Analysis
-
max time kernel
136s -
max time network
121s -
platform
windows10_x64 -
resource
win10 -
submitted
30-06-2020 15:30
Static task
static1
Behavioral task
behavioral1
Sample
e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe
Resource
win7v200430
Behavioral task
behavioral2
Sample
e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe
Resource
win10
General
-
Target
e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe
-
Size
1.1MB
-
MD5
f67ea8e471e827e4b7b65b65647d1d46
-
SHA1
e62d3a4fe0da1b1b8e9bcff3148becd6d02bcb07
-
SHA256
e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb
-
SHA512
b6b2cc29a5c5247d4a68ec7e7d0080e2f6e460eee98ece85498fe25b044beea8d3e15139bcdbaad744c6fb3e9caff7a127bd4487ba35c191a57883e2b47aecc4
Malware Config
Extracted
C:\Users\Admin\Desktop\EnterPush.mpg.eswasted_info.txt
wastedlocker
48907@PROTONMAIL.COM
78470@TUTANOTA.COM
Signatures
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 3848 vssvc.exe Token: SeRestorePrivilege 3848 vssvc.exe Token: SeAuditPrivilege 3848 vssvc.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies service 2 TTPs 5 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe -
Drops file in System32 directory 2 IoCs
Processes:
Information:binattrib.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Information.exe Information:bin File opened for modification C:\Windows\SysWOW64\Information.exe attrib.exe -
Modifies file permissions 1 TTPs 2 IoCs
Processes:
takeown.exeicacls.exepid process 332 takeown.exe 3320 icacls.exe -
Executes dropped EXE 2 IoCs
Processes:
Information:binInformation.exepid process 3840 Information:bin 728 Information.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 1892 vssadmin.exe -
Possible privilege escalation attempt 2 IoCs
Processes:
takeown.exeicacls.exepid process 332 takeown.exe 3320 icacls.exe -
Views/modifies file attributes 1 TTPs 3 IoCs
Processes:
attrib.exeattrib.exeattrib.exepid process 896 attrib.exe 60 attrib.exe 1040 attrib.exe -
NTFS ADS 1 IoCs
Processes:
e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Information:bin e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe -
WastedLocker
Ransomware family seen in the wild since May 2020.
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 2500 NOTEPAD.EXE -
Suspicious use of WriteProcessMemory 38 IoCs
Processes:
e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exeInformation:binInformation.execmd.execmd.execmd.exedescription pid process target process PID 3676 wrote to memory of 3840 3676 e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe Information:bin PID 3676 wrote to memory of 3840 3676 e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe Information:bin PID 3676 wrote to memory of 3840 3676 e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe Information:bin PID 3840 wrote to memory of 1892 3840 Information:bin vssadmin.exe PID 3840 wrote to memory of 1892 3840 Information:bin vssadmin.exe PID 3840 wrote to memory of 332 3840 Information:bin takeown.exe PID 3840 wrote to memory of 332 3840 Information:bin takeown.exe PID 3840 wrote to memory of 332 3840 Information:bin takeown.exe PID 3840 wrote to memory of 3320 3840 Information:bin icacls.exe PID 3840 wrote to memory of 3320 3840 Information:bin icacls.exe PID 3840 wrote to memory of 3320 3840 Information:bin icacls.exe PID 728 wrote to memory of 2224 728 Information.exe cmd.exe PID 728 wrote to memory of 2224 728 Information.exe cmd.exe PID 728 wrote to memory of 2224 728 Information.exe cmd.exe PID 2224 wrote to memory of 2108 2224 cmd.exe choice.exe PID 2224 wrote to memory of 2108 2224 cmd.exe choice.exe PID 2224 wrote to memory of 2108 2224 cmd.exe choice.exe PID 3840 wrote to memory of 2836 3840 Information:bin cmd.exe PID 3840 wrote to memory of 2836 3840 Information:bin cmd.exe PID 3840 wrote to memory of 2836 3840 Information:bin cmd.exe PID 3676 wrote to memory of 3744 3676 e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe cmd.exe PID 3676 wrote to memory of 3744 3676 e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe cmd.exe PID 3676 wrote to memory of 3744 3676 e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe cmd.exe PID 2836 wrote to memory of 632 2836 cmd.exe choice.exe PID 2836 wrote to memory of 632 2836 cmd.exe choice.exe PID 2836 wrote to memory of 632 2836 cmd.exe choice.exe PID 3744 wrote to memory of 664 3744 cmd.exe choice.exe PID 3744 wrote to memory of 664 3744 cmd.exe choice.exe PID 3744 wrote to memory of 664 3744 cmd.exe choice.exe PID 2224 wrote to memory of 896 2224 cmd.exe attrib.exe PID 2224 wrote to memory of 896 2224 cmd.exe attrib.exe PID 2224 wrote to memory of 896 2224 cmd.exe attrib.exe PID 2836 wrote to memory of 60 2836 cmd.exe attrib.exe PID 2836 wrote to memory of 60 2836 cmd.exe attrib.exe PID 2836 wrote to memory of 60 2836 cmd.exe attrib.exe PID 3744 wrote to memory of 1040 3744 cmd.exe attrib.exe PID 3744 wrote to memory of 1040 3744 cmd.exe attrib.exe PID 3744 wrote to memory of 1040 3744 cmd.exe attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe"C:\Users\Admin\AppData\Local\Temp\e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe"1⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Information:binC:\Users\Admin\AppData\Roaming\Information:bin -r2⤵
- Drops file in System32 directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Windows\system32\Information.exe3⤵
- Modifies file permissions
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Windows\system32\Information.exe /reset3⤵
- Modifies file permissions
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Information" & del "C:\Users\Admin\AppData\Roaming\Information"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y4⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Users\Admin\AppData\Roaming\Information"4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe" & del "C:\Users\Admin\AppData\Local\Temp\e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Users\Admin\AppData\Local\Temp\e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe"3⤵
- Views/modifies file attributes
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
-
C:\Windows\SysWOW64\Information.exeC:\Windows\SysWOW64\Information.exe -s1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Information.exe" & del "C:\Windows\SysWOW64\Information.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Windows\SysWOW64\Information.exe"3⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\EnterPush.mpg.eswasted_info.txt1⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Information:bin
-
C:\Users\Admin\AppData\Roaming\Information:bin
-
C:\Users\Admin\Desktop\EnterPush.mpg.eswasted_info.txt
-
C:\Windows\SysWOW64\Information.exe
-
C:\Windows\SysWOW64\Information.exe
-
memory/60-15-0x0000000000000000-mapping.dmp
-
memory/332-4-0x0000000000000000-mapping.dmp
-
memory/632-12-0x0000000000000000-mapping.dmp
-
memory/664-13-0x0000000000000000-mapping.dmp
-
memory/896-14-0x0000000000000000-mapping.dmp
-
memory/1040-16-0x0000000000000000-mapping.dmp
-
memory/1892-3-0x0000000000000000-mapping.dmp
-
memory/2108-9-0x0000000000000000-mapping.dmp
-
memory/2224-8-0x0000000000000000-mapping.dmp
-
memory/2836-10-0x0000000000000000-mapping.dmp
-
memory/3320-6-0x0000000000000000-mapping.dmp
-
memory/3744-11-0x0000000000000000-mapping.dmp
-
memory/3840-0-0x0000000000000000-mapping.dmp