wrote to memory of 4028	2872	WannaCry.exe	96
PID 4028 wrote to memory of 1532	4028	cmd.exe	98
PID 4028 wrote to memory of 1532	4028	cmd.exe	98
PID 4028 wrote to memory of 1532	4028	cmd.exe	98
PID 2872 wrote to memory of 2820	2872	WannaCry.exe	100
PID 2872 wrote to memory of 2820	2872	WannaCry.exe	100
PID 2872 wrote to memory of 2820	2872	WannaCry.exe	100
PID 1532 wrote to memory of 2184	1532	!WannaDecryptor!.exe	101
PID 1532 wrote to memory of 2184	1532	!WannaDecryptor!.exe	101
PID 1532 wrote to memory of 2184	1532	!WannaDecryptor!.exe	101
PID 2184 wrote to memory of 712	2184	cmd.exe	103
PID 2184 wrote to memory of 712	2184	cmd.exe	103
PID 2184 wrote to memory of 712	2184	cmd.exe	103
PID 2820 wrote to memory of 4368	2820	!WannaDecryptor!.exe	106
PID 2820 wrote to memory of 4368	2820	!WannaDecryptor!.exe	106
PID 4368 wrote to memory of 928	4368	msedge.exe	107
PID 4368 wrote to memory of 928	4368	msedge.exe	107
PID 4368 wrote to memory of 420	4368	msedge.exe	108
PID 4368 wrote to memory of 420	4368	msedge.exe	108
PID 4368 wrote to memory of 420	4368	msedge.exe	108
PID 4368 wrote to memory of 420	4368	msedge.exe	108
PID 4368 wrote to memory of 420	4368	msedge.exe	108
PID 4368 wrote to memory of 420	4368	msedge.exe	108
PID 4368 wrote to memory of 420	4368	msedge.exe	108
PID 4368 wrote to memory of 420	4368	msedge.exe	108
PID 4368 wrote to memory of 420	4368	msedge.exe	108
PID 4368 wrote to memory of 420	4368	msedge.exe	108
PID 4368 wrote to memory of 420	4368	msedge.exe	108
PID 4368 wrote to memory of 420	4368	msedge.exe	108
PID 4368 wrote to memory of 420	4368	msedge.exe	108
PID 4368 wrote to memory of 420	4368	msedge.exe	108
PID 4368 wrote to memory of 420	4368	msedge.exe	108
PID 4368 wrote to memory of 420	4368	msedge.exe	108
PID 4368 wrote to memory of 420	4368	msedge.exe	108
PID 4368 wrote to memory of 420	4368	msedge.exe	108
PID 4368 wrote to memory of 420	4368	msedge.exe	108
PID 4368 wrote to memory of 420	4368	msedge.exe	108
PID 4368 wrote to memory of 420	4368	msedge.exe	108

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\WannaCry.exe
"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 40091725576303.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3848
- - C:\Windows\SysWOW64\cscript.exe
    cscript //nologo c.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4724
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe f
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2152
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSExchange*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Microsoft.Exchange.*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlserver.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1000
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlwriter.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4676
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe c
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4488
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b !WannaDecryptor!.exe v
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
    !WannaDecryptor!.exe v
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2184
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:712
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.btcfrog.com/qr/bitcoinPNG.php?address=15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff917ce3cb8,0x7ff917ce3cc8,0x7ff917ce3cd8
      4⤵
      PID:928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,11299137231145005209,12054459614462251527,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
      4⤵
      PID:420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,11299137231145005209,12054459614462251527,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3052
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,11299137231145005209,12054459614462251527,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
      4⤵
      PID:4412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,11299137231145005209,12054459614462251527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
      4⤵
      PID:4752
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,11299137231145005209,12054459614462251527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
      4⤵
      PID:3392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1936,11299137231145005209,12054459614462251527,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,11299137231145005209,12054459614462251527,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2164
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,11299137231145005209,12054459614462251527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
      4⤵
      PID:3216
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,11299137231145005209,12054459614462251527,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
      4⤵
      PID:4216
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,11299137231145005209,12054459614462251527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
      4⤵
      PID:332
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,11299137231145005209,12054459614462251527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
      4⤵
      PID:3116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,11299137231145005209,12054459614462251527,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
      4⤵
      PID:2452
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,11299137231145005209,12054459614462251527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
      4⤵
      PID:2112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,11299137231145005209,12054459614462251527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
      4⤵
      PID:4680

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3840

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\9cbf8bde-ede5-437f-bd63-24f5032b8723.tmp

Filesize
10KB

MD5
b36ac21068586fca74d66e37200ceb1e

SHA1
ee1b41eaed7a28b6a34564e8b80e31ad05dfcc92

SHA256
abed400ae382d68668e3f1e8069ddec2b79d0a73913ae64b39d30118d5cca449

SHA512
5c7cd8ad581402011e60a526268226f805d3f897b40f73c125d58bb0d4a8726b7a63ac43089680c7ec64db25d461c6f8e9b231bf11346aa0e4bfb9e1144e44d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
03a56f81ee69dd9727832df26709a1c9

SHA1
ab6754cc9ebd922ef3c37b7e84ff20e250cfde3b

SHA256
65d97e83b315d9140f3922b278d08352809f955e2a714fedfaea6283a5300e53

SHA512
e9915f11e74c1bcf7f80d1bcdc8175df820af30f223a17c0fe11b6808e5a400550dcbe59b64346b7741c7c77735abefaf2c988753e11d086000522a05a0f7781

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d30a5618854b9da7bcfc03aeb0a594c4

SHA1
7f37105d7e5b1ecb270726915956c2271116eab7

SHA256
3494c446aa3cb038f1d920b26910b7fe1f4286db78cb3f203ad02cb93889c1a8

SHA512
efd488fcd1729017a596ddd2950bff07d5a11140cba56ff8e0c62ef62827b35c22857bc4f5f5ea11ccc2e1394c0b3ee8651df62a25e66710f320e7a2cf4d1a77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
211KB

MD5
e7226392c938e4e604d2175eb9f43ca1

SHA1
2098293f39aa0bcdd62e718f9212d9062fa283ab

SHA256
d46ec08b6c29c4ca56cecbf73149cc66ebd902197590fe28cd65dad52a08c4e1

SHA512
63a4b99101c790d40a813db9e0d5fde21a64ccaf60a6009ead027920dbbdb52cc262af829e5c4140f3702a559c7ac46efa89622d76d45b4b49a9ce01625ef145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
672B

MD5
9e911748e9f9454b30ba617055eeda74

SHA1
e7432622f7b00ea9bc4772915ff3b1514a333f35

SHA256
9384d24cfbb1d36d1eee02530e4856943d0dd179923cf805527082d924dd95ac

SHA512
98776041cbebed5aab2265d225a03445dcaceebebe78b56c32a52c0e1769e49e364c1ee4a57b1189856a5435c5049026ed10bebe5b825de52939dbc5dee2412e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
f9d26284f05ed1e2389d8dd704250944

SHA1
5a6319b0d32a9ec11e0b6498fe123ca6bb741ef2

SHA256
b1a5a5600182e7c8de22fb8055e3a19bc5c92bfe7c97da02622e1ceee6d0588f

SHA512
59e644c8ef7c67804d071e405da6eba449ec3833e8f14e939640f335ee269ef4ab16dc07f39b2ea8541af5feb4f365532cc7606e0f070dea780b618bcfbfd8c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
2dfa75501a1f4bea330e2bb72df6e69f

SHA1
6cb4b49ad598b335b6046a1a244d1596971e0dec

SHA256
6082de3c8b7c9a5d6a7fe939ade35b9533755543af10419b3f5b65ffb96004ee

SHA512
360c0f9738f94efc1e333e4b1d709a7613b4fb53cbd7d5d8579e767299eab34eb9e08aca43b9c86aec34081b33c9d251d2da940c1ae0eca7713e2f8b8242ef33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
62c36cb3bea54b51d5507839d23c1ab9

SHA1
15b831302d08ffa32ee0a8d367c31ecfd4f7aca6

SHA256
fdbb8a25bf881f8d119b0c4abebc41aac371a5313fcca6d4b6290d29bf459091

SHA512
6cc4f300f1beb94e9aefe627d15d19be420617c5f652e53ef630eb0bf71a61634d7910f8605495d00fad111782ecb9bf457ea153f55ca90c95969f7143dde2a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d253f0a13fd8c09b51b5c39a4e68452c

SHA1
481adcc3736acf9e707ef230727018b2c1e67fa6

SHA256
9bf25c1513e54f7b6fe37f5ecf555579f57d55208480402c63ea5cb205ecdf07

SHA512
fcbe581725cbda1cd74892180684e1381c611da91892afcd3f3836e93c65b00ce8ae3f78a9ec51decb579f6e7df65480bf029c99f4b9b52315c25e717e97b7dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

Filesize
1KB

MD5
bb60ffb8f2fc7edda8c0d38f623523f0

SHA1
1dbc09143033f9a76ecbf8f7c8e7ca61c1d6d195

SHA256
92d79ce71cff54a8c97c6c471bf6494d889e9e60ec7bb331d8d2cc91092e2765

SHA512
22c8242b539c56c5f089398105437874b5a59ede79168bce957f1f0b4012d6cec73f275484006683beef315a7464ec84b26e2f21dec724b8b25656c96832fd6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.eky

Filesize
1KB

MD5
75adfaca294fcdd05d0ae0116de21cd3

SHA1
b932d34b8ecdf558244e4ca9d652e5fd7c5017dd

SHA256
95c94db078f906933ccac3097b4b6152498d843dd4398f14171ff3af8a9de3b1

SHA512
09a3fbd01714b75df5b2ee583ec0f4a7985b9752e041618025b9e191cfbee5609f78b6d6c0642c5bf0da9c9d2f24419d89308c9e39affd0064118bf69f232428

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
e52ecc9e94b6a46eb32a7c99e8e59098

SHA1
17c8036eb4dfdf9399ccac45165f6dcfd460f63e

SHA256
92e75b4102bec9af43f27f28c54bc913ab139a906dc70c1935d4821715ba1c90

SHA512
df6a0606be86bd825630248d651e276ac0c1d8e2638e9a11665ae182b4401b440c90e8f93ea240bfe33c90cbd7b8031f3f8299878b9333da2c9e3ce06aa7266b

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
d354d59ad68ec7af20e63b8db63b0bd1

SHA1
2aeac542b8bcd201a3d27d32b041a02ae8d316a8

SHA256
ee110c26133586a5d32dd110ae6e54eeb634965c3793a1f67950b6d80a01949e

SHA512
7397dea4628c70ffe9c30bdb917e069f28b5edd89d285636501df1914a5a22b3c2f090764e804e114708ccd582df63839a7143cbc508dc2de7dfffdcf3f75b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
69de2270301e132646df099611d79895

SHA1
aa32c30f5c4aa28f1bf58514044914a57705b3a5

SHA256
828ccf2927af408ad3027c531165840358697f45640c5f90542c0c429c4dcb92

SHA512
c78afe4733af80e2bd4a97deb67e9f27fe2d75b53eac6fa6a8a396e0613e20280b10c43a466f3ed5ad1fc0209801793b8c98fd0e96f820adcf389ed85ee19a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
cc5c9d02653e0622e7b71078458df7f8

SHA1
c9a11c6f6f8fbe6e02796d884d6c1807435e5907

SHA256
07381a16fe6723878642ca351022bf7d373d1cb0e2db1b5f115c055697b8357d

SHA512
2575a54ced639553da7f92df3d3b9559839c2c9f83a172e52b4abf7a2eb18c54e197a4bbe2f45fa9e115950450ee507d64164b864cafe2839ae0188674542d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\40091725576303.bat

Filesize
336B

MD5
3540e056349c6972905dc9706cd49418

SHA1
492c20442d34d45a6d6790c720349b11ec591cde

SHA256
73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

SHA512
c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.vbs

Filesize
219B

MD5
5f6d40ca3c34b470113ed04d06a88ff4

SHA1
50629e7211ae43e32060686d6be17ebd492fd7aa

SHA256
0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

SHA512
4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry

Filesize
628B

MD5
903727dd27bc73a911e2c73817487bad

SHA1
c0553a1e9956ed24d1eccc2a1d035e52e4709ef5

SHA256
54d98f0a1ff5ef5c1c1fa2cd83ad7fef15399a9e53a0316cbb80ae41b0db8737

SHA512
dad947f3edf94384398ae9716d0314c26f424c627dc09441b434664a0400e844ae5a0b0f4ebc8e8714e84e09509830b49d6aaa3224002ef61c0eb1975577e4e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/2872-6-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download