wannacry | be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

Analysis

max time kernel
293s
max time network
281s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WannaCry.exe
Size

224KB
MD5

5c7fb0927db37372da25f270708103a2
SHA1

120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA256

be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SHA512

a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
SSDEEP

3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDCB02.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDCB18.tmp	WannaCry.exe

Executes dropped EXE 11 IoCs

pid	Process
4464	!WannaDecryptor!.exe
2788	!WannaDecryptor!.exe
1272	!WannaDecryptor!.exe
1536	!WannaDecryptor!.exe
4196	!WannaDecryptor!.exe
5020	!WannaDecryptor!.exe
2240	!WannaDecryptor!.exe
4916	!WannaDecryptor!.exe
3232	!WannaDecryptor!.exe
3940	!WannaDecryptor!.exe
3648	!WannaDecryptor!.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WannaCry.exe\" /r"	WannaCry.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
1652	taskkill.exe
2356	taskkill.exe
1160	taskkill.exe
1404	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2844	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3012	msedge.exe
3012	msedge.exe
1288	msedge.exe
1288	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1288	msedge.exe
1288	msedge.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	1652	taskkill.exe
Token: SeDebugPrivilege	2356	taskkill.exe
Token: SeDebugPrivilege	1404	taskkill.exe
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4304	WMIC.exe
Token: SeSecurityPrivilege	4304	WMIC.exe
Token: SeTakeOwnershipPrivilege	4304	WMIC.exe
Token: SeLoadDriverPrivilege	4304	WMIC.exe
Token: SeSystemProfilePrivilege	4304	WMIC.exe
Token: SeSystemtimePrivilege	4304	WMIC.exe
Token: SeProfSingleProcessPrivilege	4304	WMIC.exe
Token: SeIncBasePriorityPrivilege	4304	WMIC.exe
Token: SeCreatePagefilePrivilege	4304	WMIC.exe
Token: SeBackupPrivilege	4304	WMIC.exe
Token: SeRestorePrivilege	4304	WMIC.exe
Token: SeShutdownPrivilege	4304	WMIC.exe
Token: SeDebugPrivilege	4304	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4304	WMIC.exe
Token: SeRemoteShutdownPrivilege	4304	WMIC.exe
Token: SeUndockPrivilege	4304	WMIC.exe
Token: SeManageVolumePrivilege	4304	WMIC.exe
Token: 33	4304	WMIC.exe
Token: 34	4304	WMIC.exe
Token: 35	4304	WMIC.exe
Token: 36	4304	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4304	WMIC.exe
Token: SeSecurityPrivilege	4304	WMIC.exe
Token: SeTakeOwnershipPrivilege	4304	WMIC.exe
Token: SeLoadDriverPrivilege	4304	WMIC.exe
Token: SeSystemProfilePrivilege	4304	WMIC.exe
Token: SeSystemtimePrivilege	4304	WMIC.exe
Token: SeProfSingleProcessPrivilege	4304	WMIC.exe
Token: SeIncBasePriorityPrivilege	4304	WMIC.exe
Token: SeCreatePagefilePrivilege	4304	WMIC.exe
Token: SeBackupPrivilege	4304	WMIC.exe
Token: SeRestorePrivilege	4304	WMIC.exe
Token: SeShutdownPrivilege	4304	WMIC.exe
Token: SeDebugPrivilege	4304	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4304	WMIC.exe
Token: SeRemoteShutdownPrivilege	4304	WMIC.exe
Token: SeUndockPrivilege	4304	WMIC.exe
Token: SeManageVolumePrivilege	4304	WMIC.exe
Token: 33	4304	WMIC.exe
Token: 34	4304	WMIC.exe
Token: 35	4304	WMIC.exe
Token: 36	4304	WMIC.exe
Token: SeBackupPrivilege	3828	vssvc.exe
Token: SeRestorePrivilege	3828	vssvc.exe
Token: SeAuditPrivilege	3828	vssvc.exe
Token: SeRestorePrivilege	1952	7zFM.exe
Token: 35	1952	7zFM.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
1536	!WannaDecryptor!.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1952	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
4464	!WannaDecryptor!.exe
4464	!WannaDecryptor!.exe
2788	!WannaDecryptor!.exe
2788	!WannaDecryptor!.exe
1272	!WannaDecryptor!.exe
1272	!WannaDecryptor!.exe
1536	!WannaDecryptor!.exe
1536	!WannaDecryptor!.exe
4196	!WannaDecryptor!.exe
5020	!WannaDecryptor!.exe
2240	!WannaDecryptor!.exe
4916	!WannaDecryptor!.exe
3232	!WannaDecryptor!.exe
3940	!WannaDecryptor!.exe
3648	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 1280	1712	WannaCry.exe	84
PID 1712 wrote to memory of 1280	1712	WannaCry.exe	84
PID 1712 wrote to memory of 1280	1712	WannaCry.exe	84
PID 1280 wrote to memory of 4884	1280	cmd.exe	87
PID 1280 wrote to memory of 4884	1280	cmd.exe	87
PID 1280 wrote to memory of 4884	1280	cmd.exe	87
PID 1712 wrote to memory of 4464	1712	WannaCry.exe	89
PID 1712 wrote to memory of 4464	1712	WannaCry.exe	89
PID 1712 wrote to memory of 4464	1712	WannaCry.exe	89
PID 1712 wrote to memory of 1652	1712	WannaCry.exe	90
PID 1712 wrote to memory of 1652	1712	WannaCry.exe	90
PID 1712 wrote to memory of 1652	1712	WannaCry.exe	90
PID 1712 wrote to memory of 2356	1712	WannaCry.exe	91
PID 1712 wrote to memory of 2356	1712	WannaCry.exe	91
PID 1712 wrote to memory of 2356	1712	WannaCry.exe	91
PID 1712 wrote to memory of 1160	1712	WannaCry.exe	92
PID 1712 wrote to memory of 1160	1712	WannaCry.exe	92
PID 1712 wrote to memory of 1160	1712	WannaCry.exe	92
PID 1712 wrote to memory of 1404	1712	WannaCry.exe	93
PID 1712 wrote to memory of 1404	1712	WannaCry.exe	93
PID 1712 wrote to memory of 1404	1712	WannaCry.exe	93
PID 1712 wrote to memory of 2788	1712	WannaCry.exe	105
PID 1712 wrote to memory of 2788	1712	WannaCry.exe	105
PID 1712 wrote to memory of 2788	1712	WannaCry.exe	105
PID 1712 wrote to memory of 2728	1712	WannaCry.exe	106
PID 1712 wrote to memory of 2728	1712	WannaCry.exe	106
PID 1712 wrote to memory of 2728	1712	WannaCry.exe	106
PID 2728 wrote to memory of 1272	2728	cmd.exe	108
PID 2728 wrote to memory of 1272	2728	cmd.exe	108
PID 2728 wrote to memory of 1272	2728	cmd.exe	108
PID 1712 wrote to memory of 1536	1712	WannaCry.exe	111
PID 1712 wrote to memory of 1536	1712	WannaCry.exe	111
PID 1712 wrote to memory of 1536	1712	WannaCry.exe	111
PID 1272 wrote to memory of 2192	1272	!WannaDecryptor!.exe	112
PID 1272 wrote to memory of 2192	1272	!WannaDecryptor!.exe	112
PID 1272 wrote to memory of 2192	1272	!WannaDecryptor!.exe	112
PID 2192 wrote to memory of 4304	2192	cmd.exe	114
PID 2192 wrote to memory of 4304	2192	cmd.exe	114
PID 2192 wrote to memory of 4304	2192	cmd.exe	114
PID 1536 wrote to memory of 1288	1536	!WannaDecryptor!.exe	118
PID 1536 wrote to memory of 1288	1536	!WannaDecryptor!.exe	118
PID 1288 wrote to memory of 4744	1288	msedge.exe	119
PID 1288 wrote to memory of 4744	1288	msedge.exe	119
PID 1288 wrote to memory of 3416	1288	msedge.exe	120
PID 1288 wrote to memory of 3416	1288	msedge.exe	120
PID 1288 wrote to memory of 3416	1288	msedge.exe	120
PID 1288 wrote to memory of 3416	1288	msedge.exe	120
PID 1288 wrote to memory of 3416	1288	msedge.exe	120
PID 1288 wrote to memory of 3416	1288	msedge.exe	120
PID 1288 wrote to memory of 3416	1288	msedge.exe	120
PID 1288 wrote to memory of 3416	1288	msedge.exe	120
PID 1288 wrote to memory of 3416	1288	msedge.exe	120
PID 1288 wrote to memory of 3416	1288	msedge.exe	120
PID 1288 wrote to memory of 3416	1288	msedge.exe	120
PID 1288 wrote to memory of 3416	1288	msedge.exe	120
PID 1288 wrote to memory of 3416	1288	msedge.exe	120
PID 1288 wrote to memory of 3416	1288	msedge.exe	120
PID 1288 wrote to memory of 3416	1288	msedge.exe	120
PID 1288 wrote to memory of 3416	1288	msedge.exe	120
PID 1288 wrote to memory of 3416	1288	msedge.exe	120
PID 1288 wrote to memory of 3416	1288	msedge.exe	120
PID 1288 wrote to memory of 3416	1288	msedge.exe	120
PID 1288 wrote to memory of 3416	1288	msedge.exe	120
PID 1288 wrote to memory of 3416	1288	msedge.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\WannaCry.exe
"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 161021725715938.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\SysWOW64\cscript.exe
    cscript //nologo c.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4884
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe f
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4464
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSExchange*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Microsoft.Exchange.*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2356
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlserver.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1160
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlwriter.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1404
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe c
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2788
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b !WannaDecryptor!.exe v
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
    !WannaDecryptor!.exe v
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1272
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2192
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4304
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.btcfrog.com/qr/bitcoinPNG.php?address=15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb9ad146f8,0x7ffb9ad14708,0x7ffb9ad14718
      4⤵
      PID:4744
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,1957769763119854718,1388195918898055703,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
      4⤵
      PID:3416
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,1957769763119854718,1388195918898055703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2496 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3012
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,1957769763119854718,1388195918898055703,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2988 /prefetch:8
      4⤵
      PID:4772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1957769763119854718,1388195918898055703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
      4⤵
      PID:1000
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1957769763119854718,1388195918898055703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
      4⤵
      PID:2836

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\!Please Read Me!.txt
1⤵
PID:3908

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3828

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5000

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\WatchDismount.wav.WCRY"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1952

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\InvokeDebug.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2844

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\d29e15f27b2949eabce4d421400f4511 /t 60 /p 2844
1⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
"C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4196

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
"C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5020

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
"C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2240

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
"C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4916

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
"C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3232

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
"C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3940

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
"C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
183B

MD5
6c5f27af7e423085ccd0ff73d2ceae17

SHA1
59ec81201b9f335cb0e53aee94605f93d8cc08e6

SHA256
c50ffe3315b9339798fc6689450ca668f48cf42687649830e257194e6899e6b3

SHA512
9651e989aed07128f9451cfab110598eb87913f258eadd3f5883dac2cf24c7cae5731575c15e1588bc8fa7ba4158b84790f37092a4fea437b9bc47b24f27a987

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5c6916627626cce689a8a7ba91c5503e

SHA1
ae35330a3fb3729c1907533c22e433338ddeeb33

SHA256
4a9835dece10412dc3e257978ba6f3c1fa7f59e37d3360a6ddadfecde5ea378a

SHA512
81e0749073626e1fb4fcb35a86f459bd9b83cdcb18ee131a66ec6800697432bb83a406315a753cd3dafa83bd6d575a9b313b0bf6c29f191cfac5484c2f165b72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
997eb704c850e278aafc711e9e64416c

SHA1
cee8f2070ab3913920d8f00f50fae6c3f9c7078e

SHA256
0e2f9d03b42885fd586f89622ae1faa29f1284cd31b7296f032b324758313abb

SHA512
d76f525f7c1323c28680cae4a53eaa657adf3cd1e058d22359f7db58ecc02c3734945f2997f425143c296e8340b0c40ce5fe34d5fcc25447a20f97e4b9e05b78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ff9719d7c5ec3eae08bbd8bc4b6bd524

SHA1
8d5b311749bd1658557b216157a84451ba9d09db

SHA256
93ee3f550707e459b88c844a1aaae80792ccba126459b4c5d0309beae7e167be

SHA512
3b7003d651092d1065bff6c974aa39d076f3173891ec8ab4071d4e043eaef735e36b95c2d3ac4a7bdb940c8b4583ac3695477c621b5c2f6bc0cfa38ecf00cf22

Download Submit
C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

Filesize
1KB

MD5
805a6cddcf8b63dc47446be367499ade

SHA1
7bd88024e64f541de20a1fd70a7f110f2604aeaf

SHA256
ce44b911529f046e463d5321519fe404837ef1b58a0789accdee12f814c2b089

SHA512
1ca692df6f29acdc99159f79d54506bd397b9dc55a0e0b5cb1422c4f0439b9777a8c1e996dd5b90026564fea01de5e84939cf10dc16450be752b3f3cf5d0132f

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.eky

Filesize
1KB

MD5
bc67002e93ce3cab0e6d783722f11b9f

SHA1
beb20688e1efc8502af0e6dc8ca66257825c8239

SHA256
e5dafda90f2f1f7cdd94ca08033ca00b065ec0c05495defdd1f461993ae26cb2

SHA512
3ad66aad060dead87ec7687adcf8ebc54a7cfdd4eb81ee7a60668e556f84fc66ece06081a45ba8b7bfba30eef668feb3364e7e293e09d8abe1f09da59a7c65a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
366b7b498906e5431b12d9ed0f6192cb

SHA1
2e2addefd45b5468ffc7331e6664be4ce5a3d6d3

SHA256
9f7efe0de9c15602a0d4c6a9fb4a78c76290ebac097484a11a2f493eeeabd887

SHA512
93344189e7840bd35bc798d692f90f8922bd4f65737a4f5819315363ff559d1fda53ee78ca97d6e960dcc7e27e2824d631cd5388dc2c7c93665502175cce1a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
0766e579bb58fef6a4701994286514fc

SHA1
f550d4d93e9d8d6d038dd09d0914821a48065f21

SHA256
2971e48e86135024e58b4a46e176c4b94e36a99bee95f75715122143652deb31

SHA512
1ab2ffe319287ba2b0c12508a9b25f522e709dbe94b293c40c7404bd021a70d32cc67779403cdc256d353aa6968cbcf29cee4f53fa02e9cfb19025d675a97654

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
a99d9e302589be66d09e2b2bd44a251f

SHA1
60715322d6d4cbf99533bb6fe01fd1f9aa9c863c

SHA256
f377b452119ed9c2d24309ec783eaf1f7405e41a7fde92caf541e4ea95b23d25

SHA512
3c212d35eed26620155e129eaf778acdab52ae4a7e1bb9154c149e6c9116b17bf85d3a533397e23d2d735859111ebe3067cbb214ec3439ce4d59854dc86c9cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
412a286fa42de8b4d24258a8591943bb

SHA1
25b95590fe504ff255f89c4b225d388452233525

SHA256
bf36cefb2839e5fe778ed516e64064ade2a2798a3a5c138de76ccb2b1f82203e

SHA512
49ce18cc9c06019c0896767daf09ff7448caabdaaf70a80459cf0e4fd3cb82d0d28fa81ae1b2921bc83d649477a96a8a7e084563c0a4058960496ae722e1abad

Download Submit
C:\Users\Admin\AppData\Local\Temp\161021725715938.bat

Filesize
336B

MD5
3540e056349c6972905dc9706cd49418

SHA1
492c20442d34d45a6d6790c720349b11ec591cde

SHA256
73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

SHA512
c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.vbs

Filesize
219B

MD5
5f6d40ca3c34b470113ed04d06a88ff4

SHA1
50629e7211ae43e32060686d6be17ebd492fd7aa

SHA256
0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

SHA512
4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry

Filesize
628B

MD5
e4fb8d8ae58db5798b9f94984d2dd65b

SHA1
8e4e62e72ec25cd3ea33dcaabb2f7c677f6ec3b6

SHA256
66f10dc480c637617ab19008dae5ec7343495a49b558710610856570470190e3

SHA512
6f9c195c92932c8e3d3f5583343e8f6e24c1012635bb30b70602429b30c9fdb6e5ba4111b9beb3e9bd0b37a034816ddd57c2137de67ac8346f840c92c5845be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\Desktop\WatchDismount.wav.WCRY

Filesize
533KB

MD5
df573ca887aff1da4447f2551596dd71

SHA1
037bc3092df83b6ed31bfa89b3fae38461df4161

SHA256
7815acc3cf2ec97173c2fb255d703eacf6ed82072efca4ed75dc2fc59be99eb5

SHA512
b2d1bdad3451c95208b8e5b77b462cde5c955bcd8994d7dd451a010012b6a8c9f170a29ad950add4142010a70dedbe397416ef69c1e661c45fbc3cf9dee069ea

Download Submit
memory/1712-6-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download