Analysis
-
max time kernel
397s -
max time network
398s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
03-10-2024 00:00
General
-
Target
https://hatching.io/blog/tt-2024-09-26/
Malware Config
Extracted
C:\Users\Admin\Downloads\!Please Read Me!.txt
wannacry
15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (564) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Downloads MZ/PE file
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 7 IoCs
-
Executes dropped EXE 10 IoCs
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Drops desktop.ini file(s) 64 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in System32 directory 2 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 3 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 4 IoCs
-
NTFS ADS 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 20 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://hatching.io/blog/tt-2024-09-26/1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff837233cb8,0x7ff837233cc8,0x7ff837233cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,887855538904608390,13834623904096191702,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1956 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1940,887855538904608390,13834623904096191702,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1940,887855538904608390,13834623904096191702,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,887855538904608390,13834623904096191702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,887855538904608390,13834623904096191702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1940,887855538904608390,13834623904096191702,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4628 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,887855538904608390,13834623904096191702,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,887855538904608390,13834623904096191702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,887855538904608390,13834623904096191702,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1940,887855538904608390,13834623904096191702,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3248 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,887855538904608390,13834623904096191702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,887855538904608390,13834623904096191702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,887855538904608390,13834623904096191702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,887855538904608390,13834623904096191702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,887855538904608390,13834623904096191702,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,887855538904608390,13834623904096191702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,887855538904608390,13834623904096191702,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,887855538904608390,13834623904096191702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,887855538904608390,13834623904096191702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,887855538904608390,13834623904096191702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,887855538904608390,13834623904096191702,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6456 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,887855538904608390,13834623904096191702,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\YouAreAnIdiot.exe"C:\Users\Admin\Downloads\YouAreAnIdiot.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 12483⤵
- Program crash
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,887855538904608390,13834623904096191702,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4912 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,887855538904608390,13834623904096191702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,887855538904608390,13834623904096191702,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6796 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,887855538904608390,13834623904096191702,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6976 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\CoronaVirus.exe"C:\Users\Admin\Downloads\CoronaVirus.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
-
C:\Windows\system32\mode.commode con cp select=12514⤵
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
-
C:\Windows\system32\mode.commode con cp select=12514⤵
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"3⤵
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"3⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,887855538904608390,13834623904096191702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:12⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,887855538904608390,13834623904096191702,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6992 /prefetch:82⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,887855538904608390,13834623904096191702,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 /prefetch:82⤵
- Executes dropped EXE
- Loads dropped DLL
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
-
-
C:\Users\Admin\Downloads\WannaCry.exe"C:\Users\Admin\Downloads\WannaCry.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 111741727913915.bat3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cscript.execscript //nologo c.vbs4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe f3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im MSExchange*3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Microsoft.Exchange.*3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sqlserver.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sqlwriter.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe c3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /b !WannaDecryptor!.exe v3⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe v4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe3⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 8 -ip 81⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\3bb9453f06fb4098ae133d8189aefdbe /t 20032 /p 200401⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\c09d058610eb4073beed88303f37e2d1 /t 20224 /p 202081⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
2Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
590B
MD56ac7c605c6f9edde9473b8ef62268af6
SHA11982d4056635a0263fb98b780a7819eebda5de73
SHA256fe5644273d5898e7b4a11b1e44f6772ddac0cb40163a0c739f339e1746741d00
SHA512601ae49110b34492433ffc7b9ba2bf3b25d7d7af70c6abe642e8b3699de3709f63d5b6ecbd780fc64acdfb5d0231240ac9b90f588cd3ef1b41dba6b7a8f84c68
-
Filesize
3.2MB
MD587535db25f6b2a302fa6680706978f03
SHA19c3c41eb16c31a00a96fedaafaacc25414a32041
SHA25696da59e21a6eac2c5a38a0b9cb964aee4afa12ae465fafd50162c78a2bba2ca2
SHA512e157d32025fa915520c00254b35016aca13a5b24791afb71fe8375b2c3a1b4e647fdd2598cd0c99cd3b0bdef614a8aa81b2a05d846263b2d71d97340ee951f65
-
Filesize
152B
MD5b4ae6009e2df12ce252d03722e8f4288
SHA144de96f65d69cbae416767040f887f68f8035928
SHA2567778069a1493fdb62e6326ba673f03d9a8f46bc0eea949aabbbbc00dcdaddf9d
SHA512bb810721e52c77793993470692bb2aab0466f13ed4576e4f4cfa6bc5fcfc59c13552299feb6dfd9642ea07b19a5513d90d0698d09ca1d15e0598133929c05fe1
-
Filesize
152B
MD54bf4b59c3deb1688a480f8e56aab059d
SHA1612c83e7027b3bfb0e9d2c9efad43c5318e731bb
SHA256867ab488aa793057395e9c10f237603cfb180689298871cdf0511132f9628c82
SHA5122ec6c89f9653f810e9f80f532abaff2a3c0276f6d299dce1b1eadf6a59e8072ed601a4f9835db25d4d2610482a00dd5a0852d0ef828678f5c5ed33fe64dddca9
-
Filesize
3KB
MD50920d3b340b5c1d70dff12ad54493ebb
SHA141ce9d92e940f3f7a7da5647f2f9a13766b707ed
SHA256ec7fce1cc0305bece205295f755d2820875a173e19dd7ed2337f292134352d0d
SHA5126511822ea109639b89d98fecb471f73c867a3e1a703d09ac2e0170bbb02731b3a367375b76b957b1b46d06b627f398f785d32ac7d66faca5f0ede05efeb03e25
-
Filesize
2KB
MD58b964296f3ffc0f0e8a7d946a1a5e728
SHA172071297d0c5a4f88c251474484e2be0fb9418e7
SHA256d6d3aafb3355bb658ce20d3fb413b575ee09b1b0322abf67c1da418bff82ee7b
SHA51264f2a9eec1d6492ef81119e1c4d1777b5ca3ad6a1961c5f3d715ac6f5e40f134055a78eec5081da8b9cf1baea6b0166dbeb13c1dae75fe0b2b3ed7eb4500e185
-
Filesize
2KB
MD58a537b5a68e954a7bfbea8f1573c238f
SHA13ab20cb63934176e3940981c16a74abd3d3ba436
SHA256e280a3434fab8693bc395debfba90f51d1dfce393bc237c830a7977be522f5b5
SHA51216345681d91a768ae573c028b384f278bad0a69108c7c32246fe2264f4dc396f1d270bd6ba77e24f3dabbf21551283fb6dcf4d35a40623e1e45a7b8b094f8e4c
-
Filesize
2KB
MD5ed6088fb0cedc90a1032a4835039bc03
SHA19a0d28d6e55bae876d09f0ee9b2b2ddb379573ad
SHA256504105d0b0fb77bd3922df0a1276fa40913fb1afef928e63031e27fecef9ea4e
SHA512003c1d50cb6682b4e2d9f705502354da3f3a74a08562163d33ea7cdcc1873ca0e0e1505828e1b01e3da08aef77926c4146afcd8e13e30d919c095a8611cde8b7
-
Filesize
5KB
MD566809ca2cf5f1eae420c2adc93981060
SHA1a6f148bc4bf6e1029794f93d317b3e499b212b22
SHA256218d6cddeef4cb8a29853e3c965af423b2eb7e9b23eb65d3acf1487772a12d48
SHA512c7ccf757b64ba8f2ed6a8906da11f468a8e168e8cd440dc644040c7bbe311261af4833a09cc3f2a8b985e718927890c7c64f187766b6f0c685007c37509693c0
-
Filesize
7KB
MD52b5158c22c6659ec80537169ffe80216
SHA13800a7e750f6e66ee2c5201fd9640d6d8d439a0a
SHA25632ee2263f9b11a81c57e791302f59ff8ac1fb4958cf6771fb9cd8817f94c14eb
SHA5120c4377d0677b65770cbac338f5f08c5172c79cc77b98b77a6f0aaaab43980f2e5f847269a39b7a9e5123124813885902ab3431c67c163908f352c72cdaf57788
-
Filesize
6KB
MD58b62be87737c5fa9b690e14477d17f20
SHA1adb5cf46bcbfa224e695e2d6c1500187a807f709
SHA256c4fab072dfcbb5070d65bfa70239fa672f57d03e4292f700fdcc01a5f45c8c35
SHA5129a46a3ea5830e57da5d35b9b4c5174610d473b948d916eefeb61bed9ace98c107069a53eb5f76e3b6996f194ee0a23bc0d95ba2927b60e37bba77acde021966e
-
Filesize
6KB
MD5f705d7274ea41f812127c0b3a546401b
SHA167044e5a750c3947e8a19d53ade5478984f8137f
SHA256f9fcc9bbcef2c9f4b19945e569223054871ae7d6f4be32ca314c34addcd09595
SHA512f5db163d41a2938d29b0fa0d0c19acb7f271178e9e4f6d9463eaca7621ee075e4ae66ec1777246643be22d01bd4fc15a87848b1b86d2defc5027b6967885d054
-
Filesize
6KB
MD508e2e9c6f95aa5dcf6761588b5ad96ac
SHA1d5e925cea1dc5d505bbcf42d6a2e4fbf20d47d16
SHA256040202dac7add039119a3cdb1d524d7ea8731df6d74af5c5c9346a9c88b5f4ec
SHA5122e1f54dfaaabb54daa2f256a18d22a97870354b2078a4ab1f085158bf5fb31d3bac4c39b5bbd009d2fbe3e72e61ba005814476e030da3c2d83d917f2abdea0e4
-
Filesize
1KB
MD5e73079ecf0af08d15906e7dc2e77aacf
SHA1987928d14cce6d963625ed84d42c3fa25fce9c98
SHA256ae15e0917348145df12dee8980d0f768f92d34d650c18ce1e4e301d1e9d4a992
SHA5122e9edc24be68b80c990d6cd9602c280a3750ba39d670950633a1f09a0a73636ff0bffe04b1657550097ee02028a4debeb0cfa53561fd6bd4efd1f2eceeaa19b2
-
Filesize
1KB
MD53a05695015a648ce7d49b092c9665e79
SHA17a2b6160a71480a324082f9813c5363558c85505
SHA25608251e2a17c68562a6f41adbc69dc3334b6ca8ad29f5a1d7a01da15536ccbe3c
SHA51200682c008d38e3deba97f4511684abd63948a3f97ab79491023db8ca7d70d0c7a95cd81f0e34225895dd3380982ffc96c4923ecea5fa93e258692312ca97a75e
-
Filesize
1KB
MD5199ff977b76663bef016d2f78fb3c64a
SHA15c7fe5a83fae750d3920ec171754e580ba05d9d3
SHA256eb12767d3469ce6884ee218db1946a137bc890b6adbd5b0f5a4e56684bf0d560
SHA512920ff1c820e19e6f8dbcbc270a6e7375201054d1362733df258d8bd0fa0acd8cc9ab08abbca75dd690d5aa45b44aeff898d99fdd93145dbf448019297aa70b9e
-
Filesize
1KB
MD5f040e711a0ddc6fcff70841cb7218d57
SHA120d88a9d5864e4668b0d49e7cf23a8d9b23b1904
SHA256a9aff16fd6df64940b3d7dd8eb48d7243e58afa1d4010743fce8f928a8b1b323
SHA5126dde55b6319123cac8baa09b5b1f2eaccdd3cbfc37b2760b2314c00d287f144fd40ffd60b6fb51a3227d1f9aa9ff625684b0fad7d561bca4e1f2d779082e132f
-
Filesize
1KB
MD58c1deb764adfcddd87754a961f99f440
SHA1ae843d407e126edaf07a13c2d95ddd2cf19219b3
SHA256fda1018888f9433770929543bd3cea26156f77afa2611ba87a150212f53b7cbb
SHA5121198b01e98d6c73554f2f5c2311fa45954d9d7962edc9ea658aea2961047bc04184900dd450b7c7b746e38b6608fa7e9964b0cb55f62f51b9e16a3bfbd9699fb
-
Filesize
1KB
MD5cef639cd3e9c0f4c5d20101325ba500c
SHA17f893dcd5a08baf06760d869c63e844fa83b2ab0
SHA25685c10735a3967cfaebfd4fa2fb520ee3d5d1be39eea3705545e1d1998ca5a682
SHA5123432c92ed11a3840847c70edcd3a6db225d17acb7aa9f1d3c33ac8ca2358f422218b420eafcbce2c67c1d9f02dbf0eec3edf5c12dcdf0cac345c1d9ba6e2203a
-
Filesize
1KB
MD55589990131e928fb308be06f9456060a
SHA18f04124f1c73f133458ae3a5cf7ac6e2ab0ae74b
SHA2566652dccd07a7de9aa5c161bb208e44be08f1d14a5f5d743ef9e7a8418ce7e4f3
SHA512f9bc2bd8338848c12fc0262ced9c615ee7d94061dc97b8803b3284d1164bbac7cd1b065aed877a072e5924cc893b60ad77a9d9a91f5e19279607c3106da2cf99
-
Filesize
1KB
MD5c0b19436e1190a99d204163e81197935
SHA1d8b2fa263f8047ff5be6ac35ddae85c3f573f7c7
SHA256fb2ebaffcd0e83c4af540b5ede22948f3ea184f6648ca4cebb0a8a5de0ffed74
SHA512b072cb9571121c08c6e49a7532478a7634ce8cd3e3846e749e36b99da9afec9d69ce15acc59298c14cf391be5ba0cd6c80b66ad306043f3b8ffddd0fb40dfbd4
-
Filesize
1KB
MD5b8d60946ac4d1bab9ae2f2b09d19bf4c
SHA1e880a0f814e55b9672b76beddba1a37f3cea6e17
SHA256d02801dafb31c3c94423a0e3305b0414fda1e8a0bd799c137a9112e13a8cc177
SHA51273457d7b32ace8041e2a0f02c0af009633c5d4f9f7ff8d5b5e763cc63200681dbd2b5da790a6915273f5b7b3c137d5374dbf23e74511675359be0918a69072ad
-
Filesize
1KB
MD5db5b2a70d5933ced2a6052845800e00a
SHA17fa10504624228d532e4e5850f65d0a08ec0fb08
SHA2565ddebf34f4e96adc2d6901d83244b487f25dead166aba6481004793f52846323
SHA51201ab6efaafbd51d1b88370caa0a6911454dfc8559727aba6e3a72ecc6fcd248b0a6fa43aab10eca6d141d0eab3a98a523c63cd02305f9994923fc5db266b50a3
-
Filesize
538B
MD500848410a7191c7d5dddde062b5dab19
SHA140c7f8c9dbd1de60a1ab51832e2cbdffdc2bfc97
SHA25671247009baf45e9d33a1c9eafffd48eaab8f55083ca33d7f7f19ec2d0330ef58
SHA5126922bab04df59372c66d2e6c49da03c571d1ec75ea82c6a1adf3130a6d8c3f41fc07ba01a7202b6a5ff9eb1b2cc104c3c7d6aa36f5364b55a3c30712150334f6
-
Filesize
1KB
MD5cb4de22545301d1569d7cdff63a11631
SHA1b391e7525a00fbf94cb79aab32ad313efba6878a
SHA256e0e93928df66363cf4ac31b77cc9ddc09e387bdcf1b83be270ee168593a09ce8
SHA5127c66fb6b0af21cfacdb7a422fce1eca4f11560f12a7a99221c858f10e9b127e054076034a049584b1457548a92aff903e6466ea8e566c3cd3d5362486a4b9f64
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16KB
MD59a8e0fb6cf4941534771c38bb54a76be
SHA192d45ac2cc921f6733e68b454dc171426ec43c1c
SHA2569ee9211a57c3f6fa211fe0323fa8cd521e7cbffcd8ff0896645a45795dc472be
SHA51212ed22537dcc79d53f6c7d39e92a38f8fea076d793198928f5b7a5dd1234d50a3c0b4815632f3fadf8bc4ef0499773d22bd83f961d2d0ffd8afacf471bd3a5ae
-
Filesize
16KB
MD5d926f072b41774f50da6b28384e0fed1
SHA1237dfa5fa72af61f8c38a1e46618a4de59bd6f10
SHA2564f7b0e525d4bfc53d5df49589e25a0bccf2fcf6a1a0ca3f94d3285bb9cf0a249
SHA512a140df6ec0d3099ef374e8f3ece09bf91bc896ac4a1d251799a521543fe9bdea796ba09fa47932bd54fa939118495078f9258557b32c31d3d4011b0666a4723f
-
Filesize
10KB
MD550b2dae6a3666aa032d92424049e5ff0
SHA1d9ee59e6fce9d494739a48e0a566653783b8aab2
SHA256fe0265cdd2d1f58f89fdd95dfb80cd10f658b365e98e4687d15afc8902e63cd9
SHA5125e360f57d94bc5a04cf3e922e15c6a4a9f51a3edd8b9678386a8d5a3b6562efc99309580dd30554a4a38f52b2151d2fab294a1048fb7cf60d280b0b2947d38f3
-
Filesize
11KB
MD575a1b5cf0f84a50a7e6eb3000f3103e3
SHA1c17be9b58a3366f49d3cb20553eced66f51bc5f6
SHA256f80460f8b92440896d029b9d75024fdd18f6cd80d234ad2820c0f6c83aabdc7d
SHA512f81f1710d529b6088624dfd289ec3ed9092a2fac74e02bdaddc03f7327f810511560f23ebdbb3b6b1f2a8d954f70a73b9b73c36581a4a6a8f964fe32c8a5952a
-
Filesize
11KB
MD551462bb96d078013fa574bcde69fe5b9
SHA12a258ad9d15ed4df43bb1f6993d7283f64ccc0aa
SHA256ad1413ad3aa313c4da6fc107ee40fb0751ed692c06185a4de6ea4d0089d4b751
SHA512f3d1eba928314b12a82af5f8057dd8f5c2d31941eaa858ab3023bc724d13b2d339a05897339180a6a4edddc49a8412c15d24cc6d324571ab87e259180b7a0ec2
-
Filesize
11KB
MD5aa7c84d245f2f4ccdde502453d3b60b8
SHA149a2c5623f96c9610a23ac2a4066e651280f53eb
SHA2568f3862489f38eac712d8e98b2432680ddcb8fd4eda85b155275cf3283ec63d34
SHA5128aa4f501890f5069e7d609f6ca4fc72219c5319ec10cdfb36cf18c9efbb67cf6db239fb94cdbe83a70f357603a0cd47456cd5897a0909b43e1c2c750af1cc96b
-
Filesize
11KB
MD5af181e3bddaa5b81357a539c6b60e71a
SHA17f8e0fab80daa7e0d7c145fb994d68939bceb0a6
SHA256d3148bfc69eb0655aa6da8c6c03b47a9b6b72272bb3aca4bc95122aedff01da9
SHA5124308de467dfcc5502c8da8c846d1e35a95b09d113de2af1a548a1b0538d91fe10299824ca94bd246670add9c246897fe71f7a50d9dd6fdd272faa46de24089f3
-
Filesize
11KB
MD5d5c7c90655d7c2f4db412b2c58f2e33c
SHA16c38c10f50c1f0e1866375d045e81b983c8e6c84
SHA2567be23ddb36d8c6c553ef092ce362b5ad3cf15b0b442a6e6c6b20611d0dc81364
SHA512ea1afdac8ef1c4a3eaadf3aebe7475daa9c5bd63601273c37a4e584d975bf42653991b77b61de9c759ef47693e722275c3c45bc5035aa3359e793d368176c6c1
-
Filesize
797B
MD5afa18cf4aa2660392111763fb93a8c3d
SHA1c219a3654a5f41ce535a09f2a188a464c3f5baf5
SHA256227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0
SHA5124161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
224KB
MD55c7fb0927db37372da25f270708103a2
SHA1120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA256be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SHA512a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
-
Filesize
424KB
MD5e263c5b306480143855655233f76dc5a
SHA1e7dcd6c23c72209ee5aa0890372de1ce52045815
SHA2561f69810b8fe71e30a8738278adf09dd982f7de0ab9891d296ce7ea61b3fa4f69
SHA512e95981eae02d0a8bf44493c64cca8b7e50023332e91d75164735a1d0e38138f358100c93633ff3a0652e1c12a5155cba77d81e01027422d7d5f71000eafb4113
-
Filesize
1.0MB
MD5055d1462f66a350d9886542d4d79bc2b
SHA1f1086d2f667d807dbb1aa362a7a809ea119f2565
SHA256dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
SHA5122c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
-
Filesize
55B
MD50f98a5550abe0fb880568b1480c96a1c
SHA1d2ce9f7057b201d31f79f3aee2225d89f36be07d
SHA2562dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1
SHA512dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6
-
Filesize
236KB
MD5cf1416074cd7791ab80a18f9e7e219d9
SHA1276d2ec82c518d887a8a3608e51c56fa28716ded
SHA25678e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA5120bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5
-
Filesize
5.6MB
-
Filesize
456KB
-
Filesize
624KB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
344KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
72KB