Task
task1
Task
task2
General
-
Target
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
-
Sample
190523-6hwglev3pa
-
SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
Score
N/A
Malware Config
Signatures
-
Sets file to hidden 1 TTPs
-
suspicious_WriteProcessMemory 1 TTPs 13 IoCs
description pid PID 4124 wrote to memory of 4144 4144 PID 4124 wrote to memory of 4152 4152 PID 4124 wrote to memory of 4280 4280 PID 4124 wrote to memory of 4308 4308 PID 4124 wrote to memory of 5072 5072 PID 4124 wrote to memory of 5080 5080 PID 4124 wrote to memory of 3556 3556 PID 4124 wrote to memory of 2360 2360 PID 4124 wrote to memory of 3560 3560 PID 4124 wrote to memory of 428 428 PID 4124 wrote to memory of 3160 3160 PID 4124 wrote to memory of 1300 1300 PID 4124 wrote to memory of 3836 3836 -
Modifies file permissions
-
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_WriteProcessMemory 1 TTPs 1 IoCs
description pid PID 4308 wrote to memory of 4344 4344 -
Drops startup file 1 IoCs
description C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD18D8.tmp -
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_WriteProcessMemory 1 TTPs 1 IoCs
description pid PID 5080 wrote to memory of 3164 3164 -
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_SetWindowsHookEx 1 TTPs
-
suspicious_SetWindowsHookEx 1 TTPs
-
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_SetWindowsHookEx 1 TTPs
-
suspicious_WriteProcessMemory 1 TTPs 1 IoCs
description pid PID 3560 wrote to memory of 4144 4144 -
suspicious_AdjustPrivilegeToken 1 TTPs 1 IoCs
description Token: SeTcbPrivilege -
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_WriteProcessMemory 1 TTPs 1 IoCs
description pid PID 5072 wrote to memory of 4288 4288 -
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_LoadsDroppedDLL 1 TTPs
-
suspicious_EnumeratesProcesses
-
suspicious_WriteProcessMemory 1 TTPs 1 IoCs
description pid PID 3164 wrote to memory of 1300 1300 -
Interacts with shadow copies 1 TTPs
-
suspicious_WriteProcessMemory 1 TTPs 2 IoCs
description pid PID 1300 wrote to memory of 4620 4620 PID 1300 wrote to memory of 2344 2344 -
suspicious_AdjustPrivilegeToken 1 TTPs 3 IoCs
description Token: SeBackupPrivilege Token: SeRestorePrivilege Token: SeAuditPrivilege -
Deletes shadow copies 1 TTPs
-
suspicious_AdjustPrivilegeToken 1 TTPs 21 IoCs
description Token: SeIncreaseQuotaPrivilege Token: SeSecurityPrivilege Token: SeTakeOwnershipPrivilege Token: SeLoadDriverPrivilege Token: SeSystemProfilePrivilege Token: SeSystemtimePrivilege Token: SeProfSingleProcessPrivilege Token: SeIncBasePriorityPrivilege Token: SeCreatePagefilePrivilege Token: SeBackupPrivilege Token: SeRestorePrivilege Token: SeShutdownPrivilege Token: SeDebugPrivilege Token: SeSystemEnvironmentPrivilege Token: SeRemoteShutdownPrivilege Token: SeUndockPrivilege Token: SeManageVolumePrivilege Token: 33 Token: 34 Token: 35 Token: 36 -
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_AdjustPrivilegeToken 1 TTPs 1 IoCs
description Token: SeTcbPrivilege -
suspicious_SetWindowsHookEx 1 TTPs
-
wannacry family