wannacry | 1920772052aa9d0c768af3e71df062c9a96f795eed7e29eba20859113defbf1d

Analysis

max time kernel
148s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2024 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b1e8f04135b5362ca85dfbe792c05b1_JaffaCakes118.exe
Size

3.7MB
MD5

5b1e8f04135b5362ca85dfbe792c05b1
SHA1

d9df6321c85555045d0d27bf1c32c0165cff508e
SHA256

1920772052aa9d0c768af3e71df062c9a96f795eed7e29eba20859113defbf1d
SHA512

f66be42f9b502e6189853518cd9a8c63c62449bbebd2ce5cbf4949c3d9bed291f5c71f2b2f5941a350f2e6f6744c49829f7da8aba5b56dd3ddd11e782ceda726
SSDEEP

98304:ZnGsCQ2ETK3oTToQ6pBjLmZOHmsiHW3vGEAdWiay:Q/LUK3KTqppLXG/+vGEAdWit

Score

10^/10

wannacry defense_evasion discovery persistence ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry

Drops startup file 6 IoCs

Processes:

K.abccmd.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD9C85.tmp	K.abc
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD9C9C.tmp	K.abc
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs.WNCRYT	K.abc
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs.WNCRY	K.abc
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	K.abc
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 64 IoCs

Processes:

K.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abc

pid	Process
536	K.abc
972	K.abc
4192	K.abc
1424	K.abc
4156	K.abc
1036	K.abc
4976	K.abc
1736	K.abc
3668	K.abc
1568	K.abc
872	K.abc
4740	K.abc
2952	K.abc
3864	K.abc
4604	K.abc
1388	K.abc
1844	K.abc
4404	K.abc
1972	K.abc
1488	K.abc
1368	K.abc
1436	K.abc
2960	K.abc
1556	K.abc
1596	K.abc
1668	K.abc
4316	K.abc
2472	K.abc
2096	K.abc
4676	K.abc
4700	K.abc
1428	K.abc
3540	K.abc
3608	K.abc
3820	K.abc
4328	K.abc
3196	K.abc
532	K.abc
760	K.abc
4452	K.abc
4892	K.abc
1304	K.abc
2708	K.abc
2348	K.abc
888	K.abc
4868	K.abc
920	K.abc
624	K.abc
552	K.abc
2672	K.abc
1200	K.abc
1504	K.abc
612	K.abc
4224	K.abc
456	K.abc
3332	K.abc
3512	K.abc
2260	K.abc
3308	K.abc
2552	K.abc
4848	K.abc
3576	K.abc
3752	K.abc
4880	K.abc

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exe

pid	Process
4276	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5b1e8f04135b5362ca85dfbe792c05b1_JaffaCakes118.exereg.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5b1e8f04135b5362ca85dfbe792c05b1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tvhpejndbjx409 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Suspicious use of SetThreadContext 1 IoCs

Processes:

K.abc

description	pid	Process	procid_target
PID 536 set thread context of 3436	536	K.abc	169

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

K.abcattrib.execscript.exeattrib.execmd.execmd.exe5b1e8f04135b5362ca85dfbe792c05b1_JaffaCakes118.execmd.execmd.exereg.exeK.abcicacls.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	K.abc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5b1e8f04135b5362ca85dfbe792c05b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	K.abc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
4848	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

K.abc

pid	Process
536	K.abc
536	K.abc

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

K.abc

pid	Process
536	K.abc
536	K.abc

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5b1e8f04135b5362ca85dfbe792c05b1_JaffaCakes118.exeK.abc

description	pid	Process	procid_target
PID 2416 wrote to memory of 536	2416	5b1e8f04135b5362ca85dfbe792c05b1_JaffaCakes118.exe	84
PID 2416 wrote to memory of 536	2416	5b1e8f04135b5362ca85dfbe792c05b1_JaffaCakes118.exe	84
PID 2416 wrote to memory of 536	2416	5b1e8f04135b5362ca85dfbe792c05b1_JaffaCakes118.exe	84
PID 536 wrote to memory of 1356	536	K.abc	88
PID 536 wrote to memory of 1356	536	K.abc	88
PID 536 wrote to memory of 1356	536	K.abc	88
PID 536 wrote to memory of 972	536	K.abc	90
PID 536 wrote to memory of 972	536	K.abc	90
PID 536 wrote to memory of 972	536	K.abc	90
PID 536 wrote to memory of 4192	536	K.abc	91
PID 536 wrote to memory of 4192	536	K.abc	91
PID 536 wrote to memory of 4192	536	K.abc	91
PID 536 wrote to memory of 1424	536	K.abc	92
PID 536 wrote to memory of 1424	536	K.abc	92
PID 536 wrote to memory of 1424	536	K.abc	92
PID 536 wrote to memory of 4156	536	K.abc	93
PID 536 wrote to memory of 4156	536	K.abc	93
PID 536 wrote to memory of 4156	536	K.abc	93
PID 536 wrote to memory of 1036	536	K.abc	94
PID 536 wrote to memory of 1036	536	K.abc	94
PID 536 wrote to memory of 1036	536	K.abc	94
PID 536 wrote to memory of 4976	536	K.abc	95
PID 536 wrote to memory of 4976	536	K.abc	95
PID 536 wrote to memory of 4976	536	K.abc	95
PID 536 wrote to memory of 1736	536	K.abc	96
PID 536 wrote to memory of 1736	536	K.abc	96
PID 536 wrote to memory of 1736	536	K.abc	96
PID 536 wrote to memory of 3668	536	K.abc	97
PID 536 wrote to memory of 3668	536	K.abc	97
PID 536 wrote to memory of 3668	536	K.abc	97
PID 536 wrote to memory of 1568	536	K.abc	98
PID 536 wrote to memory of 1568	536	K.abc	98
PID 536 wrote to memory of 1568	536	K.abc	98
PID 536 wrote to memory of 872	536	K.abc	99
PID 536 wrote to memory of 872	536	K.abc	99
PID 536 wrote to memory of 872	536	K.abc	99
PID 536 wrote to memory of 4740	536	K.abc	100
PID 536 wrote to memory of 4740	536	K.abc	100
PID 536 wrote to memory of 4740	536	K.abc	100
PID 536 wrote to memory of 2952	536	K.abc	101
PID 536 wrote to memory of 2952	536	K.abc	101
PID 536 wrote to memory of 2952	536	K.abc	101
PID 536 wrote to memory of 3864	536	K.abc	102
PID 536 wrote to memory of 3864	536	K.abc	102
PID 536 wrote to memory of 3864	536	K.abc	102
PID 536 wrote to memory of 4604	536	K.abc	103
PID 536 wrote to memory of 4604	536	K.abc	103
PID 536 wrote to memory of 4604	536	K.abc	103
PID 536 wrote to memory of 1388	536	K.abc	104
PID 536 wrote to memory of 1388	536	K.abc	104
PID 536 wrote to memory of 1388	536	K.abc	104
PID 536 wrote to memory of 1844	536	K.abc	105
PID 536 wrote to memory of 1844	536	K.abc	105
PID 536 wrote to memory of 1844	536	K.abc	105
PID 536 wrote to memory of 4404	536	K.abc	106
PID 536 wrote to memory of 4404	536	K.abc	106
PID 536 wrote to memory of 4404	536	K.abc	106
PID 536 wrote to memory of 1972	536	K.abc	107
PID 536 wrote to memory of 1972	536	K.abc	107
PID 536 wrote to memory of 1972	536	K.abc	107
PID 536 wrote to memory of 1488	536	K.abc	108
PID 536 wrote to memory of 1488	536	K.abc	108
PID 536 wrote to memory of 1488	536	K.abc	108
PID 536 wrote to memory of 1368	536	K.abc	109

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exe

pid	Process
4288	attrib.exe
1568	attrib.exe

C:\Users\Admin\AppData\Local\Temp\5b1e8f04135b5362ca85dfbe792c05b1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5b1e8f04135b5362ca85dfbe792c05b1_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
    3⤵
    - Drops startup file
    - System Location Discovery: System Language Discovery
    PID:1356
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:972
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:4192
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:1424
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:4156
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:1036
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:4976
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:1736
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:3668
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:1568
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:872
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:4740
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2952
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:3864
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:4604
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:1388
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:1844
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:4404
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:1972
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:1488
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:1368
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:1436
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2960
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:1556
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:1596
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:1668
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:4316
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2472
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2096
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:4676
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:4700
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:1428
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:3540
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:3608
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:3820
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:4328
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:3196
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:532
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:760
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:4452
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:4892
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:1304
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2708
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2348
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:888
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:4868
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:920
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:624
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:552
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2672
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:1200
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:1504
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:612
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:4224
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:456
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:3332
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:3512
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2260
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:3308
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:2552
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:4848
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:3576
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:3752
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Executes dropped EXE
    PID:4880
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    PID:4772
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    PID:3964
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    PID:3816
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    PID:1748
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    PID:3860
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    PID:2024
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    PID:3892
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    PID:1476
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    PID:4372
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    PID:3348
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    PID:3928
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    PID:2452
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    PID:3288
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    PID:4432
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    PID:1192
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    PID:3312
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
    3⤵
    - Drops startup file
    - System Location Discovery: System Language Discovery
    PID:3436
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h .
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4288
  - - C:\Windows\SysWOW64\icacls.exe
      icacls . /grant Everyone:F /T /C /Q
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:4276
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 158061729316766.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:5036
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe //nologo m.vbs
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1764
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +s F:\$RECYCLE
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1568
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c start /b @[email protected] vs
      4⤵
      System Location Discovery: System Language Discovery
      PID:4392
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "tvhpejndbjx409" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tasksche.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3244
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "tvhpejndbjx409" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tasksche.exe\"" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
988B

MD5
e72ef87ac2aae43a07e577ca2e155c12

SHA1
6c9bd1ca3a62da1af1266ab876c5d8c609a1f0af

SHA256
36e7a4914144cea038dee6c92a5cc4311731c974bf7c03ba36347b78c0c30071

SHA512
dcda41262471cde2de388c19b58ff27f603a8de2648166f264636ef953d8f2f2cb5cd7a48d7ded911091d0698dce17ac3e6bb2ad198a32171904be3890a17923

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.ab_

Filesize
3.4MB

MD5
0dbff1adfe2c4b39b889e9bcbd9970f0

SHA1
e23f9ced678755c846a55f1d160d5a613b97899e

SHA256
9bc7c57dfb19c11f5c7bdc727684a67c172347b092c3cab3f90969011d8d8527

SHA512
7c08d52d3d19c4e0354b1d6fce92b4be3cca71f90b782b3392e77608a922dd6f803e0fa11d7b6d2e73ecaf6863f7098b3d96d9cb3502e31820d8234101b6609b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc

Filesize
408KB

MD5
e8701e7b0547b2cbd818e3323636deb0

SHA1
a61eaddb6b6131e4eda1c2a04994501b1e2b2109

SHA256
313cb04166d84b21ef581dd6e3969629842b86a1e548a0125c03b218f387d820

SHA512
53d6e40fa9b5ad63573fb0d2d033f525d06a29ec712c2d7829c7da586a9792d66ccf72a8a05816131ef3a2d0b8352be4f128445e285ead13b3a73a473fcba80b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
memory/536-7-0x0000000000700000-0x0000000000702000-memory.dmp

Filesize
8KB

Download
memory/536-14-0x0000000001FE0000-0x0000000001FE5000-memory.dmp

Filesize
20KB

Download
memory/3436-79-0x0000000000400000-0x0000000001168000-memory.dmp

Filesize
13.4MB

Download
memory/3436-78-0x0000000000400000-0x0000000001168000-memory.dmp

Filesize
13.4MB

Download
memory/3436-121-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/3436-81-0x0000000000400000-0x0000000001168000-memory.dmp

Filesize
13.4MB

Download