Analysis
-
max time kernel
138s -
max time network
32s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
30-06-2020 15:30
Static task
static1
Behavioral task
behavioral1
Sample
e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe
Resource
win7v200430
Behavioral task
behavioral2
Sample
e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe
Resource
win10
General
-
Target
e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe
-
Size
1.1MB
-
MD5
f67ea8e471e827e4b7b65b65647d1d46
-
SHA1
e62d3a4fe0da1b1b8e9bcff3148becd6d02bcb07
-
SHA256
e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb
-
SHA512
b6b2cc29a5c5247d4a68ec7e7d0080e2f6e460eee98ece85498fe25b044beea8d3e15139bcdbaad744c6fb3e9caff7a127bd4487ba35c191a57883e2b47aecc4
Malware Config
Extracted
C:\Users\Admin\Desktop\ExpandRegister.xlt.eswasted_info.txt
wastedlocker
48907@PROTONMAIL.COM
78470@TUTANOTA.COM
Signatures
-
NTFS ADS 1 IoCs
Processes:
e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Mobile:bin e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 1588 vssvc.exe Token: SeRestorePrivilege 1588 vssvc.exe Token: SeAuditPrivilege 1588 vssvc.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1584 cmd.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 480 vssadmin.exe -
Modifies file permissions 1 TTPs 2 IoCs
Processes:
takeown.exeicacls.exepid process 1820 takeown.exe 1756 icacls.exe -
WastedLocker
Ransomware family seen in the wild since May 2020.
-
Loads dropped DLL 2 IoCs
Processes:
e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exepid process 1400 e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe 1400 e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe -
Drops file in System32 directory 2 IoCs
Processes:
Mobile:binattrib.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Mobile.exe Mobile:bin File opened for modification C:\Windows\SysWOW64\Mobile.exe attrib.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Views/modifies file attributes 1 TTPs 3 IoCs
Processes:
attrib.exeattrib.exeattrib.exepid process 1260 attrib.exe 1000 attrib.exe 2040 attrib.exe -
Executes dropped EXE 2 IoCs
Processes:
Mobile:binMobile.exepid process 1404 Mobile:bin 688 Mobile.exe -
Modifies service 2 TTPs 5 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe -
Possible privilege escalation attempt 2 IoCs
Processes:
takeown.exeicacls.exepid process 1820 takeown.exe 1756 icacls.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 1488 NOTEPAD.EXE -
Suspicious use of WriteProcessMemory 52 IoCs
Processes:
e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exeMobile:binMobile.execmd.execmd.execmd.exedescription pid process target process PID 1400 wrote to memory of 1404 1400 e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe Mobile:bin PID 1400 wrote to memory of 1404 1400 e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe Mobile:bin PID 1400 wrote to memory of 1404 1400 e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe Mobile:bin PID 1400 wrote to memory of 1404 1400 e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe Mobile:bin PID 1404 wrote to memory of 480 1404 Mobile:bin vssadmin.exe PID 1404 wrote to memory of 480 1404 Mobile:bin vssadmin.exe PID 1404 wrote to memory of 480 1404 Mobile:bin vssadmin.exe PID 1404 wrote to memory of 480 1404 Mobile:bin vssadmin.exe PID 1404 wrote to memory of 1820 1404 Mobile:bin takeown.exe PID 1404 wrote to memory of 1820 1404 Mobile:bin takeown.exe PID 1404 wrote to memory of 1820 1404 Mobile:bin takeown.exe PID 1404 wrote to memory of 1820 1404 Mobile:bin takeown.exe PID 1404 wrote to memory of 1756 1404 Mobile:bin icacls.exe PID 1404 wrote to memory of 1756 1404 Mobile:bin icacls.exe PID 1404 wrote to memory of 1756 1404 Mobile:bin icacls.exe PID 1404 wrote to memory of 1756 1404 Mobile:bin icacls.exe PID 688 wrote to memory of 1296 688 Mobile.exe cmd.exe PID 688 wrote to memory of 1296 688 Mobile.exe cmd.exe PID 688 wrote to memory of 1296 688 Mobile.exe cmd.exe PID 688 wrote to memory of 1296 688 Mobile.exe cmd.exe PID 1296 wrote to memory of 1864 1296 cmd.exe choice.exe PID 1296 wrote to memory of 1864 1296 cmd.exe choice.exe PID 1296 wrote to memory of 1864 1296 cmd.exe choice.exe PID 1296 wrote to memory of 1864 1296 cmd.exe choice.exe PID 1404 wrote to memory of 1576 1404 Mobile:bin cmd.exe PID 1404 wrote to memory of 1576 1404 Mobile:bin cmd.exe PID 1404 wrote to memory of 1576 1404 Mobile:bin cmd.exe PID 1404 wrote to memory of 1576 1404 Mobile:bin cmd.exe PID 1400 wrote to memory of 1584 1400 e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe cmd.exe PID 1400 wrote to memory of 1584 1400 e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe cmd.exe PID 1400 wrote to memory of 1584 1400 e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe cmd.exe PID 1400 wrote to memory of 1584 1400 e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe cmd.exe PID 1576 wrote to memory of 1624 1576 cmd.exe choice.exe PID 1576 wrote to memory of 1624 1576 cmd.exe choice.exe PID 1576 wrote to memory of 1624 1576 cmd.exe choice.exe PID 1576 wrote to memory of 1624 1576 cmd.exe choice.exe PID 1584 wrote to memory of 1520 1584 cmd.exe choice.exe PID 1584 wrote to memory of 1520 1584 cmd.exe choice.exe PID 1584 wrote to memory of 1520 1584 cmd.exe choice.exe PID 1584 wrote to memory of 1520 1584 cmd.exe choice.exe PID 1296 wrote to memory of 1260 1296 cmd.exe attrib.exe PID 1296 wrote to memory of 1260 1296 cmd.exe attrib.exe PID 1296 wrote to memory of 1260 1296 cmd.exe attrib.exe PID 1296 wrote to memory of 1260 1296 cmd.exe attrib.exe PID 1576 wrote to memory of 1000 1576 cmd.exe attrib.exe PID 1576 wrote to memory of 1000 1576 cmd.exe attrib.exe PID 1576 wrote to memory of 1000 1576 cmd.exe attrib.exe PID 1576 wrote to memory of 1000 1576 cmd.exe attrib.exe PID 1584 wrote to memory of 2040 1584 cmd.exe attrib.exe PID 1584 wrote to memory of 2040 1584 cmd.exe attrib.exe PID 1584 wrote to memory of 2040 1584 cmd.exe attrib.exe PID 1584 wrote to memory of 2040 1584 cmd.exe attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe"C:\Users\Admin\AppData\Local\Temp\e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe"1⤵
- NTFS ADS
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Mobile:binC:\Users\Admin\AppData\Roaming\Mobile:bin -r2⤵
- Drops file in System32 directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Windows\system32\Mobile.exe3⤵
- Modifies file permissions
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Windows\system32\Mobile.exe /reset3⤵
- Modifies file permissions
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Mobile" & del "C:\Users\Admin\AppData\Roaming\Mobile"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y4⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Users\Admin\AppData\Roaming\Mobile"4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe" & del "C:\Users\Admin\AppData\Local\Temp\e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Users\Admin\AppData\Local\Temp\e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe"3⤵
- Views/modifies file attributes
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
-
C:\Windows\SysWOW64\Mobile.exeC:\Windows\SysWOW64\Mobile.exe -s1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Mobile.exe" & del "C:\Windows\SysWOW64\Mobile.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Windows\SysWOW64\Mobile.exe"3⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ExpandRegister.xlt.eswasted_info.txt1⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Mobile:bin
-
C:\Users\Admin\AppData\Roaming\Mobile:bin
-
C:\Users\Admin\Desktop\ExpandRegister.xlt.eswasted_info.txt
-
C:\Windows\SysWOW64\Mobile.exe
-
C:\Windows\SysWOW64\Mobile.exe
-
\Users\Admin\AppData\Roaming\Mobile
-
\Users\Admin\AppData\Roaming\Mobile
-
memory/480-4-0x0000000000000000-mapping.dmp
-
memory/1000-17-0x0000000000000000-mapping.dmp
-
memory/1260-16-0x0000000000000000-mapping.dmp
-
memory/1296-10-0x0000000000000000-mapping.dmp
-
memory/1404-2-0x0000000000000000-mapping.dmp
-
memory/1520-15-0x0000000000000000-mapping.dmp
-
memory/1576-12-0x0000000000000000-mapping.dmp
-
memory/1584-13-0x0000000000000000-mapping.dmp
-
memory/1624-14-0x0000000000000000-mapping.dmp
-
memory/1756-8-0x0000000000000000-mapping.dmp
-
memory/1820-6-0x0000000000000000-mapping.dmp
-
memory/1864-11-0x0000000000000000-mapping.dmp
-
memory/2040-18-0x0000000000000000-mapping.dmp