Analysis

  max time kernel:   143s
  max time network:  150s
  platform:          windows7_x64
  resource:          win7
  submitted:         30-06-2020 15:30

  static1      Static task
  behavioral1  Behavioral task   Sample: bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe   Resource: win7
  behavioral2  Behavioral task   Sample: bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe   Resource: win10

General

  Target:  bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe
  Size:    60KB
  MD5:     0ed2ca539a01cdb86c88a9a1604b2005
  SHA1:    4fed7eae00bfa21938e49f33b7c6794fd7d0750c
  SHA256:  bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8
  SHA512:  34dad101cd7c5f9ff2267674d224986b9274e0e17d9ae665ca1af4ffa57408106238b1e248045465ab17c72a4b92473ab3714aefb705d95f9725a4251379c7e2
Malware Config

  Extracted from:  C:\Users\Admin\Desktop\JoinExport.html.txt
  Family:          wastedlocker
  Emails:          91645@PROTONMAIL.CH
                   61258@ECLIPSO.CH
Signatures

In the table below, sample.exe stands for bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe.

Suspicious use of WriteProcessMemory  (52 IoCs)
  Each row corresponds to four WriteProcessMemory calls on the same parent/child pair (13 pairs, 52 calls). Four writes by the creating parent into a child that has just been started is the footprint of ordinary process creation rather than code injection, so the signature itself adds little here; its value is the parent/child map it provides.

  PID   process        ->  PID   target process
  1612  sample.exe         364   Backup:bin
  364   Backup:bin         1052  vssadmin.exe
  364   Backup:bin         1924  takeown.exe
  364   Backup:bin         1944  icacls.exe
  1976  Backup.exe         1764  cmd.exe
  1764  cmd.exe            1592  choice.exe
  364   Backup:bin         1596  cmd.exe
  1612  sample.exe         1664  cmd.exe
  1596  cmd.exe            1088  choice.exe
  1664  cmd.exe            1080  choice.exe
  1764  cmd.exe            2008  attrib.exe
  1596  cmd.exe            832   attrib.exe
  1664  cmd.exe            1424  attrib.exe
Executes dropped EXE  (2 IoCs)
  PID   process
  364   Backup:bin
  1976  Backup.exe

Loads dropped DLL  (2 IoCs)
  PID   process
  1612  bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe
  1612  bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe

Interacts with shadow copies  (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  PID   process
  1052  vssadmin.exe

Opens file in notepad (likely ransom note)  (1 IoC)
  PID   process
  216   NOTEPAD.EXE

NTFS ADS  (1 IoC)
  description                    ioc                                          process
  File opened for modification   C:\Users\Admin\AppData\Roaming\Backup:bin    bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe
Deletes shadow copies  (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
  Observed here as vssadmin.exe Delete Shadows /All /Quiet (PID 1052), launched from Backup:bin; see the process tree.

Suspicious use of AdjustPrivilegeToken  (3 IoCs)
  description                  PID   process
  Token: SeBackupPrivilege     1508  vssvc.exe
  Token: SeRestorePrivilege    1508  vssvc.exe
  Token: SeAuditPrivilege      1508  vssvc.exe
  vssvc.exe is the Volume Shadow Copy service, started by the system to serve the vssadmin request. Enabling these privileges is its normal behaviour while processing a shadow-copy operation; the sample's own process never adjusts a token in this run.

Possible privilege escalation attempt  (2 IoCs)
  PID   process
  1924  takeown.exe
  1944  icacls.exe
  Both act on the sample's own dropped copy (Backup.exe in the Windows system directory): takeown claims ownership of the file and icacls /reset replaces its ACL with inherited permissions. This prepares the dropped copy; it does not by itself raise the privileges of the account running the sample.
WastedLocker
  Ransomware family seen in the wild since May 2020.

Deletes itself  (1 IoC)
  PID   process
  1664  cmd.exe
  The deletion runs through a child shell: cmd /c choice /t 10 /d y & attrib -h "<sample path>" & del "<sample path>". choice /t 10 /d y is a ten-second sleep (auto-answering "y" after the timeout) that lets the parent exit and release its image file; attrib -h clears the hidden attribute, because del skips hidden files; del then removes the original. The same chain is used for the ADS host file Backup (PID 1596) and for the SysWOW64 copy Backup.exe (PID 1764).

Modifies service  (2 TTPs, 5 IoCs)
  description   ioc                                                                                                       process
  Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                                  vssvc.exe
  Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}  vssvc.exe
  Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer                                 vssvc.exe
  Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                                        vssvc.exe
  Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer                   vssvc.exe
  All five keys are VSS diagnostic entries that vssvc.exe writes under its own service key while handling the shadow-copy request. No service creation or modification by the sample itself appears in this report.
Modifies file permissions  (1 TTP, 2 IoCs)
  PID   process
  1924  takeown.exe
  1944  icacls.exe

Drops file in System32 directory  (2 IoCs)
  description                    ioc                              process
  File opened for modification   C:\Windows\SysWOW64\Backup.exe   Backup:bin
  File opened for modification   C:\Windows\SysWOW64\Backup.exe   attrib.exe

Views/modifies file attributes  (1 TTP, 3 IoCs)
  PID   process
  2008  attrib.exe
  832   attrib.exe
  1424  attrib.exe
Processes

Indentation shows the parent/child relationship; PIDs are taken from the signature tables above. Image is the executable path as recorded by the monitor, Command line is what the parent passed.

bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe  [PID 1612]
  Image:        C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe"
  - Suspicious use of WriteProcessMemory
  - Loads dropped DLL
  - NTFS ADS

  Backup:bin  [PID 364]
    Image:        C:\Users\Admin\AppData\Roaming\Backup:bin
    Command line: C:\Users\Admin\AppData\Roaming\Backup:bin -r
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Drops file in System32 directory
    The executable is the "bin" alternate data stream of the file C:\Users\Admin\AppData\Roaming\Backup; a plain directory listing shows only Backup.

    vssadmin.exe  [PID 1052]
      Image:        C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies

    takeown.exe  [PID 1924]
      Image:        C:\Windows\SysWOW64\takeown.exe
      Command line: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Backup.exe
      - Possible privilege escalation attempt
      - Modifies file permissions

    icacls.exe  [PID 1944]
      Image:        C:\Windows\SysWOW64\icacls.exe
      Command line: C:\Windows\system32\icacls.exe C:\Windows\system32\Backup.exe /reset
      - Possible privilege escalation attempt
      - Modifies file permissions
      Path note: the command lines name system32, but the recorded images and the dropped file are under SysWOW64. Backup:bin runs as a 32-bit process (its children are the SysWOW64 copies of the tools), so WoW64 file-system redirection maps its references to \Windows\system32\ onto \Windows\SysWOW64\; the file actually taken over and reset is C:\Windows\SysWOW64\Backup.exe. The vssadmin image is the native system32 binary, so that launch was not redirected.

    cmd.exe  [PID 1596]
      Image:        C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Backup" & del "C:\Users\Admin\AppData\Roaming\Backup"
      - Suspicious use of WriteProcessMemory
      del is a cmd built-in, so no separate process appears for it; deleting the host file Backup removes the Backup:bin stream with it.

      choice.exe  [PID 1088]
        Image:        C:\Windows\SysWOW64\choice.exe
        Command line: choice /t 10 /d y

      attrib.exe  [PID 832]
        Image:        C:\Windows\SysWOW64\attrib.exe
        Command line: attrib -h "C:\Users\Admin\AppData\Roaming\Backup"
        - Views/modifies file attributes

  cmd.exe  [PID 1664]
    Image:        C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe" & del "C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe"
    - Suspicious use of WriteProcessMemory
    - Deletes itself

    choice.exe  [PID 1080]
      Image:        C:\Windows\SysWOW64\choice.exe
      Command line: choice /t 10 /d y

    attrib.exe  [PID 1424]
      Image:        C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe"
      - Views/modifies file attributes

vssvc.exe  [PID 1508]  (top level: the Volume Shadow Copy service, started by the system to serve the vssadmin request)
  Image:        C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service

Backup.exe  [PID 1976]  (top level: no parent recorded in this run)
  Image:        C:\Windows\SysWOW64\Backup.exe
  Command line: C:\Windows\SysWOW64\Backup.exe -s
  - Suspicious use of WriteProcessMemory
  - Executes dropped EXE

  cmd.exe  [PID 1764]
    Image:        C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Backup.exe" & del "C:\Windows\SysWOW64\Backup.exe"
    - Suspicious use of WriteProcessMemory

    choice.exe  [PID 1592]
      Image:        C:\Windows\SysWOW64\choice.exe
      Command line: choice /t 10 /d y

    attrib.exe  [PID 2008]
      Image:        C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Windows\SysWOW64\Backup.exe"
      - Drops file in System32 directory
      - Views/modifies file attributes

NOTEPAD.EXE  [PID 216]
  Image:        C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\JoinExport.html.txt
  - Opens file in notepad (likely ransom note)
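Added example (not part of the sandbox report, and not WastedLocker's or the sandbox vendor's code): a small Python script that re-derives the verdicts above from Sysmon-style process-creation events. The events are constructed from the process tree in this report (its PIDs, image paths and command lines); the field names, rule names and rule logic are the editor's own assumptions. It covers the four checks a detection engineer would want from this run: execution from an NTFS alternate data stream (the drive-letter colon must not be mistaken for the stream separator), vssadmin shadow-copy deletion, the choice/attrib/del delayed self-deletion chain tied back to the parent's own image, and takeown/icacls against a system-directory file after applying the WoW64 redirection that explains the system32-vs-SysWOW64 mismatch.

```python
"""Re-derive the flagged behaviours from Sysmon-style process events.

Added example: events below are constructed from the report's process tree;
field names and rule names are assumptions, not the sandbox's own schema.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE = "bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
ADS_PATH = r"C:\Users\Admin\AppData\Roaming\Backup:bin"
SYS_COPY = r"C:\Windows\SysWOW64\Backup.exe"
DELETE_CMD = 'cmd /c choice /t 10 /d y & attrib -h "{f}" & del "{f}"'


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]  # None when the tree records no parent (top-level process)
    image: str           # executable path as recorded by the monitor
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


# Constructed from the report's tree; choice/attrib/notepad/vssvc omitted (no rule needs them).
EVENTS = [
    Proc(1612, None, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    Proc(364, 1612, ADS_PATH, f"{ADS_PATH} -r"),
    Proc(1052, 364, r"C:\Windows\system32\vssadmin.exe",
         r"C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet"),
    Proc(1924, 364, r"C:\Windows\SysWOW64\takeown.exe",
         r"C:\Windows\system32\takeown.exe /F C:\Windows\system32\Backup.exe"),
    Proc(1944, 364, r"C:\Windows\SysWOW64\icacls.exe",
         r"C:\Windows\system32\icacls.exe C:\Windows\system32\Backup.exe /reset"),
    Proc(1596, 364, r"C:\Windows\SysWOW64\cmd.exe",
         DELETE_CMD.format(f=r"C:\Users\Admin\AppData\Roaming\Backup")),
    Proc(1664, 1612, r"C:\Windows\SysWOW64\cmd.exe", DELETE_CMD.format(f=SAMPLE_PATH)),
    Proc(1976, None, SYS_COPY, f"{SYS_COPY} -s"),
    Proc(1764, 1976, r"C:\Windows\SysWOW64\cmd.exe", DELETE_CMD.format(f=SYS_COPY)),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def split_ads(path: str) -> Tuple[str, Optional[str]]:
    """'C:\\dir\\file:stream' -> ('C:\\dir\\file', 'stream'); a plain path -> (path, None).
    Only a colon inside the final component counts, so 'C:' is never taken as a stream."""
    head, _, name = path.rpartition("\\")
    if ":" not in name:
        return path, None
    host, stream = name.split(":", 1)
    return (f"{head}\\{host}" if head else host), stream.split(":")[0]  # drop ':$DATA'


def is_32bit_on_x64(image: str) -> bool:
    # Assumption: a process whose image lives in SysWOW64 is a 32-bit process on x64.
    return "\\syswow64\\" in image.lower()


def wow64_native_path(path: str, caller_is_32bit: bool) -> str:
    """File-system redirection: a 32-bit caller naming \\Windows\\System32\\X really
    touches \\Windows\\SysWOW64\\X, which is why takeown's target differs from the drop."""
    if not caller_is_32bit:
        return path
    return re.sub(r"(?i)\\windows\\system32\\", lambda _: "\\Windows\\SysWOW64\\", path)


SHADOW_DELETE = re.compile(r"\bdelete\s+shadows\b", re.I)
DELAYED_DELETE = re.compile(r'choice\s+/t\s+(\d+).*?\bdel\s+"?([^"&]+?)"?\s*$', re.I)
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)


def analyze(events: List[Proc]) -> List[Finding]:
    by_pid = {p.pid: p for p in events}
    out: List[Finding] = []
    for p in events:
        name = basename(p.image).lower()
        host, stream = split_ads(p.image)
        if stream:  # executing an alternate data stream, e.g. Backup:bin
            out.append(Finding("ads_execution", p.pid, f"stream '{stream}' of {host}"))
        if name == "vssadmin.exe" and SHADOW_DELETE.search(p.cmdline):
            out.append(Finding("shadow_copy_deletion", p.pid, p.cmdline))
        if name in ("takeown.exe", "icacls.exe"):
            paths = re.findall(r"[A-Za-z]:\\\S+", p.cmdline)  # [tool path, target path]
            if len(paths) > 1:
                target = wow64_native_path(paths[1], is_32bit_on_x64(p.image))
                if SYSTEM_DIR.match(target):
                    out.append(Finding("system_dir_acl_change", p.pid, f"{name} -> {target}"))
        m = DELAYED_DELETE.search(p.cmdline) if name == "cmd.exe" else None
        if m:
            delay, target = m.group(1), m.group(2)
            parent = by_pid.get(p.ppid) if p.ppid is not None else None
            # choice /t N /d y is a sleep; attrib -h precedes del because del skips hidden files.
            relation = "unrelated file"
            if parent and target.lower() in (parent.image.lower(), split_ads(parent.image)[0].lower()):
                relation = "parent's own image"  # self-deletion delegated to a child shell
            out.append(Finding("delayed_delete", p.pid, f"{target} after {delay}s ({relation})"))
    return out


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f.rule:22} pid={f.pid:<5} {f.detail}")
```

Run as a script it prints seven findings, one per flagged process in the tree above. To use it on real Sysmon Event ID 1 records, map ProcessId, ParentProcessId, Image and CommandLine onto Proc. The WoW64 step infers bitness from the executing process's own image directory; a production rule should take the bitness from the event source rather than from the path.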
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

  Files
    C:\Users\Admin\AppData\Roaming\Backup:bin
    C:\Users\Admin\AppData\Roaming\Backup:bin
    C:\Users\Admin\Desktop\JoinExport.html.txt
    C:\Windows\SysWOW64\Backup.exe
    C:\Windows\SysWOW64\Backup.exe
    \Users\Admin\AppData\Roaming\Backup
    \Users\Admin\AppData\Roaming\Backup

  Memory dumps
    memory/364-2-0x0000000000000000-mapping.dmp
    memory/832-17-0x0000000000000000-mapping.dmp
    memory/1052-4-0x0000000000000000-mapping.dmp
    memory/1080-15-0x0000000000000000-mapping.dmp
    memory/1088-14-0x0000000000000000-mapping.dmp
    memory/1424-18-0x0000000000000000-mapping.dmp
    memory/1592-11-0x0000000000000000-mapping.dmp
    memory/1596-12-0x0000000000000000-mapping.dmp
    memory/1664-13-0x0000000000000000-mapping.dmp
    memory/1764-10-0x0000000000000000-mapping.dmp
    memory/1924-6-0x0000000000000000-mapping.dmp
    memory/1944-8-0x0000000000000000-mapping.dmp
    memory/2008-16-0x0000000000000000-mapping.dmp