Tasks: task1, task2
General
  Target: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
  Sample: 190606-f18wcp5xsj
  SHA256: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
  Score: N/A
Malware Config
Signatures
  Sets file to hidden (1 TTPs)
  Suspicious use of WriteProcessMemory (1 TTPs, 13 IoCs)
    description                         pid
    PID 1300 wrote to memory of 1296    1296
    PID 1300 wrote to memory of 1032    1032
    PID 1300 wrote to memory of 1328    1328
    PID 1300 wrote to memory of 1532    1532
    PID 1300 wrote to memory of 1924    1924
    PID 1300 wrote to memory of 1880    1880
    PID 1300 wrote to memory of 696     696
    PID 1300 wrote to memory of 804     804
    PID 1300 wrote to memory of 1872    1872
    PID 1300 wrote to memory of 1856    1856
    PID 1300 wrote to memory of 640     640
    PID 1300 wrote to memory of 1948    1948
    PID 1300 wrote to memory of 608     608
  Modifies file permissions (1 TTPs)
  Loads dropped DLL (1 TTPs)
  Executes dropped EXE (1 TTPs)
  Suspicious use of WriteProcessMemory (1 TTPs, 1 IoCs)
    description                         pid
    PID 1532 wrote to memory of 1940    1940
  Drops startup file (1 IoCs)
    description
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD5089.tmp
  Loads dropped DLL (1 TTPs)
  Modifies control panel (1 IoCs)
    description
    \REGISTRY\USER\S-1-5-21-1548117458-596549244-604853198-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"
  Executes dropped EXE (1 TTPs)
  Loads dropped DLL (1 TTPs)
  Suspicious use of WriteProcessMemory (1 TTPs, 1 IoCs)
    description                         pid
    PID 1880 wrote to memory of 1848    1848
  Executes dropped EXE (1 TTPs)
  Suspicious use of SetWindowsHookEx (1 TTPs)
  Suspicious use of SetWindowsHookEx (1 TTPs)
  Loads dropped DLL (1 TTPs)
  Suspicious use of WriteProcessMemory (1 TTPs, 1 IoCs)
    description                         pid
    PID 1924 wrote to memory of 1196    1196
  Executes dropped EXE (1 TTPs)
  Loads dropped DLL (1 TTPs)
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of WriteProcessMemory (1 TTPs, 1 IoCs)
    description                         pid
    PID 1848 wrote to memory of 1016    1016
  Interacts with shadow copies (2 TTPs)
  Suspicious use of WriteProcessMemory (1 TTPs, 2 IoCs)
    description                         pid
    PID 1016 wrote to memory of 156     156
    PID 1016 wrote to memory of 296     296
  Executes dropped EXE (1 TTPs)
  Executes dropped EXE (1 TTPs)
  Executes dropped EXE (1 TTPs)
  Suspicious use of SetWindowsHookEx (1 TTPs)
  Suspicious use of AdjustPrivilegeToken (1 TTPs, 1 IoCs)
    description
    Token: SeTcbPrivilege
  Suspicious use of WriteProcessMemory (1 TTPs, 1 IoCs)
    description                         pid
    PID 1872 wrote to memory of 420     420
  Adds Run entry to start application (2 TTPs, 2 IoCs)
    description
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\unnfcwkalkwice160 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""
  Modifies control panel (1 IoCs)
    description
    \REGISTRY\USER\S-1-5-21-1548117458-596549244-604853198-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"
  Suspicious use of AdjustPrivilegeToken (1 TTPs, 3 IoCs)
    description
    Token: SeBackupPrivilege
    Token: SeRestorePrivilege
    Token: SeAuditPrivilege
  Modifies service (2 TTPs, 4 IoCs)
    description
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
  Deletes shadow copies (2 TTPs)
  Suspicious use of AdjustPrivilegeToken (1 TTPs, 20 IoCs)
    description
    Token: SeIncreaseQuotaPrivilege
    Token: SeSecurityPrivilege
    Token: SeTakeOwnershipPrivilege
    Token: SeLoadDriverPrivilege
    Token: SeSystemProfilePrivilege
    Token: SeSystemtimePrivilege
    Token: SeProfSingleProcessPrivilege
    Token: SeIncBasePriorityPrivilege
    Token: SeCreatePagefilePrivilege
    Token: SeBackupPrivilege
    Token: SeRestorePrivilege
    Token: SeShutdownPrivilege
    Token: SeDebugPrivilege
    Token: SeSystemEnvironmentPrivilege
    Token: SeRemoteShutdownPrivilege
    Token: SeUndockPrivilege
    Token: SeManageVolumePrivilege
    Token: 33
    Token: 34
    Token: 35
  Executes dropped EXE (1 TTPs)
  Executes dropped EXE (1 TTPs)
  Executes dropped EXE (1 TTPs)
  Suspicious use of AdjustPrivilegeToken (1 TTPs, 1 IoCs)
    description
    Token: SeTcbPrivilege
  Suspicious use of SetWindowsHookEx (1 TTPs)
  Drops file in system dir (2 IoCs)
    description
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat
  Suspicious use of AdjustPrivilegeToken (1 TTPs, 1 IoCs)
    description
    Token: SeShutdownPrivilege
  Drops file in system dir (2 IoCs)
    description
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat
  Suspicious use of AdjustPrivilegeToken (1 TTPs, 1 IoCs)
    description
    Token: SeShutdownPrivilege

Family: wannacry