wastedlocker | 85f391ecd480711401f6da2f371156f995dd5cff7580f37791e79e62b91fd9eb

General

Target

gstabl72.exe
Size

848KB
MD5

3208a14c9bad334e331febe00f1e9734
SHA1

809fbd450e1a484a5af4ec05c345b2a7072723e7
SHA256

85f391ecd480711401f6da2f371156f995dd5cff7580f37791e79e62b91fd9eb
SHA512

b1460826b0a15e9cf752f001426ae6c9fffe96d01d7ab2802d0843b2c51f3dc1590c9c1f80e26ed9a751e7ac59f584fde4cb937841d5b4ea51a1883302da4029

Score

10^/10

ransomware persistence discovery exploit wastedlocker

Malware Config

Signatures

Drops file in System32 directory 2 IoCs

Processes:

Order:binattrib.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Order.exe	Order:bin
File opened for modification	C:\Windows\SysWOW64\Order.exe	attrib.exe

WastedLocker
Ransomware family seen in the wild since May 2020.
ransomware wastedlocker
Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

2040 attrib.exe
1496 attrib.exe
1560 attrib.exe
Loads dropped DLL 2 IoCs

Processes:

gstabl72.exe

pid process

608 gstabl72.exe
608 gstabl72.exe

pid	process
2040	attrib.exe
1496	attrib.exe
1560	attrib.exe

pid	process
608	gstabl72.exe
608	gstabl72.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

gstabl72.exeOrder:binOrder.execmd.execmd.execmd.exe

description	pid	process	target process
PID 608 wrote to memory of 1376	608	gstabl72.exe	Order:bin
PID 608 wrote to memory of 1376	608	gstabl72.exe	Order:bin
PID 608 wrote to memory of 1376	608	gstabl72.exe	Order:bin
PID 608 wrote to memory of 1376	608	gstabl72.exe	Order:bin
PID 1376 wrote to memory of 1428	1376	Order:bin	vssadmin.exe
PID 1376 wrote to memory of 1428	1376	Order:bin	vssadmin.exe
PID 1376 wrote to memory of 1428	1376	Order:bin	vssadmin.exe
PID 1376 wrote to memory of 1428	1376	Order:bin	vssadmin.exe
PID 1376 wrote to memory of 1680	1376	Order:bin	takeown.exe
PID 1376 wrote to memory of 1680	1376	Order:bin	takeown.exe
PID 1376 wrote to memory of 1680	1376	Order:bin	takeown.exe
PID 1376 wrote to memory of 1680	1376	Order:bin	takeown.exe
PID 1376 wrote to memory of 1816	1376	Order:bin	icacls.exe
PID 1376 wrote to memory of 1816	1376	Order:bin	icacls.exe
PID 1376 wrote to memory of 1816	1376	Order:bin	icacls.exe
PID 1376 wrote to memory of 1816	1376	Order:bin	icacls.exe
PID 1764 wrote to memory of 1836	1764	Order.exe	cmd.exe
PID 1764 wrote to memory of 1836	1764	Order.exe	cmd.exe
PID 1764 wrote to memory of 1836	1764	Order.exe	cmd.exe
PID 1764 wrote to memory of 1836	1764	Order.exe	cmd.exe
PID 1836 wrote to memory of 1632	1836	cmd.exe	choice.exe
PID 1836 wrote to memory of 1632	1836	cmd.exe	choice.exe
PID 1836 wrote to memory of 1632	1836	cmd.exe	choice.exe
PID 1836 wrote to memory of 1632	1836	cmd.exe	choice.exe
PID 1376 wrote to memory of 1576	1376	Order:bin	cmd.exe
PID 1376 wrote to memory of 1576	1376	Order:bin	cmd.exe
PID 1376 wrote to memory of 1576	1376	Order:bin	cmd.exe
PID 1376 wrote to memory of 1576	1376	Order:bin	cmd.exe
PID 608 wrote to memory of 1636	608	gstabl72.exe	cmd.exe
PID 608 wrote to memory of 1636	608	gstabl72.exe	cmd.exe
PID 608 wrote to memory of 1636	608	gstabl72.exe	cmd.exe
PID 608 wrote to memory of 1636	608	gstabl72.exe	cmd.exe
PID 1576 wrote to memory of 1568	1576	cmd.exe	choice.exe
PID 1576 wrote to memory of 1568	1576	cmd.exe	choice.exe
PID 1576 wrote to memory of 1568	1576	cmd.exe	choice.exe
PID 1576 wrote to memory of 1568	1576	cmd.exe	choice.exe
PID 1636 wrote to memory of 1904	1636	cmd.exe	choice.exe
PID 1636 wrote to memory of 1904	1636	cmd.exe	choice.exe
PID 1636 wrote to memory of 1904	1636	cmd.exe	choice.exe
PID 1636 wrote to memory of 1904	1636	cmd.exe	choice.exe
PID 1836 wrote to memory of 2040	1836	cmd.exe	attrib.exe
PID 1836 wrote to memory of 2040	1836	cmd.exe	attrib.exe
PID 1836 wrote to memory of 2040	1836	cmd.exe	attrib.exe
PID 1836 wrote to memory of 2040	1836	cmd.exe	attrib.exe
PID 1636 wrote to memory of 1496	1636	cmd.exe	attrib.exe
PID 1636 wrote to memory of 1496	1636	cmd.exe	attrib.exe
PID 1636 wrote to memory of 1496	1636	cmd.exe	attrib.exe
PID 1636 wrote to memory of 1496	1636	cmd.exe	attrib.exe
PID 1576 wrote to memory of 1560	1576	cmd.exe	attrib.exe
PID 1576 wrote to memory of 1560	1576	cmd.exe	attrib.exe
PID 1576 wrote to memory of 1560	1576	cmd.exe	attrib.exe
PID 1576 wrote to memory of 1560	1576	cmd.exe	attrib.exe

Executes dropped EXE 2 IoCs

Processes:

Order:binOrder.exe

pid process

1376 Order:bin
1764 Order.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1680 takeown.exe
1816 icacls.exe
NTFS ADS 1 IoCs

Processes:

gstabl72.exe

description ioc process

File opened for modification C:\Users\Admin\AppData\Roaming\Order:bin gstabl72.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1680 takeown.exe
1816 icacls.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1428 vssadmin.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1000 vssvc.exe
Token: SeRestorePrivilege 1000 vssvc.exe
Token: SeAuditPrivilege 1000 vssvc.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1636 cmd.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

pid	process
1376	Order:bin
1764	Order.exe

pid	process
1680	takeown.exe
1816	icacls.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Order:bin	gstabl72.exe

pid	process
1680	takeown.exe
1816	icacls.exe

pid	process
1428	vssadmin.exe

description	pid	process
Token: SeBackupPrivilege	1000	vssvc.exe
Token: SeRestorePrivilege	1000	vssvc.exe
Token: SeAuditPrivilege	1000	vssvc.exe

pid	process
1636	cmd.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe

C:\Users\Admin\AppData\Local\Temp\gstabl72.exe
"C:\Users\Admin\AppData\Local\Temp\gstabl72.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- NTFS ADS
PID:608

C:\Users\Admin\AppData\Roaming\Order:bin
C:\Users\Admin\AppData\Roaming\Order:bin -r
2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1376

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:1428

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Windows\system32\Order.exe
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1680

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Windows\system32\Order.exe /reset
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1816

C:\Windows\SysWOW64\cmd.exe
cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Order" & del "C:\Users\Admin\AppData\Roaming\Order"
3⤵
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\choice.exe
choice /t 10 /d y
4⤵
PID:1568

C:\Windows\SysWOW64\attrib.exe
attrib -h "C:\Users\Admin\AppData\Roaming\Order"
4⤵
- Views/modifies file attributes
PID:1560

C:\Windows\SysWOW64\cmd.exe
cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\gstabl72.exe" & del "C:\Users\Admin\AppData\Local\Temp\gstabl72.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Deletes itself
PID:1636

C:\Windows\SysWOW64\choice.exe
choice /t 10 /d y
3⤵
PID:1904

C:\Windows\SysWOW64\attrib.exe
attrib -h "C:\Users\Admin\AppData\Local\Temp\gstabl72.exe"
3⤵
- Views/modifies file attributes
PID:1496

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:1000

C:\Windows\SysWOW64\Order.exe
C:\Windows\SysWOW64\Order.exe -s
1⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1764

C:\Windows\SysWOW64\cmd.exe
cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Order.exe" & del "C:\Windows\SysWOW64\Order.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\choice.exe
choice /t 10 /d y
3⤵
PID:1632

C:\Windows\SysWOW64\attrib.exe
attrib -h "C:\Windows\SysWOW64\Order.exe"
3⤵
- Drops file in System32 directory
- Views/modifies file attributes
PID:2040