Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-09-2024 03:08
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://hypeddit.com/extremest/extremestdeadlyvirus
Resource
win10v2004-20240802-en
General
Target: https://hypeddit.com/extremest/extremestdeadlyvirus
Malware Config
Extracted
C:\Users\Admin\Downloads\!Please Read Me!.txt
wannacry
15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 2 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD829D.tmp | WannaCry.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD8286.tmp | WannaCry.exe
Executes dropped EXE 4 IoCs
pid | Process
3616 | !WannaDecryptor!.exe
3860 | !WannaDecryptor!.exe
1984 | !WannaDecryptor!.exe
3660 | !WannaDecryptor!.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r" | WannaCry.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow | ioc
356 | raw.githubusercontent.com
357 | raw.githubusercontent.com
358 | raw.githubusercontent.com
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" | !WannaDecryptor!.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | !WannaDecryptor!.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | !WannaDecryptor!.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WMIC.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WannaCry.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | !WannaDecryptor!.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | !WannaDecryptor!.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Kills process with taskkill 4 IoCs
pid | Process
3392 | taskkill.exe
4340 | taskkill.exe
3124 | taskkill.exe
2264 | taskkill.exe
Modifies data under HKEY_USERS 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133712754002564082" | msedge.exe
Modifies registry class 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{4A809610-9541-4BD0-9FA0-C244EDF04EA4} | msedge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
Suspicious behavior: LoadsDriver 6 IoCs
pid | Process
4 | Process not Found
4 | Process not Found
4 | Process not Found
4 | Process not Found
4 | Process not Found
660 | Process not Found
Suspicious use of AdjustPrivilegeToken 51 IoCs
description | pid | Process
Token: 33 | 3336 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 3336 | AUDIODG.EXE
Token: SeDebugPrivilege | 2264 | taskkill.exe
Token: SeDebugPrivilege | 4340 | taskkill.exe
Token: SeDebugPrivilege | 3124 | taskkill.exe
Token: SeDebugPrivilege | 3392 | taskkill.exe
Token: SeIncreaseQuotaPrivilege | 3984 | WMIC.exe
Token: SeSecurityPrivilege | 3984 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 3984 | WMIC.exe
Token: SeLoadDriverPrivilege | 3984 | WMIC.exe
Token: SeSystemProfilePrivilege | 3984 | WMIC.exe
Token: SeSystemtimePrivilege | 3984 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 3984 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 3984 | WMIC.exe
Token: SeCreatePagefilePrivilege | 3984 | WMIC.exe
Token: SeBackupPrivilege | 3984 | WMIC.exe
Token: SeRestorePrivilege | 3984 | WMIC.exe
Token: SeShutdownPrivilege | 3984 | WMIC.exe
Token: SeDebugPrivilege | 3984 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 3984 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 3984 | WMIC.exe
Token: SeUndockPrivilege | 3984 | WMIC.exe
Token: SeManageVolumePrivilege | 3984 | WMIC.exe
Token: 33 | 3984 | WMIC.exe
Token: 34 | 3984 | WMIC.exe
Token: 35 | 3984 | WMIC.exe
Token: 36 | 3984 | WMIC.exe
(the same 21 token entries for 3984 WMIC.exe are recorded a second time, in the same order)
Token: SeBackupPrivilege | 1044 | vssvc.exe
Token: SeRestorePrivilege | 1044 | vssvc.exe
Token: SeAuditPrivilege | 1044 | vssvc.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
3660 | !WannaDecryptor!.exe
Suspicious use of SetWindowsHookEx 8 IoCs
pid | Process
3616 | !WannaDecryptor!.exe
3616 | !WannaDecryptor!.exe
3860 | !WannaDecryptor!.exe
3860 | !WannaDecryptor!.exe
1984 | !WannaDecryptor!.exe
1984 | !WannaDecryptor!.exe
3660 | !WannaDecryptor!.exe
3660 | !WannaDecryptor!.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2284 wrote to memory of 4620 | 2284 | WannaCry.exe | 125 (recorded 3 times)
PID 4620 wrote to memory of 3644 | 4620 | cmd.exe | 127 (recorded 3 times)
PID 2284 wrote to memory of 3616 | 2284 | WannaCry.exe | 128 (recorded 3 times)
PID 2284 wrote to memory of 3392 | 2284 | WannaCry.exe | 129 (recorded 3 times)
PID 2284 wrote to memory of 4340 | 2284 | WannaCry.exe | 130 (recorded 3 times)
PID 2284 wrote to memory of 2264 | 2284 | WannaCry.exe | 131 (recorded 3 times)
PID 2284 wrote to memory of 3124 | 2284 | WannaCry.exe | 133 (recorded 3 times)
PID 2284 wrote to memory of 3860 | 2284 | WannaCry.exe | 138 (recorded 3 times)
PID 2284 wrote to memory of 1916 | 2284 | WannaCry.exe | 139 (recorded 3 times)
PID 1916 wrote to memory of 1984 | 1916 | cmd.exe | 141 (recorded 3 times)
PID 2284 wrote to memory of 3660 | 2284 | WannaCry.exe | 143 (recorded 3 times)
PID 4460 wrote to memory of 4816 | 4460 | msedge.exe | 145 (recorded 2 times)
PID 4460 wrote to memory of 4484 | 4460 | msedge.exe | 147 (recorded for the remaining 29 of the 64 entries)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(each entry: image path with PID, then its command line and the signatures it triggered; indentation shows parent/child depth in the process tree)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4028)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://hypeddit.com/extremest/extremestdeadlyvirus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3696)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=3660,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=2108 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4204)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --field-trial-handle=4296,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=4936 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 824)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5380,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=4504 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1348)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5384,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=5436 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1980)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5388,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=5864 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4220)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5808,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=5868 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3372)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5820,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=6200 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4052)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --field-trial-handle=6380,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=6388 /prefetch:8

C:\Windows\system32\AUDIODG.EXE (PID 3336)
  command line: C:\Windows\system32\AUDIODG.EXE 0x398 0x310
  signatures: Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1976)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --field-trial-handle=6608,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=6600 /prefetch:8
  signatures: Modifies registry class

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2596)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=6628,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=6700 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2764)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=5760,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=6224 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1136)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=5140,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=5088 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1544)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6740,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=6612 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4504)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --field-trial-handle=6232,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=6768 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 368)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --field-trial-handle=5992,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=5972 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2208)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --field-trial-handle=6252,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=6272 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3492)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --field-trial-handle=6732,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=6808 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2688)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --field-trial-handle=4936,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=6980 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4628)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=7088,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=7048 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4272)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=5864,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=7284 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2640)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --field-trial-handle=7236,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=7260 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2740)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=7660,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=7648 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1940)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=5412,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=5436 /prefetch:8
C:\Users\Admin\Downloads\WannaCry.exe (PID 2284)
  command line: "C:\Users\Admin\Downloads\WannaCry.exe"
  signatures: Drops startup file; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 4620)
    command line: C:\Windows\system32\cmd.exe /c 232861726801778.bat
    signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cscript.exe (PID 3644)
      command line: cscript //nologo c.vbs
      signatures: System Location Discovery: System Language Discovery

  C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 3616)
    command line: !WannaDecryptor!.exe f
    signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\taskkill.exe (PID 3392)
    command line: taskkill /f /im MSExchange*
    signatures: System Location Discovery: System Language Discovery; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\taskkill.exe (PID 4340)
    command line: taskkill /f /im Microsoft.Exchange.*
    signatures: System Location Discovery: System Language Discovery; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\taskkill.exe (PID 2264)
    command line: taskkill /f /im sqlserver.exe
    signatures: System Location Discovery: System Language Discovery; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\taskkill.exe (PID 3124)
    command line: taskkill /f /im sqlwriter.exe
    signatures: System Location Discovery: System Language Discovery; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 3860)
    command line: !WannaDecryptor!.exe c
    signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\cmd.exe (PID 1916)
    command line: cmd.exe /c start /b !WannaDecryptor!.exe v
    signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

    C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 1984)
      command line: !WannaDecryptor!.exe v
      signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

      C:\Windows\SysWOW64\cmd.exe (PID 1212)
        command line: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        signatures: System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 3984)
          command line: wmic shadowcopy delete
          signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 3660)
    command line: !WannaDecryptor!.exe
    signatures: Executes dropped EXE; Sets desktop wallpaper using registry; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4460)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  signatures: Enumerates system info in registry; Modifies data under HKEY_USERS; Modifies registry class; Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4816)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x238,0x23c,0x240,0x234,0x264,0x7ffe8db5d198,0x7ffe8db5d1a4,0x7ffe8db5d1b0

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4484)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2864,i,4440413223219652004,4062558906241245699,262144 --variations-seed-version --mojo-platform-channel-handle=2860 /prefetch:2

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4788)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1856,i,4440413223219652004,4062558906241245699,262144 --variations-seed-version --mojo-platform-channel-handle=2920 /prefetch:3

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4032)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2144,i,4440413223219652004,4062558906241245699,262144 --variations-seed-version --mojo-platform-channel-handle=3048 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1572)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4224,i,4440413223219652004,4062558906241245699,262144 --variations-seed-version --mojo-platform-channel-handle=4712 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1184)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4624,i,4440413223219652004,4062558906241245699,262144 --variations-seed-version --mojo-platform-channel-handle=4732 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5080)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=2476,i,4440413223219652004,4062558906241245699,262144 --variations-seed-version --mojo-platform-channel-handle=2840 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe (PID 1940)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe"

C:\Windows\system32\vssvc.exe (PID 1044)
  command line: C:\Windows\system32\vssvc.exe
  signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads