wastedlocker | 887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d

Analysis

max time kernel
44s
max time network
52s
platform
windows7_x64
resource
win7v200430
submitted
30-06-2020 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe
Size

1.1MB
MD5

6b20ef8fb494cc6e455220356de298d0
SHA1

763d356d30e81d1cd15f6bc6a31f96181edb0b8f
SHA256

887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d
SHA512

ef53b73a911a608439bf929fa66a66fbf015ed274735b91c1d3b08128b14d6514d5514157e541441b9de0827d068c8f514cfd24a3a52fecb2d09764c4fb3311a

Score

10^/10

ransomware persistence discovery exploit wastedlocker

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\RenameRequest.mpg.txt

Family

wastedlocker

Ransom Note

BBA Aviation YOUR NETWORK IS ENCRYPTED NOW USE [email protected] | [email protected] TO GET THE PRICE FOR YOUR DATA DO NOT GIVE THIS EMAIL TO 3RD PARTIES DO NOT RENAME OR MOVE THE FILE THE FILE IS ENCRYPTED WITH THE FOLLOWING KEY: [begin_key]ix/b/i1n5IoAXTHl/eUGlha2dAFkpgTmpX6cRY1GQ3nevRmzkvv2OWdWToJOTFVt dBzlVKYRzqK2GiU8c8UEHnA0O/h2BaDmnFcPp66p+6vyQ9eBkwXu5QAP2YnUWGVu I0QQQsWgbr6q39mYF/FNBubqLahue6D0w7lpJeIvOZQC25yhYfk+YzGRwY49QYDf jxGch4Mv1t9CcJXE8IAc6GUcVFPUQrUPmWn0NJ1iynJo3u1IAAhlt/IYBmfqFgeF my89vA9Cy8oS4BlQ+ywp5v5KoU5yTXpefSMefOX4zFYIsCsu6wFqGhyMDy/Nbys9 2Ie6JWZ8rFxzx8xQGXojCA2D8Y9MKOf51EJFcmKzL4k4RiJYJz7KaeA3Q8Dy1RsU iuaSvlu5vnRJTHCCTdnFmLVz6jAHys91va04roEWLbJlwlxtyEN+Ez4tn+iug0bN G6Hjp04NvFJGke7jt0d6281AYDe9tDs2eTQ8G8M+2a0U1jfoOIVMbu5B4QPGv8Jy GID5c9m0r4AbX4Qqa/NLmLuwVXSyrt1Z6RvRjfk4YQx7UbtrWumKRCMMwnFg1rq9 QPIt0wD3luyBrtdcVprS5AUbc6rXqFS/7k7ohV8EjJVeisx1CBvLOEBtn2iTn8cX 7RhTm1FRjq9Gz7NmF69c7r0RAamdb6iJCDVkrcBj9xJ=[end_key] KEEP IT

Emails

[email protected]

Signatures

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1424	1388	887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe	24
PID 1388 wrote to memory of 1424	1388	887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe	24
PID 1388 wrote to memory of 1424	1388	887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe	24
PID 1388 wrote to memory of 1424	1388	887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe	24
PID 1424 wrote to memory of 1556	1424	Backup:bin	25
PID 1424 wrote to memory of 1556	1424	Backup:bin	25
PID 1424 wrote to memory of 1556	1424	Backup:bin	25
PID 1424 wrote to memory of 1556	1424	Backup:bin	25
PID 1424 wrote to memory of 1804	1424	Backup:bin	29
PID 1424 wrote to memory of 1804	1424	Backup:bin	29
PID 1424 wrote to memory of 1804	1424	Backup:bin	29
PID 1424 wrote to memory of 1804	1424	Backup:bin	29
PID 1424 wrote to memory of 1824	1424	Backup:bin	31
PID 1424 wrote to memory of 1824	1424	Backup:bin	31
PID 1424 wrote to memory of 1824	1424	Backup:bin	31
PID 1424 wrote to memory of 1824	1424	Backup:bin	31
PID 1864 wrote to memory of 520	1864	Backup.exe	35
PID 1864 wrote to memory of 520	1864	Backup.exe	35
PID 1864 wrote to memory of 520	1864	Backup.exe	35
PID 1864 wrote to memory of 520	1864	Backup.exe	35
PID 520 wrote to memory of 1584	520	cmd.exe	37
PID 520 wrote to memory of 1584	520	cmd.exe	37
PID 520 wrote to memory of 1584	520	cmd.exe	37
PID 520 wrote to memory of 1584	520	cmd.exe	37
PID 1424 wrote to memory of 1616	1424	Backup:bin	38
PID 1424 wrote to memory of 1616	1424	Backup:bin	38
PID 1424 wrote to memory of 1616	1424	Backup:bin	38
PID 1424 wrote to memory of 1616	1424	Backup:bin	38
PID 1388 wrote to memory of 1608	1388	887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe	39
PID 1388 wrote to memory of 1608	1388	887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe	39
PID 1388 wrote to memory of 1608	1388	887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe	39
PID 1388 wrote to memory of 1608	1388	887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe	39
PID 1616 wrote to memory of 268	1616	cmd.exe	42
PID 1616 wrote to memory of 268	1616	cmd.exe	42
PID 1616 wrote to memory of 268	1616	cmd.exe	42
PID 1616 wrote to memory of 268	1616	cmd.exe	42
PID 1608 wrote to memory of 760	1608	cmd.exe	43
PID 1608 wrote to memory of 760	1608	cmd.exe	43
PID 1608 wrote to memory of 760	1608	cmd.exe	43
PID 1608 wrote to memory of 760	1608	cmd.exe	43
PID 520 wrote to memory of 1916	520	cmd.exe	44
PID 520 wrote to memory of 1916	520	cmd.exe	44
PID 520 wrote to memory of 1916	520	cmd.exe	44
PID 520 wrote to memory of 1916	520	cmd.exe	44
PID 1616 wrote to memory of 1940	1616	cmd.exe	45
PID 1616 wrote to memory of 1940	1616	cmd.exe	45
PID 1616 wrote to memory of 1940	1616	cmd.exe	45
PID 1616 wrote to memory of 1940	1616	cmd.exe	45
PID 1608 wrote to memory of 1948	1608	cmd.exe	46
PID 1608 wrote to memory of 1948	1608	cmd.exe	46
PID 1608 wrote to memory of 1948	1608	cmd.exe	46
PID 1608 wrote to memory of 1948	1608	cmd.exe	46

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1560	NOTEPAD.EXE

Loads dropped DLL 2 IoCs

pid	Process
1388	887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe
1388	887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Backup:bin	887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1804	takeown.exe
1824	icacls.exe

WastedLocker
Ransomware family seen in the wild since May 2020.
ransomware wastedlocker

Executes dropped EXE 2 IoCs

pid	Process
1424	Backup:bin
1864	Backup.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	836	vssvc.exe
Token: SeRestorePrivilege	836	vssvc.exe
Token: SeAuditPrivilege	836	vssvc.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1556	vssadmin.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
1804	takeown.exe
1824	icacls.exe

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1916	attrib.exe
1940	attrib.exe
1948	attrib.exe

Deletes itself 1 IoCs

pid	Process
1608	cmd.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Backup.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Backup.exe	Backup:bin

C:\Users\Admin\AppData\Local\Temp\887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe
"C:\Users\Admin\AppData\Local\Temp\887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
- NTFS ADS
PID:1388
- C:\Users\Admin\AppData\Roaming\Backup:bin
  C:\Users\Admin\AppData\Roaming\Backup:bin -r
  2⤵
  - Suspicious use of WriteProcessMemory
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1424
- - C:\Windows\system32\vssadmin.exe
    C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1556
- - C:\Windows\SysWOW64\takeown.exe
    C:\Windows\system32\takeown.exe /F C:\Windows\system32\Backup.exe
    3⤵
    - Modifies file permissions
    - Possible privilege escalation attempt
    PID:1804
- - C:\Windows\SysWOW64\icacls.exe
    C:\Windows\system32\icacls.exe C:\Windows\system32\Backup.exe /reset
    3⤵
    - Modifies file permissions
    - Possible privilege escalation attempt
    PID:1824
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Backup" & del "C:\Users\Admin\AppData\Roaming\Backup"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Windows\SysWOW64\choice.exe
      choice /t 10 /d y
      4⤵
      PID:268
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -h "C:\Users\Admin\AppData\Roaming\Backup"
      4⤵
      Views/modifies file attributes
      PID:1940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe" & del "C:\Users\Admin\AppData\Local\Temp\887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  - Deletes itself
  PID:1608
- - C:\Windows\SysWOW64\choice.exe
    choice /t 10 /d y
    3⤵
    PID:760
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h "C:\Users\Admin\AppData\Local\Temp\887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe"
    3⤵
    - Views/modifies file attributes
    PID:1948

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:836

C:\Windows\SysWOW64\Backup.exe
C:\Windows\SysWOW64\Backup.exe -s
1⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Backup.exe" & del "C:\Windows\SysWOW64\Backup.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:520
- - C:\Windows\SysWOW64\choice.exe
    choice /t 10 /d y
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h "C:\Windows\SysWOW64\Backup.exe"
    3⤵
    - Views/modifies file attributes
    - Drops file in System32 directory
    PID:1916

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RenameRequest.mpg.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads