ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Resubmissions

18-10-2019 15:52

191018-8typv9j9fn 0

09-08-2019 12:22

190809-4hmrwf3nzs 0

Analysis

max time kernel
60s

Sharing

Copy URL

Twitter E-mail

General

Target

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Sample

190809-4hmrwf3nzs
SHA256

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Score

N/A

Malware Config

Signatures

Sets file to hidden 1 TTPs

Suspicious use of WriteProcessMemory 1 TTPs 10 IoCs

Process Injection

T1055

description	pid	Process
PID 1216 wrote to memory of 1996	1996	Process not Found
PID 1216 wrote to memory of 1736	1736	Process not Found
PID 1216 wrote to memory of 792	792	Process not Found
PID 1216 wrote to memory of 1748	1748	Process not Found
PID 1216 wrote to memory of 300	300	Process not Found
PID 1216 wrote to memory of 1640	1640	Process not Found
PID 1216 wrote to memory of 592	592	Process not Found
PID 1216 wrote to memory of 304	304	Process not Found
PID 1216 wrote to memory of 1352	1352	Process not Found
PID 1216 wrote to memory of 112	112	Process not Found

Modifies file permissions 1 TTPs

File and Directory Permissions Modification
T1222
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Executes dropped EXE 1 TTPs

Native API
T1106

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\d4-0\Microsoft.PowerShell.Commands.Diagnostics.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P1706cafe#\fe08d859e3b23be8a1ccd288bc691925\Microsoft.PowerShell.Commands.Diagnostics.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129

Suspicious use of WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid	Process
PID 1748 wrote to memory of 1848	1848	Process not Found

Loads dropped DLL 1 TTPs

Shared Modules
T1129

Drops startup file 1 IoCs

description
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD49E7.tmp

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\314-0\Microsoft.PowerShell.Commands.Management.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\e7dfdc741cadfdfed5b21e4b32006615\Microsoft.PowerShell.Commands.Management.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\3f8-0\Microsoft.PowerShell.Commands.Utility.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\6830998406929e1e293582edd9a8e1f5\Microsoft.PowerShell.Commands.Utility.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\668-0\Microsoft.PowerShell.ConsoleHost.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\b6ea02de2d9511e27ab8fa7434fe5440\Microsoft.PowerShell.ConsoleHost.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\7a0-0\Microsoft.PowerShell.Core.Activities.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce#\680d4080ee5e60f2ed2e9d56b54be8d6\Microsoft.PowerShell.Core.Activities.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129

Modifies control panel 1 IoCs

description
\REGISTRY\USER\S-1-5-21-2035595487-2729879620-3668659499-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"

Executes dropped EXE 1 TTPs

Native API
T1106

Suspicious registry modification 1 IoCs

description
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\PendingFileRenameOperations = 5c003f003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c00540065006d0070005c006800690062007300790073002e0057004e004300520059005400000000000000

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1ec-0\Microsoft.PowerShell.Diagnostics.Activities.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P34f388c1#\4dd796da5cd3a7855c4bd754efed0d48\Microsoft.PowerShell.Diagnostics.Activities.ni.dll.aux.tmp

Suspicious use of WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid	Process
PID 1640 wrote to memory of 332	332	Process not Found

Executes dropped EXE 1 TTPs

Native API
T1106
Suspicious use of SetWindowsHookEx 1 TTPs
Suspicious use of SetWindowsHookEx 1 TTPs
Loads dropped DLL 1 TTPs

Shared Modules
T1129

Suspicious use of WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid	Process
PID 300 wrote to memory of 1312	1312	Process not Found

Executes dropped EXE 1 TTPs

Native API
T1106
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Suspicious behavior: EnumeratesProcesses
Executes dropped EXE 1 TTPs

Native API
T1106
Executes dropped EXE 1 TTPs

Native API
T1106
Suspicious use of SetWindowsHookEx 1 TTPs
Executes dropped EXE 1 TTPs

Native API
T1106

Modifies control panel 1 IoCs

description
\REGISTRY\USER\S-1-5-21-2035595487-2729879620-3668659499-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"

Suspicious use of AdjustPrivilegeToken 1 TTPs 1 IoCs

Access Token Manipulation

T1134

description
Token: SeTcbPrivilege

Suspicious use of WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid	Process
PID 1352 wrote to memory of 1016	1016	Process not Found

Adds Run entry to start application 2 TTPs 2 IoCs

Modify Registry

T1112

description
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (CreateKeyEx)
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ejzqpilt226 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""

Suspicious use of WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid	Process
PID 332 wrote to memory of 1332	1332	Process not Found

Interacts with shadow copies 2 TTPs

Inhibit System Recovery
T1490

Suspicious use of WriteProcessMemory 1 TTPs 2 IoCs

Process Injection

T1055

description	pid	Process
PID 1332 wrote to memory of 1628	1628	Process not Found
PID 1332 wrote to memory of 1028	1028	Process not Found

Suspicious use of AdjustPrivilegeToken 1 TTPs 3 IoCs

Access Token Manipulation

T1134

description
Token: SeBackupPrivilege
Token: SeRestorePrivilege
Token: SeAuditPrivilege

Modifies service 2 TTPs 4 IoCs

Modify Registry

T1112

description
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (CreateKeyEx)
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (CreateKeyEx)
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (CreateKeyEx)
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (CreateKeyEx)

Deletes shadow copies 2 TTPs

Inhibit System Recovery
T1490

Suspicious use of AdjustPrivilegeToken 1 TTPs 20 IoCs

Access Token Manipulation

T1134

description
Token: SeIncreaseQuotaPrivilege
Token: SeSecurityPrivilege
Token: SeTakeOwnershipPrivilege
Token: SeLoadDriverPrivilege
Token: SeSystemProfilePrivilege
Token: SeSystemtimePrivilege
Token: SeProfSingleProcessPrivilege
Token: SeIncBasePriorityPrivilege
Token: SeCreatePagefilePrivilege
Token: SeBackupPrivilege
Token: SeRestorePrivilege
Token: SeShutdownPrivilege
Token: SeDebugPrivilege
Token: SeSystemEnvironmentPrivilege
Token: SeRemoteShutdownPrivilege
Token: SeUndockPrivilege
Token: SeManageVolumePrivilege
Token: 33
Token: 34
Token: 35

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\510-0\Microsoft.PowerShell.Editor.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P10d01611#\3037a8e88408d67115e75b819628bff6\Microsoft.PowerShell.Editor.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\4e4-0\Microsoft.PowerShell.GPowerShell.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\bd15d0889b1627fe9c0fb70bd62db369\Microsoft.PowerShell.GPowerShell.ni.dll.aux.tmp

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\25c-0\Microsoft.PowerShell.GraphicalHost.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pcd26229b#\e26d2700d474c30c13e234acb7fc3067\Microsoft.PowerShell.GraphicalHost.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\598-0\Microsoft.PowerShell.ISECommon.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62#\d507795c38d9f9fb343d60b9d65171fa\Microsoft.PowerShell.ISECommon.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
wannacry family
family

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes