General
  Target:  test.zip
  Sample:  190809-b9e7y9szpa
  SHA256:  72b228f51cf5a1b7600f0e0848145e4e54e54838977a5a5b1c85f69b64b92cf5
  Score:   N/A
Malware Config
Signatures
Sets file to hidden (1 TTPs)

Suspicious use of WriteProcessMemory (1 TTPs, 10 IoCs)
  description                          pid   Process
  PID 1064 wrote to memory of 1456     1456  Process not Found
  PID 1064 wrote to memory of 1588     1588  Process not Found
  PID 1064 wrote to memory of 2968     2968  Process not Found
  PID 1064 wrote to memory of 3452     3452  Process not Found
  PID 1064 wrote to memory of 3868     3868  Process not Found
  PID 1064 wrote to memory of 3860     3860  Process not Found
  PID 1064 wrote to memory of 796      796   Process not Found
  PID 1064 wrote to memory of 840      840   Process not Found
  PID 1064 wrote to memory of 2488     2488  Process not Found
  PID 1064 wrote to memory of 2800     2800  Process not Found

Modifies file permissions (1 TTPs)

Executes dropped EXE (1 TTPs)

Suspicious use of WriteProcessMemory (1 TTPs, 1 IoCs)
  description                          pid   Process
  PID 3452 wrote to memory of 2276     2276  Process not Found

Drops startup file (1 IoCs)
  description
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD12B9.tmp

Modifies control panel (1 IoCs)
  description
  \REGISTRY\USER\S-1-5-21-3036946624-713005404-4182576195-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"

Executes dropped EXE (1 TTPs)

Suspicious registry modification (1 IoCs)
  description
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\PendingFileRenameOperations = 5c003f003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c00540065006d0070005c006800690062007300790073002e0057004e004300520059005400000000000000

Suspicious use of WriteProcessMemory (1 TTPs, 1 IoCs)
  description                          pid   Process
  PID 3860 wrote to memory of 3816     3816  Process not Found

Executes dropped EXE (1 TTPs)

Executes dropped EXE (1 TTPs)

Executes dropped EXE (1 TTPs)

Suspicious use of SetWindowsHookEx (1 TTPs)

Suspicious use of SetWindowsHookEx (1 TTPs)

Executes dropped EXE (1 TTPs)

Suspicious use of SetWindowsHookEx (1 TTPs)

Suspicious use of WriteProcessMemory (1 TTPs, 1 IoCs)
  description                          pid   Process
  PID 2488 wrote to memory of 3092     3092  Process not Found

Suspicious use of AdjustPrivilegeToken (1 TTPs, 1 IoCs)
  description
  Token: SeTcbPrivilege

Adds Run entry to start application (2 TTPs, 2 IoCs)
  description
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (CreateKeyEx)
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wnmnzrxwqxfuser467 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""

Modifies control panel (1 IoCs)
  description
  \REGISTRY\USER\S-1-5-21-3036946624-713005404-4182576195-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"

Suspicious use of WriteProcessMemory (1 TTPs, 1 IoCs)
  description                          pid   Process
  PID 3868 wrote to memory of 3256     3256  Process not Found

Executes dropped EXE (1 TTPs)

Loads dropped DLL (1 TTPs)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory (1 TTPs, 1 IoCs)
  description                          pid   Process
  PID 3816 wrote to memory of 1052     1052  Process not Found

Interacts with shadow copies (2 TTPs)

Suspicious use of WriteProcessMemory (1 TTPs, 2 IoCs)
  description                          pid   Process
  PID 1052 wrote to memory of 3744     3744  Process not Found
  PID 1052 wrote to memory of 2828     2828  Process not Found

Suspicious use of AdjustPrivilegeToken (1 TTPs, 3 IoCs)
  description
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeAuditPrivilege

Modifies service (2 TTPs, 4 IoCs)
  description
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (CreateKeyEx)
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (CreateKeyEx)
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (CreateKeyEx)
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (CreateKeyEx)

Deletes shadow copies (2 TTPs)

Suspicious use of AdjustPrivilegeToken (1 TTPs, 21 IoCs)
  description
  Token: SeIncreaseQuotaPrivilege
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeSystemtimePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  Token: SeSystemEnvironmentPrivilege
  Token: SeRemoteShutdownPrivilege
  Token: SeUndockPrivilege
  Token: SeManageVolumePrivilege
  Token: 33
  Token: 34
  Token: 35
  Token: 36

wannacry family