General
Target: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Sample: 190606-f18wcp5xsj
SHA256: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
Score: N/A
Malware Config
Signatures
Sets file to hidden (1 TTPs)
Suspicious use of WriteProcessMemory (1 TTPs, 11 IoCs)
  PID 676 wrote to memory of 960 (pid 960)
  PID 676 wrote to memory of 304 (pid 304)
  PID 676 wrote to memory of 1208 (pid 1208)
  PID 676 wrote to memory of 3568 (pid 3568)
  PID 676 wrote to memory of 3512 (pid 3512)
  PID 676 wrote to memory of 612 (pid 612)
  PID 676 wrote to memory of 3404 (pid 3404)
  PID 676 wrote to memory of 2216 (pid 2216)
  PID 676 wrote to memory of 3520 (pid 3520)
  PID 676 wrote to memory of 3480 (pid 3480)
  PID 676 wrote to memory of 1064 (pid 1064)
Modifies file permissions (1 TTPs)
Executes dropped EXE (1 TTPs)
Suspicious use of WriteProcessMemory (1 TTPs, 1 IoCs)
  PID 3568 wrote to memory of 1416 (pid 1416)
Drops startup file (1 IoCs)
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDD6AD.tmp
Executes dropped EXE (1 TTPs)
Modifies control panel (1 IoCs)
  \REGISTRY\USER\S-1-5-21-1680029378-2711335550-577619594-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"
Executes dropped EXE (1 TTPs)
Suspicious use of WriteProcessMemory (1 TTPs, 1 IoCs)
  PID 3404 wrote to memory of 3656 (pid 3656)
Executes dropped EXE (1 TTPs)
Suspicious use of SetWindowsHookEx (1 TTPs)
Suspicious use of SetWindowsHookEx (1 TTPs)
Suspicious use of WriteProcessMemory (1 TTPs, 1 IoCs)
  PID 612 wrote to memory of 388 (pid 388)
Executes dropped EXE (1 TTPs)
Loads dropped DLL (1 TTPs)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory (1 TTPs, 1 IoCs)
  PID 3656 wrote to memory of 3272 (pid 3272)
Interacts with shadow copies (2 TTPs)
Suspicious use of WriteProcessMemory (1 TTPs, 2 IoCs)
  PID 3272 wrote to memory of 2524 (pid 2524)
  PID 3272 wrote to memory of 608 (pid 608)
Suspicious use of AdjustPrivilegeToken (1 TTPs, 3 IoCs)
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeAuditPrivilege
Modifies service (2 TTPs, 4 IoCs)
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Deletes shadow copies (2 TTPs)
Suspicious use of AdjustPrivilegeToken (1 TTPs, 21 IoCs)
  Token: SeIncreaseQuotaPrivilege
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeSystemtimePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  Token: SeSystemEnvironmentPrivilege
  Token: SeRemoteShutdownPrivilege
  Token: SeUndockPrivilege
  Token: SeManageVolumePrivilege
  Token: 33
  Token: 34
  Token: 35
  Token: 36
Executes dropped EXE (1 TTPs)
Executes dropped EXE (1 TTPs)
Suspicious use of SetWindowsHookEx (1 TTPs)
Executes dropped EXE (1 TTPs)
Suspicious use of AdjustPrivilegeToken (1 TTPs, 1 IoCs)
  Token: SeTcbPrivilege
Suspicious use of WriteProcessMemory (1 TTPs, 1 IoCs)
  PID 3480 wrote to memory of 4000 (pid 4000)
Adds Run entry to start application (2 TTPs, 2 IoCs)
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ndfzljdtpxbh592 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""
Modifies control panel (1 IoCs)
  \REGISTRY\USER\S-1-5-21-1680029378-2711335550-577619594-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"
Suspicious use of WriteProcessMemory (1 TTPs, 1 IoCs)
  PID 3308 wrote to memory of 4060 (pid 4060)
wannacry family