Malware Analysis Report

2024-10-23 19:52

Sample ID 240926-sxwqxaxfkf
Target 2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry
SHA256 9d898d6795f3d5cab2fbdb217d24d7504d7da4e67c7ed41e9c1468e49f96de00
Tags
chaos ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9d898d6795f3d5cab2fbdb217d24d7504d7da4e67c7ed41e9c1468e49f96de00

Threat Level: Known bad

The file 2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry was found to be: Known bad.

Malicious Activity Summary

chaos ransomware spyware stealer

Chaos Ransomware

Chaos family

Chaos

Reads user/profile data of web browsers

Executes dropped EXE

Drops startup file

Checks computer location settings

Drops desktop.ini file(s)

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Opens file in notepad (likely ransom note)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-26 15:30

Signatures

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Chaos family

chaos

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-26 15:30

Reported

2024-09-26 15:33

Platform

win7-20240704-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3434294380-2554721341-1919518612-1000\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Enumerates physical storage devices

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe

"C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt

Network

N/A

Files

memory/2732-0-0x000007FEF5D83000-0x000007FEF5D84000-memory.dmp

memory/2732-1-0x0000000000920000-0x000000000092C000-memory.dmp

memory/2732-2-0x000007FEF5D83000-0x000007FEF5D84000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 a1a903c5a6cb70282502e31c0a5baab7
SHA1 0a452c52690ed627a3f072d372454b3e8f6ce73a
SHA256 9d898d6795f3d5cab2fbdb217d24d7504d7da4e67c7ed41e9c1468e49f96de00
SHA512 f8b48b0a04f8bbf6f9a63999ad1ded375ace71bb432c18f421c5832ccf65984bab876af4220212a40e45596c9f3fdcc0c5ef8a0facf4a401a54617c7cda53559

memory/2708-8-0x0000000000270000-0x000000000027C000-memory.dmp

C:\Users\Admin\Desktop\read_it.txt

MD5 f3467a18bc9bff5d1fa6fde886434b25
SHA1 a99e70caecf250cbb3b99407225305dd13a5c397
SHA256 214e91de820244192eba3647e738b19807fd67cdb7c63cabbcdc17c8de03e783
SHA512 cdd9b1f4037e8e2f111b0331666dfdcf33a7a86c075b548148608e2c6410eda510afe4817b3375b0d6acb0e923c9e54b359226d538f8b74db921eac70b8fe840

memory/2708-18-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

memory/2708-83-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

memory/2708-84-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-26 15:30

Reported

2024-09-26 15:33

Platform

win10v2004-20240802-en

Max time kernel

97s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe

"C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/4700-0-0x00007FFD8BFE3000-0x00007FFD8BFE5000-memory.dmp

memory/4700-1-0x0000000000710000-0x000000000071C000-memory.dmp

memory/4700-2-0x00007FFD8BFE3000-0x00007FFD8BFE5000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 a1a903c5a6cb70282502e31c0a5baab7
SHA1 0a452c52690ed627a3f072d372454b3e8f6ce73a
SHA256 9d898d6795f3d5cab2fbdb217d24d7504d7da4e67c7ed41e9c1468e49f96de00
SHA512 f8b48b0a04f8bbf6f9a63999ad1ded375ace71bb432c18f421c5832ccf65984bab876af4220212a40e45596c9f3fdcc0c5ef8a0facf4a401a54617c7cda53559

memory/2580-15-0x00007FFD8BFE0000-0x00007FFD8CAA1000-memory.dmp

C:\Users\Admin\Desktop\read_it.txt

MD5 f3467a18bc9bff5d1fa6fde886434b25
SHA1 a99e70caecf250cbb3b99407225305dd13a5c397
SHA256 214e91de820244192eba3647e738b19807fd67cdb7c63cabbcdc17c8de03e783
SHA512 cdd9b1f4037e8e2f111b0331666dfdcf33a7a86c075b548148608e2c6410eda510afe4817b3375b0d6acb0e923c9e54b359226d538f8b74db921eac70b8fe840

memory/2580-69-0x00007FFD8BFE0000-0x00007FFD8CAA1000-memory.dmp