wastedlocker | 887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d

General

Target

887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe
Size

1.1MB
MD5

6b20ef8fb494cc6e455220356de298d0
SHA1

763d356d30e81d1cd15f6bc6a31f96181edb0b8f
SHA256

887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d
SHA512

ef53b73a911a608439bf929fa66a66fbf015ed274735b91c1d3b08128b14d6514d5514157e541441b9de0827d068c8f514cfd24a3a52fecb2d09764c4fb3311a

Score

10^/10

ransomware persistence discovery exploit wastedlocker

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\RenameRequest.mpg.txt

Family

wastedlocker

Ransom Note

BBA Aviation YOUR NETWORK IS ENCRYPTED NOW USE 91645@PROTONMAIL.CH | 61258@ECLIPSO.CH TO GET THE PRICE FOR YOUR DATA DO NOT GIVE THIS EMAIL TO 3RD PARTIES DO NOT RENAME OR MOVE THE FILE THE FILE IS ENCRYPTED WITH THE FOLLOWING KEY: [begin_key]ix/b/i1n5IoAXTHl/eUGlha2dAFkpgTmpX6cRY1GQ3nevRmzkvv2OWdWToJOTFVt dBzlVKYRzqK2GiU8c8UEHnA0O/h2BaDmnFcPp66p+6vyQ9eBkwXu5QAP2YnUWGVu I0QQQsWgbr6q39mYF/FNBubqLahue6D0w7lpJeIvOZQC25yhYfk+YzGRwY49QYDf jxGch4Mv1t9CcJXE8IAc6GUcVFPUQrUPmWn0NJ1iynJo3u1IAAhlt/IYBmfqFgeF my89vA9Cy8oS4BlQ+ywp5v5KoU5yTXpefSMefOX4zFYIsCsu6wFqGhyMDy/Nbys9 2Ie6JWZ8rFxzx8xQGXojCA2D8Y9MKOf51EJFcmKzL4k4RiJYJz7KaeA3Q8Dy1RsU iuaSvlu5vnRJTHCCTdnFmLVz6jAHys91va04roEWLbJlwlxtyEN+Ez4tn+iug0bN G6Hjp04NvFJGke7jt0d6281AYDe9tDs2eTQ8G8M+2a0U1jfoOIVMbu5B4QPGv8Jy GID5c9m0r4AbX4Qqa/NLmLuwVXSyrt1Z6RvRjfk4YQx7UbtrWumKRCMMwnFg1rq9 QPIt0wD3luyBrtdcVprS5AUbc6rXqFS/7k7ohV8EjJVeisx1CBvLOEBtn2iTn8cX 7RhTm1FRjq9Gz7NmF69c7r0RAamdb6iJCDVkrcBj9xJ=[end_key] KEEP IT

Emails

91645@PROTONMAIL.CH

61258@ECLIPSO.CH

Signatures

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exeBackup:binBackup.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1388 wrote to memory of 1424	1388	887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe	Backup:bin
PID 1388 wrote to memory of 1424	1388	887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe	Backup:bin
PID 1388 wrote to memory of 1424	1388	887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe	Backup:bin
PID 1388 wrote to memory of 1424	1388	887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe	Backup:bin
PID 1424 wrote to memory of 1556	1424	Backup:bin	vssadmin.exe
PID 1424 wrote to memory of 1556	1424	Backup:bin	vssadmin.exe
PID 1424 wrote to memory of 1556	1424	Backup:bin	vssadmin.exe
PID 1424 wrote to memory of 1556	1424	Backup:bin	vssadmin.exe
PID 1424 wrote to memory of 1804	1424	Backup:bin	takeown.exe
PID 1424 wrote to memory of 1804	1424	Backup:bin	takeown.exe
PID 1424 wrote to memory of 1804	1424	Backup:bin	takeown.exe
PID 1424 wrote to memory of 1804	1424	Backup:bin	takeown.exe
PID 1424 wrote to memory of 1824	1424	Backup:bin	icacls.exe
PID 1424 wrote to memory of 1824	1424	Backup:bin	icacls.exe
PID 1424 wrote to memory of 1824	1424	Backup:bin	icacls.exe
PID 1424 wrote to memory of 1824	1424	Backup:bin	icacls.exe
PID 1864 wrote to memory of 520	1864	Backup.exe	cmd.exe
PID 1864 wrote to memory of 520	1864	Backup.exe	cmd.exe
PID 1864 wrote to memory of 520	1864	Backup.exe	cmd.exe
PID 1864 wrote to memory of 520	1864	Backup.exe	cmd.exe
PID 520 wrote to memory of 1584	520	cmd.exe	choice.exe
PID 520 wrote to memory of 1584	520	cmd.exe	choice.exe
PID 520 wrote to memory of 1584	520	cmd.exe	choice.exe
PID 520 wrote to memory of 1584	520	cmd.exe	choice.exe
PID 1424 wrote to memory of 1616	1424	Backup:bin	cmd.exe
PID 1424 wrote to memory of 1616	1424	Backup:bin	cmd.exe
PID 1424 wrote to memory of 1616	1424	Backup:bin	cmd.exe
PID 1424 wrote to memory of 1616	1424	Backup:bin	cmd.exe
PID 1388 wrote to memory of 1608	1388	887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe	cmd.exe
PID 1388 wrote to memory of 1608	1388	887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe	cmd.exe
PID 1388 wrote to memory of 1608	1388	887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe	cmd.exe
PID 1388 wrote to memory of 1608	1388	887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe	cmd.exe
PID 1616 wrote to memory of 268	1616	cmd.exe	choice.exe
PID 1616 wrote to memory of 268	1616	cmd.exe	choice.exe
PID 1616 wrote to memory of 268	1616	cmd.exe	choice.exe
PID 1616 wrote to memory of 268	1616	cmd.exe	choice.exe
PID 1608 wrote to memory of 760	1608	cmd.exe	choice.exe
PID 1608 wrote to memory of 760	1608	cmd.exe	choice.exe
PID 1608 wrote to memory of 760	1608	cmd.exe	choice.exe
PID 1608 wrote to memory of 760	1608	cmd.exe	choice.exe
PID 520 wrote to memory of 1916	520	cmd.exe	attrib.exe
PID 520 wrote to memory of 1916	520	cmd.exe	attrib.exe
PID 520 wrote to memory of 1916	520	cmd.exe	attrib.exe
PID 520 wrote to memory of 1916	520	cmd.exe	attrib.exe
PID 1616 wrote to memory of 1940	1616	cmd.exe	attrib.exe
PID 1616 wrote to memory of 1940	1616	cmd.exe	attrib.exe
PID 1616 wrote to memory of 1940	1616	cmd.exe	attrib.exe
PID 1616 wrote to memory of 1940	1616	cmd.exe	attrib.exe
PID 1608 wrote to memory of 1948	1608	cmd.exe	attrib.exe
PID 1608 wrote to memory of 1948	1608	cmd.exe	attrib.exe
PID 1608 wrote to memory of 1948	1608	cmd.exe	attrib.exe
PID 1608 wrote to memory of 1948	1608	cmd.exe	attrib.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1560 NOTEPAD.EXE

pid	process
1560	NOTEPAD.EXE

Loads dropped DLL 2 IoCs

Processes:

887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe

pid	process
1388	887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe
1388	887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe

NTFS ADS 1 IoCs

Processes:

887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Backup:bin	887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1804 takeown.exe
1824 icacls.exe
WastedLocker
Ransomware family seen in the wild since May 2020.
ransomware wastedlocker
Executes dropped EXE 2 IoCs

Processes:

Backup:binBackup.exe

pid process

1424 Backup:bin
1864 Backup.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 836 vssvc.exe
Token: SeRestorePrivilege 836 vssvc.exe
Token: SeAuditPrivilege 836 vssvc.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1556 vssadmin.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1804 takeown.exe
1824 icacls.exe
Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

1916 attrib.exe
1940 attrib.exe
1948 attrib.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1608 cmd.exe

pid	process
1804	takeown.exe
1824	icacls.exe

pid	process
1424	Backup:bin
1864	Backup.exe

description	pid	process
Token: SeBackupPrivilege	836	vssvc.exe
Token: SeRestorePrivilege	836	vssvc.exe
Token: SeAuditPrivilege	836	vssvc.exe

pid	process
1556	vssadmin.exe

pid	process
1804	takeown.exe
1824	icacls.exe

pid	process
1916	attrib.exe
1940	attrib.exe
1948	attrib.exe

pid	process
1608	cmd.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Drops file in System32 directory 2 IoCs

Processes:

attrib.exeBackup:bin

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Backup.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Backup.exe	Backup:bin

C:\Users\Admin\AppData\Local\Temp\887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe
"C:\Users\Admin\AppData\Local\Temp\887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
- NTFS ADS
PID:1388

C:\Users\Admin\AppData\Roaming\Backup:bin
C:\Users\Admin\AppData\Roaming\Backup:bin -r
2⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Drops file in System32 directory
PID:1424

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:1556

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Windows\system32\Backup.exe
3⤵
- Modifies file permissions
- Possible privilege escalation attempt
PID:1804

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Windows\system32\Backup.exe /reset
3⤵
- Modifies file permissions
- Possible privilege escalation attempt
PID:1824

C:\Windows\SysWOW64\cmd.exe
cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Backup" & del "C:\Users\Admin\AppData\Roaming\Backup"
3⤵
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\choice.exe
choice /t 10 /d y
4⤵
PID:268

C:\Windows\SysWOW64\attrib.exe
attrib -h "C:\Users\Admin\AppData\Roaming\Backup"
4⤵
- Views/modifies file attributes
PID:1940

C:\Windows\SysWOW64\cmd.exe
cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe" & del "C:\Users\Admin\AppData\Local\Temp\887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Deletes itself
PID:1608

C:\Windows\SysWOW64\choice.exe
choice /t 10 /d y
3⤵
PID:760

C:\Windows\SysWOW64\attrib.exe
attrib -h "C:\Users\Admin\AppData\Local\Temp\887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe"
3⤵
- Views/modifies file attributes
PID:1948

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:836

C:\Windows\SysWOW64\Backup.exe
C:\Windows\SysWOW64\Backup.exe -s
1⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1864

C:\Windows\SysWOW64\cmd.exe
cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Backup.exe" & del "C:\Windows\SysWOW64\Backup.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\choice.exe
choice /t 10 /d y
3⤵
PID:1584

C:\Windows\SysWOW64\attrib.exe
attrib -h "C:\Windows\SysWOW64\Backup.exe"
3⤵
- Views/modifies file attributes
- Drops file in System32 directory
PID:1916

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RenameRequest.mpg.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1560