wannacry | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Resubmissions

25/02/2025, 00:10

250225-agcnzswq19 10

24/02/2025, 22:06

24/02/2025, 21:59

24/02/2025, 21:19

24/02/2025, 21:13

24/02/2025, 16:47

Analysis

max time kernel
66s
max time network
67s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
25/02/2025, 00:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Downloads MZ/PE file 1 IoCs

flow	pid	Process
127	3632	firefox.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD889D.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD88A4.tmp	WannaCry.exe

Executes dropped EXE 5 IoCs

pid	Process
1980	WannaCry.exe
3748	!WannaDecryptor!.exe
5048	!WannaDecryptor!.exe
740	!WannaDecryptor!.exe
5008	!WannaDecryptor!.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
128	raw.githubusercontent.com
129	raw.githubusercontent.com
126	raw.githubusercontent.com
127	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Kills process with taskkill 4 IoCs

defense_evasion

pid	Process
4996	taskkill.exe
3336	taskkill.exe
4616	taskkill.exe
4020	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	firefox.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	3632	firefox.exe
Token: SeDebugPrivilege	3632	firefox.exe
Token: SeDebugPrivilege	3336	taskkill.exe
Token: SeDebugPrivilege	4996	taskkill.exe
Token: SeDebugPrivilege	4020	taskkill.exe
Token: SeDebugPrivilege	4616	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3636	WMIC.exe
Token: SeSecurityPrivilege	3636	WMIC.exe
Token: SeTakeOwnershipPrivilege	3636	WMIC.exe
Token: SeLoadDriverPrivilege	3636	WMIC.exe
Token: SeSystemProfilePrivilege	3636	WMIC.exe
Token: SeSystemtimePrivilege	3636	WMIC.exe
Token: SeProfSingleProcessPrivilege	3636	WMIC.exe
Token: SeIncBasePriorityPrivilege	3636	WMIC.exe
Token: SeCreatePagefilePrivilege	3636	WMIC.exe
Token: SeBackupPrivilege	3636	WMIC.exe
Token: SeRestorePrivilege	3636	WMIC.exe
Token: SeShutdownPrivilege	3636	WMIC.exe
Token: SeDebugPrivilege	3636	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3636	WMIC.exe
Token: SeRemoteShutdownPrivilege	3636	WMIC.exe
Token: SeUndockPrivilege	3636	WMIC.exe
Token: SeManageVolumePrivilege	3636	WMIC.exe
Token: 33	3636	WMIC.exe
Token: 34	3636	WMIC.exe
Token: 35	3636	WMIC.exe
Token: 36	3636	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3636	WMIC.exe
Token: SeSecurityPrivilege	3636	WMIC.exe
Token: SeTakeOwnershipPrivilege	3636	WMIC.exe
Token: SeLoadDriverPrivilege	3636	WMIC.exe
Token: SeSystemProfilePrivilege	3636	WMIC.exe
Token: SeSystemtimePrivilege	3636	WMIC.exe
Token: SeProfSingleProcessPrivilege	3636	WMIC.exe
Token: SeIncBasePriorityPrivilege	3636	WMIC.exe
Token: SeCreatePagefilePrivilege	3636	WMIC.exe
Token: SeBackupPrivilege	3636	WMIC.exe
Token: SeRestorePrivilege	3636	WMIC.exe
Token: SeShutdownPrivilege	3636	WMIC.exe
Token: SeDebugPrivilege	3636	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3636	WMIC.exe
Token: SeRemoteShutdownPrivilege	3636	WMIC.exe
Token: SeUndockPrivilege	3636	WMIC.exe
Token: SeManageVolumePrivilege	3636	WMIC.exe
Token: 33	3636	WMIC.exe
Token: 34	3636	WMIC.exe
Token: 35	3636	WMIC.exe
Token: 36	3636	WMIC.exe
Token: SeBackupPrivilege	1048	vssvc.exe
Token: SeRestorePrivilege	1048	vssvc.exe
Token: SeAuditPrivilege	1048	vssvc.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3632	firefox.exe
3748	!WannaDecryptor!.exe
3748	!WannaDecryptor!.exe
5048	!WannaDecryptor!.exe
5048	!WannaDecryptor!.exe
740	!WannaDecryptor!.exe
740	!WannaDecryptor!.exe
5008	!WannaDecryptor!.exe
5008	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 3632	1684	firefox.exe	84
PID 1684 wrote to memory of 3632	1684	firefox.exe	84
PID 1684 wrote to memory of 3632	1684	firefox.exe	84
PID 1684 wrote to memory of 3632	1684	firefox.exe	84
PID 1684 wrote to memory of 3632	1684	firefox.exe	84
PID 1684 wrote to memory of 3632	1684	firefox.exe	84
PID 1684 wrote to memory of 3632	1684	firefox.exe	84
PID 1684 wrote to memory of 3632	1684	firefox.exe	84
PID 1684 wrote to memory of 3632	1684	firefox.exe	84
PID 1684 wrote to memory of 3632	1684	firefox.exe	84
PID 1684 wrote to memory of 3632	1684	firefox.exe	84
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4112	3632	firefox.exe	85
PID 3632 wrote to memory of 4256	3632	firefox.exe	86
PID 3632 wrote to memory of 4256	3632	firefox.exe	86
PID 3632 wrote to memory of 4256	3632	firefox.exe	86
PID 3632 wrote to memory of 4256	3632	firefox.exe	86
PID 3632 wrote to memory of 4256	3632	firefox.exe	86
PID 3632 wrote to memory of 4256	3632	firefox.exe	86
PID 3632 wrote to memory of 4256	3632	firefox.exe	86
PID 3632 wrote to memory of 4256	3632	firefox.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/Da2dalus/The-MALWARE-Repo"
1⤵
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/Da2dalus/The-MALWARE-Repo
  2⤵
  - Downloads MZ/PE file
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1956 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1648 -prefsLen 27430 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3508b914-3267-4620-afbb-04020156db03} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" gpu
    3⤵
    PID:4112
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2404 -parentBuildID 20240401114208 -prefsHandle 2380 -prefMapHandle 2376 -prefsLen 28350 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1b30c25-ba69-4084-ab76-8d4d692ed880} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" socket
    3⤵
    - Checks processor information in registry
    PID:4256
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2964 -childID 1 -isForBrowser -prefsHandle 3384 -prefMapHandle 3380 -prefsLen 22746 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f3305ab-e774-4a63-81bb-c9417a52e3df} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" tab
    3⤵
    PID:4868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3672 -childID 2 -isForBrowser -prefsHandle 3664 -prefMapHandle 2784 -prefsLen 32840 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc045a2e-2c51-4f4f-859a-83bb4c18147c} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" tab
    3⤵
    PID:756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4812 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4796 -prefMapHandle 4792 -prefsLen 32840 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {871918d0-137c-45f1-bf51-a5075d4d06d3} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" utility
    3⤵
    - Checks processor information in registry
    PID:3600
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5408 -childID 3 -isForBrowser -prefsHandle 5444 -prefMapHandle 5376 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b86234c1-7e08-4c7e-8983-ebf0ca714c09} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" tab
    3⤵
    PID:3040
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5460 -childID 4 -isForBrowser -prefsHandle 5592 -prefMapHandle 5596 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f66d6dd-bbe0-44ce-bd54-26a010bb1b4a} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" tab
    3⤵
    PID:2816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5584 -childID 5 -isForBrowser -prefsHandle 5776 -prefMapHandle 5780 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3954b318-8e1c-4ac2-9115-fe716a918197} 3632 "\\.\pipe\gecko-crash-server-pipe.3632" tab
    3⤵
    PID:1804

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1488

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 113051740442333.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5056
- - C:\Windows\SysWOW64\cscript.exe
    cscript //nologo c.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1396
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe f
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3748
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSExchange*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3336
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Microsoft.Exchange.*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4996
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlserver.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4020
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlwriter.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4616
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe c
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5048
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b !WannaDecryptor!.exe v
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3872
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe v
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:740
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:2396
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3636
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5008

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\58tontji.default-release\activity-stream.discovery_stream.json

Filesize
24KB

MD5
a1d088afa3e7023a553536836d85466e

SHA1
9e8406e128a3fb9a1d1aafb63269197d42c389b4

SHA256
92f7accf022918a089422550c2b82127006071b176bc18a8cc7575dd3222529c

SHA512
00f62aae15cfb6201f843c4750c98848cf0ea447d17e4bdae6f86aa640f3f5def91378f844157e0931202068f68c8af637ec7da5f2d1131f7c730a9e3cfda27b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\AlternateServices.bin

Filesize
8KB

MD5
97c3523461c81f1ac42f59718ce25bf2

SHA1
e34da14d7ed71dc4e1912cd24a13ecb0c438eaf1

SHA256
5bdf010e2ca93a799917bb7aacd53e5d40c243da000f261dcc082aea3a0b6b15

SHA512
7f75846775f104afda836a67c347eb0512af14efad1c58177dd0a22dbad6c80bf7415f1c95a70e658e43e8ba205d5892abf603456d50ac2f823c974c021a8108

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\cert9.db

Filesize
224KB

MD5
3b75bddbeb4f7c712afad4814fe2af0b

SHA1
85568683ae348435d253d1e41a1deb0233885546

SHA256
767032a73570434a7cfb45faeb00fceffb302bdd022a2627e7e1bb0a6d667e46

SHA512
c86897de18a9bb5e439617bf17fd3a1082e2a6f94518e9ba29cecde9f0660d129ea8e3bc6b0f4690ac431566658a55a4207f11ecd14d43fca080383f39f8bcf1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
66acf6874c745d4ef5dc9154f92f8e45

SHA1
ecdbdb75587b1deb03af1978d6574b79a5f469b2

SHA256
c8cf0bd6699abe4bc0af6aaf87ffa14a73e03f305d61575a5606ed548f25c80f

SHA512
c9964794877bc5656bba6e9b77f6f70924392d88dc30a2d05ceaab3bede38835ab8e212987c17951f80bb491cbb0fe506d52a524187e7f416ac026a64f54b4c3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
eedd2408530096735be973ec6a71bf4f

SHA1
975ae067fc090e7ac125863363b6944a84822539

SHA256
46184a25329f47464cba359f743bea4145427b547c980c6f8e58369f128cab4a

SHA512
2722ec41dc1c9cf3e7dc833efc0005b8797e51698ee478a87d1c614aae8a7ee166daaf4a1832f5fc254cb7a7a0395adafec773a8a778f5d59e7e6d0babc6b04e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
472827b52c5c674c852f3961e10cd734

SHA1
61dc1dea72c22267ee256cbe83093b42ada50bf8

SHA256
d8c9c18152ac075c2d237618703e796eb5764def8a56fc4bb9ab9337d0cba75d

SHA512
0eb16fff206b3236075e4be6355a1849587e89532b1f114b6f27fa0f4a2b6c3be98e4ca63119e34c5514e7f7b14c9d98a54ead2ed5c04862dd174dd31d59f802

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\datareporting\glean\db\data.safe.tmp

Filesize
25KB

MD5
e0f3ea3e1963f3982ca8c2c553712889

SHA1
6abedd51cc9dc8e3210c295ace58cd531eb58e8b

SHA256
933e4657908381c3f86755e1760f7f787b1054ba9260c12abb17c29b18b1e257

SHA512
e98a476c6cf3d42b5ebdc5134547fbfade717f5d2fc5bb5bbfdc431989c23f9ede88785ffdb25d0f98b06f7ed1722a9ca4029c8b05780d168c5aa83bb6d6c6d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\datareporting\glean\db\data.safe.tmp

Filesize
25KB

MD5
b44e4ad46f8908ab564c917f9ee89b1a

SHA1
8a692419c28a12dc72886159fa70fe47123a5ca3

SHA256
8fabc3a6f12a401deb8ee368725519a116df91b50b2cfc21030c2c037e4fe7a7

SHA512
f747088483d6179310baca2aae636445d7adea9597bcc650d1fc524d0090ee03630c766f4acf4615f2ff4a772debd19999d6acc747547b73d16faed8303228f6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\datareporting\glean\pending_pings\b94e58aa-ae79-4e24-96c2-18ecb6952964

Filesize
659B

MD5
9f5af75b1f1d55daa2873a466ba2ad85

SHA1
28a2a9594621ab67404ac54dc0cee95f34e920a0

SHA256
782fbec5bc1c037792a776372d70eabed8a7d79d3f0921d554f0ff24a5f74262

SHA512
f9df51131daeb228b705749087362309eb3f56f123c8cf4bbe59758d18b3a9006a3dc451e53cba8cdb4aff782b576833c0ad6a729fafcf4ce063a0dcb48bc31e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\datareporting\glean\pending_pings\dea30a25-6b58-48ea-b174-51fa473c4cc2

Filesize
982B

MD5
485686eca24dd162126df2638d984bbd

SHA1
170649b74693f2d219f83a4107c629e10f9abaf9

SHA256
947f7499baf4a475bcd30021aaea9e432217a46743da46788938d8860f2b0b69

SHA512
7bc528b2e277126bc6fc63987aec912f209f7687edf02853d2899801b3da7c25e7cecbaaa58ca807dd89f2991f6b2b05e0f25703fe3817221521eef4a9e41566

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\prefs-1.js

Filesize
11KB

MD5
8ef79f4bf910ac5419c1a3e3daae6059

SHA1
cdee5d17b2c55d56b8a9082bde26e7dbd332e912

SHA256
50ef4ec29991a77ef0d3a9a913f08f7afb5da5a0f5485f9167c821dbd6588ebe

SHA512
222dcc597bb6bfbcab7e2078219c918eec7f6dbb41d60dc3ff730d2c5cdb2f41d9fe52a8a540e40e5a1fbcad2cf77bde0c3a5982ce9e436b361aab17b8e88234

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\prefs.js

Filesize
11KB

MD5
8c22b29a15b8e07334867e8fccb813f2

SHA1
12660461d4f5b39615bb94f94edd63f67b4db79e

SHA256
25ae08b10b923680e3cb03a8359c1e1c95ec88d6ccb8c7f70b61be42c9ee2d33

SHA512
b433234f2ac0981fca6c0f6041e999782d580b61985f196e9671d8001ecb56377bf6111e782643689bee160a9461394cee8cd44769e2e2c05fe24f6e66394b90

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
9448b978568c9c9e41c3732761332ab6

SHA1
bc2866100500b5b1a8e022f5602ce64f50137fbe

SHA256
d6101fb1aa888d8dff3d769faeaa70990a597cbbffeb950cb478e9249fe81c86

SHA512
b97abffeb3bfc1ac99282b8f585d1df35306cec9e6f19facd6b23b388b64b6dc1d5a463b767db81b2296d7aaa6b01db67cbe08bf22c48263ff236479d91cd6c5

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
42a0af4429b73508a25376ef1b1643e1

SHA1
6437b223dcf541b55d3d2725dca19ed87d007a57

SHA256
6caffeebe4a668a6e321d526a3941ab45398a2af4c29087d7356e900dd89349d

SHA512
b92ce5abc9f449f58897b3e852aabef33c8ecc23859222457cd76e8b5bf633bcc34023a19ff8050b66f60b5cb1e6ed5a7af0b28cc57881dc80e35196f72fd3f7

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
e1b08a92f7e3c394e64f564c63dd3891

SHA1
ad085418889ab28a721898a7d1bdbd3f58fff9d2

SHA256
6bffac3f857908bb7ba16b3565a16bee4a5b0f7fc4ecab6b594d9354a8163d33

SHA512
e3900623a3f6813eba16a739a4934763f7b8ccccaa612dd511023f59b659d52a6e2a2839db150064be6be558cb7bd68cbeb88039c18455d721edf92b27ff08b0

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
79ad1cdf2ea2d51e0a76310c1bcb3eb3

SHA1
b0e2fca810f441af7bde209b62b10362b3201137

SHA256
b0b131989533d04f6ffeee8f3a102606c45478d37374193093ccca7cd6c13994

SHA512
307b136192bbf28297463f1df492e65341d6bd0d1379cdf202ac58e837efa9bb187d8ad17a87ea1e9ede1628c6ceac80596596c45c19e16c2ce70d3ff415889f

Download Submit
C:\Users\Admin\Downloads\113051740442333.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
f60f123c7396ea493bb31afb7a871ed4

SHA1
b325bb005bd2b828e2bc0cfebd568d6446b4d00d

SHA256
7d8aa0db7227a20efc6f4ddbf4e75b7d56fb3a2939109a1adfb904be2bf210da

SHA512
72dfd04815ba3d88c2a754dc1e84cdb093d4617c30a8e555237306cff0e94e303a4212f43ade9ac34c74b2a740f660c4b0837e4e634111ca554da94254f82c41

Download Submit
C:\Users\Admin\Downloads\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/1980-651-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads