ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Sharing

Copy URL

Twitter E-mail

General

Target

wannacry.exe
Sample

190618-d2rp92kzkx
SHA256

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Score

N/A

Malware Config

Signatures

Sets file to hidden 1 TTPs

Suspicious use of WriteProcessMemory 1 TTPs 11 IoCs

Process Injection

T1055

description	pid
PID 488 wrote to memory of 1060	1060
PID 488 wrote to memory of 3600	3600
PID 488 wrote to memory of 2004	2004
PID 488 wrote to memory of 3316	3316
PID 488 wrote to memory of 2524	2524
PID 488 wrote to memory of 3912	3912
PID 488 wrote to memory of 3892	3892
PID 488 wrote to memory of 1824	1824
PID 488 wrote to memory of 644	644
PID 488 wrote to memory of 3436	3436
PID 488 wrote to memory of 3480	3480

Modifies file permissions 1 TTPs

File and Directory Permissions Modification
T1222
Executes dropped EXE 1 TTPs

Native API
T1106

Suspicious use of WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid
PID 3316 wrote to memory of 3320	3320

Drops startup file 1 IoCs

description
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDD97D.tmp

Executes dropped EXE 1 TTPs

Native API
T1106

Modifies control panel 1 IoCs

description
\REGISTRY\USER\S-1-5-21-1680029378-2711335550-577619594-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"

Executes dropped EXE 1 TTPs

Native API
T1106

Suspicious use of WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid
PID 3892 wrote to memory of 4064	4064

Executes dropped EXE 1 TTPs

Native API
T1106
Suspicious use of SetWindowsHookEx 1 TTPs
Suspicious use of SetWindowsHookEx 1 TTPs

Suspicious use of WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid
PID 3912 wrote to memory of 912	912

Executes dropped EXE 1 TTPs

Native API
T1106
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid
PID 4064 wrote to memory of 2868	2868

Interacts with shadow copies 2 TTPs

Inhibit System Recovery
T1490

Suspicious use of WriteProcessMemory 1 TTPs 2 IoCs

Process Injection

T1055

description	pid
PID 2868 wrote to memory of 2340	2340
PID 2868 wrote to memory of 2556	2556

Suspicious use of AdjustPrivilegeToken 1 TTPs 3 IoCs

Access Token Manipulation

T1134

description
Token: SeBackupPrivilege
Token: SeRestorePrivilege
Token: SeAuditPrivilege

Modifies service 2 TTPs 4 IoCs

Modify Registry

T1112

description
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer

Deletes shadow copies 2 TTPs

Inhibit System Recovery
T1490

Suspicious use of AdjustPrivilegeToken 1 TTPs 21 IoCs

Access Token Manipulation

T1134

description
Token: SeIncreaseQuotaPrivilege
Token: SeSecurityPrivilege
Token: SeTakeOwnershipPrivilege
Token: SeLoadDriverPrivilege
Token: SeSystemProfilePrivilege
Token: SeSystemtimePrivilege
Token: SeProfSingleProcessPrivilege
Token: SeIncBasePriorityPrivilege
Token: SeCreatePagefilePrivilege
Token: SeBackupPrivilege
Token: SeRestorePrivilege
Token: SeShutdownPrivilege
Token: SeDebugPrivilege
Token: SeSystemEnvironmentPrivilege
Token: SeRemoteShutdownPrivilege
Token: SeUndockPrivilege
Token: SeManageVolumePrivilege
Token: 33
Token: 34
Token: 35
Token: 36

Executes dropped EXE 1 TTPs

Native API
T1106
Executes dropped EXE 1 TTPs

Native API
T1106
Suspicious use of SetWindowsHookEx 1 TTPs
Executes dropped EXE 1 TTPs

Native API
T1106

Suspicious use of WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid
PID 3436 wrote to memory of 3752	3752

Adds Run entry to start application 2 TTPs 2 IoCs

Modify Registry

T1112

description
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ndfzljdtpxbh592 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""

Suspicious use of AdjustPrivilegeToken 1 TTPs 1 IoCs

Access Token Manipulation

T1134

description
Token: SeTcbPrivilege

Modifies control panel 1 IoCs

description
\REGISTRY\USER\S-1-5-21-1680029378-2711335550-577619594-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"

Suspicious use of SetWindowsHookEx 1 TTPs

Modifies control panel 1 IoCs

description
\REGISTRY\USER\S-1-5-21-1680029378-2711335550-577619594-1000\Control Panel\Colors

Suspicious use of FindShellTrayWindow 1 TTPs

Process Injection
T1055

Modifies registry class 1 TTPs 2 IoCs

Modify Registry

T1112

description
\REGISTRY\USER\S-1-5-21-1680029378-2711335550-577619594-1000_Classes\Local Settings
\REGISTRY\USER\S-1-5-21-1680029378-2711335550-577619594-1000_Classes\Local Settings\MrtCache

wannacry family
family

Sharing

General

Malware Config

Signatures

Processes