Task
task1
Task
task2
General
-
Target
wannacry.exe
-
Sample
190529-1lvgqgk772
-
SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
Score
N/A
Malware Config
Signatures
-
Sets file to hidden 1 TTPs
-
suspicious_WriteProcessMemory 1 TTPs 13 IoCs
description pid PID 2112 wrote to memory of 2120 2120 PID 2112 wrote to memory of 2140 2140 PID 2112 wrote to memory of 2200 2200 PID 2112 wrote to memory of 2228 2228 PID 2112 wrote to memory of 2308 2308 PID 2112 wrote to memory of 2324 2324 PID 2112 wrote to memory of 2620 2620 PID 2112 wrote to memory of 2652 2652 PID 2112 wrote to memory of 2668 2668 PID 2112 wrote to memory of 2684 2684 PID 2112 wrote to memory of 2848 2848 PID 2112 wrote to memory of 2868 2868 PID 2112 wrote to memory of 2884 2884 -
Modifies file permissions
-
suspicious_LoadsDroppedDLL 1 TTPs
-
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_WriteProcessMemory 1 TTPs 1 IoCs
description pid PID 2228 wrote to memory of 2248 2248 -
suspicious_LoadsDroppedDLL 1 TTPs
-
Drops startup file 1 IoCs
description C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD4C55.tmp -
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_LoadsDroppedDLL 1 TTPs
-
suspicious_WriteProcessMemory 1 TTPs 1 IoCs
description pid PID 2324 wrote to memory of 2348 2348 -
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_SetWindowsHookEx 1 TTPs
-
suspicious_SetWindowsHookEx 1 TTPs
-
suspicious_LoadsDroppedDLL 1 TTPs
-
suspicious_WriteProcessMemory 1 TTPs 1 IoCs
description pid PID 2308 wrote to memory of 2416 2416 -
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_LoadsDroppedDLL 1 TTPs
-
suspicious_EnumeratesProcesses
-
suspicious_WriteProcessMemory 1 TTPs 1 IoCs
description pid PID 2348 wrote to memory of 2508 2508 -
Interacts with shadow copies 1 TTPs
-
suspicious_WriteProcessMemory 1 TTPs 2 IoCs
description pid PID 2508 wrote to memory of 2532 2532 PID 2508 wrote to memory of 2600 2600 -
suspicious_AdjustPrivilegeToken 1 TTPs 3 IoCs
description Token: SeBackupPrivilege Token: SeRestorePrivilege Token: SeAuditPrivilege -
Deletes shadow copies 1 TTPs
-
suspicious_AdjustPrivilegeToken 1 TTPs 20 IoCs
description Token: SeIncreaseQuotaPrivilege Token: SeSecurityPrivilege Token: SeTakeOwnershipPrivilege Token: SeLoadDriverPrivilege Token: SeSystemProfilePrivilege Token: SeSystemtimePrivilege Token: SeProfSingleProcessPrivilege Token: SeIncBasePriorityPrivilege Token: SeCreatePagefilePrivilege Token: SeBackupPrivilege Token: SeRestorePrivilege Token: SeShutdownPrivilege Token: SeDebugPrivilege Token: SeSystemEnvironmentPrivilege Token: SeRemoteShutdownPrivilege Token: SeUndockPrivilege Token: SeManageVolumePrivilege Token: 33 Token: 34 Token: 35 -
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_AdjustPrivilegeToken 1 TTPs 1 IoCs
description Token: SeTcbPrivilege -
suspicious_SetWindowsHookEx 1 TTPs
-
suspicious_WriteProcessMemory 1 TTPs 1 IoCs
description pid PID 2684 wrote to memory of 2716 2716 -
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_SetWindowsHookEx 1 TTPs
-
suspicious_AdjustPrivilegeToken 1 TTPs 1 IoCs
description Token: SeTcbPrivilege -
wannacry family