Task
task1
Task
task2
General
-
Target
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
-
Sample
190523-yeal7sgp3e
-
SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
Score
N/A
Malware Config
Signatures
-
Sets file to hidden 1 TTPs
-
suspicious_WriteProcessMemory 1 TTPs 13 IoCs
description pid PID 2104 wrote to memory of 2128 2128 PID 2104 wrote to memory of 2148 2148 PID 2104 wrote to memory of 2192 2192 PID 2104 wrote to memory of 2220 2220 PID 2104 wrote to memory of 2296 2296 PID 2104 wrote to memory of 2312 2312 PID 2104 wrote to memory of 2676 2676 PID 2104 wrote to memory of 2696 2696 PID 2104 wrote to memory of 2712 2712 PID 2104 wrote to memory of 2728 2728 PID 2104 wrote to memory of 2852 2852 PID 2104 wrote to memory of 2872 2872 PID 2104 wrote to memory of 2888 2888 -
Modifies file permissions
-
suspicious_LoadsDroppedDLL 1 TTPs
-
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_WriteProcessMemory 1 TTPs 1 IoCs
description pid PID 2220 wrote to memory of 2240 2240 -
Drops startup file 1 IoCs
description C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD56B1.tmp -
suspicious_LoadsDroppedDLL 1 TTPs
-
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_LoadsDroppedDLL 1 TTPs
-
suspicious_WriteProcessMemory 1 TTPs 1 IoCs
description pid PID 2312 wrote to memory of 2336 2336 -
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_SetWindowsHookEx 1 TTPs
-
suspicious_SetWindowsHookEx 1 TTPs
-
suspicious_LoadsDroppedDLL 1 TTPs
-
suspicious_WriteProcessMemory 1 TTPs 1 IoCs
description pid PID 2296 wrote to memory of 2408 2408 -
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_LoadsDroppedDLL 1 TTPs
-
suspicious_EnumeratesProcesses
-
suspicious_WriteProcessMemory 1 TTPs 1 IoCs
description pid PID 2336 wrote to memory of 2504 2504 -
Interacts with shadow copies 1 TTPs
-
suspicious_WriteProcessMemory 1 TTPs 2 IoCs
description pid PID 2504 wrote to memory of 2524 2524 PID 2504 wrote to memory of 2596 2596 -
suspicious_AdjustPrivilegeToken 1 TTPs 3 IoCs
description Token: SeBackupPrivilege Token: SeRestorePrivilege Token: SeAuditPrivilege -
Deletes shadow copies 1 TTPs
-
suspicious_AdjustPrivilegeToken 1 TTPs 20 IoCs
description Token: SeIncreaseQuotaPrivilege Token: SeSecurityPrivilege Token: SeTakeOwnershipPrivilege Token: SeLoadDriverPrivilege Token: SeSystemProfilePrivilege Token: SeSystemtimePrivilege Token: SeProfSingleProcessPrivilege Token: SeIncBasePriorityPrivilege Token: SeCreatePagefilePrivilege Token: SeBackupPrivilege Token: SeRestorePrivilege Token: SeShutdownPrivilege Token: SeDebugPrivilege Token: SeSystemEnvironmentPrivilege Token: SeRemoteShutdownPrivilege Token: SeUndockPrivilege Token: SeManageVolumePrivilege Token: 33 Token: 34 Token: 35 -
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_WriteProcessMemory 1 TTPs 1 IoCs
description pid PID 2728 wrote to memory of 2764 2764 -
suspicious_SetWindowsHookEx 1 TTPs
-
suspicious_AdjustPrivilegeToken 1 TTPs 1 IoCs
description Token: SeTcbPrivilege -
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_AdjustPrivilegeToken 1 TTPs 1 IoCs
description Token: SeTcbPrivilege -
suspicious_SetWindowsHookEx 1 TTPs
-
wannacry family