wannacry | 43fafc6b49e4c26e512c2c268108cbed57360337c76711781083d81cc66e7d0e

Analysis

max time kernel
148s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18aebed1b042a614a191f67c82847dc3_JaffaCakes118.exe
Size

3.7MB
MD5

18aebed1b042a614a191f67c82847dc3
SHA1

4c547aff8c924460349359e28f5a55d8e4c64fe0
SHA256

43fafc6b49e4c26e512c2c268108cbed57360337c76711781083d81cc66e7d0e
SHA512

6667d0b47c261dd0bf8432c7bffc1c6420b1601170ba095eb40eebdd3ab5d552c26c0dfe6841ac40fcad59af56fada034dbf7a65d3dc89e56b6cb786baeffe9d
SSDEEP

98304:qevW/gJu8PlXLRQ51wSDqUK8ASwJTUcIZ+P48bekAjRr3L3YR9iCHGH:5O6pUKT8oPbbekA9U9iIGH

Score

10^/10

wannacry defense_evasion discovery persistence ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry

Drops startup file 6 IoCs

Processes:

cmd.exeK.abc

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD7A21.tmp	K.abc
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD7A38.tmp	K.abc
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs.WNCRYT	K.abc
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs.WNCRY	K.abc
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	K.abc

Executes dropped EXE 64 IoCs

Processes:

K.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abcK.abc

pid	process
3320	K.abc
2748	K.abc
5112	K.abc
4884	K.abc
1256	K.abc
4432	K.abc
2128	K.abc
2824	K.abc
2108	K.abc
400	K.abc
900	K.abc
5008	K.abc
4048	K.abc
3420	K.abc
1608	K.abc
3800	K.abc
640	K.abc
1808	K.abc
3164	K.abc
1596	K.abc
4468	K.abc
4196	K.abc
4564	K.abc
3324	K.abc
1444	K.abc
4896	K.abc
3952	K.abc
2616	K.abc
5092	K.abc
4988	K.abc
3760	K.abc
1524	K.abc
3780	K.abc
5028	K.abc
3972	K.abc
624	K.abc
2364	K.abc
3576	K.abc
3980	K.abc
1660	K.abc
4280	K.abc
2984	K.abc
2348	K.abc
1240	K.abc
4016	K.abc
736	K.abc
3568	K.abc
5096	K.abc
1936	K.abc
1720	K.abc
852	K.abc
756	K.abc
4304	K.abc
4248	K.abc
1248	K.abc
4324	K.abc
1952	K.abc
1840	K.abc
1676	K.abc
2384	K.abc
2320	K.abc
684	K.abc
3928	K.abc
4836	K.abc

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4932 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4932	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

18aebed1b042a614a191f67c82847dc3_JaffaCakes118.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	18aebed1b042a614a191f67c82847dc3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bbnbuexzwbcz676 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Suspicious use of SetThreadContext 1 IoCs

Processes:

K.abc

description pid process target process

PID 3320 set thread context of 2852 3320 K.abc K.abc
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2708 reg.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

K.abc

pid process

3320 K.abc
3320 K.abc
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

K.abc

pid process

3320 K.abc
3320 K.abc

description	pid	process	target process
PID 3320 set thread context of 2852	3320	K.abc	K.abc

pid	process
2708	reg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

18aebed1b042a614a191f67c82847dc3_JaffaCakes118.exeK.abc

description	pid	process	target process
PID 1400 wrote to memory of 3320	1400	18aebed1b042a614a191f67c82847dc3_JaffaCakes118.exe	K.abc
PID 1400 wrote to memory of 3320	1400	18aebed1b042a614a191f67c82847dc3_JaffaCakes118.exe	K.abc
PID 1400 wrote to memory of 3320	1400	18aebed1b042a614a191f67c82847dc3_JaffaCakes118.exe	K.abc
PID 3320 wrote to memory of 2008	3320	K.abc	cmd.exe
PID 3320 wrote to memory of 2008	3320	K.abc	cmd.exe
PID 3320 wrote to memory of 2008	3320	K.abc	cmd.exe
PID 3320 wrote to memory of 2748	3320	K.abc	K.abc
PID 3320 wrote to memory of 2748	3320	K.abc	K.abc
PID 3320 wrote to memory of 2748	3320	K.abc	K.abc
PID 3320 wrote to memory of 5112	3320	K.abc	K.abc
PID 3320 wrote to memory of 5112	3320	K.abc	K.abc
PID 3320 wrote to memory of 5112	3320	K.abc	K.abc
PID 3320 wrote to memory of 4884	3320	K.abc	K.abc
PID 3320 wrote to memory of 4884	3320	K.abc	K.abc
PID 3320 wrote to memory of 4884	3320	K.abc	K.abc
PID 3320 wrote to memory of 1256	3320	K.abc	K.abc
PID 3320 wrote to memory of 1256	3320	K.abc	K.abc
PID 3320 wrote to memory of 1256	3320	K.abc	K.abc
PID 3320 wrote to memory of 4432	3320	K.abc	K.abc
PID 3320 wrote to memory of 4432	3320	K.abc	K.abc
PID 3320 wrote to memory of 4432	3320	K.abc	K.abc
PID 3320 wrote to memory of 2128	3320	K.abc	K.abc
PID 3320 wrote to memory of 2128	3320	K.abc	K.abc
PID 3320 wrote to memory of 2128	3320	K.abc	K.abc
PID 3320 wrote to memory of 400	3320	K.abc	K.abc
PID 3320 wrote to memory of 400	3320	K.abc	K.abc
PID 3320 wrote to memory of 400	3320	K.abc	K.abc
PID 3320 wrote to memory of 2824	3320	K.abc	K.abc
PID 3320 wrote to memory of 2824	3320	K.abc	K.abc
PID 3320 wrote to memory of 2824	3320	K.abc	K.abc
PID 3320 wrote to memory of 2108	3320	K.abc	K.abc
PID 3320 wrote to memory of 2108	3320	K.abc	K.abc
PID 3320 wrote to memory of 2108	3320	K.abc	K.abc
PID 3320 wrote to memory of 900	3320	K.abc	K.abc
PID 3320 wrote to memory of 900	3320	K.abc	K.abc
PID 3320 wrote to memory of 900	3320	K.abc	K.abc
PID 3320 wrote to memory of 5008	3320	K.abc	K.abc
PID 3320 wrote to memory of 5008	3320	K.abc	K.abc
PID 3320 wrote to memory of 5008	3320	K.abc	K.abc
PID 3320 wrote to memory of 4048	3320	K.abc	K.abc
PID 3320 wrote to memory of 4048	3320	K.abc	K.abc
PID 3320 wrote to memory of 4048	3320	K.abc	K.abc
PID 3320 wrote to memory of 3420	3320	K.abc	K.abc
PID 3320 wrote to memory of 3420	3320	K.abc	K.abc
PID 3320 wrote to memory of 3420	3320	K.abc	K.abc
PID 3320 wrote to memory of 1608	3320	K.abc	K.abc
PID 3320 wrote to memory of 1608	3320	K.abc	K.abc
PID 3320 wrote to memory of 1608	3320	K.abc	K.abc
PID 3320 wrote to memory of 3800	3320	K.abc	K.abc
PID 3320 wrote to memory of 3800	3320	K.abc	K.abc
PID 3320 wrote to memory of 3800	3320	K.abc	K.abc
PID 3320 wrote to memory of 640	3320	K.abc	K.abc
PID 3320 wrote to memory of 640	3320	K.abc	K.abc
PID 3320 wrote to memory of 640	3320	K.abc	K.abc
PID 3320 wrote to memory of 1808	3320	K.abc	K.abc
PID 3320 wrote to memory of 1808	3320	K.abc	K.abc
PID 3320 wrote to memory of 1808	3320	K.abc	K.abc
PID 3320 wrote to memory of 3164	3320	K.abc	K.abc
PID 3320 wrote to memory of 3164	3320	K.abc	K.abc
PID 3320 wrote to memory of 3164	3320	K.abc	K.abc
PID 3320 wrote to memory of 1596	3320	K.abc	K.abc
PID 3320 wrote to memory of 1596	3320	K.abc	K.abc
PID 3320 wrote to memory of 1596	3320	K.abc	K.abc
PID 3320 wrote to memory of 4468	3320	K.abc	K.abc

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

4636 attrib.exe
4856 attrib.exe

pid	process
4636	attrib.exe
4856	attrib.exe

C:\Users\Admin\AppData\Local\Temp\18aebed1b042a614a191f67c82847dc3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18aebed1b042a614a191f67c82847dc3_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1400

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
3⤵
- Drops startup file
PID:2008

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2748

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:5112

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:4884

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:1256

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:4432

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2128

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:400

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2824

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2108

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:900

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:5008

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:4048

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:3420

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:1608

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:3800

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:640

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:1808

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:3164

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:1596

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:4468

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:4196

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:4564

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:3324

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:1444

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:4896

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:3952

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2616

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:5092

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:4988

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:3760

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:1524

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:3780

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:5028

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:3972

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:624

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2364

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:3576

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:3980

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:1660

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:4280

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2984

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2348

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:1240

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:4016

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:736

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:3568

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:5096

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:1936

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:1720

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:852

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:756

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:4304

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:4248

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:1248

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:4324

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:1952

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:1840

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:1676

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2384

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:2320

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:684

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:3928

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Executes dropped EXE
PID:4836

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
PID:3408

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
PID:3992

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
PID:436

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
PID:324

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
PID:880

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
PID:2140

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
PID:4588

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
PID:3404

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
PID:4940

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
PID:3648

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
PID:4808

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
PID:1408

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
3⤵
- Drops startup file
PID:2852

C:\Windows\SysWOW64\attrib.exe
attrib +h .
4⤵
- Views/modifies file attributes
PID:4636

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
4⤵
- Modifies file permissions
PID:4932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 210711719546751.bat
4⤵
PID:1900

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
5⤵
PID:404

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
4⤵
- Views/modifies file attributes
PID:4856

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
4⤵
PID:3892

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "bbnbuexzwbcz676" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tasksche.exe\"" /f
4⤵
PID:2152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "bbnbuexzwbcz676" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tasksche.exe\"" /f
5⤵
- Adds Run key to start application
- Modifies registry key
PID:2708

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]
Filesize
992B

MD5
3b071de6a93a8199a8d0fc94b8fd1023

SHA1
87117a94d3f354614f7c3851a9004dd5ddfad7a4

SHA256
d389914d85eea587635d40a61bfe0e6906502afcfbed8e61b877e8ebcf9277e5

SHA512
07e2f7a20fcb98aaa1ae1a404e5c45d42a72633a2bd0d5ab42aa2f052b0548cc6425449a242e206bc84432bd3abeb09672dbe73948b93110f7d4237a29dcf963

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.ab_
Filesize
3.4MB

MD5
036d27847b6f3d4945fff8807681d2dc

SHA1
16f93070455c9f41114c8c55468c5e5fc93bc52f

SHA256
7a5ab94042610429b0e50bca61ac79fe7c8642f1581302e17939d46b45c88485

SHA512
acb4e0855675001096c9399879b02db3a87bacb4ec6c373ce32b43e9dab1e41765dfa73cd9f0724790cc6e9b6b22a94ee73efa2c52fe109b58637c75155ef67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.abc
Filesize
408KB

MD5
e8701e7b0547b2cbd818e3323636deb0

SHA1
a61eaddb6b6131e4eda1c2a04994501b1e2b2109

SHA256
313cb04166d84b21ef581dd6e3969629842b86a1e548a0125c03b218f387d820

SHA512
53d6e40fa9b5ad63573fb0d2d033f525d06a29ec712c2d7829c7da586a9792d66ccf72a8a05816131ef3a2d0b8352be4f128445e285ead13b3a73a473fcba80b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msg\m_finnish.wnry
Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
memory/2852-78-0x0000000000400000-0x0000000001168000-memory.dmp

Filesize
13.4MB

Download
memory/2852-120-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2852-81-0x0000000000400000-0x0000000001168000-memory.dmp

Filesize
13.4MB

Download
memory/2852-79-0x0000000000400000-0x0000000001168000-memory.dmp

Filesize
13.4MB

Download
memory/3320-14-0x0000000001FE0000-0x0000000001FE5000-memory.dmp

Filesize
20KB

Download
memory/3320-13-0x0000000001FC0000-0x0000000001FC2000-memory.dmp

Filesize
8KB

Download