General
  Target: test.zip
  Sample: 190813-bzccs8gxyn
  SHA256: 72b228f51cf5a1b7600f0e0848145e4e54e54838977a5a5b1c85f69b64b92cf5
  Score: N/A

Malware Config

Signatures
- Sets file to hidden (1 TTPs)
- Suspicious use of WriteProcessMemory (1 TTPs, 7 IoCs)
    description | pid | Process
    PID 1752 wrote to memory of 968 | 968 | Process not Found
    PID 1752 wrote to memory of 2464 | 2464 | Process not Found
    PID 1752 wrote to memory of 3532 | 3532 | Process not Found
    PID 1752 wrote to memory of 3608 | 3608 | Process not Found
    PID 1752 wrote to memory of 4076 | 4076 | Process not Found
    PID 1752 wrote to memory of 4044 | 4044 | Process not Found
    PID 1752 wrote to memory of 4012 | 4012 | Process not Found
- Modifies file permissions (1 TTPs)
- Executes dropped EXE (1 TTPs)
- Suspicious use of WriteProcessMemory (1 TTPs, 1 IoCs)
    description | pid | Process
    PID 3608 wrote to memory of 3644 | 3644 | Process not Found
- Drops startup file (1 IoCs)
    description
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD41BB.tmp
- Executes dropped EXE (1 TTPs)
- Sets desktop wallpaper registry value (2 TTPs, 1 IoCs)
    description
    \REGISTRY\USER\S-1-5-21-4159699222-2363879890-816855548-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"
- Executes dropped EXE (1 TTPs)
- Suspicious registry modification (1 IoCs)
    description
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\PendingFileRenameOperations = 5c003f003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c00540065006d0070005c006800690062007300790073002e0057004e004300520059005400000000000000
    (The value is a UTF-16LE REG_MULTI_SZ. Decoded, it reads \??\C:\Users\Admin\AppData\Local\Temp\hibsys.WNCRYT followed by an empty destination string; PendingFileRenameOperations treats a source with an empty destination as a delete-on-reboot, so the file is queued for removal at the next boot.)
- Suspicious use of WriteProcessMemory (1 TTPs, 1 IoCs)
    description | pid | Process
    PID 4012 wrote to memory of 3952 | 3952 | Process not Found
- Executes dropped EXE (1 TTPs)
- Suspicious use of SetWindowsHookEx (1 TTPs)
- Suspicious use of SetWindowsHookEx (1 TTPs)
- Suspicious use of WriteProcessMemory (1 TTPs, 1 IoCs)
    description | pid | Process
    PID 4044 wrote to memory of 3192 | 3192 | Process not Found
- Executes dropped EXE (1 TTPs)
- Loads dropped DLL (1 TTPs)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory (1 TTPs, 1 IoCs)
    description | pid | Process
    PID 3952 wrote to memory of 2704 | 2704 | Process not Found
- Interacts with shadow copies (2 TTPs)
- Suspicious use of WriteProcessMemory (1 TTPs, 2 IoCs)
    description | pid | Process
    PID 2704 wrote to memory of 3928 | 3928 | Process not Found
    PID 2704 wrote to memory of 2352 | 2352 | Process not Found
- Suspicious use of AdjustPrivilegeToken (1 TTPs, 3 IoCs)
    description
    Token: SeBackupPrivilege
    Token: SeRestorePrivilege
    Token: SeAuditPrivilege
- Modifies service (2 TTPs, 4 IoCs)
    description
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (CreateKeyEx)
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (CreateKeyEx)
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (CreateKeyEx)
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (CreateKeyEx)
- Deletes shadow copies (2 TTPs)
- Suspicious use of AdjustPrivilegeToken (1 TTPs, 21 IoCs)
    description
    Token: SeIncreaseQuotaPrivilege
    Token: SeSecurityPrivilege
    Token: SeTakeOwnershipPrivilege
    Token: SeLoadDriverPrivilege
    Token: SeSystemProfilePrivilege
    Token: SeSystemtimePrivilege
    Token: SeProfSingleProcessPrivilege
    Token: SeIncBasePriorityPrivilege
    Token: SeCreatePagefilePrivilege
    Token: SeBackupPrivilege
    Token: SeRestorePrivilege
    Token: SeShutdownPrivilege
    Token: SeDebugPrivilege
    Token: SeSystemEnvironmentPrivilege
    Token: SeRemoteShutdownPrivilege
    Token: SeUndockPrivilege
    Token: SeManageVolumePrivilege
    Token: 33
    Token: 34
    Token: 35
    Token: 36
wannacry family