wastedlocker | bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8

Analysis

max time kernel
130s
max time network
123s
platform
windows10_x64
resource
win10
submitted
30-06-2020 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe
Size

60KB
MD5

0ed2ca539a01cdb86c88a9a1604b2005
SHA1

4fed7eae00bfa21938e49f33b7c6794fd7d0750c
SHA256

bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8
SHA512

34dad101cd7c5f9ff2267674d224986b9274e0e17d9ae665ca1af4ffa57408106238b1e248045465ab17c72a4b92473ab3714aefb705d95f9725a4251379c7e2

Score

10^/10

ransomware persistence discovery exploit wastedlocker

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\GrantPush.mp4.bbawasted_info.txt

Family

wastedlocker

Ransom Note

BBA Aviation YOUR NETWORK IS ENCRYPTED NOW USE [email protected] | [email protected] TO GET THE PRICE FOR YOUR DATA DO NOT GIVE THIS EMAIL TO 3RD PARTIES DO NOT RENAME OR MOVE THE FILE THE FILE IS ENCRYPTED WITH THE FOLLOWING KEY: [begin_key]eWiVIWOKyZhi+k4Xk9XmHRTyqh1mou9rR63QBvua+mGoSRZtf2IP+pYcmJDG60+2 +HXobnzuw/0tJZXCdKVo7vKbYiFrtS+fjQbaUA4uDnG0lBiPwFZrlQ8/5jjSrNCc UBIy0bNpN2nUolQAYBS24NFf+Kws73BEg4rBWfiJchPaj/4exqexSwskjVo0S+ky OeNPHLfkzenJDLlTSK2gYJ8yzn3BhfDDxYNz+MQHPPANfEcWyuUyPTUspbFBGT10 kGtlzKdsd0w3lO31V2gsTcxy+AH3n66oPOJGwR2TKFVulbwkgIiY/0k3UHx8QK40 gZDuufCgscoq7rnyRn4+xIPdjtaCXIZVgKzfwmUdwGSSh93ywcXJlNq1Y8XI3Tb+ /XIHHVfU+fmFPKEyBdZRAt5cXXMssIsc0AKsuELWu/z6Kfxnu2bdyAPgDnMTSDxa IpDFInXnGk+9i0VDeiKxeII8dCV2IBIV4AUnUxC7FDQ+P/q0jYNRM8laajjJ+Fbm sH5gl6OoCHl8bSUK7aHZSbFjffon+ua8C3MZxJl6Nzq5J74Lo2CX+gErcGw4RQqI onaDAnY/HYGluGJqc4TmH7SoptRZj5Wcx4hZahAnpmck9wDWKg9e0kTGgQnoHRYh dnwPfw97uYc8/c0edQlIWqUU0v1KQ1zo0CWdtK2PYp2=[end_key] KEEP IT

Emails

[email protected]

Signatures

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3308	takeown.exe
3328	icacls.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1684	NOTEPAD.EXE

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
3308	takeown.exe
3328	icacls.exe

WastedLocker
Ransomware family seen in the wild since May 2020.
ransomware wastedlocker

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 3636	3104	bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe	67
PID 3104 wrote to memory of 3636	3104	bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe	67
PID 3104 wrote to memory of 3636	3104	bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe	67
PID 3636 wrote to memory of 3848	3636	Information:bin	68
PID 3636 wrote to memory of 3848	3636	Information:bin	68
PID 3636 wrote to memory of 3308	3636	Information:bin	72
PID 3636 wrote to memory of 3308	3636	Information:bin	72
PID 3636 wrote to memory of 3308	3636	Information:bin	72
PID 3636 wrote to memory of 3328	3636	Information:bin	74
PID 3636 wrote to memory of 3328	3636	Information:bin	74
PID 3636 wrote to memory of 3328	3636	Information:bin	74
PID 3608 wrote to memory of 4000	3608	Information.exe	77
PID 3608 wrote to memory of 4000	3608	Information.exe	77
PID 3608 wrote to memory of 4000	3608	Information.exe	77
PID 4000 wrote to memory of 972	4000	cmd.exe	79
PID 4000 wrote to memory of 972	4000	cmd.exe	79
PID 4000 wrote to memory of 972	4000	cmd.exe	79
PID 3636 wrote to memory of 2692	3636	Information:bin	81
PID 3636 wrote to memory of 2692	3636	Information:bin	81
PID 3636 wrote to memory of 2692	3636	Information:bin	81
PID 3104 wrote to memory of 2268	3104	bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe	83
PID 3104 wrote to memory of 2268	3104	bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe	83
PID 3104 wrote to memory of 2268	3104	bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe	83
PID 2692 wrote to memory of 492	2692	cmd.exe	85
PID 2692 wrote to memory of 492	2692	cmd.exe	85
PID 2692 wrote to memory of 492	2692	cmd.exe	85
PID 2268 wrote to memory of 3732	2268	cmd.exe	86
PID 2268 wrote to memory of 3732	2268	cmd.exe	86
PID 2268 wrote to memory of 3732	2268	cmd.exe	86
PID 4000 wrote to memory of 252	4000	cmd.exe	87
PID 4000 wrote to memory of 252	4000	cmd.exe	87
PID 4000 wrote to memory of 252	4000	cmd.exe	87
PID 2692 wrote to memory of 272	2692	cmd.exe	88
PID 2692 wrote to memory of 272	2692	cmd.exe	88
PID 2692 wrote to memory of 272	2692	cmd.exe	88
PID 2268 wrote to memory of 3700	2268	cmd.exe	89
PID 2268 wrote to memory of 3700	2268	cmd.exe	89
PID 2268 wrote to memory of 3700	2268	cmd.exe	89

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	3816	vssvc.exe
Token: SeRestorePrivilege	3816	vssvc.exe
Token: SeAuditPrivilege	3816	vssvc.exe

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
252	attrib.exe
272	attrib.exe
3700	attrib.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Information:bin	bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

pid	Process
3636	Information:bin
3608	Information.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3848	vssadmin.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Information.exe	Information:bin
File opened for modification	C:\Windows\SysWOW64\Information.exe	attrib.exe

C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe
"C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe"
1⤵
- Suspicious use of WriteProcessMemory
- NTFS ADS
PID:3104
- C:\Users\Admin\AppData\Roaming\Information:bin
  C:\Users\Admin\AppData\Roaming\Information:bin -r
  2⤵
  - Suspicious use of WriteProcessMemory
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:3636
- - C:\Windows\system32\vssadmin.exe
    C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:3848
- - C:\Windows\SysWOW64\takeown.exe
    C:\Windows\system32\takeown.exe /F C:\Windows\system32\Information.exe
    3⤵
    - Modifies file permissions
    - Possible privilege escalation attempt
    PID:3308
- - C:\Windows\SysWOW64\icacls.exe
    C:\Windows\system32\icacls.exe C:\Windows\system32\Information.exe /reset
    3⤵
    - Modifies file permissions
    - Possible privilege escalation attempt
    PID:3328
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Information" & del "C:\Users\Admin\AppData\Roaming\Information"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\choice.exe
      choice /t 10 /d y
      4⤵
      PID:492
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -h "C:\Users\Admin\AppData\Roaming\Information"
      4⤵
      Views/modifies file attributes
      PID:272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe" & del "C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\SysWOW64\choice.exe
    choice /t 10 /d y
    3⤵
    PID:3732
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h "C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe"
    3⤵
    - Views/modifies file attributes
    PID:3700

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:3816

C:\Windows\SysWOW64\Information.exe
C:\Windows\SysWOW64\Information.exe -s
1⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:3608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Information.exe" & del "C:\Windows\SysWOW64\Information.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\Windows\SysWOW64\choice.exe
    choice /t 10 /d y
    3⤵
    PID:972
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h "C:\Windows\SysWOW64\Information.exe"
    3⤵
    - Views/modifies file attributes
    - Drops file in System32 directory
    PID:252

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GrantPush.mp4.bbawasted_info.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads