Malware Analysis Report

2025-03-15 08:19

Sample ID 241020-xhpfhathna
Target WannaCry.exe
SHA256 be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
Tags
wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm
score
10/10

Analysis Overview

score
10/10

SHA256

be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

Threat Level: Known bad

The file WannaCry.exe was found to be: Known bad.

Malicious Activity Summary

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Wannacry

Deletes shadow copies

Reads user/profile data of web browsers

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Sets desktop wallpaper using registry

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Interacts with shadow copies

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Suspicious use of SetWindowsHookEx

Kills process with taskkill

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-10-20 18:51

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 18:51

Reported

2024-10-20 18:54

Platform

win7-20240708-en

Max time kernel

148s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"

Signatures

Wannacry

ransomware worm wannacry

Deletes shadow copies

ransomware defense_evasion impact execution

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD9EBC.tmp | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD9EB8.tmp | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WannaCry.exe\" /r" | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2536 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 2788 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cscript.exe
PID 2024 wrote to memory of 2788 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cscript.exe
PID 2024 wrote to memory of 2788 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cscript.exe
PID 2024 wrote to memory of 2788 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cscript.exe
PID 2536 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2536 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2536 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2536 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2536 wrote to memory of 1116 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2536 wrote to memory of 1116 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2536 wrote to memory of 1116 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2536 wrote to memory of 1116 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2536 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2536 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2536 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2536 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2536 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2536 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2536 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2536 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2536 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2536 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2536 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2536 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2536 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2536 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2536 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2536 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2536 wrote to memory of 1596 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 1596 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 1596 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 1596 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\cmd.exe
PID 1596 wrote to memory of 2456 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1596 wrote to memory of 2456 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1596 wrote to memory of 2456 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1596 wrote to memory of 2456 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2536 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2536 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2536 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2536 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2456 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | C:\Windows\SysWOW64\cmd.exe
PID 1572 wrote to memory of 2188 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe
PID 1572 wrote to memory of 2188 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe
PID 1572 wrote to memory of 2188 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe
PID 1572 wrote to memory of 2188 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe
PID 1572 wrote to memory of 2008 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1572 wrote to memory of 2008 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1572 wrote to memory of 2008 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1572 wrote to memory of 2008 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\Wbem\WMIC.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\WannaCry.exe

"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c 52991729450291.bat

C:\Windows\SysWOW64\cscript.exe

cscript //nologo c.vbs

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe f

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im MSExchange*

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Microsoft.Exchange.*

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sqlserver.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sqlwriter.exe

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe c

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c start /b !WannaDecryptor!.exe v

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe v

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\SysWOW64\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

Network

Country | Destination | Domain | Proto
N/A | 127.0.0.1:9050 | | tcp
N/A | 127.0.0.1:9150 | | tcp
N/A | 127.0.0.1:9050 | | tcp
N/A | 127.0.0.1:9150 | | tcp
N/A | 127.0.0.1:9050 | | tcp
N/A | 127.0.0.1:9150 | | tcp
N/A | 127.0.0.1:9050 | | tcp
N/A | 127.0.0.1:9150 | | tcp
N/A | 127.0.0.1:9050 | | tcp
N/A | 127.0.0.1:9150 | | tcp
N/A | 127.0.0.1:9050 | | tcp
N/A | 127.0.0.1:9150 | | tcp
N/A | 127.0.0.1:9050 | | tcp
N/A | 127.0.0.1:9150 | | tcp
N/A | 127.0.0.1:9050 | | tcp
N/A | 127.0.0.1:9150 | | tcp

Files

memory/2536-6-0x0000000010000000-0x0000000010012000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\52991729450291.bat

MD5 3540e056349c6972905dc9706cd49418
SHA1 492c20442d34d45a6d6790c720349b11ec591cde
SHA256 73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc
SHA512 c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

C:\Users\Admin\AppData\Local\Temp\c.vbs

MD5 5f6d40ca3c34b470113ed04d06a88ff4
SHA1 50629e7211ae43e32060686d6be17ebd492fd7aa
SHA256 0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1
SHA512 4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

MD5 cf1416074cd7791ab80a18f9e7e219d9
SHA1 276d2ec82c518d887a8a3608e51c56fa28716ded
SHA256 78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA512 0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

C:\Users\Admin\AppData\Local\Temp\00000000.res

MD5 fda1926db3f14ebe0c31cccfa9fd56c4
SHA1 ae68060b82655d851f2a683b592befd08d5ee977
SHA256 632ea21939f74e64319b989727e6d0076e7257f8b6750b844519d6edc10b682f
SHA512 4ba141b5c35317c7a777c95196d1a4b4b6ba263f4eacb008d6297af7c9490f241b8fb0880ce12d3e0067ecf5d0622cf7d690ef6dbe6c02cbc87ffc570e703776

C:\Users\Admin\AppData\Local\Temp\c.wry

MD5 78813e5d87f300668a58d1f827631e0c
SHA1 561d78058a14671248ac90491cdf3e8849cfd802
SHA256 2360ed055893c6653275e4023982203dbf3c332c359f8161f079af7c4698bde0
SHA512 3db146e0d6c6f1301cc6a4615a0072cd612d23f4a8385a3820df9fec150933ba8286b7130b8640ade70a6287a07cf2ee4928bbd808a0e555be73141c70134e82

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

MD5 5ebce350eebc27b7f66df58cff9022be
SHA1 f6e966b3bf8336a37711d928c5adc12f6947d1ad
SHA256 30fe1a4c76e35e4372de64d5c80e91260344a3e346af5be4052043e39eb2b9a0
SHA512 4a0e8d82f1621e6c42535eafc775424f9261835be0203d30cdd1ee2b512872a26293ce1b2405e97ef8cfe17881838268b8131d8ed93caa2a0628ef0eebee05e0

C:\Users\Admin\Documents\!Please Read Me!.txt

MD5 afa18cf4aa2660392111763fb93a8c3d
SHA1 c219a3654a5f41ce535a09f2a188a464c3f5baf5
SHA256 227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0
SHA512 4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

C:\Users\Admin\AppData\Local\Temp\00000000.res

MD5 545804cad1f07b78d021f5b74b00bdf7
SHA1 2ae3b983fd99239aeaf5a4ca105943c00d4313a3
SHA256 8ddefe0c8862a450c0e5d460592cba9b050e68c63bb3626162a120acfdc5cf98
SHA512 dbbfa5a755a4e34b355e7d79ac0c9d9110ff0598e9ea5c5817cf299fddda5a115d0ed9f43c8781e98871daeeadb4c61aa203c962aa59efe4fc38add109cc9fe5

C:\Users\Admin\AppData\Local\Temp\m.wry

MD5 980b08bac152aff3f9b0136b616affa5
SHA1 2a9c9601ea038f790cc29379c79407356a3d25a3
SHA256 402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9
SHA512 100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

C:\Users\Admin\AppData\Local\Temp\00000000.res

MD5 65d2dcc4c682f61d64dafa0fbb76a51e
SHA1 1567a1cb7c224c6bf7877bdc168531871d59bcca
SHA256 207163788265c1845b24f25c3b4ea5b6d45844286f74cf145a9c80021134c560
SHA512 1fcd624140534afc567b595f08f8362cab7d2c5d5c4c0af721d73ddef62952b41639aec3ec3d9fa040ec245760ee403e6a71a8fdb443563578e1372d98902ed3

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 18:51

Reported

2024-10-20 18:54

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"

Signatures

Wannacry

ransomware worm wannacry

Deletes shadow copies

ransomware defense_evasion impact execution

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD930E.tmp | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD9324.tmp | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WannaCry.exe\" /r" | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4504 wrote to memory of 3404 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\cmd.exe
PID 4504 wrote to memory of 3404 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\cmd.exe
PID 4504 wrote to memory of 3404 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\cmd.exe
PID 3404 wrote to memory of 2040 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cscript.exe
PID 3404 wrote to memory of 2040 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cscript.exe
PID 3404 wrote to memory of 2040 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cscript.exe
PID 4504 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 4504 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 4504 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 4504 wrote to memory of 1956 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 4504 wrote to memory of 1956 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 4504 wrote to memory of 1956 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 4504 wrote to memory of 3948 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 4504 wrote to memory of 3948 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 4504 wrote to memory of 3948 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 4504 wrote to memory of 2168 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 4504 wrote to memory of 2168 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 4504 wrote to memory of 2168 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 4504 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 4504 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 4504 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 4504 wrote to memory of 1452 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 4504 wrote to memory of 1452 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 4504 wrote to memory of 1452 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 4504 wrote to memory of 4248 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\cmd.exe
PID 4504 wrote to memory of 4248 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\cmd.exe
PID 4504 wrote to memory of 4248 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\cmd.exe
PID 4248 wrote to memory of 4760 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 4248 wrote to memory of 4760 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 4248 wrote to memory of 4760 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 4504 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 4504 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 4504 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 4760 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | C:\Windows\SysWOW64\cmd.exe
PID 4760 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | C:\Windows\SysWOW64\cmd.exe
PID 4760 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 4928 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1740 wrote to memory of 4928 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1740 wrote to memory of 4928 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\Wbem\WMIC.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\WannaCry.exe

"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 38151729450292.bat

C:\Windows\SysWOW64\cscript.exe

cscript //nologo c.vbs

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe f

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im MSExchange*

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Microsoft.Exchange.*

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sqlserver.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sqlwriter.exe

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe c

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c start /b !WannaDecryptor!.exe v

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe v

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe
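
The command lines above are the useful part of this run for detection engineering: a single `cmd.exe /c` line chains five recovery-inhibiting commands (vssadmin, WMIC shadowcopy, two bcdedit tweaks, wbadmin), and four `taskkill /f` invocations target SQL Server and Exchange processes so their files can be encrypted. The following Python is an added example, not part of the sandbox report or its tooling; it feeds the command lines copied from the Processes table above through a small rule set, splitting chained commands on `&`/`&&`/`|`/`||` first so that each sub-command is scored on its own, and maps hits to the ATT&CK techniques the report tags (T1490 Inhibit System Recovery, T1489 Service Stop). The rule names and regexes are mine and would need tuning against real telemetry.

```python
import re

# Command lines copied from the Processes table of this report (behavioral run).
REPORT_COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"',
    r"C:\Windows\system32\cmd.exe /c 38151729450292.bat",
    r"cscript //nologo c.vbs",
    r"!WannaDecryptor!.exe f",
    r"taskkill /f /im MSExchange*",
    r"taskkill /f /im Microsoft.Exchange.*",
    r"taskkill /f /im sqlserver.exe",
    r"taskkill /f /im sqlwriter.exe",
    r"!WannaDecryptor!.exe c",
    r"cmd.exe /c start /b !WannaDecryptor!.exe v",
    r"cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & "
    r"bcdedit /set {default} bootstatuspolicy ignoreallfailures & "
    r"bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet",
    r"wmic shadowcopy delete",
]

# (ATT&CK technique, description, regex). Rule set is illustrative (my own), not a vendor ruleset.
RULES = [
    ("T1490", "shadow copies deleted via vssadmin",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("T1490", "shadow copies deleted via WMIC",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("T1490", "boot status policy set to ignore all failures",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("T1490", "Windows recovery environment disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("T1490", "backup catalog deleted via wbadmin",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("T1489", "forced kill of database/mail service process",
     re.compile(r"\btaskkill(\.exe)?\b.*\s/f\b.*\s/im\s+(sql\S*|msexchange\S*|microsoft\.exchange\S*)", re.I)),
]


def split_chain(cmdline):
    """Split a cmd.exe chain on & / && / | / || so each sub-command is scored separately.

    A rule that only looks at the first token of a command line would see 'cmd.exe'
    and miss everything after the first '&'. Quoting is deliberately not handled here.
    """
    return [p.strip() for p in re.split(r"\s*(?:&&|\|\||&|\|)\s*", cmdline) if p.strip()]


def classify(cmdline):
    """Return a list of (technique, description, sub_command) hits for one command line."""
    hits = []
    for sub in split_chain(cmdline):
        for tech, desc, pattern in RULES:
            if pattern.search(sub):
                hits.append((tech, desc, sub))
    return hits


def scan(cmdlines):
    """Map each flagged command line to its hits; unflagged lines are omitted."""
    flagged = {}
    for cmdline in cmdlines:
        hits = classify(cmdline)
        if hits:
            flagged[cmdline] = hits
    return flagged


def technique_tally(cmdlines):
    """Count hits per ATT&CK technique across all command lines."""
    tally = {}
    for hits in scan(cmdlines).values():
        for tech, _, _ in hits:
            tally[tech] = tally.get(tech, 0) + 1
    return tally


if __name__ == "__main__":
    for cmdline, hits in scan(REPORT_COMMAND_LINES).items():
        print(cmdline)
        for tech, desc, sub in hits:
            print(f"  [{tech}] {desc}: {sub}")
    print(technique_tally(REPORT_COMMAND_LINES))
```

Run against the twelve command lines above, six are flagged: the chained `cmd.exe /c` line alone produces five T1490 hits (one per sub-command), the standalone `wmic shadowcopy delete` a sixth, and the four `taskkill` lines four T1489 hits. The `cscript`, `.bat` and `!WannaDecryptor!.exe` launches are not caught by these rules, which is the point: dropper and script execution need separate coverage.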

Network

Country Destination Domain Proto
N/A 127.0.0.1:9050 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
N/A 127.0.0.1:9150 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
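
Two things in this table are worth pulling out programmatically. The repeated TCP connections to 127.0.0.1:9050 and 127.0.0.1:9150 (the default SOCKS ports of a Tor daemon and of the Tor Browser bundle respectively) have no domain column at all, and are consistent with the decryptor component trying to reach a locally started Tor client; the `in-addr.arpa` queries to 8.8.8.8 are PTR lookups whose names encode an IP address with the octets reversed, so the address actually being resolved is not visible until you flip it. The Python below is an added example, not part of the report or its sandbox; it parses a subset of the rows copied from the table above (loopback rows carry three fields, all others four), classifies each row, and recovers the IPs behind the PTR names. The category names and the Tor-port set are my own.

```python
import re
from collections import Counter

# Rows copied from the Network table of this report (a representative subset, not the full table).
# Loopback rows have no Domain field, so the row width is 3 or 4 columns.
REPORT_NETWORK_ROWS = """\
N/A 127.0.0.1:9050 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
N/A 127.0.0.1:9150 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
"""

# 9050: default Tor SOCKS port; 9150: Tor Browser bundle SOCKS port.
TOR_SOCKS_PORTS = {9050, 9150}

PTR_RE = re.compile(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$")


def parse_row(line):
    """Parse one 'Country Destination [Domain] Proto' row into a dict."""
    fields = line.split()
    if len(fields) == 4:
        country, dest, domain, proto = fields
    elif len(fields) == 3:
        country, dest, proto = fields
        domain = None
    else:
        raise ValueError(f"unexpected row shape: {line!r}")
    host, port = dest.rsplit(":", 1)
    return {"country": country, "host": host, "port": int(port), "domain": domain, "proto": proto}


def ptr_to_ip(name):
    """Turn '133.211.185.52.in-addr.arpa' into '52.185.211.133'; None for non-PTR names."""
    m = PTR_RE.fullmatch(name or "")
    return ".".join(reversed(m.groups())) if m else None


def classify(row):
    if row["host"] == "127.0.0.1" and row["port"] in TOR_SOCKS_PORTS and row["proto"] == "tcp":
        return "loopback-tor-socks"
    if ptr_to_ip(row["domain"]):
        return "reverse-dns"
    if row["port"] == 53:
        return "dns"
    return "other"


def analyse(table_text):
    """Return (category counts, sorted list of IPs that were reverse-resolved)."""
    rows = [parse_row(l) for l in table_text.splitlines() if l.strip()]
    counts = dict(Counter(classify(r) for r in rows))
    resolved = sorted({ptr_to_ip(r["domain"]) for r in rows if classify(r) == "reverse-dns"})
    return counts, resolved


def contacted_and_reverse_resolved(table_text):
    """IPs the host both connected to directly and looked up in reverse."""
    rows = [parse_row(l) for l in table_text.splitlines() if l.strip()]
    contacted = {r["host"] for r in rows if classify(r) not in ("dns", "reverse-dns")}
    _, resolved = analyse(table_text)
    return sorted(contacted & set(resolved))


if __name__ == "__main__":
    counts, resolved = analyse(REPORT_NETWORK_ROWS)
    print(counts)
    print("reverse-resolved IPs:", resolved)
    print("contacted and reverse-resolved:", contacted_and_reverse_resolved(REPORT_NETWORK_ROWS))
```

On the subset above this yields four loopback Tor-SOCKS connection attempts, five PTR lookups, one forward DNS query and two outbound HTTPS connections. Flipping the PTR names shows that one of the reverse lookups (10.28.171.150.in-addr.arpa) is for 150.171.28.10, the same host the sandbox VM connected to on 443 for tse1.mm.bing.net, which helps separate OS background resolution from sample-driven traffic when triaging the full table.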

Files

memory/4504-6-0x0000000010000000-0x0000000010012000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u.wry

MD5 cf1416074cd7791ab80a18f9e7e219d9
SHA1 276d2ec82c518d887a8a3608e51c56fa28716ded
SHA256 78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA512 0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

C:\Users\Admin\AppData\Local\Temp\38151729450292.bat

MD5 3540e056349c6972905dc9706cd49418
SHA1 492c20442d34d45a6d6790c720349b11ec591cde
SHA256 73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc
SHA512 c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

C:\Users\Admin\AppData\Local\Temp\c.vbs

MD5 5f6d40ca3c34b470113ed04d06a88ff4
SHA1 50629e7211ae43e32060686d6be17ebd492fd7aa
SHA256 0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1
SHA512 4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

MD5 fce8a3492aa984eeda99e0bafefed2a6
SHA1 0052030c92e436ff525e153ff536ccae94e08366
SHA256 4282552060a7a639b2e86937ae45471d87bbc86f437f231cd2beaaba110a6bbf
SHA512 3d64030467a7c7eb1233c2ddbfb96b6115cacdeb4e5707e8b4b023399a59671de06337ce0f4b01a691474cecfd638866fb3d4ff12b8c18faaad39ab2fa2ac91b

C:\Users\Admin\AppData\Local\Temp\00000000.res

MD5 113e67934347785bb44a6a11bbb86316
SHA1 6c6664379fd88611f450c3faf85c9faeeee3d9be
SHA256 d7150cac6c9a9352750517e0cba400b4b8dd62aeb430a40c6ab8b1d027cb9fb3
SHA512 064635dc841f7a68a492c2fc58516c606a7fb3e6f6ce43f01a22df8ecce1f595da7306dd07fadc7ca0012c4c04855aabb3dfed659547ddba6a67a1ee2e0a51fd

C:\Users\Admin\AppData\Local\Temp\c.wry

MD5 f23105c249da3c26204323e57a480cc1
SHA1 589fb350e5de7bcd4ee8d6911c8c8ee6d7fb906d
SHA256 abd1da62619d656b7a7d0f470692f173b0716d941801b26c5d63123e3c0d08c1
SHA512 2383a1edd0064cd1eb146d1d10cbd4fd212ef0efc6c68abed76ad7e0b701bef64a52ac505ead2b7b61b3780c322080b9b742764b6190636c7666587d086e67d7

C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

MD5 afa18cf4aa2660392111763fb93a8c3d
SHA1 c219a3654a5f41ce535a09f2a188a464c3f5baf5
SHA256 227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0
SHA512 4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

C:\Users\Admin\AppData\Local\Temp\00000000.res

MD5 bfbc496de4c2351715cc49be685d0811
SHA1 035abd38012423e5c092af6ec38ec94bda72dfd0
SHA256 394e72a56256bad395f35f8fc2a85c9edc6755a0137e67935895a050f88af9fe
SHA512 b834511ff79f4d498d09081ac31176095ae1f183f3f3636e43da92278280f8d61d189b10c89393f53e7706a2c96b9d0d989b21cc8d9daf95fe9118160d9fd7da

C:\Users\Admin\AppData\Local\Temp\m.wry

MD5 980b08bac152aff3f9b0136b616affa5
SHA1 2a9c9601ea038f790cc29379c79407356a3d25a3
SHA256 402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9
SHA512 100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

C:\Users\Admin\AppData\Local\Temp\00000000.res

MD5 8c5abea2bbd5c1c5a42685d3e2fb024c
SHA1 836e548196dfc0cd3cf3e930a9d17b0fa18fcd16
SHA256 00e1126ba0dc77ed769365aad17a8808d3fcfbab5d2b816a7c052d88c1794b5d
SHA512 6c98ecce8396aa91ec90dac8579bf7b1a1495341fc5ad38a8170df392c135c36fc706f89e6a238608c358f5146a7cd369cbb1a0370753e89b5435e7131995608