ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Sharing

Copy URL

Twitter E-mail

General

Target

wanacryptor‮gpj.exe
Sample

190508-czxqf7q7kx
SHA256

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Score

N/A

Malware Config

Signatures

Sets file to hidden 1 TTPs

suspicious_WriteProcessMemory 1 TTPs 13 IoCs

Process Injection

T1055

description	pid
PID 3452 wrote to memory of 2300	2300
PID 3452 wrote to memory of 3484	3484
PID 3452 wrote to memory of 3260	3260
PID 3452 wrote to memory of 2780	2780
PID 3452 wrote to memory of 4284	4284
PID 3452 wrote to memory of 4292	4292
PID 3452 wrote to memory of 4676	4676
PID 3452 wrote to memory of 4696	4696
PID 3452 wrote to memory of 4704	4704
PID 3452 wrote to memory of 4712	4712
PID 3452 wrote to memory of 5032	5032
PID 3452 wrote to memory of 5048	5048
PID 3452 wrote to memory of 5056	5056

Modifies file permissions
suspicious_ExecutesDroppedEXE 1 TTPs

Native API
T1106

suspicious_WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid
PID 2780 wrote to memory of 3244	3244

Drops startup file 1 IoCs

description
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDF8CC.tmp

Modifies control panel 1 IoCs

description
\REGISTRY\USER\S-1-5-21-2258850686-2386187288-1281961708-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"

suspicious_ExecutesDroppedEXE 1 TTPs

Native API
T1106

suspicious_WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid
PID 4292 wrote to memory of 4336	4336

suspicious_ExecutesDroppedEXE 1 TTPs

Native API
T1106
suspicious_SetWindowsHookEx 1 TTPs
suspicious_SetWindowsHookEx 1 TTPs

suspicious_WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid
PID 4284 wrote to memory of 4408	4408

suspicious_ExecutesDroppedEXE 1 TTPs

Native API
T1106
suspicious_LoadsDroppedDLL 1 TTPs

Shared Modules
T1129
suspicious_EnumeratesProcesses
suspicious_ExecutesDroppedEXE 1 TTPs

Native API
T1106
suspicious_ExecutesDroppedEXE 1 TTPs

Native API
T1106
suspicious_ExecutesDroppedEXE 1 TTPs

Native API
T1106

suspicious_AdjustPrivilegeToken 1 TTPs 1 IoCs

Access Token Manipulation

T1134

description
Token: SeTcbPrivilege

suspicious_SetWindowsHookEx 1 TTPs

Modifies control panel 1 IoCs

description
\REGISTRY\USER\S-1-5-21-2258850686-2386187288-1281961708-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"

suspicious_WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid
PID 4712 wrote to memory of 4772	4772

Adds Run entry to start application 2 IoCs

description
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wxsrckoarcbwb464 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""

suspicious_WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid
PID 4336 wrote to memory of 4824	4824

Interacts with shadow copies 1 TTPs

suspicious_WriteProcessMemory 1 TTPs 2 IoCs

Process Injection

T1055

description	pid
PID 4824 wrote to memory of 4852	4852
PID 4824 wrote to memory of 4916	4916

suspicious_AdjustPrivilegeToken 1 TTPs 3 IoCs

Access Token Manipulation

T1134

description
Token: SeBackupPrivilege
Token: SeRestorePrivilege
Token: SeAuditPrivilege

Modifies service 1 TTPs 4 IoCs

Modify Registry

T1112

description
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer

Deletes shadow copies 1 TTPs

suspicious_AdjustPrivilegeToken 1 TTPs 21 IoCs

Access Token Manipulation

T1134

description
Token: SeIncreaseQuotaPrivilege
Token: SeSecurityPrivilege
Token: SeTakeOwnershipPrivilege
Token: SeLoadDriverPrivilege
Token: SeSystemProfilePrivilege
Token: SeSystemtimePrivilege
Token: SeProfSingleProcessPrivilege
Token: SeIncBasePriorityPrivilege
Token: SeCreatePagefilePrivilege
Token: SeBackupPrivilege
Token: SeRestorePrivilege
Token: SeShutdownPrivilege
Token: SeDebugPrivilege
Token: SeSystemEnvironmentPrivilege
Token: SeRemoteShutdownPrivilege
Token: SeUndockPrivilege
Token: SeManageVolumePrivilege
Token: 33
Token: 34
Token: 35
Token: 36

suspicious_ExecutesDroppedEXE 1 TTPs

Native API
T1106
suspicious_ExecutesDroppedEXE 1 TTPs

Native API
T1106
suspicious_ExecutesDroppedEXE 1 TTPs

Native API
T1106

suspicious_AdjustPrivilegeToken 1 TTPs 1 IoCs

Access Token Manipulation

T1134

description
Token: SeTcbPrivilege

suspicious_SetWindowsHookEx 1 TTPs

suspicious_WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid
PID 4152 wrote to memory of 4300	4300

Drops file in system dir 1 IoCs

description
C:\Windows\TEMP\Switches.xml

wannacry family
family

Sharing

General

Malware Config

Signatures

Processes