Task
task1
Task
task2
General
-
Target
wannacry.exe
-
Sample
190531-qlzl2wmc8e
-
SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
Score
N/A
Malware Config
Signatures
-
Sets file to hidden 1 TTPs
-
suspicious_WriteProcessMemory 1 TTPs 13 IoCs
description pid PID 2116 wrote to memory of 2124 2124 PID 2116 wrote to memory of 2144 2144 PID 2116 wrote to memory of 2204 2204 PID 2116 wrote to memory of 2232 2232 PID 2116 wrote to memory of 2320 2320 PID 2116 wrote to memory of 2340 2340 PID 2116 wrote to memory of 2592 2592 PID 2116 wrote to memory of 2616 2616 PID 2116 wrote to memory of 2636 2636 PID 2116 wrote to memory of 2656 2656 PID 2116 wrote to memory of 2864 2864 PID 2116 wrote to memory of 2884 2884 PID 2116 wrote to memory of 2904 2904 -
Modifies file permissions
-
suspicious_LoadsDroppedDLL 1 TTPs
-
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_WriteProcessMemory 1 TTPs 1 IoCs
description pid PID 2232 wrote to memory of 2252 2252 -
Drops startup file 1 IoCs
description C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD5A88.tmp -
suspicious_LoadsDroppedDLL 1 TTPs
-
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_LoadsDroppedDLL 1 TTPs
-
suspicious_WriteProcessMemory 1 TTPs 1 IoCs
description pid PID 2340 wrote to memory of 2360 2360 -
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_SetWindowsHookEx 1 TTPs
-
suspicious_SetWindowsHookEx 1 TTPs
-
suspicious_LoadsDroppedDLL 1 TTPs
-
suspicious_WriteProcessMemory 1 TTPs 1 IoCs
description pid PID 2320 wrote to memory of 2432 2432 -
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_LoadsDroppedDLL 1 TTPs
-
suspicious_EnumeratesProcesses
-
suspicious_WriteProcessMemory 1 TTPs 1 IoCs
description pid PID 2360 wrote to memory of 2524 2524 -
Interacts with shadow copies 1 TTPs
-
suspicious_WriteProcessMemory 1 TTPs 2 IoCs
description pid PID 2524 wrote to memory of 2544 2544 PID 2524 wrote to memory of 2700 2700 -
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_AdjustPrivilegeToken 1 TTPs 3 IoCs
description Token: SeBackupPrivilege Token: SeRestorePrivilege Token: SeAuditPrivilege -
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_AdjustPrivilegeToken 1 TTPs 1 IoCs
description Token: SeTcbPrivilege -
suspicious_SetWindowsHookEx 1 TTPs
-
suspicious_WriteProcessMemory 1 TTPs 1 IoCs
description pid PID 2656 wrote to memory of 2688 2688 -
Deletes shadow copies 1 TTPs
-
suspicious_AdjustPrivilegeToken 1 TTPs 20 IoCs
description Token: SeIncreaseQuotaPrivilege Token: SeSecurityPrivilege Token: SeTakeOwnershipPrivilege Token: SeLoadDriverPrivilege Token: SeSystemProfilePrivilege Token: SeSystemtimePrivilege Token: SeProfSingleProcessPrivilege Token: SeIncBasePriorityPrivilege Token: SeCreatePagefilePrivilege Token: SeBackupPrivilege Token: SeRestorePrivilege Token: SeShutdownPrivilege Token: SeDebugPrivilege Token: SeSystemEnvironmentPrivilege Token: SeRemoteShutdownPrivilege Token: SeUndockPrivilege Token: SeManageVolumePrivilege Token: 33 Token: 34 Token: 35 -
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_ExecutesDroppedEXE 1 TTPs
-
suspicious_AdjustPrivilegeToken 1 TTPs 1 IoCs
description Token: SeTcbPrivilege -
suspicious_SetWindowsHookEx 1 TTPs
-
wannacry family