wannacry | 1920772052aa9d0c768af3e71df062c9a96f795eed7e29eba20859113defbf1d

Analysis

max time kernel
141s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19-10-2024 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b1e8f04135b5362ca85dfbe792c05b1_JaffaCakes118.exe
Size

3.7MB
MD5

5b1e8f04135b5362ca85dfbe792c05b1
SHA1

d9df6321c85555045d0d27bf1c32c0165cff508e
SHA256

1920772052aa9d0c768af3e71df062c9a96f795eed7e29eba20859113defbf1d
SHA512

f66be42f9b502e6189853518cd9a8c63c62449bbebd2ce5cbf4949c3d9bed291f5c71f2b2f5941a350f2e6f6744c49829f7da8aba5b56dd3ddd11e782ceda726
SSDEEP

98304:ZnGsCQ2ETK3oTToQ6pBjLmZOHmsiHW3vGEAdWiay:Q/LUK3KTqppLXG/+vGEAdWit

Score

10^/10

wannacry defense_evasion discovery persistence ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD936C.tmp	K.abc
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD9380.tmp	K.abc
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs.WNCRYT	K.abc
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs.WNCRY	K.abc
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	K.abc

Executes dropped EXE 64 IoCs

pid	Process
2536	K.abc
2980	K.abc
2240	K.abc
2220	K.abc
2044	K.abc
2824	K.abc
1976	K.abc
3008	K.abc
3068	K.abc
2728	K.abc
2844	K.abc
2796	K.abc
2996	K.abc
2700	K.abc
776	K.abc
2772	K.abc
1636	K.abc
2568	K.abc
1604	K.abc
1352	K.abc
3060	K.abc
2528	K.abc
1200	K.abc
2460	K.abc
404	K.abc
1180	K.abc
2276	K.abc
2244	K.abc
1696	K.abc
1988	K.abc
2068	K.abc
2164	K.abc
2340	K.abc
1936	K.abc
2804	K.abc
2256	K.abc
2280	K.abc
2916	K.abc
2932	K.abc
2128	K.abc
2904	K.abc
2948	K.abc
2940	K.abc
2524	K.abc
1292	K.abc
1256	K.abc
2260	K.abc
2520	K.abc
2564	K.abc
1860	K.abc
1288	K.abc
1760	K.abc
2884	K.abc
1848	K.abc
2888	K.abc
2012	K.abc
2232	K.abc
1660	K.abc
760	K.abc
1652	K.abc
844	K.abc
1728	K.abc
2184	K.abc
2408	K.abc

Loads dropped DLL 64 IoCs

pid	Process
528	5b1e8f04135b5362ca85dfbe792c05b1_JaffaCakes118.exe
528	5b1e8f04135b5362ca85dfbe792c05b1_JaffaCakes118.exe
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc
2536	K.abc

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2936	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xzylnmtyo879 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\tasksche.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5b1e8f04135b5362ca85dfbe792c05b1_JaffaCakes118.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2536 set thread context of 976	2536	K.abc	113

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5b1e8f04135b5362ca85dfbe792c05b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	K.abc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	K.abc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2288	reg.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2536	K.abc

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2536	K.abc
2536	K.abc

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 528 wrote to memory of 2536	528	5b1e8f04135b5362ca85dfbe792c05b1_JaffaCakes118.exe	31
PID 528 wrote to memory of 2536	528	5b1e8f04135b5362ca85dfbe792c05b1_JaffaCakes118.exe	31
PID 528 wrote to memory of 2536	528	5b1e8f04135b5362ca85dfbe792c05b1_JaffaCakes118.exe	31
PID 528 wrote to memory of 2536	528	5b1e8f04135b5362ca85dfbe792c05b1_JaffaCakes118.exe	31
PID 528 wrote to memory of 2536	528	5b1e8f04135b5362ca85dfbe792c05b1_JaffaCakes118.exe	31
PID 528 wrote to memory of 2536	528	5b1e8f04135b5362ca85dfbe792c05b1_JaffaCakes118.exe	31
PID 528 wrote to memory of 2536	528	5b1e8f04135b5362ca85dfbe792c05b1_JaffaCakes118.exe	31
PID 2536 wrote to memory of 2952	2536	K.abc	32
PID 2536 wrote to memory of 2952	2536	K.abc	32
PID 2536 wrote to memory of 2952	2536	K.abc	32
PID 2536 wrote to memory of 2952	2536	K.abc	32
PID 2536 wrote to memory of 2952	2536	K.abc	32
PID 2536 wrote to memory of 2952	2536	K.abc	32
PID 2536 wrote to memory of 2952	2536	K.abc	32
PID 2536 wrote to memory of 2980	2536	K.abc	34
PID 2536 wrote to memory of 2980	2536	K.abc	34
PID 2536 wrote to memory of 2980	2536	K.abc	34
PID 2536 wrote to memory of 2980	2536	K.abc	34
PID 2536 wrote to memory of 2980	2536	K.abc	34
PID 2536 wrote to memory of 2980	2536	K.abc	34
PID 2536 wrote to memory of 2980	2536	K.abc	34
PID 2536 wrote to memory of 2240	2536	K.abc	35
PID 2536 wrote to memory of 2240	2536	K.abc	35
PID 2536 wrote to memory of 2240	2536	K.abc	35
PID 2536 wrote to memory of 2240	2536	K.abc	35
PID 2536 wrote to memory of 2240	2536	K.abc	35
PID 2536 wrote to memory of 2240	2536	K.abc	35
PID 2536 wrote to memory of 2240	2536	K.abc	35
PID 2536 wrote to memory of 2220	2536	K.abc	36
PID 2536 wrote to memory of 2220	2536	K.abc	36
PID 2536 wrote to memory of 2220	2536	K.abc	36
PID 2536 wrote to memory of 2220	2536	K.abc	36
PID 2536 wrote to memory of 2220	2536	K.abc	36
PID 2536 wrote to memory of 2220	2536	K.abc	36
PID 2536 wrote to memory of 2220	2536	K.abc	36
PID 2536 wrote to memory of 2044	2536	K.abc	37
PID 2536 wrote to memory of 2044	2536	K.abc	37
PID 2536 wrote to memory of 2044	2536	K.abc	37
PID 2536 wrote to memory of 2044	2536	K.abc	37
PID 2536 wrote to memory of 2044	2536	K.abc	37
PID 2536 wrote to memory of 2044	2536	K.abc	37
PID 2536 wrote to memory of 2044	2536	K.abc	37
PID 2536 wrote to memory of 2824	2536	K.abc	38
PID 2536 wrote to memory of 2824	2536	K.abc	38
PID 2536 wrote to memory of 2824	2536	K.abc	38
PID 2536 wrote to memory of 2824	2536	K.abc	38
PID 2536 wrote to memory of 2824	2536	K.abc	38
PID 2536 wrote to memory of 2824	2536	K.abc	38
PID 2536 wrote to memory of 2824	2536	K.abc	38
PID 2536 wrote to memory of 1976	2536	K.abc	39
PID 2536 wrote to memory of 1976	2536	K.abc	39
PID 2536 wrote to memory of 1976	2536	K.abc	39
PID 2536 wrote to memory of 1976	2536	K.abc	39
PID 2536 wrote to memory of 1976	2536	K.abc	39
PID 2536 wrote to memory of 1976	2536	K.abc	39
PID 2536 wrote to memory of 1976	2536	K.abc	39
PID 2536 wrote to memory of 3008	2536	K.abc	40
PID 2536 wrote to memory of 3008	2536	K.abc	40
PID 2536 wrote to memory of 3008	2536	K.abc	40
PID 2536 wrote to memory of 3008	2536	K.abc	40
PID 2536 wrote to memory of 3008	2536	K.abc	40
PID 2536 wrote to memory of 3008	2536	K.abc	40
PID 2536 wrote to memory of 3008	2536	K.abc	40
PID 2536 wrote to memory of 3068	2536	K.abc	41

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1676	attrib.exe
2220	attrib.exe

C:\Users\Admin\AppData\Local\Temp\5b1e8f04135b5362ca85dfbe792c05b1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5b1e8f04135b5362ca85dfbe792c05b1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:528
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
    3⤵
    - Drops startup file
    - System Location Discovery: System Language Discovery
    PID:2952
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2980
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2240
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2220
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2044
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2824
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:1976
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:3008
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:3068
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2728
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2844
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2796
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2996
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2700
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:776
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2772
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:1636
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2568
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:1604
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:1352
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:3060
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2528
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:1200
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2460
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:404
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:1180
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2276
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2244
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:1696
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:1988
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2068
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2164
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2340
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:1936
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2804
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2256
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2280
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2916
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2932
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2128
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2904
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2948
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2940
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2524
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:1292
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:1256
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2260
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2520
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2564
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:1860
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:1288
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:1760
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2884
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:1848
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2888
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2012
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2232
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:1660
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:760
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:1652
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:844
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:1728
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2184
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2408
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    PID:2396
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    PID:2168
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    PID:2556
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    PID:536
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    PID:2300
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    PID:2140
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    PID:2328
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    PID:2364
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    PID:2148
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    PID:2428
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    PID:2324
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    PID:2208
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    PID:2200
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    PID:2532
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    PID:2416
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    PID:1928
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Drops startup file
    - System Location Discovery: System Language Discovery
    PID:976
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h .
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1676
  - - C:\Windows\SysWOW64\icacls.exe
      icacls . /grant Everyone:F /T /C /Q
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:2936
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c 157261729316765.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:1104
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe //nologo m.vbs
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:676
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +s F:\$RECYCLE
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2220
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c start /b @[email protected] vs
      4⤵
      System Location Discovery: System Language Discovery
      PID:444
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "xzylnmtyo879" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tasksche.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:404
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "xzylnmtyo879" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tasksche.exe\"" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2288

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\@[email protected]

Filesize
960B

MD5
a6e0af852d42edab743b96e3c3c93dff

SHA1
a9eabf3e223ffe2073882d45dc511063971ef32c

SHA256
b0522ceac68d85ff4035d0af91b22f7d2a1be2fd3ecc95273e0d523592192ffd

SHA512
d90042bd32c581b56084eb1d06d1ebf5d26096474013c1c1683d35bb3540a8d481401d21ccd6d574e0bd85f24b5ab3b014125e6fd7fcbd8e4c56f19683be71b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\157261729316765.bat

Filesize
362B

MD5
9b7685baf81c5b0ccdf543021adfc77a

SHA1
281c0688c98149af606851b918f5684fcfd1d087

SHA256
b3cf9e395fcb9fc7c55565d389e1c2d2e023d8772248b540ae07e0e96717dc86

SHA512
a52c5b191ae22e4b79d0b8cb2d3b210d84febb550e8e486101eff1b01f90fc0e78e9f63d5dd8802841c526df2decb60280c3652e6c0be951fe5f1b5c679e5481

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.ab_

Filesize
3.4MB

MD5
0dbff1adfe2c4b39b889e9bcbd9970f0

SHA1
e23f9ced678755c846a55f1d160d5a613b97899e

SHA256
9bc7c57dfb19c11f5c7bdc727684a67c172347b092c3cab3f90969011d8d8527

SHA512
7c08d52d3d19c4e0354b1d6fce92b4be3cca71f90b782b3392e77608a922dd6f803e0fa11d7b6d2e73ecaf6863f7098b3d96d9cb3502e31820d8234101b6609b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc

Filesize
408KB

MD5
e8701e7b0547b2cbd818e3323636deb0

SHA1
a61eaddb6b6131e4eda1c2a04994501b1e2b2109

SHA256
313cb04166d84b21ef581dd6e3969629842b86a1e548a0125c03b218f387d820

SHA512
53d6e40fa9b5ad63573fb0d2d033f525d06a29ec712c2d7829c7da586a9792d66ccf72a8a05816131ef3a2d0b8352be4f128445e285ead13b3a73a473fcba80b

Download Submit
memory/976-145-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/976-95-0x0000000000400000-0x0000000001168000-memory.dmp

Filesize
13.4MB

Download
memory/976-102-0x0000000000400000-0x0000000001168000-memory.dmp

Filesize
13.4MB

Download
memory/976-103-0x0000000000400000-0x0000000001168000-memory.dmp

Filesize
13.4MB

Download
memory/976-98-0x0000000000400000-0x0000000001168000-memory.dmp

Filesize
13.4MB

Download
memory/976-83-0x0000000000400000-0x0000000001168000-memory.dmp

Filesize
13.4MB

Download
memory/976-105-0x0000000000400000-0x0000000001168000-memory.dmp

Filesize
13.4MB

Download
memory/976-150-0x0000000000400000-0x0000000001168000-memory.dmp

Filesize
13.4MB

Download
memory/976-99-0x0000000000400000-0x0000000001168000-memory.dmp

Filesize
13.4MB

Download
memory/976-101-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/976-93-0x0000000000400000-0x0000000001168000-memory.dmp

Filesize
13.4MB

Download
memory/976-91-0x0000000000400000-0x0000000001168000-memory.dmp

Filesize
13.4MB

Download
memory/976-90-0x0000000000400000-0x0000000001168000-memory.dmp

Filesize
13.4MB

Download
memory/976-87-0x0000000000400000-0x0000000001168000-memory.dmp

Filesize
13.4MB

Download
memory/976-86-0x0000000000400000-0x0000000001168000-memory.dmp

Filesize
13.4MB

Download
memory/976-81-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/2536-19-0x0000000000580000-0x0000000000585000-memory.dmp

Filesize
20KB

Download
memory/2536-12-0x0000000000560000-0x0000000000562000-memory.dmp

Filesize
8KB

Download