wastedlocker | bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8

General

Target

bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe
Size

60KB
MD5

0ed2ca539a01cdb86c88a9a1604b2005
SHA1

4fed7eae00bfa21938e49f33b7c6794fd7d0750c
SHA256

bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8
SHA512

34dad101cd7c5f9ff2267674d224986b9274e0e17d9ae665ca1af4ffa57408106238b1e248045465ab17c72a4b92473ab3714aefb705d95f9725a4251379c7e2

Score

10^/10

ransomware persistence discovery exploit wastedlocker

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\JoinExport.html.txt

Family

wastedlocker

Ransom Note

BBA Aviation YOUR NETWORK IS ENCRYPTED NOW USE 91645@PROTONMAIL.CH | 61258@ECLIPSO.CH TO GET THE PRICE FOR YOUR DATA DO NOT GIVE THIS EMAIL TO 3RD PARTIES DO NOT RENAME OR MOVE THE FILE THE FILE IS ENCRYPTED WITH THE FOLLOWING KEY: [begin_key]sokp3AknKPVKOBuf+KiKHhVm3kMMqxTldtzJzt1H4i3wX4ekJxAJE07T95hhX85i riq8t1bfZVk+7tkeX7DEXr2tCIUucA/CTpqWr/X6R24gsfykV9vJC2J2N8LW8drR e+9UhSOtBn4B4GaXL1VkW6FN3Ij3C+5ICUSCcMFsfGwXK+Okol4a0cI4fukNc4DO i48JU1BLRdm/IJBAbzSWIuX3/jth+xz7agRGfoMAy790XsoviuykyQB7aHoQWbqY C4qWBkPle5p5AXw+61mGUMpLmnVsdwasSDgcET3gBq0dnC/iSKLqiJAwoejbIvYD 5oBWp92LhMqMT60tL7TmO9Y2qCSDoBn5GMpb79Ef8uze7aeEw9j2+hYvYkHCG8X1 YLMG9edz04xO2gduQAP9OTtHTug9ZyMIKjkpG4+DqsOBRhSAgc8GdOZDBFjHK3J9 7Besr5PPPDfS3C5gk0a1kpPM8YF+6h8IdfmB3ru2TUs3Cm560KL4eEOIVJZtgXl6 dGWn0ZXL9XDinbrimGlU9t67xPNFTIrrQM8tmtT10hnsAKLCP5C0NeeY/a44dvqR wPNtMK3/P92akl19+VjgitfK2vHuFO69Wx0/nF6Oy5apbxj476vwZqsqMKlmJnz5 cTkd3kw4FunpnwSvoFLHZvKjQ+9xeWfubISt7meUgtS=[end_key] KEEP IT

Emails

91645@PROTONMAIL.CH

61258@ECLIPSO.CH

Signatures

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exeBackup:binBackup.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1612 wrote to memory of 364	1612	bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe	Backup:bin
PID 1612 wrote to memory of 364	1612	bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe	Backup:bin
PID 1612 wrote to memory of 364	1612	bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe	Backup:bin
PID 1612 wrote to memory of 364	1612	bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe	Backup:bin
PID 364 wrote to memory of 1052	364	Backup:bin	vssadmin.exe
PID 364 wrote to memory of 1052	364	Backup:bin	vssadmin.exe
PID 364 wrote to memory of 1052	364	Backup:bin	vssadmin.exe
PID 364 wrote to memory of 1052	364	Backup:bin	vssadmin.exe
PID 364 wrote to memory of 1924	364	Backup:bin	takeown.exe
PID 364 wrote to memory of 1924	364	Backup:bin	takeown.exe
PID 364 wrote to memory of 1924	364	Backup:bin	takeown.exe
PID 364 wrote to memory of 1924	364	Backup:bin	takeown.exe
PID 364 wrote to memory of 1944	364	Backup:bin	icacls.exe
PID 364 wrote to memory of 1944	364	Backup:bin	icacls.exe
PID 364 wrote to memory of 1944	364	Backup:bin	icacls.exe
PID 364 wrote to memory of 1944	364	Backup:bin	icacls.exe
PID 1976 wrote to memory of 1764	1976	Backup.exe	cmd.exe
PID 1976 wrote to memory of 1764	1976	Backup.exe	cmd.exe
PID 1976 wrote to memory of 1764	1976	Backup.exe	cmd.exe
PID 1976 wrote to memory of 1764	1976	Backup.exe	cmd.exe
PID 1764 wrote to memory of 1592	1764	cmd.exe	choice.exe
PID 1764 wrote to memory of 1592	1764	cmd.exe	choice.exe
PID 1764 wrote to memory of 1592	1764	cmd.exe	choice.exe
PID 1764 wrote to memory of 1592	1764	cmd.exe	choice.exe
PID 364 wrote to memory of 1596	364	Backup:bin	cmd.exe
PID 364 wrote to memory of 1596	364	Backup:bin	cmd.exe
PID 364 wrote to memory of 1596	364	Backup:bin	cmd.exe
PID 364 wrote to memory of 1596	364	Backup:bin	cmd.exe
PID 1612 wrote to memory of 1664	1612	bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe	cmd.exe
PID 1612 wrote to memory of 1664	1612	bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe	cmd.exe
PID 1612 wrote to memory of 1664	1612	bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe	cmd.exe
PID 1612 wrote to memory of 1664	1612	bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe	cmd.exe
PID 1596 wrote to memory of 1088	1596	cmd.exe	choice.exe
PID 1596 wrote to memory of 1088	1596	cmd.exe	choice.exe
PID 1596 wrote to memory of 1088	1596	cmd.exe	choice.exe
PID 1596 wrote to memory of 1088	1596	cmd.exe	choice.exe
PID 1664 wrote to memory of 1080	1664	cmd.exe	choice.exe
PID 1664 wrote to memory of 1080	1664	cmd.exe	choice.exe
PID 1664 wrote to memory of 1080	1664	cmd.exe	choice.exe
PID 1664 wrote to memory of 1080	1664	cmd.exe	choice.exe
PID 1764 wrote to memory of 2008	1764	cmd.exe	attrib.exe
PID 1764 wrote to memory of 2008	1764	cmd.exe	attrib.exe
PID 1764 wrote to memory of 2008	1764	cmd.exe	attrib.exe
PID 1764 wrote to memory of 2008	1764	cmd.exe	attrib.exe
PID 1596 wrote to memory of 832	1596	cmd.exe	attrib.exe
PID 1596 wrote to memory of 832	1596	cmd.exe	attrib.exe
PID 1596 wrote to memory of 832	1596	cmd.exe	attrib.exe
PID 1596 wrote to memory of 832	1596	cmd.exe	attrib.exe
PID 1664 wrote to memory of 1424	1664	cmd.exe	attrib.exe
PID 1664 wrote to memory of 1424	1664	cmd.exe	attrib.exe
PID 1664 wrote to memory of 1424	1664	cmd.exe	attrib.exe
PID 1664 wrote to memory of 1424	1664	cmd.exe	attrib.exe

Executes dropped EXE 2 IoCs

Processes:

Backup:binBackup.exe

pid process

364 Backup:bin
1976 Backup.exe

pid	process
364	Backup:bin
1976	Backup.exe

Loads dropped DLL 2 IoCs

Processes:

bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe

pid	process
1612	bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe
1612	bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1052 vssadmin.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

216 NOTEPAD.EXE

pid	process
1052	vssadmin.exe

pid	process
216	NOTEPAD.EXE

NTFS ADS 1 IoCs

Processes:

bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Backup:bin	bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1508 vssvc.exe
Token: SeRestorePrivilege 1508 vssvc.exe
Token: SeAuditPrivilege 1508 vssvc.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1924 takeown.exe
1944 icacls.exe
WastedLocker
Ransomware family seen in the wild since May 2020.
ransomware wastedlocker
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1664 cmd.exe

description	pid	process
Token: SeBackupPrivilege	1508	vssvc.exe
Token: SeRestorePrivilege	1508	vssvc.exe
Token: SeAuditPrivilege	1508	vssvc.exe

pid	process
1924	takeown.exe
1944	icacls.exe

pid	process
1664	cmd.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1924 takeown.exe
1944 icacls.exe

pid	process
1924	takeown.exe
1944	icacls.exe

Drops file in System32 directory 2 IoCs

Processes:

Backup:binattrib.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Backup.exe	Backup:bin
File opened for modification	C:\Windows\SysWOW64\Backup.exe	attrib.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

2008 attrib.exe
832 attrib.exe
1424 attrib.exe

pid	process
2008	attrib.exe
832	attrib.exe
1424	attrib.exe

C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe
"C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
- NTFS ADS
PID:1612

C:\Users\Admin\AppData\Roaming\Backup:bin
C:\Users\Admin\AppData\Roaming\Backup:bin -r
2⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Drops file in System32 directory
PID:364

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:1052

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Windows\system32\Backup.exe
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1924

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Windows\system32\Backup.exe /reset
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1944

C:\Windows\SysWOW64\cmd.exe
cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Backup" & del "C:\Users\Admin\AppData\Roaming\Backup"
3⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\SysWOW64\choice.exe
choice /t 10 /d y
4⤵
PID:1088

C:\Windows\SysWOW64\attrib.exe
attrib -h "C:\Users\Admin\AppData\Roaming\Backup"
4⤵
- Views/modifies file attributes
PID:832

C:\Windows\SysWOW64\cmd.exe
cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe" & del "C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Deletes itself
PID:1664

C:\Windows\SysWOW64\choice.exe
choice /t 10 /d y
3⤵
PID:1080

C:\Windows\SysWOW64\attrib.exe
attrib -h "C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe"
3⤵
- Views/modifies file attributes
PID:1424

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:1508

C:\Windows\SysWOW64\Backup.exe
C:\Windows\SysWOW64\Backup.exe -s
1⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1976

C:\Windows\SysWOW64\cmd.exe
cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Backup.exe" & del "C:\Windows\SysWOW64\Backup.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\choice.exe
choice /t 10 /d y
3⤵
PID:1592

C:\Windows\SysWOW64\attrib.exe
attrib -h "C:\Windows\SysWOW64\Backup.exe"
3⤵
- Drops file in System32 directory
- Views/modifies file attributes
PID:2008

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\JoinExport.html.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:216