wannacry | 7587e15416957883b390afba98fedc4b4ff4ba7d111d9f03365b6a09b86d5d5c

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2024 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe
Size

3.6MB
MD5

d724d8cc6420f06e8a48752f0da11c66
SHA1

3b669778698972c402f7c149fc844d0ddb3a00e8
SHA256

07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd
SHA512

d771d74894e72402bbd016787fb102053678424205644bceec17ee3e7598e3f4aeb59b0f3272b5dbe1d26289f659024520653f57fc1bfe18054ffae4f188aef9
SSDEEP

98304:Z8qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2HI:Z8qPe1Cxcxk3ZAEUadzR8yc4HI

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3337) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 1 IoCs

pid	Process
1884	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\TIP	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\KeyboardLayout = "67699721"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\0409:00000409 = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\Languages = 65006e002d005500530000000000	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language\00000000 = "00000409"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowShiftLock = "1"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\CLSID = "{00000000-0000-0000-0000-000000000000}"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowCasing = "1"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\CachedLanguageName = "@Winlangdb.dll,-1121"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Substitutes	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\Profile = "{00000000-0000-0000-0000-000000000000}"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload\1 = "00000409"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "162"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\HiddenDummyLayouts	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	mspaint.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
4100	WINWORD.EXE
4100	WINWORD.EXE
3884	vlc.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
3340	mspaint.exe
3340	mspaint.exe
3516	mspaint.exe
3516	mspaint.exe
3464	mspaint.exe
3464	mspaint.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
116	msedge.exe
116	msedge.exe
1928	msedge.exe
1928	msedge.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
544	identity_helper.exe
544	identity_helper.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3884	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3536	LogonUI.exe
Token: SeCreatePagefilePrivilege	3536	LogonUI.exe
Token: SeDebugPrivilege	212	Taskmgr.exe
Token: SeSystemProfilePrivilege	212	Taskmgr.exe
Token: SeCreateGlobalPrivilege	212	Taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3884	vlc.exe
3884	vlc.exe
3884	vlc.exe
3884	vlc.exe
3884	vlc.exe
3884	vlc.exe
3884	vlc.exe
3884	vlc.exe
3884	vlc.exe
3884	vlc.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3884	vlc.exe
3884	vlc.exe
3884	vlc.exe
3884	vlc.exe
3884	vlc.exe
3884	vlc.exe
3884	vlc.exe
3884	vlc.exe
3884	vlc.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
212	Taskmgr.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
3340	mspaint.exe
5032	OpenWith.exe
3516	mspaint.exe
4076	OpenWith.exe
3464	mspaint.exe
3464	mspaint.exe
3464	mspaint.exe
3464	mspaint.exe
4100	WINWORD.EXE
4100	WINWORD.EXE
4100	WINWORD.EXE
4100	WINWORD.EXE
4100	WINWORD.EXE
4100	WINWORD.EXE
4100	WINWORD.EXE
4100	WINWORD.EXE
4100	WINWORD.EXE
4100	WINWORD.EXE
4100	WINWORD.EXE
4100	WINWORD.EXE
4100	WINWORD.EXE
3884	vlc.exe
3536	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 212	4808	launchtm.exe	127
PID 4808 wrote to memory of 212	4808	launchtm.exe	127
PID 1928 wrote to memory of 380	1928	msedge.exe	129
PID 1928 wrote to memory of 380	1928	msedge.exe	129
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 3048	1928	msedge.exe	130
PID 1928 wrote to memory of 116	1928	msedge.exe	131
PID 1928 wrote to memory of 116	1928	msedge.exe	131
PID 1928 wrote to memory of 1984	1928	msedge.exe	132
PID 1928 wrote to memory of 1984	1928	msedge.exe	132
PID 1928 wrote to memory of 1984	1928	msedge.exe	132
PID 1928 wrote to memory of 1984	1928	msedge.exe	132
PID 1928 wrote to memory of 1984	1928	msedge.exe	132
PID 1928 wrote to memory of 1984	1928	msedge.exe	132
PID 1928 wrote to memory of 1984	1928	msedge.exe	132
PID 1928 wrote to memory of 1984	1928	msedge.exe	132
PID 1928 wrote to memory of 1984	1928	msedge.exe	132
PID 1928 wrote to memory of 1984	1928	msedge.exe	132
PID 1928 wrote to memory of 1984	1928	msedge.exe	132
PID 1928 wrote to memory of 1984	1928	msedge.exe	132
PID 1928 wrote to memory of 1984	1928	msedge.exe	132
PID 1928 wrote to memory of 1984	1928	msedge.exe	132
PID 1928 wrote to memory of 1984	1928	msedge.exe	132
PID 1928 wrote to memory of 1984	1928	msedge.exe	132
PID 1928 wrote to memory of 1984	1928	msedge.exe	132
PID 1928 wrote to memory of 1984	1928	msedge.exe	132

C:\Users\Admin\AppData\Local\Temp\07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe
"C:\Users\Admin\AppData\Local\Temp\07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1452
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:1884

C:\Users\Admin\AppData\Local\Temp\07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe
C:\Users\Admin\AppData\Local\Temp\07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe -m security
1⤵
- System Location Discovery: System Language Discovery
PID:244

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\MoveNew.jpg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3340

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:4144

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5032

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\SubmitOpen.png" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3516

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4076

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\CompleteShow.bmp"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:716

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ConfirmRead.odt"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4100

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UnprotectCompare.M2T"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3884

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3880055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3536

C:\Windows\system32\launchtm.exe
launchtm.exe /3
1⤵
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\System32\Taskmgr.exe
  "C:\Windows\System32\Taskmgr.exe" /3
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.bing.com/search?q=mssecsvc2.0 Microsoft Security Center (2.0) Service"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd4d9746f8,0x7ffd4d974708,0x7ffd4d974718
  2⤵
  PID:380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,4177208898110301479,13929739665958586321,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1996 /prefetch:2
  2⤵
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,4177208898110301479,13929739665958586321,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2512 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,4177208898110301479,13929739665958586321,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
  2⤵
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4177208898110301479,13929739665958586321,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4177208898110301479,13929739665958586321,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:3768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4177208898110301479,13929739665958586321,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:2672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4177208898110301479,13929739665958586321,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:724
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,4177208898110301479,13929739665958586321,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,4177208898110301479,13929739665958586321,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8e453b0eae2ff14cad6aef0fc506dfa3

SHA1
ce98e92a5f0a02cdfadaf382badb1772313393fd

SHA256
743a8abf07f50acc44e11658e57d8a31de10ee39cd4a7522b3bd30f0bfd9c1e5

SHA512
4ecb6115c5d5684b8f74f55b8df56aef0961593b2c0a82b2fbf5b209fc1dba906fe9dc382b152a1d25d3abfc987effa2b188c81b4da54199e93e4d4008d4f934

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
d066da94d7871795a79e0dcf6a577738

SHA1
5ed8a6b25a862ada9f87ef473ebbc17db5506526

SHA256
4eaac2a2c5551b86266e3fcdec4ee135b3b58e1f29c8a00e6c3702c5bd059686

SHA512
07572673b90c2df424256f5363d3fa4b6984fea1e23c111ab2d6a2e1fb2bdbfbea3a2dca6750f67e49c304a8db212ee854f9e43efd7fcb368a492957fadd0a01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
441512c6eb540710b309d6334878a1c9

SHA1
b186d9481df28980f800fccb915c21b1ee20ebcf

SHA256
ceb7957778c831466b1dcb9e3194250ae3fece50721daa3aa030f02188702386

SHA512
259bcc3746ecc00f5c9e6353db727aa8da84021493d96441be675174ec0a2ec95fffb6aebccbe9f4c5365d1fce13eeaab1f0bcbfffd0e9963b1c32edf581e2eb

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit
memory/212-82-0x00000164705F0000-0x00000164705F1000-memory.dmp

Filesize
4KB

Download
memory/212-86-0x00000164705F0000-0x00000164705F1000-memory.dmp

Filesize
4KB

Download
memory/212-80-0x00000164705F0000-0x00000164705F1000-memory.dmp

Filesize
4KB

Download
memory/212-89-0x00000164705F0000-0x00000164705F1000-memory.dmp

Filesize
4KB

Download
memory/212-90-0x00000164705F0000-0x00000164705F1000-memory.dmp

Filesize
4KB

Download
memory/212-91-0x00000164705F0000-0x00000164705F1000-memory.dmp

Filesize
4KB

Download
memory/212-92-0x00000164705F0000-0x00000164705F1000-memory.dmp

Filesize
4KB

Download
memory/212-88-0x00000164705F0000-0x00000164705F1000-memory.dmp

Filesize
4KB

Download
memory/212-87-0x00000164705F0000-0x00000164705F1000-memory.dmp

Filesize
4KB

Download
memory/212-81-0x00000164705F0000-0x00000164705F1000-memory.dmp

Filesize
4KB

Download
memory/3884-76-0x00007FF7CCAA0000-0x00007FF7CCB98000-memory.dmp

Filesize
992KB

Download
memory/3884-79-0x00007FFD32F40000-0x00007FFD33FF0000-memory.dmp

Filesize
16.7MB

Download
memory/3884-78-0x00007FFD34200000-0x00007FFD344B6000-memory.dmp

Filesize
2.7MB

Download
memory/3884-77-0x00007FFD459B0000-0x00007FFD459E4000-memory.dmp

Filesize
208KB

Download
memory/4100-27-0x00007FFD14790000-0x00007FFD147A0000-memory.dmp

Filesize
64KB

Download
memory/4100-62-0x00007FFD14790000-0x00007FFD147A0000-memory.dmp

Filesize
64KB

Download
memory/4100-63-0x00007FFD14790000-0x00007FFD147A0000-memory.dmp

Filesize
64KB

Download
memory/4100-61-0x00007FFD14790000-0x00007FFD147A0000-memory.dmp

Filesize
64KB

Download
memory/4100-60-0x00007FFD14790000-0x00007FFD147A0000-memory.dmp

Filesize
64KB

Download
memory/4100-31-0x00007FFD11E30000-0x00007FFD11E40000-memory.dmp

Filesize
64KB

Download
memory/4100-30-0x00007FFD11E30000-0x00007FFD11E40000-memory.dmp

Filesize
64KB

Download
memory/4100-29-0x00007FFD14790000-0x00007FFD147A0000-memory.dmp

Filesize
64KB

Download
memory/4100-25-0x00007FFD14790000-0x00007FFD147A0000-memory.dmp

Filesize
64KB

Download
memory/4100-28-0x00007FFD14790000-0x00007FFD147A0000-memory.dmp

Filesize
64KB

Download
memory/4100-26-0x00007FFD14790000-0x00007FFD147A0000-memory.dmp

Filesize
64KB

Download
memory/4144-22-0x000002EF6C8E0000-0x000002EF6C8E1000-memory.dmp

Filesize
4KB

Download
memory/4144-21-0x000002EF6C8E0000-0x000002EF6C8E1000-memory.dmp

Filesize
4KB

Download
memory/4144-20-0x000002EF6C8D0000-0x000002EF6C8D1000-memory.dmp

Filesize
4KB

Download
memory/4144-19-0x000002EF6C8D0000-0x000002EF6C8D1000-memory.dmp

Filesize
4KB

Download
memory/4144-18-0x000002EF6C840000-0x000002EF6C841000-memory.dmp

Filesize
4KB

Download
memory/4144-16-0x000002EF6C840000-0x000002EF6C841000-memory.dmp

Filesize
4KB

Download
memory/4144-14-0x000002EF6C7C0000-0x000002EF6C7C1000-memory.dmp

Filesize
4KB

Download
memory/4144-4-0x000002EF63B40000-0x000002EF63B50000-memory.dmp

Filesize
64KB

Download
memory/4144-7-0x000002EF63B80000-0x000002EF63B90000-memory.dmp

Filesize
64KB

Download