Analysis

max time kernel: 130s
max time network: 123s
platform: windows10_x64
resource: win10
submitted: 30-06-2020 15:30

Static task: static1
Behavioral task: behavioral1
  Sample: bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe
  Resource: win10
Sample
bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe
Resource
win7
Behavioral task
behavioral2
Sample
bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe
Resource
win10
General

Target: bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe
Size: 60KB
MD5: 0ed2ca539a01cdb86c88a9a1604b2005
SHA1: 4fed7eae00bfa21938e49f33b7c6794fd7d0750c
SHA256: bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8
SHA512: 34dad101cd7c5f9ff2267674d224986b9274e0e17d9ae665ca1af4ffa57408106238b1e248045465ab17c72a4b92473ab3714aefb705d95f9725a4251379c7e2
Malware Config

Extracted
Path: C:\Users\Admin\Desktop\GrantPush.mp4.bbawasted_info.txt
Family: wastedlocker
Emails: 91645@PROTONMAIL.CH, 61258@ECLIPSO.CH
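The extracted config gives an incident responder three things to scope with: the ransom note name, the contact addresses, and (by the naming the note path shows) the extension appended to encrypted files. The following Python is an added example, not part of the sandbox report or of the malware, and it assumes the layout that the note path implies: a note `<file>.<ext>_info.txt` written beside each encrypted file `<file>.<ext>`, where the extension ends in `wasted` (`.bbawasted` here). The victim tree and the note wording are constructed for the demo; the real note text is not reproduced.

```python
"""Scope a WastedLocker infection from the artefacts in the extracted config.

Added example, not from the report. Assumes (from the note path the report
shows) that each encrypted file "<file>.<ext>" has a sibling note
"<file>.<ext>_info.txt" and that <ext> ends in "wasted"."""
import re
import tempfile
from pathlib import Path

# Contact addresses from the report's extracted config.
CONFIG_EMAILS = {"91645@PROTONMAIL.CH", "61258@ECLIPSO.CH"}
NOTE_NAME_RE = re.compile(r"^(?P<orig>.+)(?P<ext>\.[a-z0-9]*wasted)_info\.txt$", re.I)
EMAIL_RE = re.compile(r"[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}", re.I)


def parse_note_name(name: str):
    """Split 'GrantPush.mp4.bbawasted_info.txt' into ('GrantPush.mp4', '.bbawasted')."""
    m = NOTE_NAME_RE.match(name)
    return (m.group("orig"), m.group("ext")) if m else None


def scan(root) -> dict:
    """Walk a tree; report notes, encrypted files, orphan notes and contact emails."""
    root = Path(root)
    notes, orphan_notes, exts, emails = [], [], set(), set()
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        parsed = parse_note_name(p.name)
        if not parsed:
            continue
        orig, ext = parsed
        notes.append(p)
        exts.add(ext.lower())
        emails.update(e.upper() for e in EMAIL_RE.findall(p.read_text(errors="replace")))
        if not p.with_name(orig + ext).exists():
            # Note without its encrypted twin: file deleted, moved, or run interrupted.
            orphan_notes.append(p)
    # Count by extension as well, to catch encrypted files whose note was never written.
    encrypted = [p for p in root.rglob("*") if p.is_file() and p.suffix.lower() in exts]
    return {
        "notes": len(notes),
        "encrypted": len(encrypted),
        "orphan_notes": len(orphan_notes),
        "extensions": sorted(exts),
        "emails": sorted(emails),
        "matches_config": bool(emails & CONFIG_EMAILS),
    }


def build_fixture(root) -> None:
    """Constructed victim tree: two encrypted files with notes, one orphan note,
    one encrypted file without a note, and one file the run never touched."""
    desk = Path(root) / "Users" / "Admin" / "Desktop"
    desk.mkdir(parents=True)
    # Constructed note body; the real note's wording is not reproduced here.
    note = "Your files are encrypted. Contact 91645@PROTONMAIL.CH or 61258@ECLIPSO.CH"
    (desk / "GrantPush.mp4.bbawasted").write_bytes(b"\x00" * 64)
    (desk / "GrantPush.mp4.bbawasted_info.txt").write_text(note)
    (desk / "budget.xlsx.bbawasted").write_bytes(b"\x00" * 64)
    (desk / "budget.xlsx.bbawasted_info.txt").write_text(note)
    (desk / "photo.jpg.bbawasted_info.txt").write_text(note)  # orphan: twin missing
    (desk / "memo.docx.bbawasted").write_bytes(b"\x00" * 64)  # encrypted, no note
    (desk / "clean.txt").write_text("untouched")


def demo() -> dict:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return scan(tmp)


if __name__ == "__main__":
    print(demo())
```

Run it against a mounted image or a file share rather than the live host; the note and extension counts diverging (orphan notes, or encrypted files with no note) is itself useful, since it marks where the run was interrupted or where files were later touched. Addresses pulled from notes that do not match the extracted config point at a different build or campaign.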
Signatures

Modifies service (2 TTPs, 5 IoCs)
Processes: vssvc.exe
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} (vssvc.exe)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)

Modifies file permissions (1 TTP, 2 IoCs)
Processes: takeown.exe, icacls.exe
- PID 3308 takeown.exe
- PID 3328 icacls.exe

Opens file in notepad (likely ransom note) (1 IoC)
Processes: NOTEPAD.EXE
- PID 1684 NOTEPAD.EXE

Possible privilege escalation attempt (2 IoCs)
Processes: takeown.exe, icacls.exe
- PID 3308 takeown.exe
- PID 3328 icacls.exe

WastedLocker
Ransomware family seen in the wild since May 2020.

Suspicious use of WriteProcessMemory (38 IoCs)
Processes: bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe, Information:bin, Information.exe, cmd.exe, cmd.exe, cmd.exe
- PID 3104 wrote to memory of 3636: bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe -> Information:bin (3 writes)
- PID 3636 wrote to memory of 3848: Information:bin -> vssadmin.exe (2 writes)
- PID 3636 wrote to memory of 3308: Information:bin -> takeown.exe (3 writes)
- PID 3636 wrote to memory of 3328: Information:bin -> icacls.exe (3 writes)
- PID 3608 wrote to memory of 4000: Information.exe -> cmd.exe (3 writes)
- PID 4000 wrote to memory of 972: cmd.exe -> choice.exe (3 writes)
- PID 3636 wrote to memory of 2692: Information:bin -> cmd.exe (3 writes)
- PID 3104 wrote to memory of 2268: bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe -> cmd.exe (3 writes)
- PID 2692 wrote to memory of 492: cmd.exe -> choice.exe (3 writes)
- PID 2268 wrote to memory of 3732: cmd.exe -> choice.exe (3 writes)
- PID 4000 wrote to memory of 252: cmd.exe -> attrib.exe (3 writes)
- PID 2692 wrote to memory of 272: cmd.exe -> attrib.exe (3 writes)
- PID 2268 wrote to memory of 3700: cmd.exe -> attrib.exe (3 writes)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: vssvc.exe
- Token: SeBackupPrivilege, PID 3816 vssvc.exe
- Token: SeRestorePrivilege, PID 3816 vssvc.exe
- Token: SeAuditPrivilege, PID 3816 vssvc.exe

Views/modifies file attributes (1 TTP, 3 IoCs)
Processes: attrib.exe, attrib.exe, attrib.exe
- PID 252 attrib.exe
- PID 272 attrib.exe
- PID 3700 attrib.exe

NTFS ADS (1 IoC)
Processes: bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe
- File opened for modification C:\Users\Admin\AppData\Roaming\Information:bin (bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe)

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE (2 IoCs)
Processes: Information:bin, Information.exe
- PID 3636 Information:bin
- PID 3608 Information.exe

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
- PID 3848 vssadmin.exe

Drops file in System32 directory (2 IoCs)
Processes: Information:bin, attrib.exe
- File opened for modification C:\Windows\SysWOW64\Information.exe (Information:bin)
- File opened for modification C:\Windows\SysWOW64\Information.exe (attrib.exe)
Processes

- C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe"
  Signatures: Suspicious use of WriteProcessMemory; NTFS ADS
  - C:\Users\Admin\AppData\Roaming\Information:bin
    Command line: C:\Users\Admin\AppData\Roaming\Information:bin -r
    Signatures: Suspicious use of WriteProcessMemory; Executes dropped EXE; Drops file in System32 directory
    - C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      Signatures: Interacts with shadow copies
    - C:\Windows\SysWOW64\takeown.exe
      Command line: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Information.exe
      Signatures: Modifies file permissions; Possible privilege escalation attempt
    - C:\Windows\SysWOW64\icacls.exe
      Command line: C:\Windows\system32\icacls.exe C:\Windows\system32\Information.exe /reset
      Signatures: Modifies file permissions; Possible privilege escalation attempt
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Information" & del "C:\Users\Admin\AppData\Roaming\Information"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\choice.exe
        Command line: choice /t 10 /d y
      - C:\Windows\SysWOW64\attrib.exe
        Command line: attrib -h "C:\Users\Admin\AppData\Roaming\Information"
        Signatures: Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe" & del "C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe
      Command line: choice /t 10 /d y
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe"
      Signatures: Views/modifies file attributes

- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Modifies service; Suspicious use of AdjustPrivilegeToken

- C:\Windows\SysWOW64\Information.exe
  Command line: C:\Windows\SysWOW64\Information.exe -s
  Signatures: Suspicious use of WriteProcessMemory; Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Information.exe" & del "C:\Windows\SysWOW64\Information.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe
      Command line: choice /t 10 /d y
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Windows\SysWOW64\Information.exe"
      Signatures: Views/modifies file attributes; Drops file in System32 directory

- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GrantPush.mp4.bbawasted_info.txt
  Signatures: Opens file in notepad (likely ransom note)
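The process tree above is the detection surface: a dropper that launches a copy of itself from an NTFS alternate data stream, `vssadmin Delete Shadows`, `takeown`/`icacls` against a file in the system directory, and three copies of the same `cmd /c choice /t 10 /d y & attrib -h ... & del ...` self-deletion. The following Python is an added example, not code from the sandbox or the malware: it reconstructs the tree as constructed Sysmon-style process-creation events (PIDs as listed in the report; parent PIDs assumed from the tree's nesting, 0 where the report shows no parent) and runs one rule per behaviour. The `wmic shadowcopy delete` clause goes beyond what this report shows and is included only for coverage.

```python
"""Detection rules for the behaviour chain in the process tree above.

Added example. EVENTS are constructed Sysmon-style process-creation records
reconstructed from the report's tree, not real event logs; parent PIDs are
assumed from the tree's nesting."""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE = "bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
ADS_PATH = r"C:\Users\Admin\AppData\Roaming\Information:bin"  # stream on HOST_PATH
HOST_PATH = r"C:\Users\Admin\AppData\Roaming\Information"
DROP_PATH = r"C:\Windows\SysWOW64\Information.exe"
SYS32 = r"C:\Windows\system32"
WOW64 = r"C:\Windows\SysWOW64"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # path of the created process image
    cmdline: str  # command line as logged


def self_delete_cmd(target: str) -> str:
    """The delayed self-deletion one-liner that appears three times in the tree."""
    return f'cmd /c choice /t 10 /d y & attrib -h "{target}" & del "{target}"'


EVENTS = [
    ProcEvent(3104, 0, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(3636, 3104, ADS_PATH, f"{ADS_PATH} -r"),
    ProcEvent(3848, 3636, SYS32 + r"\vssadmin.exe", SYS32 + r"\vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(3308, 3636, WOW64 + r"\takeown.exe", SYS32 + r"\takeown.exe /F " + SYS32 + r"\Information.exe"),
    ProcEvent(3328, 3636, WOW64 + r"\icacls.exe", SYS32 + r"\icacls.exe " + SYS32 + r"\Information.exe /reset"),
    ProcEvent(2692, 3636, WOW64 + r"\cmd.exe", self_delete_cmd(HOST_PATH)),
    ProcEvent(2268, 3104, WOW64 + r"\cmd.exe", self_delete_cmd(SAMPLE_PATH)),
    ProcEvent(3608, 0, DROP_PATH, f"{DROP_PATH} -s"),
    ProcEvent(4000, 3608, WOW64 + r"\cmd.exe", self_delete_cmd(DROP_PATH)),
    ProcEvent(1684, 0, SYS32 + r"\NOTEPAD.EXE",
              f'"{SYS32}\\NOTEPAD.EXE" C:\\Users\\Admin\\Desktop\\GrantPush.mp4.bbawasted_info.txt'),
]

SYSDIR_PATH_RE = re.compile(r'[a-z]:\\windows\\system32\\[^\s"]+')
CHOICE_DELAY_RE = re.compile(r"choice\s+/t\s+\d+\s+/d\s+y", re.I)
DEL_TARGET_RE = re.compile(r'\bdel\s+"?([^"&]+?)"?\s*(?:&|$)', re.I)


def norm(path: str) -> str:
    r"""Lower-case and fold SysWOW64 onto system32. The 32-bit dropper asks for
    C:\Windows\system32, but WoW64 file-system redirection lands it in SysWOW64,
    so the logged image paths and the command lines disagree on the spelling."""
    return re.sub(r"\\syswow64\\", r"\\system32\\", path.strip('"').lower())


def strip_ads(path: str) -> str:
    """Information:bin -> Information (the file that hosts the stream)."""
    head, tail = ntpath.split(path)
    return ntpath.join(head, tail.split(":", 1)[0])


def detect(events):
    """Return (rule, pid, image) for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name = ntpath.basename(e.image).lower()
        parent = by_pid.get(e.ppid)
        cmd = e.cmdline
        # 1. Shadow-copy deletion (the wmic form is not in this report; added for coverage).
        if (name == "vssadmin.exe" and re.search(r"delete\s+shadows", cmd, re.I)) or \
           (name == "wmic.exe" and re.search(r"shadowcopy\s+delete", cmd, re.I)):
            hits.append(("shadow_copy_deletion", e.pid, e.image))
        # 2. takeown/icacls aimed at a file under the system directory (not the tool itself).
        if name in ("takeown.exe", "icacls.exe"):
            targets = [t for t in SYSDIR_PATH_RE.findall(norm(cmd)) if not t.endswith("\\" + name)]
            if targets:
                hits.append(("acl_tamper_system_dir", e.pid, e.image))
        # 3. Image executed from an NTFS alternate data stream: colon in the final path component.
        if ":" in ntpath.basename(e.image):
            hits.append(("exec_from_ntfs_ads", e.pid, e.image))
        # 4. cmd.exe that waits via choice and then deletes its parent's own file
        #    (or, for a stream, the file hosting the parent's stream).
        if name == "cmd.exe" and parent is not None and CHOICE_DELAY_RE.search(cmd):
            m = DEL_TARGET_RE.search(cmd)
            if m and norm(m.group(1)) == norm(strip_ads(parent.image)):
                hits.append(("delayed_self_delete", e.pid, e.image))
    return hits


def summarize(events):
    """rule -> sorted PIDs, for assertions or a SIEM-style rollup."""
    out = defaultdict(list)
    for rule, pid, _ in detect(events):
        out[rule].append(pid)
    return {rule: sorted(pids) for rule, pids in out.items()}


if __name__ == "__main__":
    for rule, pid, image in detect(EVENTS):
        print(f"{rule:24} pid={pid:<5} {image}")
```

Two design points matter in practice. Rule 4 ties the `del` target to the parent's image rather than matching the `choice` delay alone, so a scripted cleanup of some other file does not fire; matching the host file of a stream (`Information:bin` deleting `Information`) is what makes it catch the middle stage here. Rule 2 and the self-delete comparison both go through `norm()`, because the command lines in this report say `system32` while the logged images sit in `SysWOW64`: the dropper is 32-bit, and WoW64 redirection rewrote the path underneath it. A rule keyed on the literal `System32` string would miss the `takeown`/`icacls` pair and the dropped `Information.exe`.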
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Roaming\Information:bin
- C:\Users\Admin\Desktop\GrantPush.mp4.bbawasted_info.txt
- C:\Windows\SysWOW64\Information.exe
- memory/252-14-0x0000000000000000-mapping.dmp
- memory/272-15-0x0000000000000000-mapping.dmp
- memory/492-12-0x0000000000000000-mapping.dmp
- memory/972-9-0x0000000000000000-mapping.dmp
- memory/2268-11-0x0000000000000000-mapping.dmp
- memory/2692-10-0x0000000000000000-mapping.dmp
- memory/3308-4-0x0000000000000000-mapping.dmp
- memory/3328-6-0x0000000000000000-mapping.dmp
- memory/3636-0-0x0000000000000000-mapping.dmp
- memory/3700-16-0x0000000000000000-mapping.dmp
- memory/3732-13-0x0000000000000000-mapping.dmp
- memory/3848-3-0x0000000000000000-mapping.dmp
- memory/4000-8-0x0000000000000000-mapping.dmp