Task
task1
Task
task2
Task
task3
Task
task4
Task
task5
Task
task6
Task
task7
Task
task8
Task
task9
Task
task10
General
-
Target
test.zip
-
Sample
190821-b2h8n5wv9n
-
SHA256
72b228f51cf5a1b7600f0e0848145e4e54e54838977a5a5b1c85f69b64b92cf5
Score
N/A
Malware Config
Signatures
-
Sets file to hidden 1 TTPs
-
Suspicious use of WriteProcessMemory 1 TTPs 10 IoCs
description pid Process PID 1628 wrote to memory of 1688 1688 Process not Found PID 1628 wrote to memory of 820 820 Process not Found PID 1628 wrote to memory of 1104 1104 Process not Found PID 1628 wrote to memory of 1840 1840 Process not Found PID 1628 wrote to memory of 1772 1772 Process not Found PID 1628 wrote to memory of 804 804 Process not Found PID 1628 wrote to memory of 2992 2992 Process not Found PID 1628 wrote to memory of 3012 3012 Process not Found PID 1628 wrote to memory of 3032 3032 Process not Found PID 1628 wrote to memory of 3048 3048 Process not Found -
Modifies file permissions 1 TTPs
-
Loads dropped DLL 1 TTPs
-
Loads dropped DLL 1 TTPs
-
Executes dropped EXE 1 TTPs
-
Suspicious use of WriteProcessMemory 1 TTPs 1 IoCs
description pid Process PID 1840 wrote to memory of 1740 1740 Process not Found -
Loads dropped DLL 1 TTPs
-
Loads dropped DLL 1 TTPs
-
Loads dropped DLL 1 TTPs
-
Drops startup file 1 IoCs
description C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDF10E.tmp -
Sets desktop wallpaper registry value 2 TTPs 1 IoCs
description \REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" -
Executes dropped EXE 1 TTPs
-
Suspicious registry modification 1 IoCs
description \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\PendingFileRenameOperations = 5c003f003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c00540065006d0070005c006800690062007300790073002e0057004e004300520059005400000000000000 -
Suspicious use of WriteProcessMemory 1 TTPs 1 IoCs
description pid Process PID 804 wrote to memory of 2024 2024 Process not Found -
Executes dropped EXE 1 TTPs
-
Loads dropped DLL 1 TTPs
-
Suspicious use of SetWindowsHookEx 1 TTPs
-
Suspicious use of SetWindowsHookEx 1 TTPs
-
Loads dropped DLL 1 TTPs
-
Loads dropped DLL 1 TTPs
-
Loads dropped DLL 1 TTPs
-
Suspicious use of WriteProcessMemory 1 TTPs 1 IoCs
description pid Process PID 1772 wrote to memory of 636 636 Process not Found -
Executes dropped EXE 1 TTPs
-
Loads dropped DLL 1 TTPs
-
Suspicious behavior: EnumeratesProcesses
-
Loads dropped DLL 1 TTPs
-
Loads dropped DLL 1 TTPs
-
Loads dropped DLL 1 TTPs
-
Suspicious use of WriteProcessMemory 1 TTPs 1 IoCs
description pid Process PID 2024 wrote to memory of 2460 2460 Process not Found -
Interacts with shadow copies 2 TTPs
-
Suspicious use of WriteProcessMemory 1 TTPs 2 IoCs
description pid Process PID 2460 wrote to memory of 2480 2480 Process not Found PID 2460 wrote to memory of 2648 2648 Process not Found -
Loads dropped DLL 1 TTPs
-
Suspicious use of AdjustPrivilegeToken 1 TTPs 3 IoCs
description Token: SeBackupPrivilege Token: SeRestorePrivilege Token: SeAuditPrivilege -
Modifies service 2 TTPs 4 IoCs
description \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (CreateKeyEx) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (CreateKeyEx) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (CreateKeyEx) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (CreateKeyEx) -
Loads dropped DLL 1 TTPs
-
Deletes shadow copies 2 TTPs
-
Loads dropped DLL 1 TTPs
-
Loads dropped DLL 1 TTPs
-
Suspicious use of AdjustPrivilegeToken 1 TTPs 20 IoCs
description Token: SeIncreaseQuotaPrivilege Token: SeSecurityPrivilege Token: SeTakeOwnershipPrivilege Token: SeLoadDriverPrivilege Token: SeSystemProfilePrivilege Token: SeSystemtimePrivilege Token: SeProfSingleProcessPrivilege Token: SeIncBasePriorityPrivilege Token: SeCreatePagefilePrivilege Token: SeBackupPrivilege Token: SeRestorePrivilege Token: SeShutdownPrivilege Token: SeDebugPrivilege Token: SeSystemEnvironmentPrivilege Token: SeRemoteShutdownPrivilege Token: SeUndockPrivilege Token: SeManageVolumePrivilege Token: 33 Token: 34 Token: 35 -
Loads dropped DLL 1 TTPs
-
Executes dropped EXE 1 TTPs
-
Executes dropped EXE 1 TTPs
-
Executes dropped EXE 1 TTPs
-
Suspicious use of SetWindowsHookEx 1 TTPs
-
Sets desktop wallpaper registry value 2 TTPs 1 IoCs
description \REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" -
Suspicious use of AdjustPrivilegeToken 1 TTPs 1 IoCs
description Token: SeTcbPrivilege -
Suspicious use of WriteProcessMemory 1 TTPs 1 IoCs
description pid Process PID 3048 wrote to memory of 2004 2004 Process not Found -
Adds Run entry to start application 2 TTPs 2 IoCs
description \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (CreateKeyEx) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\acbqjdbjbsevuk817 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\"" -
Loads dropped DLL 1 TTPs
-
Loads dropped DLL 1 TTPs
-
Loads dropped DLL 1 TTPs
-
Loads dropped DLL 1 TTPs
-
Loads dropped DLL 1 TTPs
-
wannacry family