Analysis
- Max time kernel: 144s
- Max time network: 149s
- Platform: windows10_x64
- Resource: win10v200430
- Submitted: 30-06-2020 15:30

Tasks
- Static task static1
- Behavioral task behavioral1: sample 8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80.exe, resource win7
- Behavioral task behavioral2: sample 8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80.exe, resource win10v200430
General
- Target: 8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80.exe
- Size: 56KB
- MD5: ecb00e9a61f99a7d4c90723294986bbc
- SHA1: be59c867da75e2a66b8c2519e950254f817cd4ad
- SHA256: 8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80
- SHA512: 9dee79827d865de41a63962b419eed7e1f9610ff27f00f8b7b2b9f51e905d5db907d310da590d8f1a11ac88e549373edf39bffdb44d1b205728f1b5e0a43aa5e
Malware Config
Extracted from: C:\Users\Admin\Desktop\MoveDeny.mpeg3.eswasted_info.txt
- Family: wastedlocker
- Contact addresses: 48907@PROTONMAIL.COM, 78470@TUTANOTA.COM
Signatures
- Views/modifies file attributes (1 TTPs, 3 IoCs)
  Processes: attrib.exe (PID 256), attrib.exe (PID 276), attrib.exe (PID 1736)
- Executes dropped EXE (2 IoCs)
  Processes: Mode:bin (PID 1740), Mode.exe (PID 3860)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe (PID 2392) enabled SeBackupPrivilege, SeRestorePrivilege and SeAuditPrivilege
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 1980)
- Possible privilege escalation attempt (2 IoCs)
  Processes: takeown.exe (PID 296), icacls.exe (PID 2836)
- WastedLocker
  Ransomware family seen in the wild since May 2020.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies file permissions (1 TTPs, 2 IoCs)
  Processes: takeown.exe (PID 296), icacls.exe (PID 2836)
- Suspicious use of WriteProcessMemory (38 IoCs)
  Processes: 8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80.exe, Mode:bin, Mode.exe, cmd.exe (x3)
  Source PID -> target PID (source process -> target process), with the number of write events recorded:
  - 1628 -> 1740 (8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80.exe -> Mode:bin), 3 events
  - 1740 -> 1980 (Mode:bin -> vssadmin.exe), 2 events
  - 1740 -> 296 (Mode:bin -> takeown.exe), 3 events
  - 1740 -> 2836 (Mode:bin -> icacls.exe), 3 events
  - 3860 -> 3868 (Mode.exe -> cmd.exe), 3 events
  - 3868 -> 4004 (cmd.exe -> choice.exe), 3 events
  - 1740 -> 1772 (Mode:bin -> cmd.exe), 3 events
  - 1628 -> 4024 (8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80.exe -> cmd.exe), 3 events
  - 1772 -> 1652 (cmd.exe -> choice.exe), 3 events
  - 4024 -> 3544 (cmd.exe -> choice.exe), 3 events
  - 3868 -> 256 (cmd.exe -> attrib.exe), 3 events
  - 1772 -> 276 (cmd.exe -> attrib.exe), 3 events
  - 4024 -> 1736 (cmd.exe -> attrib.exe), 3 events
- Modifies service (2 TTPs, 5 IoCs)
  Process: vssvc.exe. Keys created:
  - \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  - \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
  - \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  - \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
  - \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
- Drops file in System32 directory (2 IoCs)
  - File opened for modification: C:\Windows\SysWOW64\Mode.exe (by Mode:bin)
  - File opened for modification: C:\Windows\SysWOW64\Mode.exe (by attrib.exe)
- Opens file in notepad (likely ransom note) (1 IoCs)
  Processes: NOTEPAD.EXE (PID 1632)
- NTFS ADS (1 IoCs)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Mode:bin (by 8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80.exe)
Processes
Each entry shows the process image, its command line, and the signatures it triggered; nesting shows the parent/child relationship.

- C:\Users\Admin\AppData\Local\Temp\8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80.exe"
  Signatures: Suspicious use of WriteProcessMemory; NTFS ADS
  - C:\Users\Admin\AppData\Roaming\Mode:bin
    Command line: C:\Users\Admin\AppData\Roaming\Mode:bin -r
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory; Drops file in System32 directory
    - C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      Signatures: Interacts with shadow copies
    - C:\Windows\SysWOW64\takeown.exe
      Command line: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Mode.exe
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\SysWOW64\icacls.exe
      Command line: C:\Windows\system32\icacls.exe C:\Windows\system32\Mode.exe /reset
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Mode" & del "C:\Users\Admin\AppData\Roaming\Mode"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\choice.exe
        Command line: choice /t 10 /d y
      - C:\Windows\SysWOW64\attrib.exe
        Command line: attrib -h "C:\Users\Admin\AppData\Roaming\Mode"
        Signatures: Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80.exe" & del "C:\Users\Admin\AppData\Local\Temp\8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe
      Command line: choice /t 10 /d y
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80.exe"
      Signatures: Views/modifies file attributes
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken; Modifies service
- C:\Windows\SysWOW64\Mode.exe
  Command line: C:\Windows\SysWOW64\Mode.exe -s
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Mode.exe" & del "C:\Windows\SysWOW64\Mode.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe
      Command line: choice /t 10 /d y
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Windows\SysWOW64\Mode.exe"
      Signatures: Views/modifies file attributes; Drops file in System32 directory
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\MoveDeny.mpeg3.eswasted_info.txt
  Signatures: Opens file in notepad (likely ransom note)

Reading notes:
- The sample is a 32-bit executable: the child processes run from C:\Windows\SysWOW64 even though their command lines name C:\Windows\system32, so WoW64 file-system redirection maps the takeown/icacls target C:\Windows\system32\Mode.exe to C:\Windows\SysWOW64\Mode.exe, which is the path the "Drops file in System32 directory" signature reports.
- The takeown /F and icacls /reset calls act on the sample's own dropped copy (Mode.exe), not on a pre-existing system file; the "Possible privilege escalation attempt" signature is a heuristic on the tools used, not evidence that elevation succeeded.
- Each stage removes its own launcher after a 10-second delay (choice /t 10 /d y), clearing the hidden attribute before del. The first cmd chain deletes C:\Users\Admin\AppData\Roaming\Mode, the file that hosts the Mode:bin alternate data stream the stage ran from; deleting the host file removes the stream with it.
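The process tree above is the part of this report a detection engineer would turn into rules: an executable launched from an NTFS alternate data stream, vssadmin deleting all shadow copies, takeown/icacls aimed at a System32 path by a process living in the user profile, and the delayed cmd /c choice ... & del self-deletion. The following is an added example, not part of the sandbox report, that encodes those four checks and runs them over process-creation events constructed from the tree (PIDs, image paths and command lines are the report's; a parent PID of 0 is an assumption standing in for a parent the report does not show). The self-delete check also handles the ADS case, where the deleted path is the stream's host file rather than the parent's own image.

```python
"""Detection rules for the WastedLocker execution chain in the report above.

Added example, not part of the sandbox report. EVENTS is constructed from the
report's process tree; ppid 0 marks a parent the report does not show.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # path of the executable that was started
    command_line: str


SAMPLE = "8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80.exe"
SAMPLE_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE

# Constructed from the report's process tree (PIDs and command lines as shown there).
EVENTS: List[ProcEvent] = [
    ProcEvent(1628, 0, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(1740, 1628, r"C:\Users\Admin\AppData\Roaming\Mode:bin",
              r"C:\Users\Admin\AppData\Roaming\Mode:bin -r"),
    ProcEvent(1980, 1740, r"C:\Windows\system32\vssadmin.exe",
              r"C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(296, 1740, r"C:\Windows\SysWOW64\takeown.exe",
              r"C:\Windows\system32\takeown.exe /F C:\Windows\system32\Mode.exe"),
    ProcEvent(2836, 1740, r"C:\Windows\SysWOW64\icacls.exe",
              r"C:\Windows\system32\icacls.exe C:\Windows\system32\Mode.exe /reset"),
    ProcEvent(1772, 1740, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Mode" & del "C:\Users\Admin\AppData\Roaming\Mode"'),
    ProcEvent(4024, 1628, r"C:\Windows\SysWOW64\cmd.exe",
              f'cmd /c choice /t 10 /d y & attrib -h "{SAMPLE_PATH}" & del "{SAMPLE_PATH}"'),
    ProcEvent(1632, 0, r"C:\Windows\system32\NOTEPAD.EXE",
              r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\MoveDeny.mpeg3.eswasted_info.txt'),
]

# Final path component contains ':' -> process image is an NTFS alternate data stream.
ADS_IMAGE = re.compile(r"^[a-z]:\\.*\\[^\\:]+:[^\\]+$", re.I)
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)
# "choice /t N /d y" used as a sleep before "& del <path>" at the end of the line.
CHOICE_DELAY = re.compile(r"\bchoice\b[^&]*/t\s+\d+[^&]*/d\s+y\b", re.I)
DEL_TARGET = re.compile(r'&\s*del\s+"?([^"&]+?)"?\s*$', re.I)
ACL_TOOLS = ("takeown.exe", "icacls.exe")


def under_system_dir(path: str) -> bool:
    """True for paths under System32 or its WoW64 twin (both appear in the report)."""
    return path.lower().startswith(("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"))


def acl_change_on_system_file(ev: ProcEvent, parent: Optional[ProcEvent]) -> bool:
    """takeown/icacls pointed at a System32/SysWOW64 file by a parent outside C:\\Windows."""
    if not ev.image.lower().endswith(ACL_TOOLS):
        return False
    # Skip the first token: it is the tool's own path, which also lives under System32.
    if not any(under_system_dir(tok) for tok in ev.command_line.split()[1:]):
        return False
    return parent is None or not parent.image.lower().startswith("c:\\windows\\")


def is_self_delete(ev: ProcEvent, parent: Optional[ProcEvent]) -> bool:
    """Delayed 'del' whose target is the parent's image, or the file hosting the
    parent's alternate data stream (del "...\\Mode" for a parent "...\\Mode:bin")."""
    if parent is None or not CHOICE_DELAY.search(ev.command_line):
        return False
    m = DEL_TARGET.search(ev.command_line)
    if not m:
        return False
    target = m.group(1).strip().lower()
    parent_image = parent.image.lower()
    return parent_image == target or parent_image.startswith(target + ":")


def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule, pid) findings in event order; each event can hit several rules."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Tuple[str, int]] = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if ADS_IMAGE.match(ev.image):
            findings.append(("exec_from_ntfs_ads", ev.pid))
        if SHADOW_DELETE.search(ev.command_line):
            findings.append(("shadow_copy_deletion", ev.pid))
        if acl_change_on_system_file(ev, parent):
            findings.append(("acl_change_system32_by_user_process", ev.pid))
        if is_self_delete(ev, parent):
            findings.append(("delayed_self_delete", ev.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:40s} pid={pid}")
```

Matching the del target against the parent image (rather than alerting on every `choice ... & del`) is what keeps this rule quiet on installers and updaters that clean up temp files; the ADS host-file comparison is the branch that catches the first cmd chain in this report, which a plain equality check would miss.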
Downloads
- C:\Users\Admin\AppData\Roaming\Mode:bin
- C:\Users\Admin\Desktop\MoveDeny.mpeg3.eswasted_info.txt
- C:\Windows\SysWOW64\Mode.exe
- memory/256-14-0x0000000000000000-mapping.dmp
- memory/276-15-0x0000000000000000-mapping.dmp
- memory/296-4-0x0000000000000000-mapping.dmp
- memory/1652-12-0x0000000000000000-mapping.dmp
- memory/1736-16-0x0000000000000000-mapping.dmp
- memory/1740-0-0x0000000000000000-mapping.dmp
- memory/1772-10-0x0000000000000000-mapping.dmp
- memory/1980-3-0x0000000000000000-mapping.dmp
- memory/2836-6-0x0000000000000000-mapping.dmp
- memory/3544-13-0x0000000000000000-mapping.dmp
- memory/3868-8-0x0000000000000000-mapping.dmp
- memory/4004-9-0x0000000000000000-mapping.dmp
- memory/4024-11-0x0000000000000000-mapping.dmp