wannacry | 13702eff58f50601c6d71543c97a8231766b8ea59158a877bfb80e4d818846fe

Resubmissions

21/12/2024, 13:31

241221-qsc2wszqfs 10

21/12/2024, 13:23

241221-qmx5wazphw 10

Analysis

max time kernel
123s
max time network
126s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
21/12/2024, 13:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-12-21_3b1e6c1d2b8f29ef890672be8f013706_wannacry.exe
Size

5.0MB
MD5

3b1e6c1d2b8f29ef890672be8f013706
SHA1

1b3f55bba64074ae268857623844dc281ba9a7eb
SHA256

13702eff58f50601c6d71543c97a8231766b8ea59158a877bfb80e4d818846fe
SHA512

5bd53261b6eabe177189111c6b7607597d5936561ce502a31a539c28166f8cdd3ddb4d930f092928681547a6ddb8c148fa7f6fab31545031d8635e21e313c81b
SSDEEP

12288:eQbLgmluyQhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+DzUgZLHJ98kI:VbLguVQhfdmMSirYbcMNgef0yD8kI

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (2526) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	2024-12-21_3b1e6c1d2b8f29ef890672be8f013706_wannacry.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	2024-12-21_3b1e6c1d2b8f29ef890672be8f013706_wannacry.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	2024-12-21_3b1e6c1d2b8f29ef890672be8f013706_wannacry.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	2024-12-21_3b1e6c1d2b8f29ef890672be8f013706_wannacry.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	2024-12-21_3b1e6c1d2b8f29ef890672be8f013706_wannacry.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2040	1752	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-21_3b1e6c1d2b8f29ef890672be8f013706_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-21_3b1e6c1d2b8f29ef890672be8f013706_wannacry.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	2024-12-21_3b1e6c1d2b8f29ef890672be8f013706_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	2024-12-21_3b1e6c1d2b8f29ef890672be8f013706_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	2024-12-21_3b1e6c1d2b8f29ef890672be8f013706_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	2024-12-21_3b1e6c1d2b8f29ef890672be8f013706_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	2024-12-21_3b1e6c1d2b8f29ef890672be8f013706_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	2024-12-21_3b1e6c1d2b8f29ef890672be8f013706_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	2024-12-21_3b1e6c1d2b8f29ef890672be8f013706_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	2024-12-21_3b1e6c1d2b8f29ef890672be8f013706_wannacry.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2808	vlc.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

pid	Process
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2920	OpenWith.exe
2808	vlc.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	4700	taskmgr.exe
Token: SeSystemProfilePrivilege	4700	taskmgr.exe
Token: SeCreateGlobalPrivilege	4700	taskmgr.exe
Token: 33	4700	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4700	taskmgr.exe
Token: SeShutdownPrivilege	4788	unregmp2.exe
Token: SeCreatePagefilePrivilege	4788	unregmp2.exe
Token: SeShutdownPrivilege	1752	wmplayer.exe
Token: SeCreatePagefilePrivilege	1752	wmplayer.exe
Token: SeShutdownPrivilege	1800	wmplayer.exe
Token: SeCreatePagefilePrivilege	1800	wmplayer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe

Suspicious use of SetWindowsHookEx 51 IoCs

pid	Process
2920	OpenWith.exe
2920	OpenWith.exe
2920	OpenWith.exe
2920	OpenWith.exe
2920	OpenWith.exe
2920	OpenWith.exe
2920	OpenWith.exe
2920	OpenWith.exe
2920	OpenWith.exe
2920	OpenWith.exe
2920	OpenWith.exe
2920	OpenWith.exe
2920	OpenWith.exe
2920	OpenWith.exe
2920	OpenWith.exe
2920	OpenWith.exe
2920	OpenWith.exe
2920	OpenWith.exe
2920	OpenWith.exe
2920	OpenWith.exe
2920	OpenWith.exe
2920	OpenWith.exe
2920	OpenWith.exe
2920	OpenWith.exe
2920	OpenWith.exe
2340	OpenWith.exe
2340	OpenWith.exe
2340	OpenWith.exe
2340	OpenWith.exe
2340	OpenWith.exe
2340	OpenWith.exe
2340	OpenWith.exe
2340	OpenWith.exe
2340	OpenWith.exe
2340	OpenWith.exe
2340	OpenWith.exe
2340	OpenWith.exe
2340	OpenWith.exe
2340	OpenWith.exe
2340	OpenWith.exe
2340	OpenWith.exe
2340	OpenWith.exe
2340	OpenWith.exe
2340	OpenWith.exe
2340	OpenWith.exe
2340	OpenWith.exe
2340	OpenWith.exe
2340	OpenWith.exe
2340	OpenWith.exe
2340	OpenWith.exe
2808	vlc.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 1752	2920	OpenWith.exe	96
PID 2920 wrote to memory of 1752	2920	OpenWith.exe	96
PID 2920 wrote to memory of 1752	2920	OpenWith.exe	96
PID 1752 wrote to memory of 3308	1752	wmplayer.exe	98
PID 1752 wrote to memory of 3308	1752	wmplayer.exe	98
PID 1752 wrote to memory of 3308	1752	wmplayer.exe	98
PID 3308 wrote to memory of 4788	3308	unregmp2.exe	99
PID 3308 wrote to memory of 4788	3308	unregmp2.exe	99
PID 2340 wrote to memory of 2808	2340	OpenWith.exe	106
PID 2340 wrote to memory of 2808	2340	OpenWith.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-12-21_3b1e6c1d2b8f29ef890672be8f013706_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-21_3b1e6c1d2b8f29ef890672be8f013706_wannacry.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4600

C:\Users\Admin\AppData\Local\Temp\2024-12-21_3b1e6c1d2b8f29ef890672be8f013706_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-12-21_3b1e6c1d2b8f29ef890672be8f013706_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2576

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4700

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play "C:\Users\Admin\Desktop\ReceiveRedo.7z"
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\unregmp2.exe
    "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3308
  - - C:\Windows\system32\unregmp2.exe
      "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
      4⤵
      Enumerates connected drives
      Suspicious use of AdjustPrivilegeToken
      PID:4788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 2304
    3⤵
    - Program crash
    PID:2040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1752 -ip 1752
1⤵
PID:1288

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\RegisterStart.cr2"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2808

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
c374c25875887db7d072033f817b6ce1

SHA1
3a6d10268f30e42f973dadf044dba7497e05cdaf

SHA256
05d47b87b577841cc40db176ea634ec49b0b97066e192e1d48d84bb977e696b6

SHA512
6a14f81a300695c09cb335c13155144e562c86bb0ddfdcab641eb3a168877ad3fcc0579ad86162622998928378ea2ffe5a244b3ddbe6c11a959dbb34af374a7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
90ffaf244ffb223698377fb7e492a5d4

SHA1
34ac4e0a5c6523461e2eac2975e661f7e203ea99

SHA256
8aa8f754dc217161df3683fb8f9d2bbb8c44528b567e9b042566280e3a7f49f6

SHA512
3afec2e9f4c3bdd19267c7157db0a49cc08fcdf1deb2eb86e7bfcd92ea8c384e0516967482f320ad202e3c95126f27cadb7be15f4c16c1f748e5c9eeb744b87a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
26fcc4ad075985fcd1ba382b40e4bbd1

SHA1
8170f6a7e2e98136874232adeecaf5590b701e36

SHA256
16fb097c9b0ac1d1a806b513a340d746b2a913b58dc053f84bb8ee9a4c776765

SHA512
a72d0b4ea62be5850670fd05ab9d2bda13ad9e0533f49c26bb5c733de939f92217c632d4021be9512573b18454e67e126b835bb1cf56f473b0087bcfc5f4948e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
f7e0eb08d01deda586e3075085e5c46a

SHA1
086eae6304a6ce6f4164869f541e7872f645a809

SHA256
abf14fe1231145d7c81fcab5c5e2e22ca62c3b200b75eeb988c62b90fd34f78a

SHA512
3cecb93e9e349e1609712946f22ee602642fb2f67e3c7b0426fc829796108e10a7183ea1afdc62282a5ffbcdb214f8fe6a712683221336f7fdcb21ef000c256a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\lastplayed.wpl

Filesize
359B

MD5
079fedef89125bf151dafaf0be3d7f29

SHA1
8187f19628e674cb0231a7aa9033b7026c6447b5

SHA256
28bc3ffe66d64919ad3b05c8d918c0bb53f1faf894f357f08b8ce0aa3e69e55b

SHA512
ec51760f1bfb7dd323fe02d750e294d9712f463d5863a32dfe1a7eac8c8ef8e8a59ee9f5d784dd7a09124910d39fe35d53ff673cd47bdaaa2a0a3b6103a84d83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
3207be9b9e123c1c1fe3fb8fa974f99c

SHA1
e9ea5909c941874df5e74a09c8f40fdf39843e5b

SHA256
426f3848f2c0d20e4663f90acb0a55f3c9ed446f123fe122d61296fe12b66747

SHA512
17936f1f73639b086bb1ff04076e3aed890a7bc75a924ef1de18211c34140a55a0452e6d0aa77053953fe102a93dd57dc9cfcc121de66e1b4769a4db1903267a

Download Submit
memory/1800-91-0x00000000046B0000-0x00000000046C0000-memory.dmp

Filesize
64KB

Download
memory/1800-81-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/1800-99-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/1800-102-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/1800-68-0x0000000007470000-0x0000000007480000-memory.dmp

Filesize
64KB

Download
memory/1800-69-0x0000000007470000-0x0000000007480000-memory.dmp

Filesize
64KB

Download
memory/1800-70-0x00000000046B0000-0x00000000046C0000-memory.dmp

Filesize
64KB

Download
memory/1800-71-0x00000000046B0000-0x00000000046C0000-memory.dmp

Filesize
64KB

Download
memory/1800-72-0x00000000046B0000-0x00000000046C0000-memory.dmp

Filesize
64KB

Download
memory/1800-74-0x00000000046B0000-0x00000000046C0000-memory.dmp

Filesize
64KB

Download
memory/1800-73-0x00000000046B0000-0x00000000046C0000-memory.dmp

Filesize
64KB

Download
memory/1800-75-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/1800-76-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/1800-77-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/1800-79-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/1800-80-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/1800-78-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/1800-98-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/1800-82-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/1800-85-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/1800-86-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/1800-83-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/1800-84-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/1800-87-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/1800-88-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/1800-90-0x00000000046B0000-0x00000000046C0000-memory.dmp

Filesize
64KB

Download
memory/1800-89-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/1800-92-0x00000000046B0000-0x00000000046C0000-memory.dmp

Filesize
64KB

Download
memory/1800-101-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/1800-93-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/1800-96-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/1800-100-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/1800-94-0x0000000007470000-0x0000000007480000-memory.dmp

Filesize
64KB

Download
memory/1800-95-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/1800-97-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/2808-103-0x00007FF776AA0000-0x00007FF776B98000-memory.dmp

Filesize
992KB

Download
memory/2808-106-0x00007FFB72D20000-0x00007FFB72D38000-memory.dmp

Filesize
96KB

Download
memory/2808-116-0x00007FFB68BA0000-0x00007FFB68BC1000-memory.dmp

Filesize
132KB

Download
memory/2808-117-0x00007FFB68B80000-0x00007FFB68B98000-memory.dmp

Filesize
96KB

Download
memory/2808-104-0x00007FFB6A320000-0x00007FFB6A354000-memory.dmp

Filesize
208KB

Download
memory/2808-119-0x00007FFB68690000-0x00007FFB686A1000-memory.dmp

Filesize
68KB

Download
memory/2808-110-0x00007FFB69460000-0x00007FFB69471000-memory.dmp

Filesize
68KB

Download
memory/2808-112-0x00007FFB69370000-0x00007FFB69381000-memory.dmp

Filesize
68KB

Download
memory/2808-105-0x00007FFB599D0000-0x00007FFB59C86000-memory.dmp

Filesize
2.7MB

Download
memory/2808-109-0x00007FFB695D0000-0x00007FFB695E7000-memory.dmp

Filesize
92KB

Download
memory/2808-111-0x00007FFB69440000-0x00007FFB6945D000-memory.dmp

Filesize
116KB

Download
memory/2808-114-0x00007FFB692D0000-0x00007FFB69311000-memory.dmp

Filesize
260KB

Download
memory/2808-113-0x00007FFB595D0000-0x00007FFB597DB000-memory.dmp

Filesize
2.0MB

Download
memory/2808-108-0x00007FFB697B0000-0x00007FFB697C1000-memory.dmp

Filesize
68KB

Download
memory/2808-107-0x00007FFB70B40000-0x00007FFB70B57000-memory.dmp

Filesize
92KB

Download
memory/2808-120-0x00007FFB68670000-0x00007FFB68681000-memory.dmp

Filesize
68KB

Download
memory/2808-118-0x00007FFB68B60000-0x00007FFB68B71000-memory.dmp

Filesize
68KB

Download
memory/2808-121-0x00007FFB5FF10000-0x00007FFB5FF22000-memory.dmp

Filesize
72KB

Download
memory/2808-122-0x00000162D6DF0000-0x00000162D6F70000-memory.dmp

Filesize
1.5MB

Download
memory/4700-12-0x0000015E82DE0000-0x0000015E82DE1000-memory.dmp

Filesize
4KB

Download
memory/4700-6-0x0000015E82DE0000-0x0000015E82DE1000-memory.dmp

Filesize
4KB

Download
memory/4700-1-0x0000015E82DE0000-0x0000015E82DE1000-memory.dmp

Filesize
4KB

Download
memory/4700-2-0x0000015E82DE0000-0x0000015E82DE1000-memory.dmp

Filesize
4KB

Download
memory/4700-0-0x0000015E82DE0000-0x0000015E82DE1000-memory.dmp

Filesize
4KB

Download
memory/4700-11-0x0000015E82DE0000-0x0000015E82DE1000-memory.dmp

Filesize
4KB

Download
memory/4700-10-0x0000015E82DE0000-0x0000015E82DE1000-memory.dmp

Filesize
4KB

Download
memory/4700-9-0x0000015E82DE0000-0x0000015E82DE1000-memory.dmp

Filesize
4KB

Download
memory/4700-8-0x0000015E82DE0000-0x0000015E82DE1000-memory.dmp

Filesize
4KB

Download
memory/4700-7-0x0000015E82DE0000-0x0000015E82DE1000-memory.dmp

Filesize
4KB

Download