Task
task1
Task
task2
General
-
Target
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
-
Sample
190523-hp7nmd9zdj
-
SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
Score
N/A
Malware Config
Signatures
-
Sets file to hidden 1 TTPs
-
suspicious_WriteProcessMemory 1 TTPs 13 IoCs
description pid PID 2140 wrote to memory of 2152 2152 PID 2140 wrote to memory of 2172 2172 PID 2140 wrote to memory of 2228 2228 PID 2140 wrote to memory of 2256 2256 PID 2140 wrote to memory of 2360 2360 PID 2140 wrote to memory of 2376 2376 PID 2140 wrote to memory of 2660 2660 PID 2140 wrote to memory of 2680 2680 PID 2140 wrote to memory of 2696 2696 PID 2140 wrote to memory of 2720 2720 PID 2140 wrote to memory of 2908 2908 PID 2140 wrote to memory of 2928 2928 PID 2140 wrote to memory of 2948 2948 -
Modifies file permissions
-
suspicious_LoadsDroppedDLL 1 TTPs
-
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_WriteProcessMemory 1 TTPs 1 IoCs
description pid PID 2256 wrote to memory of 2276 2276 -
Drops startup file 1 IoCs
description C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD5B05.tmp -
suspicious_LoadsDroppedDLL 1 TTPs
-
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_LoadsDroppedDLL 1 TTPs
-
suspicious_WriteProcessMemory 1 TTPs 1 IoCs
description pid PID 2376 wrote to memory of 2400 2400 -
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_SetWindowsHookEx 1 TTPs
-
suspicious_SetWindowsHookEx 1 TTPs
-
suspicious_LoadsDroppedDLL 1 TTPs
-
suspicious_WriteProcessMemory 1 TTPs 1 IoCs
description pid PID 2360 wrote to memory of 2464 2464 -
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_LoadsDroppedDLL 1 TTPs
-
suspicious_EnumeratesProcesses
-
suspicious_WriteProcessMemory 1 TTPs 1 IoCs
description pid PID 2400 wrote to memory of 2564 2564 -
Interacts with shadow copies 1 TTPs
-
suspicious_WriteProcessMemory 1 TTPs 2 IoCs
description pid PID 2564 wrote to memory of 2584 2584 PID 2564 wrote to memory of 2644 2644 -
suspicious_AdjustPrivilegeToken 1 TTPs 3 IoCs
description Token: SeBackupPrivilege Token: SeRestorePrivilege Token: SeAuditPrivilege -
Deletes shadow copies 1 TTPs
-
suspicious_AdjustPrivilegeToken 1 TTPs 20 IoCs
description Token: SeIncreaseQuotaPrivilege Token: SeSecurityPrivilege Token: SeTakeOwnershipPrivilege Token: SeLoadDriverPrivilege Token: SeSystemProfilePrivilege Token: SeSystemtimePrivilege Token: SeProfSingleProcessPrivilege Token: SeIncBasePriorityPrivilege Token: SeCreatePagefilePrivilege Token: SeBackupPrivilege Token: SeRestorePrivilege Token: SeShutdownPrivilege Token: SeDebugPrivilege Token: SeSystemEnvironmentPrivilege Token: SeRemoteShutdownPrivilege Token: SeUndockPrivilege Token: SeManageVolumePrivilege Token: 33 Token: 34 Token: 35 -
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_AdjustPrivilegeToken 1 TTPs 1 IoCs
description Token: SeTcbPrivilege -
suspicious_SetWindowsHookEx 1 TTPs
-
suspicious_WriteProcessMemory 1 TTPs 1 IoCs
description pid PID 2720 wrote to memory of 2760 2760 -
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_AdjustPrivilegeToken 1 TTPs 1 IoCs
description Token: SeTcbPrivilege -
suspicious_SetWindowsHookEx 1 TTPs
-
wannacry family