ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Sharing

Copy URL

Twitter E-mail

General

Target

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Sample

190504-xhzs5mxjbx
SHA256

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Score

N/A

Malware Config

Signatures

Sets file to hidden 1 TTPs

suspicious_WriteProcessMemory 1 TTPs 11 IoCs

Process Injection

T1055

description	pid
PID 1984 wrote to memory of 1052	1052
PID 1984 wrote to memory of 1064	1064
PID 1984 wrote to memory of 1924	1924
PID 1984 wrote to memory of 1524	1524
PID 1984 wrote to memory of 828	828
PID 1984 wrote to memory of 808	808
PID 1984 wrote to memory of 1056	1056
PID 1984 wrote to memory of 1172	1172
PID 1984 wrote to memory of 1240	1240
PID 1984 wrote to memory of 1384	1384
PID 1984 wrote to memory of 1380	1380

Modifies file permissions
suspicious_LoadsDroppedDLL 1 TTPs

Shared Modules
T1129
suspicious_ExecutesDroppedEXE 1 TTPs

Native API
T1106

suspicious_WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid
PID 1524 wrote to memory of 1460	1460

Drops startup file 1 IoCs

description
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDC69E.tmp

suspicious_LoadsDroppedDLL 1 TTPs

Shared Modules
T1129

Modifies control panel 1 IoCs

description
\REGISTRY\USER\S-1-5-21-1721753822-2229440230-385166935-500\Control Panel\Desktop\Wallpaper = "C:\\Users\\Administrator\\Desktop\\@[email protected]"

suspicious_ExecutesDroppedEXE 1 TTPs

Native API
T1106
suspicious_SetWindowsHookEx 1 TTPs
suspicious_LoadsDroppedDLL 1 TTPs

Shared Modules
T1129

suspicious_WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid
PID 808 wrote to memory of 816	816

suspicious_ExecutesDroppedEXE 1 TTPs

Native API
T1106
suspicious_SetWindowsHookEx 1 TTPs
suspicious_LoadsDroppedDLL 1 TTPs

Shared Modules
T1129

suspicious_WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid
PID 828 wrote to memory of 1064	1064

suspicious_ExecutesDroppedEXE 1 TTPs

Native API
T1106
suspicious_LoadsDroppedDLL 1 TTPs

Shared Modules
T1129
suspicious_EnumeratesProcesses

suspicious_WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid
PID 816 wrote to memory of 1548	1548

Interacts with shadow copies 1 TTPs

suspicious_WriteProcessMemory 1 TTPs 2 IoCs

Process Injection

T1055

description	pid
PID 1548 wrote to memory of 1356	1356
PID 1548 wrote to memory of 1928	1928

suspicious_AdjustPrivilegeToken 1 TTPs 3 IoCs

Access Token Manipulation

T1134

description
Token: SeBackupPrivilege
Token: SeRestorePrivilege
Token: SeAuditPrivilege

Modifies service 1 TTPs 4 IoCs

Modify Registry

T1112

description
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer

Deletes shadow copies 1 TTPs

suspicious_AdjustPrivilegeToken 1 TTPs 20 IoCs

Access Token Manipulation

T1134

description
Token: SeIncreaseQuotaPrivilege
Token: SeSecurityPrivilege
Token: SeTakeOwnershipPrivilege
Token: SeLoadDriverPrivilege
Token: SeSystemProfilePrivilege
Token: SeSystemtimePrivilege
Token: SeProfSingleProcessPrivilege
Token: SeIncBasePriorityPrivilege
Token: SeCreatePagefilePrivilege
Token: SeBackupPrivilege
Token: SeRestorePrivilege
Token: SeShutdownPrivilege
Token: SeDebugPrivilege
Token: SeSystemEnvironmentPrivilege
Token: SeRemoteShutdownPrivilege
Token: SeUndockPrivilege
Token: SeManageVolumePrivilege
Token: 33
Token: 34
Token: 35

suspicious_ExecutesDroppedEXE 1 TTPs

Native API
T1106
suspicious_ExecutesDroppedEXE 1 TTPs

Native API
T1106

suspicious_AdjustPrivilegeToken 1 TTPs 1 IoCs

Access Token Manipulation

T1134

description
Token: SeTcbPrivilege

suspicious_WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid
PID 1240 wrote to memory of 1228	1228

suspicious_SetWindowsHookEx 1 TTPs

Adds Run entry to start application 2 IoCs

description
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gdamzagah543 = "\"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\tasksche.exe\""

Modifies control panel 1 IoCs

description
\REGISTRY\USER\S-1-5-21-1721753822-2229440230-385166935-500\Control Panel\Desktop\Wallpaper = "C:\\Users\\Administrator\\Desktop\\@[email protected]"

suspicious_ExecutesDroppedEXE 1 TTPs

Native API
T1106
suspicious_ExecutesDroppedEXE 1 TTPs

Native API
T1106
suspicious_ExecutesDroppedEXE 1 TTPs

Native API
T1106
suspicious_SetWindowsHookEx 1 TTPs

suspicious_AdjustPrivilegeToken 1 TTPs 1 IoCs

Access Token Manipulation

T1134

description
Token: SeTcbPrivilege

suspicious_ExecutesDroppedEXE 1 TTPs

Native API
T1106
suspicious_FindShellTrayWindow 1 TTPs

Process Injection
T1055
wannacry family
family

Sharing

General

Malware Config

Signatures

Processes