Analysis
-
max time kernel
130s -
max time network
130s -
platform
windows10_x64 -
resource
win10 -
submitted
30-06-2020 13:07
Static task
static1
Behavioral task
behavioral1
Sample
887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe
Resource
win7v200430
Behavioral task
behavioral2
Sample
887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe
Resource
win10
General
-
Target
887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe
-
Size
1.1MB
-
MD5
6b20ef8fb494cc6e455220356de298d0
-
SHA1
763d356d30e81d1cd15f6bc6a31f96181edb0b8f
-
SHA256
887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d
-
SHA512
ef53b73a911a608439bf929fa66a66fbf015ed274735b91c1d3b08128b14d6514d5514157e541441b9de0827d068c8f514cfd24a3a52fecb2d09764c4fb3311a
Malware Config
Extracted
C:\Users\Admin\Desktop\FormatRequest.wmf.txt
wastedlocker
91645@PROTONMAIL.CH
61258@ECLIPSO.CH
Signatures
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 3876 vssadmin.exe -
WastedLocker
Ransomware family seen in the wild since May 2020.
-
Drops file in System32 directory 2 IoCs
Processes:
Hal:binattrib.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Hal.exe Hal:bin File opened for modification C:\Windows\SysWOW64\Hal.exe attrib.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 2088 NOTEPAD.EXE -
NTFS ADS 1 IoCs
Processes:
887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Hal:bin 887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe -
Modifies service 2 TTPs 5 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe -
Modifies file permissions 1 TTPs 2 IoCs
Processes:
icacls.exetakeown.exepid process 740 icacls.exe 3496 takeown.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Possible privilege escalation attempt 2 IoCs
Processes:
takeown.exeicacls.exepid process 3496 takeown.exe 740 icacls.exe -
Views/modifies file attributes 1 TTPs 3 IoCs
Processes:
attrib.exeattrib.exeattrib.exepid process 3308 attrib.exe 3496 attrib.exe 3876 attrib.exe -
Suspicious use of WriteProcessMemory 38 IoCs
Processes:
887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exeHal:binHal.execmd.execmd.execmd.exedescription pid process target process PID 3932 wrote to memory of 3992 3932 887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe Hal:bin PID 3932 wrote to memory of 3992 3932 887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe Hal:bin PID 3932 wrote to memory of 3992 3932 887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe Hal:bin PID 3992 wrote to memory of 3876 3992 Hal:bin vssadmin.exe PID 3992 wrote to memory of 3876 3992 Hal:bin vssadmin.exe PID 3992 wrote to memory of 3496 3992 Hal:bin takeown.exe PID 3992 wrote to memory of 3496 3992 Hal:bin takeown.exe PID 3992 wrote to memory of 3496 3992 Hal:bin takeown.exe PID 3992 wrote to memory of 740 3992 Hal:bin icacls.exe PID 3992 wrote to memory of 740 3992 Hal:bin icacls.exe PID 3992 wrote to memory of 740 3992 Hal:bin icacls.exe PID 688 wrote to memory of 2524 688 Hal.exe cmd.exe PID 688 wrote to memory of 2524 688 Hal.exe cmd.exe PID 688 wrote to memory of 2524 688 Hal.exe cmd.exe PID 2524 wrote to memory of 2184 2524 cmd.exe choice.exe PID 2524 wrote to memory of 2184 2524 cmd.exe choice.exe PID 2524 wrote to memory of 2184 2524 cmd.exe choice.exe PID 3992 wrote to memory of 1540 3992 Hal:bin cmd.exe PID 3992 wrote to memory of 1540 3992 Hal:bin cmd.exe PID 3992 wrote to memory of 1540 3992 Hal:bin cmd.exe PID 3932 wrote to memory of 2388 3932 887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe cmd.exe PID 3932 wrote to memory of 2388 3932 887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe cmd.exe PID 3932 wrote to memory of 2388 3932 887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe cmd.exe PID 1540 wrote to memory of 3872 1540 cmd.exe choice.exe PID 1540 wrote to memory of 3872 1540 cmd.exe choice.exe PID 1540 wrote to memory of 3872 1540 cmd.exe choice.exe PID 2388 wrote to memory of 3300 2388 cmd.exe choice.exe PID 2388 wrote to memory of 3300 2388 cmd.exe choice.exe PID 2388 wrote to memory of 3300 2388 cmd.exe choice.exe PID 2524 wrote to memory of 3876 2524 cmd.exe attrib.exe PID 2524 wrote to memory of 3876 2524 cmd.exe attrib.exe PID 2524 wrote to memory of 3876 2524 cmd.exe attrib.exe PID 1540 wrote to memory of 3308 1540 cmd.exe attrib.exe PID 1540 wrote to memory of 3308 1540 cmd.exe attrib.exe PID 1540 wrote to memory of 3308 1540 cmd.exe attrib.exe PID 2388 wrote to memory of 3496 2388 cmd.exe attrib.exe PID 2388 wrote to memory of 3496 2388 cmd.exe attrib.exe PID 2388 wrote to memory of 3496 2388 cmd.exe attrib.exe -
Executes dropped EXE 2 IoCs
Processes:
Hal:binHal.exepid process 3992 Hal:bin 688 Hal.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 3956 vssvc.exe Token: SeRestorePrivilege 3956 vssvc.exe Token: SeAuditPrivilege 3956 vssvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe"C:\Users\Admin\AppData\Local\Temp\887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe"1⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Hal:binC:\Users\Admin\AppData\Roaming\Hal:bin -r2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Windows\system32\Hal.exe3⤵
- Modifies file permissions
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Windows\system32\Hal.exe /reset3⤵
- Modifies file permissions
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Hal" & del "C:\Users\Admin\AppData\Roaming\Hal"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y4⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Users\Admin\AppData\Roaming\Hal"4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe" & del "C:\Users\Admin\AppData\Local\Temp\887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Users\Admin\AppData\Local\Temp\887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d.exe"3⤵
- Views/modifies file attributes
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Hal.exeC:\Windows\SysWOW64\Hal.exe -s1⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Hal.exe" & del "C:\Windows\SysWOW64\Hal.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Windows\SysWOW64\Hal.exe"3⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\FormatRequest.wmf.txt1⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Hal:bin
-
C:\Users\Admin\AppData\Roaming\Hal:bin
-
C:\Users\Admin\Desktop\FormatRequest.wmf.txt
-
C:\Windows\SysWOW64\Hal.exe
-
C:\Windows\SysWOW64\Hal.exe
-
memory/740-6-0x0000000000000000-mapping.dmp
-
memory/1540-10-0x0000000000000000-mapping.dmp
-
memory/2184-9-0x0000000000000000-mapping.dmp
-
memory/2388-11-0x0000000000000000-mapping.dmp
-
memory/2524-8-0x0000000000000000-mapping.dmp
-
memory/3300-13-0x0000000000000000-mapping.dmp
-
memory/3308-15-0x0000000000000000-mapping.dmp
-
memory/3496-4-0x0000000000000000-mapping.dmp
-
memory/3496-16-0x0000000000000000-mapping.dmp
-
memory/3872-12-0x0000000000000000-mapping.dmp
-
memory/3876-14-0x0000000000000000-mapping.dmp
-
memory/3876-3-0x0000000000000000-mapping.dmp
-
memory/3992-0-0x0000000000000000-mapping.dmp