General
Target: test.zip
Sample: 190809-b9e7y9szpa
SHA256: 72b228f51cf5a1b7600f0e0848145e4e54e54838977a5a5b1c85f69b64b92cf5
Score: N/A
Malware Config
Signatures
Sets file to hidden (1 TTPs)
Suspicious use of WriteProcessMemory (1 TTPs, 10 IoCs)
  description | pid | Process
  PID 1840 wrote to memory of 1688 | 1688 | Process not Found
  PID 1840 wrote to memory of 1968 | 1968 | Process not Found
  PID 1840 wrote to memory of 776 | 776 | Process not Found
  PID 1840 wrote to memory of 876 | 876 | Process not Found
  PID 1840 wrote to memory of 540 | 540 | Process not Found
  PID 1840 wrote to memory of 2008 | 2008 | Process not Found
  PID 1840 wrote to memory of 332 | 332 | Process not Found
  PID 1840 wrote to memory of 876 | 876 | Process not Found
  PID 1840 wrote to memory of 1648 | 1648 | Process not Found
  PID 1840 wrote to memory of 700 | 700 | Process not Found
Modifies file permissions (1 TTPs)
Drops file in system dir (3 IoCs)
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\32c-0\Microsoft.PowerShell.Commands.Management.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\e7dfdc741cadfdfed5b21e4b32006615\Microsoft.PowerShell.Commands.Management.ni.dll.aux.tmp
Loads dropped DLL (1 TTPs)
Loads dropped DLL (1 TTPs)
Executes dropped EXE (1 TTPs)
Suspicious use of WriteProcessMemory (1 TTPs, 1 IoCs)
  description | pid | Process
  PID 876 wrote to memory of 1648 | 1648 | Process not Found
Loads dropped DLL (1 TTPs)
Drops startup file (1 IoCs)
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD4FB1.tmp
Drops file in system dir (3 IoCs)
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\44c-0\Microsoft.PowerShell.Commands.Utility.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\6830998406929e1e293582edd9a8e1f5\Microsoft.PowerShell.Commands.Utility.ni.dll.aux.tmp
Loads dropped DLL (1 TTPs)
Drops file in system dir (3 IoCs)
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\7b0-0\Microsoft.PowerShell.ConsoleHost.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\b6ea02de2d9511e27ab8fa7434fe5440\Microsoft.PowerShell.ConsoleHost.ni.dll.aux.tmp
Loads dropped DLL (1 TTPs)
Modifies control panel (1 IoCs)
  \REGISTRY\USER\S-1-5-21-1977670210-1209397319-124334088-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"
Suspicious registry modification (1 IoCs)
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\PendingFileRenameOperations = 5c003f003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c00540065006d0070005c006800690062007300790073002e0057004e004300520059005400000000000000
Executes dropped EXE (1 TTPs)
Loads dropped DLL (1 TTPs)
Suspicious use of WriteProcessMemory (1 TTPs, 1 IoCs)
  description | pid | Process
  PID 2008 wrote to memory of 1412 | 1412 | Process not Found
Executes dropped EXE (1 TTPs)
Suspicious use of SetWindowsHookEx (1 TTPs)
Suspicious use of SetWindowsHookEx (1 TTPs)
Drops file in system dir (3 IoCs)
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\138-0\Microsoft.PowerShell.Core.Activities.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce#\680d4080ee5e60f2ed2e9d56b54be8d6\Microsoft.PowerShell.Core.Activities.ni.dll.aux.tmp
Loads dropped DLL (1 TTPs)
Loads dropped DLL (1 TTPs)
Suspicious use of WriteProcessMemory (1 TTPs, 1 IoCs)
  description | pid | Process
  PID 540 wrote to memory of 596 | 596 | Process not Found
Executes dropped EXE (1 TTPs)
Drops file in system dir (3 IoCs)
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\6d8-0\Microsoft.PowerShell.Diagnostics.Activities.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P34f388c1#\4dd796da5cd3a7855c4bd754efed0d48\Microsoft.PowerShell.Diagnostics.Activities.ni.dll.aux.tmp
Loads dropped DLL (1 TTPs)
Loads dropped DLL (1 TTPs)
Suspicious behavior: EnumeratesProcesses
Executes dropped EXE (1 TTPs)
Executes dropped EXE (1 TTPs)
Executes dropped EXE (1 TTPs)
Suspicious use of SetWindowsHookEx (1 TTPs)
Suspicious use of AdjustPrivilegeToken (1 TTPs, 1 IoCs)
  Token: SeTcbPrivilege
Modifies control panel (1 IoCs)
  \REGISTRY\USER\S-1-5-21-1977670210-1209397319-124334088-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"
Suspicious use of WriteProcessMemory (1 TTPs, 1 IoCs)
  description | pid | Process
  PID 700 wrote to memory of 1752 | 1752 | Process not Found
Adds Run entry to start application (2 TTPs, 2 IoCs)
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (CreateKeyEx)
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ixqwibbzwhh084 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""
Suspicious use of WriteProcessMemory (1 TTPs, 1 IoCs)
  description | pid | Process
  PID 1412 wrote to memory of 1260 | 1260 | Process not Found
Interacts with shadow copies (2 TTPs)
Suspicious use of WriteProcessMemory (1 TTPs, 2 IoCs)
  description | pid | Process
  PID 1260 wrote to memory of 1276 | 1276 | Process not Found
  PID 1260 wrote to memory of 1712 | 1712 | Process not Found
Suspicious use of AdjustPrivilegeToken (1 TTPs, 3 IoCs)
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeAuditPrivilege
Modifies service (2 TTPs, 4 IoCs)
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (CreateKeyEx)
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (CreateKeyEx)
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (CreateKeyEx)
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (CreateKeyEx)
Deletes shadow copies (2 TTPs)
Suspicious use of AdjustPrivilegeToken (1 TTPs, 20 IoCs)
  Token: SeIncreaseQuotaPrivilege
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeSystemtimePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  Token: SeSystemEnvironmentPrivilege
  Token: SeRemoteShutdownPrivilege
  Token: SeUndockPrivilege
  Token: SeManageVolumePrivilege
  Token: 33
  Token: 34
  Token: 35
Drops file in system dir (3 IoCs)
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\6cc-0\Microsoft.PowerShell.Editor.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P10d01611#\3037a8e88408d67115e75b819628bff6\Microsoft.PowerShell.Editor.ni.dll.aux.tmp
Loads dropped DLL (1 TTPs)
Loads dropped DLL (1 TTPs)
Drops file in system dir (3 IoCs)
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\770-0\Microsoft.PowerShell.GPowerShell.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\bd15d0889b1627fe9c0fb70bd62db369\Microsoft.PowerShell.GPowerShell.ni.dll.aux.tmp
Drops file in system dir (3 IoCs)
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\2bc-0\Microsoft.PowerShell.GraphicalHost.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pcd26229b#\e26d2700d474c30c13e234acb7fc3067\Microsoft.PowerShell.GraphicalHost.ni.dll.aux.tmp
Loads dropped DLL (1 TTPs)
wannacry family