General

  • Target

    e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb

  • Size

    1.1MB

  • Sample

    200630-cpx65y1s8j

  • MD5

    f67ea8e471e827e4b7b65b65647d1d46

  • SHA1

    e62d3a4fe0da1b1b8e9bcff3148becd6d02bcb07

  • SHA256

    e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb

  • SHA512

    b6b2cc29a5c5247d4a68ec7e7d0080e2f6e460eee98ece85498fe25b044beea8d3e15139bcdbaad744c6fb3e9caff7a127bd4487ba35c191a57883e2b47aecc4

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\ExpandRegister.xlt.eswasted_info.txt

Family

wastedlocker

Ransom Note

ENERGYSOLUTIONS YOUR NETWORK IS ENCRYPTED NOW USE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA DO NOT GIVE THIS EMAIL TO 3RD PARTIES DO NOT RENAME OR MOVE THE FILE THE FILE IS ENCRYPTED WITH THE FOLLOWING KEY: [begin_key]pa89x+Qk8czXwYsq+77NJ+kmi8+JPLuP0ZvaEl9PBJNGPGWHEn/WeIgSu1lXs7/f OJ3j2aNYwhPFuZvavVHUbM5wPI8NoAfzkuLbIAQJMhkRfr+Ph+7S/0e6/8QmlQL2 QvmiD1wExkLM5Y+zF3wp/X8NtVRQ2DyiikWySHYjew7CKf48NgjHnCmF/UcL28S/ 2pXGFoXlbamsqZS6HzuY3mt+Bcl8A/1lnPoHkAimwB53PUSdL1zC1zd5BQjEm6uU MXD/wLgZrERAw6yw5dX3Aoz8+BKNvGSKnxOjWJSdz4+nitca/c6Yj5VNaSDgAA6D vSMxw8X7fHv8eK3yRiVcucvygqIooFyAjcuUo3bVE3IogsPvqT2DFLym7JzwSvol 7FnQpnJQl9dk1BuVytju4dBKwHStSzncK6BRtAKfFL4sUCAG8lpzudFQ4IIbNKvE 8ZnNA3YCqilpjOGWxgwCLMwsMC+FEcUk3C5Ngm7UouND52aMy2B2uurU89oydUOh f6rIvVNfBNJQDM5fn4bR9NsJEk2KKKFzIU8zyXiGD9hLN9nUP78WawgfzjoB2iLc ZeNPisyTchYKXiI6X9Hmi1jg2GZ1k36fwfnHygFkN5rseeMTtEboXE7MGfX9iTJV 4LDcrCmIvvJsGD2Y76YX9m2v1L5MCsjFWdTmuhZ+1Od=[end_key] KEEP IT

Emails

48907@PROTONMAIL.COM

78470@TUTANOTA.COM

Extracted

Path

C:\Users\Admin\Desktop\EnterPush.mpg.eswasted_info.txt

Family

wastedlocker

Ransom Note

ENERGYSOLUTIONS YOUR NETWORK IS ENCRYPTED NOW USE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA DO NOT GIVE THIS EMAIL TO 3RD PARTIES DO NOT RENAME OR MOVE THE FILE THE FILE IS ENCRYPTED WITH THE FOLLOWING KEY: [begin_key]Dcp3nv6ZsPAdUdrPKGlRjfu+X1FwH71NEi+yJcmwIv4BIy6NoV65O6wYD6bHg9ca 3dBgnb5q5+9hn5lLSSiub9n2BCYZQfrYeXO8jjs2QIStz78Ty9iCsKRPl0JapnmW /xfLxVZJWew1Glqvt1C10+i68G5HG3ooCoIWyjx2P0ksre/6852ZfmYGMupGbbbi Y8gEUl8uBlDgnEgfpn6sz1PUs8IP0Duf7TCmzmlsFBATKJfTWwQmvOSaY25w835D tXE4HWvPJGSp2UjI8DUQY/lopf3S+fuedyvBTpwJVDOtsS2G58fSQ70fzjigMXqO /yYxwjzNsL8UkiNJm4ymd/bjKKLAeiCFRFp+LUsL9vz/OtF5EneMwjNyWCV6sSqm Vw4MDVq/EPvBNH45TrasKqE+xMD1I8HpzKYeIOkTrpGdBTe5x5dqMWd6pEDbZAf/ EAfQ8bDWdldfu/ViosTZeg80lEw/0Z8B25UpABApQi7PPICPNoiAoA/D1SJZQuh0 mIGbrjNAXwDmpQPlaLZwnLaRZGGBGoDCtSq5sSZj5OjKLDTwX21nQgDmBLfiRaiq dSxVBSJdJA4ReLjxFfLBVx8Hb45zaLVXnp/0W9rvJeoG+LGY4xjPjnqiKWJO6z/i iKZEtM46A4No+S25XKJR6WPyThOZVw0LZGhypYxtGHd=[end_key] KEEP IT

Emails

48907@PROTONMAIL.COM

78470@TUTANOTA.COM

Targets

    • WastedLocker

      Ransomware family seen in the wild since May 2020.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Possible privilege escalation attempt

    • Deletes itself

    • Loads dropped DLL

    • Modifies file permissions

    • Drops file in System32 directory

    • Modifies service

MITRE ATT&CK Matrix ATT&CK v6

Tactic           Technique                        Count  ID

Persistence      Modify Existing Service          1      T1031
Persistence      Hidden Files and Directories     1      T1158
Defense Evasion  File Deletion                    2      T1107
Defense Evasion  File Permissions Modification    1      T1222
Defense Evasion  Modify Registry                  1      T1112
Defense Evasion  Hidden Files and Directories     1      T1158
Impact           Inhibit System Recovery          2      T1490

Tasks