wastedlocker | e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb

General

Target

e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe
Size

1.1MB
MD5

f67ea8e471e827e4b7b65b65647d1d46
SHA1

e62d3a4fe0da1b1b8e9bcff3148becd6d02bcb07
SHA256

e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb
SHA512

b6b2cc29a5c5247d4a68ec7e7d0080e2f6e460eee98ece85498fe25b044beea8d3e15139bcdbaad744c6fb3e9caff7a127bd4487ba35c191a57883e2b47aecc4

Score

10^/10

ransomware persistence discovery exploit wastedlocker

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\ExpandRegister.xlt.eswasted_info.txt

Family

wastedlocker

Ransom Note

ENERGYSOLUTIONS YOUR NETWORK IS ENCRYPTED NOW USE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA DO NOT GIVE THIS EMAIL TO 3RD PARTIES DO NOT RENAME OR MOVE THE FILE THE FILE IS ENCRYPTED WITH THE FOLLOWING KEY: [begin_key]pa89x+Qk8czXwYsq+77NJ+kmi8+JPLuP0ZvaEl9PBJNGPGWHEn/WeIgSu1lXs7/f OJ3j2aNYwhPFuZvavVHUbM5wPI8NoAfzkuLbIAQJMhkRfr+Ph+7S/0e6/8QmlQL2 QvmiD1wExkLM5Y+zF3wp/X8NtVRQ2DyiikWySHYjew7CKf48NgjHnCmF/UcL28S/ 2pXGFoXlbamsqZS6HzuY3mt+Bcl8A/1lnPoHkAimwB53PUSdL1zC1zd5BQjEm6uU MXD/wLgZrERAw6yw5dX3Aoz8+BKNvGSKnxOjWJSdz4+nitca/c6Yj5VNaSDgAA6D vSMxw8X7fHv8eK3yRiVcucvygqIooFyAjcuUo3bVE3IogsPvqT2DFLym7JzwSvol 7FnQpnJQl9dk1BuVytju4dBKwHStSzncK6BRtAKfFL4sUCAG8lpzudFQ4IIbNKvE 8ZnNA3YCqilpjOGWxgwCLMwsMC+FEcUk3C5Ngm7UouND52aMy2B2uurU89oydUOh f6rIvVNfBNJQDM5fn4bR9NsJEk2KKKFzIU8zyXiGD9hLN9nUP78WawgfzjoB2iLc ZeNPisyTchYKXiI6X9Hmi1jg2GZ1k36fwfnHygFkN5rseeMTtEboXE7MGfX9iTJV 4LDcrCmIvvJsGD2Y76YX9m2v1L5MCsjFWdTmuhZ+1Od=[end_key] KEEP IT

Emails

48907@PROTONMAIL.COM

78470@TUTANOTA.COM

Signatures

NTFS ADS 1 IoCs

Processes:

e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Mobile:bin	e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1588 vssvc.exe
Token: SeRestorePrivilege 1588 vssvc.exe
Token: SeAuditPrivilege 1588 vssvc.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1584 cmd.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

480 vssadmin.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1820 takeown.exe
1756 icacls.exe
WastedLocker
Ransomware family seen in the wild since May 2020.
ransomware wastedlocker

description	pid	process
Token: SeBackupPrivilege	1588	vssvc.exe
Token: SeRestorePrivilege	1588	vssvc.exe
Token: SeAuditPrivilege	1588	vssvc.exe

pid	process
1584	cmd.exe

pid	process
480	vssadmin.exe

pid	process
1820	takeown.exe
1756	icacls.exe

Loads dropped DLL 2 IoCs

Processes:

e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe

pid	process
1400	e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe
1400	e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe

Drops file in System32 directory 2 IoCs

Processes:

Mobile:binattrib.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Mobile.exe	Mobile:bin
File opened for modification	C:\Windows\SysWOW64\Mobile.exe	attrib.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

1260 attrib.exe
1000 attrib.exe
2040 attrib.exe
Executes dropped EXE 2 IoCs

Processes:

Mobile:binMobile.exe

pid process

1404 Mobile:bin
688 Mobile.exe

pid	process
1260	attrib.exe
1000	attrib.exe
2040	attrib.exe

pid	process
1404	Mobile:bin
688	Mobile.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1820 takeown.exe
1756 icacls.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1488 NOTEPAD.EXE

pid	process
1820	takeown.exe
1756	icacls.exe

pid	process
1488	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exeMobile:binMobile.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1400 wrote to memory of 1404	1400	e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe	Mobile:bin
PID 1400 wrote to memory of 1404	1400	e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe	Mobile:bin
PID 1400 wrote to memory of 1404	1400	e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe	Mobile:bin
PID 1400 wrote to memory of 1404	1400	e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe	Mobile:bin
PID 1404 wrote to memory of 480	1404	Mobile:bin	vssadmin.exe
PID 1404 wrote to memory of 480	1404	Mobile:bin	vssadmin.exe
PID 1404 wrote to memory of 480	1404	Mobile:bin	vssadmin.exe
PID 1404 wrote to memory of 480	1404	Mobile:bin	vssadmin.exe
PID 1404 wrote to memory of 1820	1404	Mobile:bin	takeown.exe
PID 1404 wrote to memory of 1820	1404	Mobile:bin	takeown.exe
PID 1404 wrote to memory of 1820	1404	Mobile:bin	takeown.exe
PID 1404 wrote to memory of 1820	1404	Mobile:bin	takeown.exe
PID 1404 wrote to memory of 1756	1404	Mobile:bin	icacls.exe
PID 1404 wrote to memory of 1756	1404	Mobile:bin	icacls.exe
PID 1404 wrote to memory of 1756	1404	Mobile:bin	icacls.exe
PID 1404 wrote to memory of 1756	1404	Mobile:bin	icacls.exe
PID 688 wrote to memory of 1296	688	Mobile.exe	cmd.exe
PID 688 wrote to memory of 1296	688	Mobile.exe	cmd.exe
PID 688 wrote to memory of 1296	688	Mobile.exe	cmd.exe
PID 688 wrote to memory of 1296	688	Mobile.exe	cmd.exe
PID 1296 wrote to memory of 1864	1296	cmd.exe	choice.exe
PID 1296 wrote to memory of 1864	1296	cmd.exe	choice.exe
PID 1296 wrote to memory of 1864	1296	cmd.exe	choice.exe
PID 1296 wrote to memory of 1864	1296	cmd.exe	choice.exe
PID 1404 wrote to memory of 1576	1404	Mobile:bin	cmd.exe
PID 1404 wrote to memory of 1576	1404	Mobile:bin	cmd.exe
PID 1404 wrote to memory of 1576	1404	Mobile:bin	cmd.exe
PID 1404 wrote to memory of 1576	1404	Mobile:bin	cmd.exe
PID 1400 wrote to memory of 1584	1400	e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe	cmd.exe
PID 1400 wrote to memory of 1584	1400	e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe	cmd.exe
PID 1400 wrote to memory of 1584	1400	e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe	cmd.exe
PID 1400 wrote to memory of 1584	1400	e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe	cmd.exe
PID 1576 wrote to memory of 1624	1576	cmd.exe	choice.exe
PID 1576 wrote to memory of 1624	1576	cmd.exe	choice.exe
PID 1576 wrote to memory of 1624	1576	cmd.exe	choice.exe
PID 1576 wrote to memory of 1624	1576	cmd.exe	choice.exe
PID 1584 wrote to memory of 1520	1584	cmd.exe	choice.exe
PID 1584 wrote to memory of 1520	1584	cmd.exe	choice.exe
PID 1584 wrote to memory of 1520	1584	cmd.exe	choice.exe
PID 1584 wrote to memory of 1520	1584	cmd.exe	choice.exe
PID 1296 wrote to memory of 1260	1296	cmd.exe	attrib.exe
PID 1296 wrote to memory of 1260	1296	cmd.exe	attrib.exe
PID 1296 wrote to memory of 1260	1296	cmd.exe	attrib.exe
PID 1296 wrote to memory of 1260	1296	cmd.exe	attrib.exe
PID 1576 wrote to memory of 1000	1576	cmd.exe	attrib.exe
PID 1576 wrote to memory of 1000	1576	cmd.exe	attrib.exe
PID 1576 wrote to memory of 1000	1576	cmd.exe	attrib.exe
PID 1576 wrote to memory of 1000	1576	cmd.exe	attrib.exe
PID 1584 wrote to memory of 2040	1584	cmd.exe	attrib.exe
PID 1584 wrote to memory of 2040	1584	cmd.exe	attrib.exe
PID 1584 wrote to memory of 2040	1584	cmd.exe	attrib.exe
PID 1584 wrote to memory of 2040	1584	cmd.exe	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe
"C:\Users\Admin\AppData\Local\Temp\e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe"
1⤵
- NTFS ADS
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1400

C:\Users\Admin\AppData\Roaming\Mobile:bin
C:\Users\Admin\AppData\Roaming\Mobile:bin -r
2⤵
- Drops file in System32 directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:480

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Windows\system32\Mobile.exe
3⤵
- Modifies file permissions
- Possible privilege escalation attempt
PID:1820

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Windows\system32\Mobile.exe /reset
3⤵
- Modifies file permissions
- Possible privilege escalation attempt
PID:1756

C:\Windows\SysWOW64\cmd.exe
cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Mobile" & del "C:\Users\Admin\AppData\Roaming\Mobile"
3⤵
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\choice.exe
choice /t 10 /d y
4⤵
PID:1624

C:\Windows\SysWOW64\attrib.exe
attrib -h "C:\Users\Admin\AppData\Roaming\Mobile"
4⤵
- Views/modifies file attributes
PID:1000

C:\Windows\SysWOW64\cmd.exe
cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe" & del "C:\Users\Admin\AppData\Local\Temp\e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\choice.exe
choice /t 10 /d y
3⤵
PID:1520

C:\Windows\SysWOW64\attrib.exe
attrib -h "C:\Users\Admin\AppData\Local\Temp\e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe"
3⤵
- Views/modifies file attributes
PID:2040

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:1588

C:\Windows\SysWOW64\Mobile.exe
C:\Windows\SysWOW64\Mobile.exe -s
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\SysWOW64\cmd.exe
cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Mobile.exe" & del "C:\Windows\SysWOW64\Mobile.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\SysWOW64\choice.exe
choice /t 10 /d y
3⤵
PID:1864

C:\Windows\SysWOW64\attrib.exe
attrib -h "C:\Windows\SysWOW64\Mobile.exe"
3⤵
- Drops file in System32 directory
- Views/modifies file attributes
PID:1260

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ExpandRegister.xlt.eswasted_info.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

File Permissions Modification

1

T1222

Hidden Files and Directories

1

T1158

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mobile:bin

Download Submit
C:\Users\Admin\AppData\Roaming\Mobile:bin

Download Submit
C:\Users\Admin\Desktop\ExpandRegister.xlt.eswasted_info.txt

Download Submit
C:\Windows\SysWOW64\Mobile.exe

Download Submit
C:\Windows\SysWOW64\Mobile.exe

Download Submit
\Users\Admin\AppData\Roaming\Mobile

Download Submit
\Users\Admin\AppData\Roaming\Mobile

Download Submit
memory/480-4-0x0000000000000000-mapping.dmp

Download
memory/1000-17-0x0000000000000000-mapping.dmp

Download
memory/1260-16-0x0000000000000000-mapping.dmp

Download
memory/1296-10-0x0000000000000000-mapping.dmp

Download
memory/1404-2-0x0000000000000000-mapping.dmp

Download
memory/1520-15-0x0000000000000000-mapping.dmp

Download
memory/1576-12-0x0000000000000000-mapping.dmp

Download
memory/1584-13-0x0000000000000000-mapping.dmp

Download
memory/1624-14-0x0000000000000000-mapping.dmp

Download
memory/1756-8-0x0000000000000000-mapping.dmp

Download
memory/1820-6-0x0000000000000000-mapping.dmp

Download
memory/1864-11-0x0000000000000000-mapping.dmp

Download
memory/2040-18-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads