General

  • Target

    887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d

  • Size

    1.1MB

  • Sample

    200630-wtwbvyh1jj

  • MD5

    6b20ef8fb494cc6e455220356de298d0

  • SHA1

    763d356d30e81d1cd15f6bc6a31f96181edb0b8f

  • SHA256

    887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d

  • SHA512

    ef53b73a911a608439bf929fa66a66fbf015ed274735b91c1d3b08128b14d6514d5514157e541441b9de0827d068c8f514cfd24a3a52fecb2d09764c4fb3311a

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\RenameRequest.mpg.txt

Family

wastedlocker

Ransom Note

BBA Aviation

YOUR NETWORK IS ENCRYPTED NOW

USE 91645@PROTONMAIL.CH | 61258@ECLIPSO.CH
TO GET THE PRICE FOR YOUR DATA

DO NOT GIVE THIS EMAIL TO 3RD PARTIES

DO NOT RENAME OR MOVE THE FILE

THE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:
[begin_key]
ix/b/i1n5IoAXTHl/eUGlha2dAFkpgTmpX6cRY1GQ3nevRmzkvv2OWdWToJOTFVt
dBzlVKYRzqK2GiU8c8UEHnA0O/h2BaDmnFcPp66p+6vyQ9eBkwXu5QAP2YnUWGVu
I0QQQsWgbr6q39mYF/FNBubqLahue6D0w7lpJeIvOZQC25yhYfk+YzGRwY49QYDf
jxGch4Mv1t9CcJXE8IAc6GUcVFPUQrUPmWn0NJ1iynJo3u1IAAhlt/IYBmfqFgeF
my89vA9Cy8oS4BlQ+ywp5v5KoU5yTXpefSMefOX4zFYIsCsu6wFqGhyMDy/Nbys9
2Ie6JWZ8rFxzx8xQGXojCA2D8Y9MKOf51EJFcmKzL4k4RiJYJz7KaeA3Q8Dy1RsU
iuaSvlu5vnRJTHCCTdnFmLVz6jAHys91va04roEWLbJlwlxtyEN+Ez4tn+iug0bN
G6Hjp04NvFJGke7jt0d6281AYDe9tDs2eTQ8G8M+2a0U1jfoOIVMbu5B4QPGv8Jy
GID5c9m0r4AbX4Qqa/NLmLuwVXSyrt1Z6RvRjfk4YQx7UbtrWumKRCMMwnFg1rq9
QPIt0wD3luyBrtdcVprS5AUbc6rXqFS/7k7ohV8EjJVeisx1CBvLOEBtn2iTn8cX
7RhTm1FRjq9Gz7NmF69c7r0RAamdb6iJCDVkrcBj9xJ=
[end_key]
KEEP IT

Emails

91645@PROTONMAIL.CH

61258@ECLIPSO.CH

Extracted

Path

C:\Users\Admin\Desktop\FormatRequest.wmf.txt

Family

wastedlocker

Ransom Note

BBA Aviation

YOUR NETWORK IS ENCRYPTED NOW

USE 91645@PROTONMAIL.CH | 61258@ECLIPSO.CH
TO GET THE PRICE FOR YOUR DATA

DO NOT GIVE THIS EMAIL TO 3RD PARTIES

DO NOT RENAME OR MOVE THE FILE

THE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:
[begin_key]
WKBc2Jtdg8eBI/92fL/IcPyqpDM7ZDUc33WEuLWmgvRvVI6UxpLLmGmm3dugkY+5
o8HXYQTrx1hU/ykMLg4c6ADFH52C4PKXH5o3EU22KJ57hlBKNrj+2gRQ1/uBlTZ2
r/dxlWPf7259NdgB+Br8duD4FJfiDHMt/GnPm9QhZ7KSpEEkNpV6CDaIXHrpNqEr
UjfUCIsgVxa4n/5tYCUevauT/OUoHxV+/7EcMfeCeJNXVAnUUMRUV/e0OJ64EAbR
OqyJGEPrkS931iaM4WyaPw0Y9npSmutrDTen6q1gFbyLZ5PMaKRzhm/4jMezAARn
xfelKR9X8ZnkKwkDHNP0UaFTZfQwl2QyurZFGfGqKI9XybvasI8xRelalr50AFfU
SR1/2Dqv3LEPBtaF3Jds460kbKMcH3waZvMznhmGyG348iHcRLP1gdOB2Iaft9fv
Ih+uvcWEhth/i55tAamSQoBvrqFYc/jQ2p4haJ7GoHTSrIzYhOzeo0h+YllDpb4N
eT81GOaHA3HUMTnlI/D1Wl83sMrDS7rY1JabPlwjuvq+65gbjSqoU/N5WyGQOKdQ
cl0rUx7Qp/K3EEeqOlgpuXXsAOsEZBban5DKcR/VVOe1fSkAyZKT12YDkI53lgmU
75DOmD3bO1CQhr2stOcMB5oGesqsXLiboQ/UYCBsyZV=
[end_key]
KEEP IT

Emails

91645@PROTONMAIL.CH

61258@ECLIPSO.CH
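Both notes extracted above (RenameRequest.mpg.txt and FormatRequest.wmf.txt) share one layout: victim name, the "YOUR NETWORK IS ENCRYPTED NOW" banner, two contact addresses, and a base64 blob between [begin_key] and [end_key]. The following is an added example of a small parser for that layout, run on the first of the two notes; it is not Triage's extractor and not code from the sample. The regular expressions and the expectation that the blob decodes to exactly 512 bytes are this example's own assumptions about the format. The 512-byte figure is the size of one RSA-4096 block, which fits the public descriptions of WastedLocker wrapping the per-file key with an attacker-held RSA public key; in practical terms the blob in the note is ciphertext, not a key a defender can use to recover the file.

```python
"""Parse a WastedLocker-style ransom note into the fields the
"Extracted" blocks above report: victim name, contact e-mails and the
[begin_key]...[end_key] blob.

Added example for this report; not Triage's own extractor and not
code from the sample.  NOTE is the note the sandbox pulled from
RenameRequest.mpg.txt (FormatRequest.wmf.txt has the same layout).
The regexes and the 512-byte length check are this example's own
assumptions about the format, not facts stated on the page.
"""
import base64
import binascii
import re
from dataclasses import dataclass

NOTE = """BBA Aviation

YOUR NETWORK IS ENCRYPTED NOW

USE 91645@PROTONMAIL.CH | 61258@ECLIPSO.CH
TO GET THE PRICE FOR YOUR DATA

DO NOT GIVE THIS EMAIL TO 3RD PARTIES

DO NOT RENAME OR MOVE THE FILE

THE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:
[begin_key]
ix/b/i1n5IoAXTHl/eUGlha2dAFkpgTmpX6cRY1GQ3nevRmzkvv2OWdWToJOTFVt
dBzlVKYRzqK2GiU8c8UEHnA0O/h2BaDmnFcPp66p+6vyQ9eBkwXu5QAP2YnUWGVu
I0QQQsWgbr6q39mYF/FNBubqLahue6D0w7lpJeIvOZQC25yhYfk+YzGRwY49QYDf
jxGch4Mv1t9CcJXE8IAc6GUcVFPUQrUPmWn0NJ1iynJo3u1IAAhlt/IYBmfqFgeF
my89vA9Cy8oS4BlQ+ywp5v5KoU5yTXpefSMefOX4zFYIsCsu6wFqGhyMDy/Nbys9
2Ie6JWZ8rFxzx8xQGXojCA2D8Y9MKOf51EJFcmKzL4k4RiJYJz7KaeA3Q8Dy1RsU
iuaSvlu5vnRJTHCCTdnFmLVz6jAHys91va04roEWLbJlwlxtyEN+Ez4tn+iug0bN
G6Hjp04NvFJGke7jt0d6281AYDe9tDs2eTQ8G8M+2a0U1jfoOIVMbu5B4QPGv8Jy
GID5c9m0r4AbX4Qqa/NLmLuwVXSyrt1Z6RvRjfk4YQx7UbtrWumKRCMMwnFg1rq9
QPIt0wD3luyBrtdcVprS5AUbc6rXqFS/7k7ohV8EjJVeisx1CBvLOEBtn2iTn8cX
7RhTm1FRjq9Gz7NmF69c7r0RAamdb6iJCDVkrcBj9xJ=
[end_key]
KEEP IT
"""

MARKER = "YOUR NETWORK IS ENCRYPTED NOW"
EMAIL_RE = re.compile(r"[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}", re.I)
KEY_RE = re.compile(r"\[begin_key\](.*?)\[end_key\]", re.S)
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
EXPECTED_KEY_BYTES = 512  # assumption: one RSA-4096 ciphertext block


@dataclass
class WastedLockerNote:
    victim: str
    emails: list
    key_b64: str
    key_bytes: bytes

    @property
    def key_is_rsa4096_block(self) -> bool:
        return len(self.key_bytes) == EXPECTED_KEY_BYTES


def parse_note(text: str) -> WastedLockerNote:
    """Extract victim, e-mails and key blob; raise ValueError if the
    text does not look like a WastedLocker note."""
    if MARKER not in text:
        raise ValueError("missing '%s' banner" % MARKER)
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # The victim name is the first non-empty line, ahead of the banner.
    victim = lines[0] if lines[0] != MARKER else ""
    # Contact addresses, upper-cased and de-duplicated in order of appearance.
    emails = []
    for addr in EMAIL_RE.findall(text):
        addr = addr.upper()
        if addr not in emails:
            emails.append(addr)
    m = KEY_RE.search(text)
    if not m:
        raise ValueError("no [begin_key]...[end_key] block")
    # The note wraps the blob at 64 columns; drop all whitespace first.
    key_b64 = re.sub(r"\s+", "", m.group(1))
    if not B64_RE.fullmatch(key_b64) or len(key_b64) % 4:
        raise ValueError("key blob is not well-formed base64")
    try:
        key_bytes = base64.b64decode(key_b64)
    except binascii.Error as exc:
        raise ValueError("key blob does not decode: %s" % exc) from exc
    return WastedLockerNote(victim, emails, key_b64, key_bytes)


if __name__ == "__main__":
    note = parse_note(NOTE)
    print("victim :", note.victim)
    print("emails :", ", ".join(note.emails))
    print("key    : %d base64 chars -> %d bytes (RSA-4096 block: %s)"
          % (len(note.key_b64), len(note.key_bytes), note.key_is_rsa4096_block))
```

The victim name and the two addresses are the same across both notes on this page, so a hunt can pivot on the addresses rather than on the per-file blob, which differs for every encrypted file.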

Targets

    • Target

      887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d

    • Size

      1.1MB

    • MD5

      6b20ef8fb494cc6e455220356de298d0

    • SHA1

      763d356d30e81d1cd15f6bc6a31f96181edb0b8f

    • SHA256

      887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d

    • SHA512

      ef53b73a911a608439bf929fa66a66fbf015ed274735b91c1d3b08128b14d6514d5514157e541441b9de0827d068c8f514cfd24a3a52fecb2d09764c4fb3311a

    • WastedLocker

      Ransomware family seen in the wild since May 2020.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Possible privilege escalation attempt

    • Deletes itself

    • Loads dropped DLL

    • Modifies file permissions

    • Drops file in System32 directory

    • Modifies service
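The "Deletes shadow copies" signature above maps to ATT&CK T1490 (Inhibit System Recovery). The report does not show the exact command line this sample ran, so the following added example (not part of the sandbox report) demonstrates generic detection logic for the technique: a rule set over the built-in Windows tools commonly used to remove shadow copies and disable recovery, run over a few constructed process-creation events in JSON-lines form. The event records, host names and rule names are this example's own.

```python
"""Detection logic for the "Deletes shadow copies" behaviour this report
flags (ATT&CK T1490, Inhibit System Recovery), run over sample
process-creation events.

Added example, not part of the sandbox report.  EVENTS is constructed
to look like Sysmon Event ID 1 / Security 4688 records flattened to
JSON lines; it is not telemetry from the run on this page, and the
page does not show the command line the sample used.
"""
import json
import re

# Constructed sample events (not from the sandbox run on this page).
EVENTS = r"""
{"ts":"2020-06-30T10:02:11Z","host":"WS-FIN-07","user":"CORP\\jdoe","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe RenameRequest.mpg.txt"}
{"ts":"2020-06-30T10:02:40Z","host":"BK-SRV-01","user":"CORP\\svc_backup","image":"C:\\Windows\\System32\\vssadmin.exe","cmdline":"vssadmin list shadows"}
{"ts":"2020-06-30T10:03:05Z","host":"WS-FIN-07","user":"NT AUTHORITY\\SYSTEM","image":"C:\\Windows\\System32\\vssadmin.exe","cmdline":"vssadmin.exe Delete Shadows /All /Quiet"}
{"ts":"2020-06-30T10:03:06Z","host":"WS-FIN-07","user":"NT AUTHORITY\\SYSTEM","image":"C:\\Windows\\System32\\wbem\\WMIC.exe","cmdline":"wmic shadowcopy delete"}
{"ts":"2020-06-30T10:03:07Z","host":"WS-FIN-07","user":"NT AUTHORITY\\SYSTEM","image":"C:\\Windows\\System32\\bcdedit.exe","cmdline":"bcdedit /set {default} recoveryenabled No"}
{"ts":"2020-06-30T10:03:08Z","host":"WS-FIN-07","user":"NT AUTHORITY\\SYSTEM","image":"C:\\Windows\\System32\\wbadmin.exe","cmdline":"wbadmin delete catalog -quiet"}
"""

# Each rule: (name, regex matched case-insensitively against the command line).
RULES = [
    ("vssadmin_delete_shadows",
     r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"),
    ("vssadmin_resize_shadowstorage",
     r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b"),
    ("wmic_shadowcopy_delete",
     r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b"),
    ("wbadmin_delete_backup",
     r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup|backup)\b"),
    ("bcdedit_disable_recovery",
     r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"),
    ("diskshadow_delete_shadows",
     r"\bdiskshadow(?:\.exe)?\b.*\bdelete\s+shadows\b"),
    ("wmi_win32_shadowcopy_delete",
     r"win32_shadowcopy\b.*(?:\.delete\(\)|remove-wmiobject|remove-ciminstance)"),
]
COMPILED = [(name, re.compile(pat, re.I)) for name, pat in RULES]


def load_events(text):
    """Parse JSON-lines process events, skipping blank lines."""
    return [json.loads(ln) for ln in text.splitlines() if ln.strip()]


def detect_t1490(events):
    """Return one finding per (event, rule) match, in event order."""
    findings = []
    for ev in events:
        cmd = ev.get("cmdline", "")
        for name, rx in COMPILED:
            if rx.search(cmd):
                findings.append({"ts": ev["ts"], "host": ev["host"],
                                 "user": ev.get("user", ""),
                                 "rule": name, "cmdline": cmd})
    return findings


def hosts_by_distinct_rules(findings, min_rules=2):
    """Hosts on which at least min_rules different rules fired.  One
    'vssadmin delete shadows' may be an admin freeing disk space; several
    different recovery-inhibition commands in a burst rarely are."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f["host"], set()).add(f["rule"])
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_rules}


if __name__ == "__main__":
    found = detect_t1490(load_events(EVENTS))
    for f in found:
        print(f["ts"], f["host"], f["rule"], "<-", f["cmdline"])
    print("escalate:", hosts_by_distinct_rules(found))
```

The per-host aggregation is the part worth keeping: the single-command rules are noisy in environments where backup jobs legitimately call vssadmin, while two or more distinct recovery-inhibition commands on one host inside a short window is the pattern a ransomware payload produces just before encryption.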

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic             Technique                       ID      Count
Persistence        Modify Existing Service         T1031   1
Persistence        Hidden Files and Directories    T1158   1
Defense Evasion    File Deletion                   T1107   2
Defense Evasion    File Permissions Modification   T1222   1
Defense Evasion    Modify Registry                 T1112   1
Defense Evasion    Hidden Files and Directories    T1158   1
Impact             Inhibit System Recovery         T1490   2

Tasks