wannacry | 9e193fc6db98c706b8bf2f93ec6b73cb1170e2d785f9a2502a158874625d2c32

Resubmissions

27-10-2024 06:24

241027-g6basawarl 10

Analysis

max time kernel
207s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-10-2024 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe
Size

224KB
MD5

75031983cb851f3475c460a40797fe62
SHA1

4ee0238f082123aeb7642ea2e427f57cf4ee954a
SHA256

01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4
SHA512

635b72c7fb8d8b3818364a8a239941d4b4ec608f3d87ee966ce6abd599b847f2aee1e895d996391a1802a57afb41127fbc5e87020b5b280aca2066039e94ca36
SSDEEP

3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/Efc:+5RwTs/dSXj84mRXPemxdBlPvLzLe

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD71C8.tmp	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD71CF.tmp	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe

Executes dropped EXE 4 IoCs

pid	Process
1348	!WannaDecryptor!.exe
3668	!WannaDecryptor!.exe
3968	!WannaDecryptor!.exe
3316	!WannaDecryptor!.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe\" /r"	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
3276	taskkill.exe
3688	taskkill.exe
1860	taskkill.exe
732	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	mspaint.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4596	vlc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
436	mspaint.exe
436	mspaint.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4596	vlc.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	732	taskkill.exe
Token: SeDebugPrivilege	1860	taskkill.exe
Token: SeDebugPrivilege	3688	taskkill.exe
Token: SeDebugPrivilege	3276	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4064	WMIC.exe
Token: SeSecurityPrivilege	4064	WMIC.exe
Token: SeTakeOwnershipPrivilege	4064	WMIC.exe
Token: SeLoadDriverPrivilege	4064	WMIC.exe
Token: SeSystemProfilePrivilege	4064	WMIC.exe
Token: SeSystemtimePrivilege	4064	WMIC.exe
Token: SeProfSingleProcessPrivilege	4064	WMIC.exe
Token: SeIncBasePriorityPrivilege	4064	WMIC.exe
Token: SeCreatePagefilePrivilege	4064	WMIC.exe
Token: SeBackupPrivilege	4064	WMIC.exe
Token: SeRestorePrivilege	4064	WMIC.exe
Token: SeShutdownPrivilege	4064	WMIC.exe
Token: SeDebugPrivilege	4064	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4064	WMIC.exe
Token: SeRemoteShutdownPrivilege	4064	WMIC.exe
Token: SeUndockPrivilege	4064	WMIC.exe
Token: SeManageVolumePrivilege	4064	WMIC.exe
Token: 33	4064	WMIC.exe
Token: 34	4064	WMIC.exe
Token: 35	4064	WMIC.exe
Token: 36	4064	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4064	WMIC.exe
Token: SeSecurityPrivilege	4064	WMIC.exe
Token: SeTakeOwnershipPrivilege	4064	WMIC.exe
Token: SeLoadDriverPrivilege	4064	WMIC.exe
Token: SeSystemProfilePrivilege	4064	WMIC.exe
Token: SeSystemtimePrivilege	4064	WMIC.exe
Token: SeProfSingleProcessPrivilege	4064	WMIC.exe
Token: SeIncBasePriorityPrivilege	4064	WMIC.exe
Token: SeCreatePagefilePrivilege	4064	WMIC.exe
Token: SeBackupPrivilege	4064	WMIC.exe
Token: SeRestorePrivilege	4064	WMIC.exe
Token: SeShutdownPrivilege	4064	WMIC.exe
Token: SeDebugPrivilege	4064	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4064	WMIC.exe
Token: SeRemoteShutdownPrivilege	4064	WMIC.exe
Token: SeUndockPrivilege	4064	WMIC.exe
Token: SeManageVolumePrivilege	4064	WMIC.exe
Token: 33	4064	WMIC.exe
Token: 34	4064	WMIC.exe
Token: 35	4064	WMIC.exe
Token: 36	4064	WMIC.exe
Token: SeBackupPrivilege	5092	vssvc.exe
Token: SeRestorePrivilege	5092	vssvc.exe
Token: SeAuditPrivilege	5092	vssvc.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
3316	!WannaDecryptor!.exe
4596	vlc.exe
4596	vlc.exe
4596	vlc.exe
4596	vlc.exe
4596	vlc.exe
4596	vlc.exe
4596	vlc.exe
4596	vlc.exe
4596	vlc.exe
4596	vlc.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
4596	vlc.exe
4596	vlc.exe
4596	vlc.exe
4596	vlc.exe
4596	vlc.exe
4596	vlc.exe
4596	vlc.exe
4596	vlc.exe
4596	vlc.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1348	!WannaDecryptor!.exe
1348	!WannaDecryptor!.exe
3668	!WannaDecryptor!.exe
3668	!WannaDecryptor!.exe
3968	!WannaDecryptor!.exe
3968	!WannaDecryptor!.exe
3316	!WannaDecryptor!.exe
3316	!WannaDecryptor!.exe
436	mspaint.exe
2220	OpenWith.exe
4596	vlc.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 3680	4796	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	84
PID 4796 wrote to memory of 3680	4796	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	84
PID 4796 wrote to memory of 3680	4796	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	84
PID 3680 wrote to memory of 1932	3680	cmd.exe	86
PID 3680 wrote to memory of 1932	3680	cmd.exe	86
PID 3680 wrote to memory of 1932	3680	cmd.exe	86
PID 4796 wrote to memory of 1348	4796	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	90
PID 4796 wrote to memory of 1348	4796	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	90
PID 4796 wrote to memory of 1348	4796	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	90
PID 4796 wrote to memory of 3688	4796	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	91
PID 4796 wrote to memory of 3688	4796	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	91
PID 4796 wrote to memory of 3688	4796	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	91
PID 4796 wrote to memory of 1860	4796	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	92
PID 4796 wrote to memory of 1860	4796	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	92
PID 4796 wrote to memory of 1860	4796	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	92
PID 4796 wrote to memory of 732	4796	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	93
PID 4796 wrote to memory of 732	4796	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	93
PID 4796 wrote to memory of 732	4796	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	93
PID 4796 wrote to memory of 3276	4796	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	94
PID 4796 wrote to memory of 3276	4796	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	94
PID 4796 wrote to memory of 3276	4796	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	94
PID 4796 wrote to memory of 3668	4796	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	106
PID 4796 wrote to memory of 3668	4796	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	106
PID 4796 wrote to memory of 3668	4796	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	106
PID 4796 wrote to memory of 3756	4796	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	107
PID 4796 wrote to memory of 3756	4796	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	107
PID 4796 wrote to memory of 3756	4796	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	107
PID 3756 wrote to memory of 3968	3756	cmd.exe	109
PID 3756 wrote to memory of 3968	3756	cmd.exe	109
PID 3756 wrote to memory of 3968	3756	cmd.exe	109
PID 4796 wrote to memory of 3316	4796	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	111
PID 4796 wrote to memory of 3316	4796	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	111
PID 4796 wrote to memory of 3316	4796	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	111
PID 3968 wrote to memory of 1932	3968	!WannaDecryptor!.exe	114
PID 3968 wrote to memory of 1932	3968	!WannaDecryptor!.exe	114
PID 3968 wrote to memory of 1932	3968	!WannaDecryptor!.exe	114
PID 1932 wrote to memory of 4064	1932	cmd.exe	116
PID 1932 wrote to memory of 4064	1932	cmd.exe	116
PID 1932 wrote to memory of 4064	1932	cmd.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe
"C:\Users\Admin\AppData\Local\Temp\01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 98961729938885.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\Windows\SysWOW64\cscript.exe
    cscript //nologo c.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1932
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe f
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1348
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSExchange*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3688
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Microsoft.Exchange.*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1860
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlserver.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:732
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlwriter.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3276
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe c
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3668
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b !WannaDecryptor!.exe v
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3756
- - C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
    !WannaDecryptor!.exe v
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3968
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1932
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4064
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3316

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4384

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\CompleteReset.jpe" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:4360

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2220

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\ClearBlock.mpa"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\DCJGJO2N\3\57PGj0svtg0ZIpoZH9o5Ed_b31E.gz[1].js.WCRY

Filesize
10KB

MD5
efd554d0ace2ba72c21199dc293f62b1

SHA1
42ad35feeea78127ac13b2a513e1426288c2e6b5

SHA256
c4849e54c988824563292151ecd14b4dc14fbff2258ead7a3011a20601f3aa28

SHA512
4a436ccdc6c7d6dbe6c0eaed1d10ca9ac8cf3c2d964fdf05264336e2ca1f5bf189736c9e63f0e9c9f2bff4a992c632f4911b39103491713080c1245610d12f18

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662742439442.txt.WCRY

Filesize
77KB

MD5
6dad35beb31885a011e12829acb18dc6

SHA1
fd89a915818f64ba880b20d8cf6a06a881e18ce0

SHA256
876416ecaf746ae2b46ca54da17453666bfae3cefcb4864c0d300b70ace9a3bd

SHA512
252c61ca24bb557d7d5c62e71760bb251649ec7abcd05cb2276d8658e249cc2df8916e2f77db04ff4650f780b076ce9b505d22cf48b52b0782a38a9ddf58109a

Download Submit
C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

Filesize
1KB

MD5
7e555760c590947bf0e51aa60d600004

SHA1
984ccb94f667750bf14424f5568614d5a2439db0

SHA256
016fc0a8e8a8f2511f008b426b29240ca19435c5beb75f0cd55a7017f3e0e640

SHA512
c9bf13c14c80ff794d1aa0a40240530939b37c7079a839e3c0430b5ad8ef3a1e8a0ad79761f3753ebc035e586fd63a3101cad71faac18df70d46065990e311c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.eky

Filesize
1KB

MD5
69fe28efaaae2053a472634696cd9243

SHA1
0d375e34818b5eb29580c23e511fea131a0897ea

SHA256
237e1e51ef2e8d1d53d738cb14c5b56d3993b0fc9acd96d69dc58c8a14e62dae

SHA512
1966127fa5ed2502c8dfa96483ff11f9fb91a82e42bff59f5f6de25af312ffbdad0761faf9bb5a949e28a561a3cdd701e8c5c0c630cd9abfba29b9fa4fb0469b

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
e6e7aa04678c382c59e0b230e6608cb6

SHA1
cdd3b5fa8c170e1082b853aa3b4993a3f7c2d840

SHA256
70f5b4b0b21ddf5a13c7425d0590af6f3c5b4ff8d109dd132b9db24b7d7b6ec7

SHA512
2399db772135d495b761fe386734cf8544bb3677492d32224b66de6f7c0d1d7381473458dc7d1b0bb7aad303597d18955ac276289535ac8bc93283964bac6111

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
cadc6598c43573e71fc97fded850315e

SHA1
55693338ef5afd305acb16ab38b6fd110c9e56b2

SHA256
d4e1a33ed3d10100c169b0e16d9c13b082025b721c97d20a37a763d464cd324b

SHA512
676f81c9ab2f7b6cafe5d9918aed7f25e38436a200c0ef34e79e16ca12a59d642377ba8f449bd2b3b583558ea9173fc007185cdb3d23926c5c7c731880874c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
20f4b368260e5d1da64ad685a7dbc2ea

SHA1
fc8a803a81ac2971f4ccd283ea2bd51bc94fe9e1

SHA256
425e386e7a2c8ec60692e6bb4186ea3d178e38491cccce237947fe0c5e879cf8

SHA512
dc4fc17530bd5efae6bd1ac0858738529ee71d2585dcff396066149837fe06f7a36a555be57dea08de372c4609098eafbbc4ac1118517816f66bba0876c82881

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
0963858df24ec0ecbc9a2cb781cae040

SHA1
773ced958c28a5376688b0cf7e3a63c12c4049c0

SHA256
1ce3fe2984f182f5ecbeca6c8d9e2f3efd11701e35aac57500755f2ddb85eb5d

SHA512
7371eef9a76ab4eae4b704320c1dac477732bc60563b6138ee15618200a39f68bf43c7abd0205ccdffc457e67c39661b8ccde7938339ef7e357ce935713f979a

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
c19e265805234c8de9dd091e1901d331

SHA1
685850395e076663cefe92fbcc303d41276b6a04

SHA256
6ac38655c5582508afeb603e7ae3553ede10cc538161164eaee62bfca5895744

SHA512
4193985f18d61f0761ecff6d905b4f18714a03d5420dec20086cdc808116e23efccbbeedf277492adf51c7410069bef9023ca30a0aef81f281332fbd1b6ca32b

Download Submit
C:\Users\Admin\AppData\Local\Temp\98961729938885.bat

Filesize
336B

MD5
3540e056349c6972905dc9706cd49418

SHA1
492c20442d34d45a6d6790c720349b11ec591cde

SHA256
73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

SHA512
c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.vbs

Filesize
219B

MD5
5f6d40ca3c34b470113ed04d06a88ff4

SHA1
50629e7211ae43e32060686d6be17ebd492fd7aa

SHA256
0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

SHA512
4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry

Filesize
628B

MD5
8e8ba6c3dcabcd14264620efa0e77097

SHA1
3adc8c7e84e0488723d28ce64f36b76f3e4ca8db

SHA256
96bb8ecb4f6d64fce56514a64259a536442ac65f9d7e78879e2732a6a6e955a8

SHA512
05e0e9aa7bb735a38fbbe8a4426c9effb51d8eec6e9fc0d83e72bda95e28b760947699a6341b3f416ae6c6c15227ae16adbf2eb0d7a8bead03d7fa9e4d7e9100

Download Submit
C:\Users\Admin\AppData\Local\Temp\f.wry

Filesize
402B

MD5
571d6f2830fb320227756d9e44586568

SHA1
e9a10e8a61fa692cbb7c50a759cd646a71cba4ad

SHA256
df491a5ea284ade3ac6a3bf2c179ef0fe6365f318f66945b4615307b0d3c85f6

SHA512
8f5decfbf0924cb52a7fcd47b919254c6fe7582a8517d33056331af4eff5681523d352bd556311f6997188631cc73f80145c01ce742076101741696e6a1cfd1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\All Users\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db.WCRY

Filesize
289KB

MD5
f97ed3d3c84072a9e655ac24b6cdd86b

SHA1
b335b883c361eaf78e4c160172104519d592e782

SHA256
819925f1cf21ba73b6dbe089bb56d1b6f0a2ec23b474fa3c3b6961da09a376ea

SHA512
9714af5ce796819c0894e72e67ad20a6ed520ffb6a3397b647ed712fd3e097649222219d45c4728b32683112da3b1971703fdde0034f6d524e1a3734650dca20

Download Submit
memory/4360-1454-0x0000021998270000-0x0000021998271000-memory.dmp

Filesize
4KB

Download
memory/4360-1456-0x0000021998270000-0x0000021998271000-memory.dmp

Filesize
4KB

Download
memory/4360-1460-0x0000021998310000-0x0000021998311000-memory.dmp

Filesize
4KB

Download
memory/4360-1441-0x000002198F560000-0x000002198F570000-memory.dmp

Filesize
64KB

Download
memory/4360-1459-0x0000021998310000-0x0000021998311000-memory.dmp

Filesize
4KB

Download
memory/4360-1445-0x000002198F5A0000-0x000002198F5B0000-memory.dmp

Filesize
64KB

Download
memory/4360-1452-0x00000219981F0000-0x00000219981F1000-memory.dmp

Filesize
4KB

Download
memory/4360-1458-0x0000021998300000-0x0000021998301000-memory.dmp

Filesize
4KB

Download
memory/4360-1457-0x0000021998300000-0x0000021998301000-memory.dmp

Filesize
4KB

Download
memory/4596-1481-0x00007FFAFE5F0000-0x00007FFAFE624000-memory.dmp

Filesize
208KB

Download
memory/4596-1483-0x00007FFAEA8D0000-0x00007FFAEB980000-memory.dmp

Filesize
16.7MB

Download
memory/4596-1482-0x00007FFAEBB90000-0x00007FFAEBE46000-memory.dmp

Filesize
2.7MB

Download
memory/4596-1480-0x00007FF789280000-0x00007FF789378000-memory.dmp

Filesize
992KB

Download
memory/4796-6-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download