ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Sharing

Copy URL

Twitter E-mail

General

Target

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Sample

190508-5j8zdm6kzj
SHA256

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Score

N/A

Malware Config

Signatures

Sets file to hidden 1 TTPs

suspicious_WriteProcessMemory 1 TTPs 13 IoCs

Process Injection

T1055

description	pid
PID 2272 wrote to memory of 4064	4064
PID 2272 wrote to memory of 928	928
PID 2272 wrote to memory of 3288	3288
PID 2272 wrote to memory of 3444	3444
PID 2272 wrote to memory of 3120	3120
PID 2272 wrote to memory of 1872	1872
PID 2272 wrote to memory of 3296	3296
PID 2272 wrote to memory of 3976	3976
PID 2272 wrote to memory of 3116	3116
PID 2272 wrote to memory of 3968	3968
PID 2272 wrote to memory of 3972	3972
PID 2272 wrote to memory of 3672	3672
PID 2272 wrote to memory of 932	932

Modifies file permissions
suspicious_ExecutesDroppedEXE 1 TTPs

Native API
T1106

suspicious_WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid
PID 3444 wrote to memory of 3764	3764

Drops startup file 1 IoCs

description
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDED62.tmp

Modifies control panel 1 IoCs

description
\REGISTRY\USER\S-1-5-21-2258850686-2386187288-1281961708-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"

suspicious_ExecutesDroppedEXE 1 TTPs

Native API
T1106

suspicious_WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid
PID 1872 wrote to memory of 3952	3952

suspicious_ExecutesDroppedEXE 1 TTPs

Native API
T1106
suspicious_SetWindowsHookEx 1 TTPs
suspicious_SetWindowsHookEx 1 TTPs

suspicious_WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid
PID 3120 wrote to memory of 592	592

suspicious_ExecutesDroppedEXE 1 TTPs

Native API
T1106
suspicious_LoadsDroppedDLL 1 TTPs

Shared Modules
T1129
suspicious_EnumeratesProcesses

suspicious_WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid
PID 3952 wrote to memory of 3204	3204

Interacts with shadow copies 1 TTPs

suspicious_WriteProcessMemory 1 TTPs 2 IoCs

Process Injection

T1055

description	pid
PID 3204 wrote to memory of 3176	3176
PID 3204 wrote to memory of 3784	3784

suspicious_AdjustPrivilegeToken 1 TTPs 3 IoCs

Access Token Manipulation

T1134

description
Token: SeBackupPrivilege
Token: SeRestorePrivilege
Token: SeAuditPrivilege

Modifies service 1 TTPs 4 IoCs

Modify Registry

T1112

description
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer

Deletes shadow copies 1 TTPs

suspicious_AdjustPrivilegeToken 1 TTPs 21 IoCs

Access Token Manipulation

T1134

description
Token: SeIncreaseQuotaPrivilege
Token: SeSecurityPrivilege
Token: SeTakeOwnershipPrivilege
Token: SeLoadDriverPrivilege
Token: SeSystemProfilePrivilege
Token: SeSystemtimePrivilege
Token: SeProfSingleProcessPrivilege
Token: SeIncBasePriorityPrivilege
Token: SeCreatePagefilePrivilege
Token: SeBackupPrivilege
Token: SeRestorePrivilege
Token: SeShutdownPrivilege
Token: SeDebugPrivilege
Token: SeSystemEnvironmentPrivilege
Token: SeRemoteShutdownPrivilege
Token: SeUndockPrivilege
Token: SeManageVolumePrivilege
Token: 33
Token: 34
Token: 35
Token: 36

suspicious_ExecutesDroppedEXE 1 TTPs

Native API
T1106
suspicious_ExecutesDroppedEXE 1 TTPs

Native API
T1106
suspicious_ExecutesDroppedEXE 1 TTPs

Native API
T1106

suspicious_AdjustPrivilegeToken 1 TTPs 1 IoCs

Access Token Manipulation

T1134

description
Token: SeTcbPrivilege

suspicious_SetWindowsHookEx 1 TTPs

Modifies control panel 1 IoCs

description
\REGISTRY\USER\S-1-5-21-2258850686-2386187288-1281961708-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"

suspicious_WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid
PID 3968 wrote to memory of 2896	2896

Adds Run entry to start application 2 IoCs

description
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wxsrckoarcbwb464 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""

suspicious_ExecutesDroppedEXE 1 TTPs

Native API
T1106
suspicious_ExecutesDroppedEXE 1 TTPs

Native API
T1106
suspicious_ExecutesDroppedEXE 1 TTPs

Native API
T1106

suspicious_AdjustPrivilegeToken 1 TTPs 1 IoCs

Access Token Manipulation

T1134

description
Token: SeTcbPrivilege

suspicious_SetWindowsHookEx 1 TTPs

suspicious_WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid
PID 1232 wrote to memory of 1244	1244

Drops file in system dir 1 IoCs

description
C:\Windows\TEMP\Switches.xml

suspicious_WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid
PID 1244 wrote to memory of 4108	4108

wannacry family
family

Sharing

General

Malware Config

Signatures

Processes