General
Target: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Sample: 190504-xhzs5mxjbx
SHA256: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
Score: N/A
Malware Config
Signatures
- Sets file to hidden (1 TTPs)
- suspicious_WriteProcessMemory (1 TTPs, 13 IoCs)
  description                         pid
  PID 5064 wrote to memory of 2576    2576
  PID 5064 wrote to memory of 1864    1864
  PID 5064 wrote to memory of 4464    4464
  PID 5064 wrote to memory of 4200    4200
  PID 5064 wrote to memory of 4768    4768
  PID 5064 wrote to memory of 4800    4800
  PID 5064 wrote to memory of 2608    2608
  PID 5064 wrote to memory of 2084    2084
  PID 5064 wrote to memory of 2400    2400
  PID 5064 wrote to memory of 4860    4860
  PID 5064 wrote to memory of 3328    3328
  PID 5064 wrote to memory of 2456    2456
  PID 5064 wrote to memory of 4272    4272
- Modifies file permissions
- suspicious_ExecutesDroppedEXE (1 TTPs)
- Drops startup file (1 IoCs)
  description
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD104A.tmp
- suspicious_WriteProcessMemory (1 TTPs, 1 IoCs)
  description                         pid
  PID 4200 wrote to memory of 3200    3200
- Modifies control panel (1 IoCs)
  description
  \REGISTRY\USER\S-1-5-21-2258850686-2386187288-1281961708-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"
- suspicious_ExecutesDroppedEXE (1 TTPs)
- suspicious_SetWindowsHookEx (1 TTPs)
- suspicious_WriteProcessMemory (1 TTPs, 1 IoCs)
  description                         pid
  PID 4800 wrote to memory of 2272    2272
- suspicious_ExecutesDroppedEXE (1 TTPs)
- suspicious_SetWindowsHookEx (1 TTPs)
- suspicious_WriteProcessMemory (1 TTPs, 1 IoCs)
  description                         pid
  PID 4768 wrote to memory of 1516    1516
- suspicious_ExecutesDroppedEXE (1 TTPs)
- suspicious_LoadsDroppedDLL (1 TTPs)
- suspicious_EnumeratesProcesses
- suspicious_WriteProcessMemory (1 TTPs, 1 IoCs)
  description                         pid
  PID 1688 wrote to memory of 2972    2972
- Uses Task Scheduler COM API
- suspicious_WriteProcessMemory (1 TTPs, 1 IoCs)
  description                         pid
  PID 2272 wrote to memory of 4472    4472
- Interacts with shadow copies (1 TTPs)
- suspicious_WriteProcessMemory (1 TTPs, 2 IoCs)
  description                         pid
  PID 4472 wrote to memory of 2020    2020
  PID 4472 wrote to memory of 4460    4460
- suspicious_AdjustPrivilegeToken (1 TTPs, 3 IoCs)
  description
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeAuditPrivilege
- Modifies service (1 TTPs, 4 IoCs)
  description
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
- Deletes shadow copies (1 TTPs)
- suspicious_AdjustPrivilegeToken (1 TTPs, 21 IoCs)
  description
  Token: SeIncreaseQuotaPrivilege
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeSystemtimePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  Token: SeSystemEnvironmentPrivilege
  Token: SeRemoteShutdownPrivilege
  Token: SeUndockPrivilege
  Token: SeManageVolumePrivilege
  Token: 33
  Token: 34
  Token: 35
  Token: 36
- suspicious_ExecutesDroppedEXE (1 TTPs)
- suspicious_ExecutesDroppedEXE (1 TTPs)
- suspicious_ExecutesDroppedEXE (1 TTPs)
- suspicious_AdjustPrivilegeToken (1 TTPs, 1 IoCs)
  description
  Token: SeTcbPrivilege
- suspicious_SetWindowsHookEx (1 TTPs)
- Modifies control panel (1 IoCs)
  description
  \REGISTRY\USER\S-1-5-21-2258850686-2386187288-1281961708-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"
- suspicious_WriteProcessMemory (1 TTPs, 1 IoCs)
  description                         pid
  PID 4860 wrote to memory of 4540    4540
- Adds Run entry to start application (2 IoCs)
  description
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wxsrckoarcbwb464 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""
- suspicious_ExecutesDroppedEXE (1 TTPs)
- suspicious_ExecutesDroppedEXE (1 TTPs)
- suspicious_ExecutesDroppedEXE (1 TTPs)
- suspicious_SetWindowsHookEx (1 TTPs)
- suspicious_AdjustPrivilegeToken (1 TTPs, 1 IoCs)
  description
  Token: SeTcbPrivilege
- suspicious_WriteProcessMemory (1 TTPs, 1 IoCs)
  description                         pid
  PID 4948 wrote to memory of 3252    3252
- Drops file in system dir (1 IoCs)
  description
  C:\Windows\TEMP\Switches.xml
- suspicious_WriteProcessMemory (1 TTPs, 1 IoCs)
  description                         pid
  PID 3252 wrote to memory of 2056    2056
- wannacry family