neshta | 52e6033b88774fb82f111442886751a107a636d9e0c8b392aee4e19340dc656c

Resubmissions

08/02/2025, 11:45

250208-nw1k9atpfr 10

07/02/2025, 17:25

250207-vzm8nazmdz 10

Analysis

max time kernel
899s
max time network
899s
platform
windows11-21h2_x64
resource
win11-20250207-en
resource tags

arch:x64arch:x86image:win11-20250207-enlocale:en-usos:windows11-21h2-x64system
submitted
08/02/2025, 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
Size

264KB
MD5

a17fe664009d09499b6931cf2e0f8435
SHA1

0dada95eb81bb92961093e1871124b5ee3d924f3
SHA256

52e6033b88774fb82f111442886751a107a636d9e0c8b392aee4e19340dc656c
SHA512

268f4f841e18b90b107a64c263b71a6cad4234c4f36258efee638f1d61005d7d75c1c1d9b752e19e2a6a456a6ad003419633f9b1fc1538323d975ba4e1877e22
SSDEEP

3072:sr85CcTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/Efcx59femWRJ:k9cTs/dSXj84mRXPemxdBlPvLzLek5RJ

Score

10^/10

neshta wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\3582-490\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Detect Neshta payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0006000000027b85-42.dat	family_neshta
behavioral1/memory/4852-1441-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/4852-1460-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/4852-1462-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD4E82.tmp	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD4E99.tmp	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe

Executes dropped EXE 5 IoCs

pid	Process
2076	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
2760	!WannaDecryptor!.exe
1504	!WannaDecryptor!.exe
1028	!WannaDecryptor!.exe
3448	!WannaDecryptor!.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\3582-490\\2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe\" /r"	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2264884063-4143212895-593737147-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\133030~1.51\elevation_service.exe	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateComRegisterShell64.exe	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\133030~1.51\msedgewebview2.exe	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\PWAHEL~1.EXE	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\132029~1.140\ELEVAT~1.EXE	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\msedge.exe	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\132029~1.140\IDENTI~1.EXE	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateSetup.exe	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\MSEDGE~1.EXE	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\133030~1.51\msedge_proxy.exe	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\133030~1.51\msedge_pwa_launcher.exe	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\132029~1.140\BHO\IE_TO_~1.EXE	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\132029~1.140\INSTAL~1\setup.exe	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\132029~1.140\PWAHEL~1.EXE	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.43\MICROS~1.EXE	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.43\MI9C33~1.EXE	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MICROS~1.EXE	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.43\MI391D~1.EXE	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\133030~1.51\elevated_tracing_service.exe	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\133030~1.51\identity_helper.exe	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\132029~1.140\MSEDGE~3.EXE	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.43\MICROS~3.EXE	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.43\MICROS~2.EXE	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\132029~1.140\msedge.exe	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\133030~1.51\pwahelper.exe	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\132029~1.140\COOKIE~1.EXE	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\132029~1.140\MSEDGE~1.EXE	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\132029~1.140\MSEDGE~2.EXE	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wermgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5036	MicrosoftEdgeUpdate.exe
4168	MicrosoftEdgeUpdate.exe
2488	MicrosoftEdgeUpdate.exe
2560	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Kills process with taskkill 4 IoCs

defense_evasion

pid	Process
4372	taskkill.exe
968	taskkill.exe
3968	taskkill.exe
3448	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1108	MicrosoftEdgeUpdate.exe
1108	MicrosoftEdgeUpdate.exe
1108	MicrosoftEdgeUpdate.exe
1108	MicrosoftEdgeUpdate.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	4372	taskkill.exe
Token: SeDebugPrivilege	3448	taskkill.exe
Token: SeDebugPrivilege	3968	taskkill.exe
Token: SeDebugPrivilege	968	taskkill.exe
Token: SeIncreaseQuotaPrivilege	680	WMIC.exe
Token: SeSecurityPrivilege	680	WMIC.exe
Token: SeTakeOwnershipPrivilege	680	WMIC.exe
Token: SeLoadDriverPrivilege	680	WMIC.exe
Token: SeSystemProfilePrivilege	680	WMIC.exe
Token: SeSystemtimePrivilege	680	WMIC.exe
Token: SeProfSingleProcessPrivilege	680	WMIC.exe
Token: SeIncBasePriorityPrivilege	680	WMIC.exe
Token: SeCreatePagefilePrivilege	680	WMIC.exe
Token: SeBackupPrivilege	680	WMIC.exe
Token: SeRestorePrivilege	680	WMIC.exe
Token: SeShutdownPrivilege	680	WMIC.exe
Token: SeDebugPrivilege	680	WMIC.exe
Token: SeSystemEnvironmentPrivilege	680	WMIC.exe
Token: SeRemoteShutdownPrivilege	680	WMIC.exe
Token: SeUndockPrivilege	680	WMIC.exe
Token: SeManageVolumePrivilege	680	WMIC.exe
Token: 33	680	WMIC.exe
Token: 34	680	WMIC.exe
Token: 35	680	WMIC.exe
Token: 36	680	WMIC.exe
Token: SeIncreaseQuotaPrivilege	680	WMIC.exe
Token: SeSecurityPrivilege	680	WMIC.exe
Token: SeTakeOwnershipPrivilege	680	WMIC.exe
Token: SeLoadDriverPrivilege	680	WMIC.exe
Token: SeSystemProfilePrivilege	680	WMIC.exe
Token: SeSystemtimePrivilege	680	WMIC.exe
Token: SeProfSingleProcessPrivilege	680	WMIC.exe
Token: SeIncBasePriorityPrivilege	680	WMIC.exe
Token: SeCreatePagefilePrivilege	680	WMIC.exe
Token: SeBackupPrivilege	680	WMIC.exe
Token: SeRestorePrivilege	680	WMIC.exe
Token: SeShutdownPrivilege	680	WMIC.exe
Token: SeDebugPrivilege	680	WMIC.exe
Token: SeSystemEnvironmentPrivilege	680	WMIC.exe
Token: SeRemoteShutdownPrivilege	680	WMIC.exe
Token: SeUndockPrivilege	680	WMIC.exe
Token: SeManageVolumePrivilege	680	WMIC.exe
Token: 33	680	WMIC.exe
Token: 34	680	WMIC.exe
Token: 35	680	WMIC.exe
Token: 36	680	WMIC.exe
Token: SeBackupPrivilege	4160	vssvc.exe
Token: SeRestorePrivilege	4160	vssvc.exe
Token: SeAuditPrivilege	4160	vssvc.exe
Token: SeDebugPrivilege	1108	MicrosoftEdgeUpdate.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2760	!WannaDecryptor!.exe
2760	!WannaDecryptor!.exe
1504	!WannaDecryptor!.exe
1504	!WannaDecryptor!.exe
1028	!WannaDecryptor!.exe
1028	!WannaDecryptor!.exe
3448	!WannaDecryptor!.exe
3448	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 2076	4852	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe	89
PID 4852 wrote to memory of 2076	4852	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe	89
PID 4852 wrote to memory of 2076	4852	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe	89
PID 2076 wrote to memory of 4252	2076	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe	90
PID 2076 wrote to memory of 4252	2076	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe	90
PID 2076 wrote to memory of 4252	2076	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe	90
PID 4252 wrote to memory of 3024	4252	cmd.exe	92
PID 4252 wrote to memory of 3024	4252	cmd.exe	92
PID 4252 wrote to memory of 3024	4252	cmd.exe	92
PID 2076 wrote to memory of 2760	2076	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe	93
PID 2076 wrote to memory of 2760	2076	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe	93
PID 2076 wrote to memory of 2760	2076	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe	93
PID 2076 wrote to memory of 968	2076	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe	94
PID 2076 wrote to memory of 968	2076	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe	94
PID 2076 wrote to memory of 968	2076	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe	94
PID 2076 wrote to memory of 3968	2076	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe	95
PID 2076 wrote to memory of 3968	2076	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe	95
PID 2076 wrote to memory of 3968	2076	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe	95
PID 2076 wrote to memory of 3448	2076	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe	96
PID 2076 wrote to memory of 3448	2076	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe	96
PID 2076 wrote to memory of 3448	2076	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe	96
PID 2076 wrote to memory of 4372	2076	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe	97
PID 2076 wrote to memory of 4372	2076	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe	97
PID 2076 wrote to memory of 4372	2076	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe	97
PID 2076 wrote to memory of 1504	2076	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe	105
PID 2076 wrote to memory of 1504	2076	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe	105
PID 2076 wrote to memory of 1504	2076	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe	105
PID 2076 wrote to memory of 4444	2076	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe	106
PID 2076 wrote to memory of 4444	2076	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe	106
PID 2076 wrote to memory of 4444	2076	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe	106
PID 4444 wrote to memory of 1028	4444	cmd.exe	108
PID 4444 wrote to memory of 1028	4444	cmd.exe	108
PID 4444 wrote to memory of 1028	4444	cmd.exe	108
PID 2076 wrote to memory of 3448	2076	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe	110
PID 2076 wrote to memory of 3448	2076	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe	110
PID 2076 wrote to memory of 3448	2076	2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe	110
PID 1028 wrote to memory of 1884	1028	!WannaDecryptor!.exe	113
PID 1028 wrote to memory of 1884	1028	!WannaDecryptor!.exe	113
PID 1028 wrote to memory of 1884	1028	!WannaDecryptor!.exe	113
PID 1884 wrote to memory of 680	1884	cmd.exe	115
PID 1884 wrote to memory of 680	1884	cmd.exe	115
PID 1884 wrote to memory of 680	1884	cmd.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Users\Admin\AppData\Local\Temp\3582-490\2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 230121739015219.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4252
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo c.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:3024
- - C:\Users\Admin\AppData\Local\Temp\3582-490\!WannaDecryptor!.exe
    !WannaDecryptor!.exe f
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2760
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:968
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3968
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3448
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4372
- - C:\Users\Admin\AppData\Local\Temp\3582-490\!WannaDecryptor!.exe
    !WannaDecryptor!.exe c
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1504
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b !WannaDecryptor!.exe v
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4444
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\!WannaDecryptor!.exe
      !WannaDecryptor!.exe v
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1028
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1884
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:680
- - C:\Users\Admin\AppData\Local\Temp\3582-490\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=4604,i,7464307188933850489,15236699521480268900,262144 --variations-seed-version --mojo-platform-channel-handle=1908 /prefetch:14
1⤵
PID:1016

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NTBBMjNBREYtOTIzQS00RTRDLUFBRkQtQ0E5QkM3QUE3QTY1fSIgdXNlcmlkPSJ7QjBFQzQxMjktODYyRS00QzExLTkyQjQtRDU1QjY1RUEzNTQ1fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7Qjk1MDA5NjMtMDUzQy00RjgzLUE5NTktOUQzMjQ2Qzk2RDBGfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRldGltZT0iMTczODk1NjQ2OSIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNDI5MTM1MzQ4MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUyODYyODc0MTIiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2560

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "3852" "1260" "1156" "1272" "0" "0" "0" "0" "0" "0" "0" "0"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:3284

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NTBBMjNBREYtOTIzQS00RTRDLUFBRkQtQ0E5QkM3QUE3QTY1fSIgdXNlcmlkPSJ7QjBFQzQxMjktODYyRS00QzExLTkyQjQtRDU1QjY1RUEzNTQ1fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins0M0Y1NjQ5RC1GN0Y5LTREMjktQTJGMy00QzY4MkU0NUMwODh9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtFK3hiQXo2WTZzVTEyODliUzZxbDRWUkxia2pmQlVHVE1Kc2pySHI0NGlJPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSIxMzMuMC4zMDY1LjUxIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgaW5zdGFsbGRhdGV0aW1lPSIxNzM4OTU1OTg2Ij48ZXZlbnQgZXZlbnR0eXBlPSIzMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iNCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTQ5MDM0OTcwNCIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:5036

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NTBBMjNBREYtOTIzQS00RTRDLUFBRkQtQ0E5QkM3QUE3QTY1fSIgdXNlcmlkPSJ7QjBFQzQxMjktODYyRS00QzExLTkyQjQtRDU1QjY1RUEzNTQ1fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9InsyODFEMThGRi1ENDk4LTQxQzUtODE1Ri1DMkQ0NEU5MjBGMEV9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtFK3hiQXo2WTZzVTEyODliUzZxbDRWUkxia2pmQlVHVE1Kc2pySHI0NGlJPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjQzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgY29ob3J0PSJycmZAMC42MCI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIxIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9IntFRTgzQjkzNS0yMTBGLTRFNzktOTg3OS02MTAzNjcwMTFGRTV9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjEzMy4wLjMwNjUuNTEiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iMCIgb29iZV9pbnN0YWxsX3RpbWU9IjE4NDQ2NzQ0MDczNzA5NTUxNjA2IiB1cGRhdGVfY291bnQ9IjEiIGxhc3RfbGF1bmNoX2NvdW50PSIxIiBsYXN0X2xhdW5jaF90aW1lPSIxMzM4MzQzMTkyNDk4Nzc5NTAiPjx1cGRhdGVjaGVjay8-PHBpbmcgYWN0aXZlPSIxIiBhPSIxIiByPSIxIiBhZD0iNjYxMiIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7MUJEQjBFOUUtOUMzQy00MDMwLTlEMjEtNkNDREQxMTlEMkFBfSIvPjwvYXBwPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIxMzIuMC4yOTU3LjE0MCIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGNvaG9ydD0icnJmQDAuNDMiIHVwZGF0ZV9jb3VudD0iMSI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIxIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9InswNzM0NEQxMi1BNEY0LTQ4OTQtQkM3My00QkZEQzBFNkJDQzF9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=5508,i,7464307188933850489,15236699521480268900,262144 --variations-seed-version --mojo-platform-channel-handle=3092 /prefetch:14
1⤵
PID:856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=2708,i,7464307188933850489,15236699521480268900,262144 --variations-seed-version --mojo-platform-channel-handle=5232 /prefetch:14
1⤵
PID:3164

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7N0QxMDcwMjYtNjBGQi00MkQyLUJGNTctQjczMkY1RDhCQTIyfSIgdXNlcmlkPSJ7QjBFQzQxMjktODYyRS00QzExLTkyQjQtRDU1QjY1RUEzNTQ1fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9InszQ0U3N0NGNy00RTgwLTQ2MTEtOTIwQy1CREM4QzQxRjNCMzl9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtFK3hiQXo2WTZzVTEyODliUzZxbDRWUkxia2pmQlVHVE1Kc2pySHI0NGlJPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjQzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgY29ob3J0PSJycmZAMC42MCI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIxIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9IntFRTgzQjkzNS0yMTBGLTRFNzktOTg3OS02MTAzNjcwMTFGRTV9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjEzMy4wLjMwNjUuNTEiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iMCIgb29iZV9pbnN0YWxsX3RpbWU9IjE4NDQ2NzQ0MDczNzA5NTUxNjA2IiB1cGRhdGVfY291bnQ9IjEiIGxhc3RfbGF1bmNoX2NvdW50PSIxIiBsYXN0X2xhdW5jaF90aW1lPSIxMzM4MzQzMTkyNDk4Nzc5NTAiPjx1cGRhdGVjaGVjay8-PHBpbmcgYWN0aXZlPSIxIiBhPSIxIiByPSIxIiBhZD0iNjYxMiIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7MUJEQjBFOUUtOUMzQy00MDMwLTlEMjEtNkNDREQxMTlEMkFBfSIvPjwvYXBwPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIxMzIuMC4yOTU3LjE0MCIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGNvaG9ydD0icnJmQDAuNDMiIHVwZGF0ZV9jb3VudD0iMSI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIxIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9InswNzM0NEQxMi1BNEY0LTQ4OTQtQkM3My00QkZEQzBFNkJDQzF9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
353KB

MD5
30b79a802b14afe0a8219b8855f5c334

SHA1
c28ae9af40748bd04cf5019aba90373458985cba

SHA256
81dd4cfbfa3b86be9878981579862ce2e75f8c2aa76ae0cabae9aefa536095ea

SHA512
b5ce86f90185d2d97524cd01b6b0680df15ac189ca2e6b9ab4af4453609f73f56ea0db4c9f2ba5caf85f033ea22adb8b9e9c790c0ac130517311a8d7d93d07c9

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
392KB

MD5
ba0b157592ed7838477df6ee87890bf2

SHA1
957e235a77a8933db65e7a15931d435aff977180

SHA256
67036d88ebb74eaeeade328871b3068aa446c3083b87abf5e37673c356190668

SHA512
e5a380ab6902e48cb8c5df690c2fd25471b0834a20ae4cee082133cbc297d37e20eb53131e2016678e6ee71e879788daec8a9b29cee14c7b3ed512c45499bc00

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
409KB

MD5
c5fc95b12cdcb55652a2fbe9ea756d0c

SHA1
6db149bf237a30b4145e7bf1a90c96b32ab4a675

SHA256
01334595ab2e5aa0439d905f3eaadb7a7d2ab2785a32e1c702b0714da7492156

SHA512
3974afe8d5e7515ee33007d00cb76069433f560cba88ff400d7743e37d9325e639ac2b33cdb36e249f0e6aeb37f5b49092ebd207ead76feb5afd40578157b3cb

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
443KB

MD5
c22b57cd01053312aa401ded50dbe18e

SHA1
e7fd6cc9fcbf4055624f7f5faf90f0adbaedee98

SHA256
7ac6e1042f7a092738e40c099db65364c77849f7a95f051b637b3262017e0afe

SHA512
af1ba6d7ef97564b8116133e2a52d37cef967f8b10e9f91a6bba9b559bcc18208ea87ea18b695a43454315fce93f74ada8b1874df30aae45b13031e1da30c37e

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
449KB

MD5
e31bca29b4e3c85ef18fc98e5a98a7f9

SHA1
62b081adc97197d8c39bd1938cf96cdb7e65155d

SHA256
d87718695328889f09efbb8fcd9020586bff9af2aec69ca4e824e7e7bb25a303

SHA512
1ff44cb550bd519027249db54860e86b684f8f73b7523b920052f0137e00db8b1ba00b714a9a4b2c4f1b0e267cdc40ffc9589005118e622cceb018e94c3c749d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\!WannaDecryptor!.exe.lnk

Filesize
1KB

MD5
063679fbda3bc1fe697bc08d55e80f5e

SHA1
8cb481bc678abcac2f4ad93057dea7ffff736683

SHA256
565221d0c9742639c3cffa64d65a90e03b402a8a0bfa123de0d0855844b47b7a

SHA512
0de899c8d1f638f849bb474ad4132b403a673a38e5a43eed5f1a2fc5f5b7e6bddd4c5b312807e211b25d1ba8dfeb3c648defea8275482936baf40e5f0256c078

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\00000000.res

Filesize
136B

MD5
6ceb19a0a1e946f8e9f5773d7f42a286

SHA1
0f2dd3a0808ec9ea660832a975fdea0067c713eb

SHA256
ef1cf39f65c61f9af31083d0f94ebebaf8677fc7b59e808183f350d5a72df572

SHA512
c904d1e3e2f80367c637144de6425f78e00225f1499116d1713d20ca39990194bbf5e1894d50f4c05c7b299d8824cca4bd12df0e2a4e6c9e250f8b3d95e35b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\00000000.res

Filesize
136B

MD5
b119aba78394249350fe210d60c46d5a

SHA1
9e29072b29483a66d8af0c152f1f5145dc5442f8

SHA256
957de9a3ada7ab699c9477149ac4ed050c5e7c49375aaa9aece02cf12b518e0d

SHA512
5f4b8a68b6985e411aa2bfe805381e3ae88b6f24160489aaa69348e099071b5c0bd4c308fdfd063de3d02d0cfa74a0f264ca0a2c145a58c42b484f47012a20db

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\00000000.res

Filesize
136B

MD5
ea7b3f841c8178c9c9f1016ce825d0bf

SHA1
7f6bf47cd5efa59e05e27f745f7b8e78060e8984

SHA256
841bf766057934afc33ae6cdf94b08ffce3e4278ff26f25dd41800bbc57cfbfe

SHA512
c98c5a8594314a70a25cf868999d308bf036990e7f2dc38cd39102c46c1052f6cd77dbd450b00ff56f1752d034fc5a050b1bb661d423f7b9070751aad3dbfed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\2025-02-07_a17fe664009d09499b6931cf2e0f8435_neshta_wannacry.exe

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\230121739015219.bat

Filesize
354B

MD5
6d4f091dae839509e203fe732c9aac38

SHA1
8235dbb5ef56f9f8fa3666b9aeb7856590788e0d

SHA256
d5c61eaf3f234de113090bf36ea5a858add36c251ee9556133d83024d2c0e8b9

SHA512
65212bcb989a91b0247580623a7ba23ffa5f2de814db41bf513d364650bfda1fb604ec98b84e4ec7c93389946e7b7e693e184a028c696d8af2ae38f1561ce60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\c.vbs

Filesize
237B

MD5
93364e70cef148372c3e67eeeb3f8d79

SHA1
6944b2bcde0c29886ec6d4f441a6f556e7232801

SHA256
311019f2b79e286b9fa39f48820d0fc22efabec7e132fd8274fb388d7c72c621

SHA512
f857783cffd2796b4a84971871824272f54ef03ad5cf41111dc86efcfeeb4d0b32951c1fd8a1244786de77986d8d251f49e57e535d4ed955f2c64108ab5b8911

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\c.wry

Filesize
628B

MD5
34b222cad93a01cc9d4b72b79c27f604

SHA1
f016df3406c25f3cdb7d47f02bb802d732bcb3dd

SHA256
f998ec44bd316ff4505e7c6cf7d8471d26107f41f6cafb4fb0b5aafe1cc79cac

SHA512
dd82a6e74838695d925f2ab12f08eb193b77ce17be1dda8857e8f55e64c16df27c8d7875aa43c31da0e1b29b683d1a52c32be817402fab1005f0c6f6b9266b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/2076-17-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/4852-1441-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4852-1460-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4852-1462-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download