wastedlocker | e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb

General

Target

e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe
Size

1.1MB
MD5

f67ea8e471e827e4b7b65b65647d1d46
SHA1

e62d3a4fe0da1b1b8e9bcff3148becd6d02bcb07
SHA256

e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb
SHA512

b6b2cc29a5c5247d4a68ec7e7d0080e2f6e460eee98ece85498fe25b044beea8d3e15139bcdbaad744c6fb3e9caff7a127bd4487ba35c191a57883e2b47aecc4

Score

10^/10

ransomware persistence exploit discovery wastedlocker

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\EnterPush.mpg.eswasted_info.txt

Family

wastedlocker

Ransom Note

ENERGYSOLUTIONS YOUR NETWORK IS ENCRYPTED NOW USE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA DO NOT GIVE THIS EMAIL TO 3RD PARTIES DO NOT RENAME OR MOVE THE FILE THE FILE IS ENCRYPTED WITH THE FOLLOWING KEY: [begin_key]Dcp3nv6ZsPAdUdrPKGlRjfu+X1FwH71NEi+yJcmwIv4BIy6NoV65O6wYD6bHg9ca 3dBgnb5q5+9hn5lLSSiub9n2BCYZQfrYeXO8jjs2QIStz78Ty9iCsKRPl0JapnmW /xfLxVZJWew1Glqvt1C10+i68G5HG3ooCoIWyjx2P0ksre/6852ZfmYGMupGbbbi Y8gEUl8uBlDgnEgfpn6sz1PUs8IP0Duf7TCmzmlsFBATKJfTWwQmvOSaY25w835D tXE4HWvPJGSp2UjI8DUQY/lopf3S+fuedyvBTpwJVDOtsS2G58fSQ70fzjigMXqO /yYxwjzNsL8UkiNJm4ymd/bjKKLAeiCFRFp+LUsL9vz/OtF5EneMwjNyWCV6sSqm Vw4MDVq/EPvBNH45TrasKqE+xMD1I8HpzKYeIOkTrpGdBTe5x5dqMWd6pEDbZAf/ EAfQ8bDWdldfu/ViosTZeg80lEw/0Z8B25UpABApQi7PPICPNoiAoA/D1SJZQuh0 mIGbrjNAXwDmpQPlaLZwnLaRZGGBGoDCtSq5sSZj5OjKLDTwX21nQgDmBLfiRaiq dSxVBSJdJA4ReLjxFfLBVx8Hb45zaLVXnp/0W9rvJeoG+LGY4xjPjnqiKWJO6z/i iKZEtM46A4No+S25XKJR6WPyThOZVw0LZGhypYxtGHd=[end_key] KEEP IT

Emails

48907@PROTONMAIL.COM

78470@TUTANOTA.COM

Signatures

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 3848 vssvc.exe
Token: SeRestorePrivilege 3848 vssvc.exe
Token: SeAuditPrivilege 3848 vssvc.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

description	pid	process
Token: SeBackupPrivilege	3848	vssvc.exe
Token: SeRestorePrivilege	3848	vssvc.exe
Token: SeAuditPrivilege	3848	vssvc.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe

Drops file in System32 directory 2 IoCs

Processes:

Information:binattrib.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Information.exe	Information:bin
File opened for modification	C:\Windows\SysWOW64\Information.exe	attrib.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

332 takeown.exe
3320 icacls.exe
Executes dropped EXE 2 IoCs

Processes:

Information:binInformation.exe

pid process

3840 Information:bin
728 Information.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1892 vssadmin.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

332 takeown.exe
3320 icacls.exe
Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

896 attrib.exe
60 attrib.exe
1040 attrib.exe

pid	process
332	takeown.exe
3320	icacls.exe

pid	process
3840	Information:bin
728	Information.exe

pid	process
1892	vssadmin.exe

pid	process
332	takeown.exe
3320	icacls.exe

pid	process
896	attrib.exe
60	attrib.exe
1040	attrib.exe

NTFS ADS 1 IoCs

Processes:

e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Information:bin	e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe

WastedLocker
Ransomware family seen in the wild since May 2020.
ransomware wastedlocker
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2500 NOTEPAD.EXE

pid	process
2500	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exeInformation:binInformation.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3676 wrote to memory of 3840	3676	e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe	Information:bin
PID 3676 wrote to memory of 3840	3676	e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe	Information:bin
PID 3676 wrote to memory of 3840	3676	e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe	Information:bin
PID 3840 wrote to memory of 1892	3840	Information:bin	vssadmin.exe
PID 3840 wrote to memory of 1892	3840	Information:bin	vssadmin.exe
PID 3840 wrote to memory of 332	3840	Information:bin	takeown.exe
PID 3840 wrote to memory of 332	3840	Information:bin	takeown.exe
PID 3840 wrote to memory of 332	3840	Information:bin	takeown.exe
PID 3840 wrote to memory of 3320	3840	Information:bin	icacls.exe
PID 3840 wrote to memory of 3320	3840	Information:bin	icacls.exe
PID 3840 wrote to memory of 3320	3840	Information:bin	icacls.exe
PID 728 wrote to memory of 2224	728	Information.exe	cmd.exe
PID 728 wrote to memory of 2224	728	Information.exe	cmd.exe
PID 728 wrote to memory of 2224	728	Information.exe	cmd.exe
PID 2224 wrote to memory of 2108	2224	cmd.exe	choice.exe
PID 2224 wrote to memory of 2108	2224	cmd.exe	choice.exe
PID 2224 wrote to memory of 2108	2224	cmd.exe	choice.exe
PID 3840 wrote to memory of 2836	3840	Information:bin	cmd.exe
PID 3840 wrote to memory of 2836	3840	Information:bin	cmd.exe
PID 3840 wrote to memory of 2836	3840	Information:bin	cmd.exe
PID 3676 wrote to memory of 3744	3676	e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe	cmd.exe
PID 3676 wrote to memory of 3744	3676	e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe	cmd.exe
PID 3676 wrote to memory of 3744	3676	e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe	cmd.exe
PID 2836 wrote to memory of 632	2836	cmd.exe	choice.exe
PID 2836 wrote to memory of 632	2836	cmd.exe	choice.exe
PID 2836 wrote to memory of 632	2836	cmd.exe	choice.exe
PID 3744 wrote to memory of 664	3744	cmd.exe	choice.exe
PID 3744 wrote to memory of 664	3744	cmd.exe	choice.exe
PID 3744 wrote to memory of 664	3744	cmd.exe	choice.exe
PID 2224 wrote to memory of 896	2224	cmd.exe	attrib.exe
PID 2224 wrote to memory of 896	2224	cmd.exe	attrib.exe
PID 2224 wrote to memory of 896	2224	cmd.exe	attrib.exe
PID 2836 wrote to memory of 60	2836	cmd.exe	attrib.exe
PID 2836 wrote to memory of 60	2836	cmd.exe	attrib.exe
PID 2836 wrote to memory of 60	2836	cmd.exe	attrib.exe
PID 3744 wrote to memory of 1040	3744	cmd.exe	attrib.exe
PID 3744 wrote to memory of 1040	3744	cmd.exe	attrib.exe
PID 3744 wrote to memory of 1040	3744	cmd.exe	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe
"C:\Users\Admin\AppData\Local\Temp\e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe"
1⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:3676

C:\Users\Admin\AppData\Roaming\Information:bin
C:\Users\Admin\AppData\Roaming\Information:bin -r
2⤵
- Drops file in System32 directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3840

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:1892

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Windows\system32\Information.exe
3⤵
- Modifies file permissions
- Possible privilege escalation attempt
PID:332

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Windows\system32\Information.exe /reset
3⤵
- Modifies file permissions
- Possible privilege escalation attempt
PID:3320

C:\Windows\SysWOW64\cmd.exe
cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Information" & del "C:\Users\Admin\AppData\Roaming\Information"
3⤵
- Suspicious use of WriteProcessMemory
PID:2836

C:\Windows\SysWOW64\choice.exe
choice /t 10 /d y
4⤵
PID:632

C:\Windows\SysWOW64\attrib.exe
attrib -h "C:\Users\Admin\AppData\Roaming\Information"
4⤵
- Views/modifies file attributes
PID:60

C:\Windows\SysWOW64\cmd.exe
cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe" & del "C:\Users\Admin\AppData\Local\Temp\e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3744

C:\Windows\SysWOW64\choice.exe
choice /t 10 /d y
3⤵
PID:664

C:\Windows\SysWOW64\attrib.exe
attrib -h "C:\Users\Admin\AppData\Local\Temp\e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb.exe"
3⤵
- Views/modifies file attributes
PID:1040

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:3848

C:\Windows\SysWOW64\Information.exe
C:\Windows\SysWOW64\Information.exe -s
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:728

C:\Windows\SysWOW64\cmd.exe
cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Information.exe" & del "C:\Windows\SysWOW64\Information.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\SysWOW64\choice.exe
choice /t 10 /d y
3⤵
PID:2108

C:\Windows\SysWOW64\attrib.exe
attrib -h "C:\Windows\SysWOW64\Information.exe"
3⤵
- Drops file in System32 directory
- Views/modifies file attributes
PID:896

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\EnterPush.mpg.eswasted_info.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2500