Status: DORMANT
Malware family: Wannacry
Severity: CRITICAL
Triggered by: Endpoint Behavioral Guard
Trigger: c:\users\dave\downloads\wcry.exe
Protection name: ransomware.win.honey
User: dave
ATTACK STATS
What sort of connections and processes were involved?
Remote Logon: Internal
Malicious Connections
Suspicious Connections
Unclassified Connections
Malicious Processes: 3
Suspicious Processes
Unclassified Processes
Malicious Files
Suspicious Files
Unsigned Processes
Script Processes: 1
ATTACK TYPES
What were the attack types seen or prevented?
bot
infostealer
ransomware
trojan
ENTRY POINT
How did it enter the system?
dave was logged in. Incident started with network access in chrome.exe
BUSINESS IMPACT
What was the potential damage done?
Data Changes: 241
Data Loss: 1
Privacy Violation: 1
REMEDIATION
Were all incident-created elements removed?
No remediation needed
Terminated processes: 26/26 (100%)
Quarantined/deleted files: 0/15 (0%)
Restored files
INCIDENT DETAILS (26 processes)
How do I analyze further?
wcry.exe
attrib.exe
icacls.exe
taskdl.exe
cmd.exe
cscript.exe
attrib.exe
@wanadecryptor@.exe
taskhsvc.exe
cmd.exe
@wanadecryptor@.exe
cmd.exe
vssadmin.exe
wmic.exe
taskdl.exe
@wanadecryptor@.exe
cmd.exe
reg.exe
taskdl.exe
@wanadecryptor@.exe
taskdl.exe
@wanadecryptor@.exe
@wanadecryptor@.exe
taskdl.exe
@wanadecryptor@.exe
taskdl.exe
MITRE ATT&CK™
Tactics and techniques seen as defined by the MITRE ATT&CK™ framework
Initial Access
Execution
  Command-Line Interface
  Execution through API
  Execution through Module Load
  Scripting
  Third-party Software
  Unsigned Process
  User Execution
  Windows Management Instrumentation
Persistence
  Hidden Files and Directories
  Registry Run Keys / Startup Folder
  Shortcut Modification
Privilege Escalation
Defense Evasion
  File Deletion
  File Permissions Modification
  Hidden Files and Directories
  Modify Registry
  Scripting
Credential Access
Discovery
  Browser Bookmark Discovery
Lateral Movement
  Third-party Software
Collection
  Data from Local System
  Email Collection
Command and Control
  Commonly Used Port
  Multi-hop Proxy
  Multilayer Encryption
  Uncommonly Used Port
Exfiltration
Impact
  Data Encrypted for Impact
  Defacement
  Inhibit System Recovery
NETWORK MAP
Where were the untrusted connections being made?
Country
Netherlands (1 malicious)
Germany (4 unknown)