wastedlocker | bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8

Analysis

max time kernel
143s
max time network
150s
platform
windows7_x64
resource
win7
submitted
30/06/2020, 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe
Size

60KB
MD5

0ed2ca539a01cdb86c88a9a1604b2005
SHA1

4fed7eae00bfa21938e49f33b7c6794fd7d0750c
SHA256

bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8
SHA512

34dad101cd7c5f9ff2267674d224986b9274e0e17d9ae665ca1af4ffa57408106238b1e248045465ab17c72a4b92473ab3714aefb705d95f9725a4251379c7e2

Score

10^/10

ransomware persistence discovery exploit wastedlocker

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\JoinExport.html.txt

Family

wastedlocker

Ransom Note

BBA Aviation YOUR NETWORK IS ENCRYPTED NOW USE [email protected] | [email protected] TO GET THE PRICE FOR YOUR DATA DO NOT GIVE THIS EMAIL TO 3RD PARTIES DO NOT RENAME OR MOVE THE FILE THE FILE IS ENCRYPTED WITH THE FOLLOWING KEY: [begin_key]sokp3AknKPVKOBuf+KiKHhVm3kMMqxTldtzJzt1H4i3wX4ekJxAJE07T95hhX85i riq8t1bfZVk+7tkeX7DEXr2tCIUucA/CTpqWr/X6R24gsfykV9vJC2J2N8LW8drR e+9UhSOtBn4B4GaXL1VkW6FN3Ij3C+5ICUSCcMFsfGwXK+Okol4a0cI4fukNc4DO i48JU1BLRdm/IJBAbzSWIuX3/jth+xz7agRGfoMAy790XsoviuykyQB7aHoQWbqY C4qWBkPle5p5AXw+61mGUMpLmnVsdwasSDgcET3gBq0dnC/iSKLqiJAwoejbIvYD 5oBWp92LhMqMT60tL7TmO9Y2qCSDoBn5GMpb79Ef8uze7aeEw9j2+hYvYkHCG8X1 YLMG9edz04xO2gduQAP9OTtHTug9ZyMIKjkpG4+DqsOBRhSAgc8GdOZDBFjHK3J9 7Besr5PPPDfS3C5gk0a1kpPM8YF+6h8IdfmB3ru2TUs3Cm560KL4eEOIVJZtgXl6 dGWn0ZXL9XDinbrimGlU9t67xPNFTIrrQM8tmtT10hnsAKLCP5C0NeeY/a44dvqR wPNtMK3/P92akl19+VjgitfK2vHuFO69Wx0/nF6Oy5apbxj476vwZqsqMKlmJnz5 cTkd3kw4FunpnwSvoFLHZvKjQ+9xeWfubISt7meUgtS=[end_key] KEEP IT

Emails

[email protected]

Signatures

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 364	1612	bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe	24
PID 1612 wrote to memory of 364	1612	bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe	24
PID 1612 wrote to memory of 364	1612	bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe	24
PID 1612 wrote to memory of 364	1612	bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe	24
PID 364 wrote to memory of 1052	364	Backup:bin	25
PID 364 wrote to memory of 1052	364	Backup:bin	25
PID 364 wrote to memory of 1052	364	Backup:bin	25
PID 364 wrote to memory of 1052	364	Backup:bin	25
PID 364 wrote to memory of 1924	364	Backup:bin	29
PID 364 wrote to memory of 1924	364	Backup:bin	29
PID 364 wrote to memory of 1924	364	Backup:bin	29
PID 364 wrote to memory of 1924	364	Backup:bin	29
PID 364 wrote to memory of 1944	364	Backup:bin	31
PID 364 wrote to memory of 1944	364	Backup:bin	31
PID 364 wrote to memory of 1944	364	Backup:bin	31
PID 364 wrote to memory of 1944	364	Backup:bin	31
PID 1976 wrote to memory of 1764	1976	Backup.exe	35
PID 1976 wrote to memory of 1764	1976	Backup.exe	35
PID 1976 wrote to memory of 1764	1976	Backup.exe	35
PID 1976 wrote to memory of 1764	1976	Backup.exe	35
PID 1764 wrote to memory of 1592	1764	cmd.exe	37
PID 1764 wrote to memory of 1592	1764	cmd.exe	37
PID 1764 wrote to memory of 1592	1764	cmd.exe	37
PID 1764 wrote to memory of 1592	1764	cmd.exe	37
PID 364 wrote to memory of 1596	364	Backup:bin	38
PID 364 wrote to memory of 1596	364	Backup:bin	38
PID 364 wrote to memory of 1596	364	Backup:bin	38
PID 364 wrote to memory of 1596	364	Backup:bin	38
PID 1612 wrote to memory of 1664	1612	bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe	39
PID 1612 wrote to memory of 1664	1612	bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe	39
PID 1612 wrote to memory of 1664	1612	bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe	39
PID 1612 wrote to memory of 1664	1612	bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe	39
PID 1596 wrote to memory of 1088	1596	cmd.exe	42
PID 1596 wrote to memory of 1088	1596	cmd.exe	42
PID 1596 wrote to memory of 1088	1596	cmd.exe	42
PID 1596 wrote to memory of 1088	1596	cmd.exe	42
PID 1664 wrote to memory of 1080	1664	cmd.exe	43
PID 1664 wrote to memory of 1080	1664	cmd.exe	43
PID 1664 wrote to memory of 1080	1664	cmd.exe	43
PID 1664 wrote to memory of 1080	1664	cmd.exe	43
PID 1764 wrote to memory of 2008	1764	cmd.exe	44
PID 1764 wrote to memory of 2008	1764	cmd.exe	44
PID 1764 wrote to memory of 2008	1764	cmd.exe	44
PID 1764 wrote to memory of 2008	1764	cmd.exe	44
PID 1596 wrote to memory of 832	1596	cmd.exe	45
PID 1596 wrote to memory of 832	1596	cmd.exe	45
PID 1596 wrote to memory of 832	1596	cmd.exe	45
PID 1596 wrote to memory of 832	1596	cmd.exe	45
PID 1664 wrote to memory of 1424	1664	cmd.exe	46
PID 1664 wrote to memory of 1424	1664	cmd.exe	46
PID 1664 wrote to memory of 1424	1664	cmd.exe	46
PID 1664 wrote to memory of 1424	1664	cmd.exe	46

Executes dropped EXE 2 IoCs

pid	Process
364	Backup:bin
1976	Backup.exe

Loads dropped DLL 2 IoCs

pid	Process
1612	bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe
1612	bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1052	vssadmin.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
216	NOTEPAD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Backup:bin	bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	1508	vssvc.exe
Token: SeRestorePrivilege	1508	vssvc.exe
Token: SeAuditPrivilege	1508	vssvc.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
1924	takeown.exe
1944	icacls.exe

WastedLocker
Ransomware family seen in the wild since May 2020.
ransomware wastedlocker

Deletes itself 1 IoCs

pid	Process
1664	cmd.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1924	takeown.exe
1944	icacls.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Backup.exe	Backup:bin
File opened for modification	C:\Windows\SysWOW64\Backup.exe	attrib.exe

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2008	attrib.exe
832	attrib.exe
1424	attrib.exe

C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe
"C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
- NTFS ADS
PID:1612
- C:\Users\Admin\AppData\Roaming\Backup:bin
  C:\Users\Admin\AppData\Roaming\Backup:bin -r
  2⤵
  - Suspicious use of WriteProcessMemory
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:364
- - C:\Windows\system32\vssadmin.exe
    C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1052
- - C:\Windows\SysWOW64\takeown.exe
    C:\Windows\system32\takeown.exe /F C:\Windows\system32\Backup.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1924
- - C:\Windows\SysWOW64\icacls.exe
    C:\Windows\system32\icacls.exe C:\Windows\system32\Backup.exe /reset
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1944
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Backup" & del "C:\Users\Admin\AppData\Roaming\Backup"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1596
  - - C:\Windows\SysWOW64\choice.exe
      choice /t 10 /d y
      4⤵
      PID:1088
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -h "C:\Users\Admin\AppData\Roaming\Backup"
      4⤵
      Views/modifies file attributes
      PID:832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe" & del "C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  - Deletes itself
  PID:1664
- - C:\Windows\SysWOW64\choice.exe
    choice /t 10 /d y
    3⤵
    PID:1080
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h "C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe"
    3⤵
    - Views/modifies file attributes
    PID:1424

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:1508

C:\Windows\SysWOW64\Backup.exe
C:\Windows\SysWOW64\Backup.exe -s
1⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Backup.exe" & del "C:\Windows\SysWOW64\Backup.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\SysWOW64\choice.exe
    choice /t 10 /d y
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h "C:\Windows\SysWOW64\Backup.exe"
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:2008

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\JoinExport.html.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads