Tasks: task1, task2

General
Target: wannacry.exe
Sample: 190529-1lvgqgk772
SHA256: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
Score: N/A
Malware Config
Signatures
Sets file to hidden (1 TTP)

suspicious_WriteProcessMemory (1 TTP, 13 IoCs)
  PID 4200 wrote to memory of 4288
  PID 4200 wrote to memory of 4296
  PID 4200 wrote to memory of 4552
  PID 4200 wrote to memory of 4580
  PID 4200 wrote to memory of 2424
  PID 4200 wrote to memory of 4308
  PID 4200 wrote to memory of 1692
  PID 4200 wrote to memory of 840
  PID 4200 wrote to memory of 1660
  PID 4200 wrote to memory of 1580
  PID 4200 wrote to memory of 5908
  PID 4200 wrote to memory of 5928
  PID 4200 wrote to memory of 5936
Modifies file permissions

suspicious_ExecutesDroppedEXE (1 TTP)

suspicious_WriteProcessMemory (1 TTP, 1 IoC)
  PID 4580 wrote to memory of 4616

Drops startup file (1 IoC)
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDC0.tmp
suspicious_ExecutesDroppedEXE (1 TTP)

suspicious_WriteProcessMemory (1 TTP, 1 IoC)
  PID 4308 wrote to memory of 4296

suspicious_ExecutesDroppedEXE (1 TTP)

suspicious_SetWindowsHookEx (1 TTP)

suspicious_SetWindowsHookEx (1 TTP)

suspicious_WriteProcessMemory (1 TTP, 1 IoC)
  PID 2424 wrote to memory of 1444

suspicious_ExecutesDroppedEXE (1 TTP)

suspicious_LoadsDroppedDLL (1 TTP)

suspicious_EnumeratesProcesses

suspicious_WriteProcessMemory (1 TTP, 1 IoC)
  PID 4296 wrote to memory of 2384

Interacts with shadow copies (1 TTP)

suspicious_WriteProcessMemory (1 TTP, 2 IoCs)
  PID 2384 wrote to memory of 1516
  PID 2384 wrote to memory of 4584

suspicious_AdjustPrivilegeToken (1 TTP, 3 IoCs)
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeAuditPrivilege
Deletes shadow copies (1 TTP)

suspicious_AdjustPrivilegeToken (1 TTP, 21 IoCs)
  Token: SeIncreaseQuotaPrivilege
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeSystemtimePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  Token: SeSystemEnvironmentPrivilege
  Token: SeRemoteShutdownPrivilege
  Token: SeUndockPrivilege
  Token: SeManageVolumePrivilege
  Token: 33
  Token: 34
  Token: 35
  Token: 36
suspicious_ExecutesDroppedEXE (1 TTP)

suspicious_ExecutesDroppedEXE (1 TTP)

suspicious_ExecutesDroppedEXE (1 TTP)

suspicious_SetWindowsHookEx (1 TTP)

suspicious_AdjustPrivilegeToken (1 TTP, 1 IoC)
  Token: SeTcbPrivilege

suspicious_WriteProcessMemory (1 TTP, 1 IoC)
  PID 1580 wrote to memory of 4224

suspicious_NtCreateUserProcessOtherParentProcess (1 TTP, 1 IoC)
  PID 5428 created 4008

program_crash (1 IoC)
  PID 4008

suspicious_WriteProcessMemory (1 TTP, 1 IoC)
  PID 5428 wrote to memory of 5464

suspicious_NtCreateProcessExOtherParentProcess (1 TTP, 1 IoC)
  PID 5464 created 4008

suspicious_AdjustPrivilegeToken (1 TTP, 1 IoC)
  Token: SeDebugPrivilege
suspicious_EnumeratesProcesses

suspicious_EnumeratesProcesses

suspicious_ExecutesDroppedEXE (1 TTP)

suspicious_ExecutesDroppedEXE (1 TTP)

suspicious_ExecutesDroppedEXE (1 TTP)

suspicious_AdjustPrivilegeToken (1 TTP, 1 IoC)
  Token: SeTcbPrivilege

suspicious_SetWindowsHookEx (1 TTP)

wannacry family
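The WriteProcessMemory, process-creation and AdjustPrivilegeToken IoCs in the report are printed as flat text, which hides the shape of the activity. The following Python is an added example, not part of the sandbox report or of any sandbox vendor's tooling: it parses those IoC strings into an injection graph and a privilege set, then reports the chain origins (4200, the source of every injection in the first chain, and 5428, which created the crashed PID 4008), the 13-way fan-out from 4200, the longest chain 4200 -> 4308 -> 4296 -> 2384 -> 1516, and which enabled privileges are the ones that remove the process-access and file-ACL boundaries (SeDebug, SeBackup/SeRestore, SeTcb, SeTakeOwnership, SeLoadDriver). The REPORT_IOCS list is constructed from the report lines above, the regexes and the HIGH_VALUE set are this example's own choices, and the four tokens the sandbox printed only as numbers (33 to 36) are kept unresolved rather than guessed.

```python
"""Structure the flattened IoC text of the sandbox report above: a process-injection
graph from the WriteProcessMemory / 'created' IoCs, plus the AdjustPrivilegeToken set."""
import re
from collections import defaultdict

# Constructed input: IoC descriptions copied from the report above, tagged with their
# signature. The report's doubled trailing PID ("... of 4288 4288") is left in place.
REPORT_IOCS = [
    ("WriteProcessMemory",
     "PID 4200 wrote to memory of 4288 4288 PID 4200 wrote to memory of 4296 4296 "
     "PID 4200 wrote to memory of 4552 4552 PID 4200 wrote to memory of 4580 4580 "
     "PID 4200 wrote to memory of 2424 2424 PID 4200 wrote to memory of 4308 4308 "
     "PID 4200 wrote to memory of 1692 1692 PID 4200 wrote to memory of 840 840 "
     "PID 4200 wrote to memory of 1660 1660 PID 4200 wrote to memory of 1580 1580 "
     "PID 4200 wrote to memory of 5908 5908 PID 4200 wrote to memory of 5928 5928 "
     "PID 4200 wrote to memory of 5936 5936"),
    ("WriteProcessMemory", "PID 4580 wrote to memory of 4616 4616"),
    ("WriteProcessMemory", "PID 4308 wrote to memory of 4296 4296"),
    ("WriteProcessMemory", "PID 2424 wrote to memory of 1444 1444"),
    ("WriteProcessMemory", "PID 4296 wrote to memory of 2384 2384"),
    ("WriteProcessMemory",
     "PID 2384 wrote to memory of 1516 1516 PID 2384 wrote to memory of 4584 4584"),
    ("AdjustPrivilegeToken",
     "Token: SeBackupPrivilege Token: SeRestorePrivilege Token: SeAuditPrivilege"),
    ("AdjustPrivilegeToken",
     "Token: SeIncreaseQuotaPrivilege Token: SeSecurityPrivilege Token: SeTakeOwnershipPrivilege "
     "Token: SeLoadDriverPrivilege Token: SeSystemProfilePrivilege Token: SeSystemtimePrivilege "
     "Token: SeProfSingleProcessPrivilege Token: SeIncBasePriorityPrivilege "
     "Token: SeCreatePagefilePrivilege Token: SeBackupPrivilege Token: SeRestorePrivilege "
     "Token: SeShutdownPrivilege Token: SeDebugPrivilege Token: SeSystemEnvironmentPrivilege "
     "Token: SeRemoteShutdownPrivilege Token: SeUndockPrivilege Token: SeManageVolumePrivilege "
     "Token: 33 Token: 34 Token: 35 Token: 36"),
    ("AdjustPrivilegeToken", "Token: SeTcbPrivilege"),
    ("WriteProcessMemory", "PID 1580 wrote to memory of 4224 4224"),
    ("NtCreateUserProcessOtherParentProcess", "PID 5428 created 4008 4008"),
    ("WriteProcessMemory", "PID 5428 wrote to memory of 5464 5464"),
    ("NtCreateProcessExOtherParentProcess", "PID 5464 created 4008 4008"),
    ("AdjustPrivilegeToken", "Token: SeDebugPrivilege"),
]

EDGE_RE = re.compile(r"PID (\d+) (wrote to memory of|created) (\d+)")
TOKEN_RE = re.compile(r"Token: (\S+)")

# Editor's selection of privileges worth flagging here: SeDebug opens any process for
# the injection fan-out, SeBackup/SeRestore bypass file ACLs, SeTcb acts as the OS.
HIGH_VALUE = {"SeDebugPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
              "SeTcbPrivilege", "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege"}


def parse_edges(iocs):
    """(src_pid, action, dst_pid) in report order, duplicates dropped."""
    edges, seen = [], set()
    for _, text in iocs:
        for src, action, dst in EDGE_RE.findall(text):
            edge = (int(src), action, int(dst))
            if edge not in seen:
                seen.add(edge)
                edges.append(edge)
    return edges


def parse_privileges(iocs):
    """Union of every Token: value; unresolved ones stay as their bare number."""
    return {tok for _, text in iocs for tok in TOKEN_RE.findall(text)}


def classify_privileges(privs):
    """(high-value names present, entries the sandbox could not resolve to a name)."""
    return sorted(privs & HIGH_VALUE), sorted(p for p in privs if p.isdigit())


def roots(edges):
    """PIDs that act on others but were never acted upon: the chain origins."""
    return sorted({s for s, _, _ in edges} - {d for _, _, d in edges})


def fan_out(edges):
    """Number of distinct processes each PID wrote into."""
    targets = defaultdict(set)
    for src, action, dst in edges:
        if action == "wrote to memory of":
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items()}


def chains(edges, root):
    """Every root-to-leaf path; a PID already on the path is not revisited."""
    graph = defaultdict(list)
    for src, _, dst in edges:
        graph[src].append(dst)

    def walk(path):
        nxt = [c for c in graph[path[-1]] if c not in path]
        return [path] if not nxt else [p for c in nxt for p in walk(path + [c])]

    return walk([root])


def longest_chain(edges):
    """First longest root-to-leaf path across all chain origins."""
    return max((p for r in roots(edges) for p in chains(edges, r)), key=len)


if __name__ == "__main__":
    e = parse_edges(REPORT_IOCS)
    print(roots(e), fan_out(e), longest_chain(e), classify_privileges(parse_privileges(REPORT_IOCS)))
```

Run as-is it prints the two chain origins, the per-source injection counts, the longest chain and the privilege classification. The same parser works on any report in this layout; only REPORT_IOCS needs to change.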