Analysis

max time kernel: 143s
max time network: 149s
platform: windows7_x64
resource: win7
submitted: 04-07-2020 03:56

Static task: static1
Behavioral task: behavioral1
  Sample: gstabl72.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: gstabl72.exe
  Resource: win10v200430

General

Target: gstabl72.exe
Size: 848KB
MD5: 3208a14c9bad334e331febe00f1e9734
SHA1: 809fbd450e1a484a5af4ec05c345b2a7072723e7
SHA256: 85f391ecd480711401f6da2f371156f995dd5cff7580f37791e79e62b91fd9eb
SHA512: b1460826b0a15e9cf752f001426ae6c9fffe96d01d7ab2802d0843b2c51f3dc1590c9c1f80e26ed9a751e7ac59f584fde4cb937841d5b4ea51a1883302da4029
Malware Config
Signatures
Drops file in System32 directory (2 IoCs)
  Processes:
    Order:bin    File opened for modification: C:\Windows\SysWOW64\Order.exe
    attrib.exe   File opened for modification: C:\Windows\SysWOW64\Order.exe

WastedLocker
  Ransomware family seen in the wild since May 2020.

Views/modifies file attributes (1 TTPs, 3 IoCs)
  Processes:
    PID 2040  attrib.exe
    PID 1496  attrib.exe
    PID 1560  attrib.exe

Loads dropped DLL (2 IoCs)
  Processes:
    PID 608  gstabl72.exe
    PID 608  gstabl72.exe

Suspicious use of WriteProcessMemory (52 IoCs)
  Processes (each parent/child pair below is recorded four times in the report, 13 pairs x 4 = 52):
    PID 608   gstabl72.exe  wrote to memory of  PID 1376  Order:bin
    PID 1376  Order:bin     wrote to memory of  PID 1428  vssadmin.exe
    PID 1376  Order:bin     wrote to memory of  PID 1680  takeown.exe
    PID 1376  Order:bin     wrote to memory of  PID 1816  icacls.exe
    PID 1764  Order.exe     wrote to memory of  PID 1836  cmd.exe
    PID 1836  cmd.exe       wrote to memory of  PID 1632  choice.exe
    PID 1376  Order:bin     wrote to memory of  PID 1576  cmd.exe
    PID 608   gstabl72.exe  wrote to memory of  PID 1636  cmd.exe
    PID 1576  cmd.exe       wrote to memory of  PID 1568  choice.exe
    PID 1636  cmd.exe       wrote to memory of  PID 1904  choice.exe
    PID 1836  cmd.exe       wrote to memory of  PID 2040  attrib.exe
    PID 1636  cmd.exe       wrote to memory of  PID 1496  attrib.exe
    PID 1576  cmd.exe       wrote to memory of  PID 1560  attrib.exe

Executes dropped EXE (2 IoCs)
  Processes:
    PID 1376  Order:bin
    PID 1764  Order.exe

Possible privilege escalation attempt (2 IoCs)
  Processes:
    PID 1680  takeown.exe
    PID 1816  icacls.exe

NTFS ADS (1 IoCs)
  Processes:
    gstabl72.exe  File opened for modification: C:\Users\Admin\AppData\Roaming\Order:bin

Modifies file permissions (1 TTPs, 2 IoCs)
  Processes:
    PID 1680  takeown.exe
    PID 1816  icacls.exe

Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    PID 1428  vssadmin.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    PID 1000  vssvc.exe  Token: SeBackupPrivilege
    PID 1000  vssvc.exe  Token: SeRestorePrivilege
    PID 1000  vssvc.exe  Token: SeAuditPrivilege

Deletes itself (1 IoCs)
  Processes:
    PID 1636  cmd.exe

Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Modifies service (2 TTPs, 5 IoCs)
  Processes:
    vssvc.exe  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
    vssvc.exe  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
    vssvc.exe  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
    vssvc.exe  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
    vssvc.exe  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Processes (indented by process-tree depth; first line is the image path, "Command line" is what was executed)

C:\Users\Admin\AppData\Local\Temp\gstabl72.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\gstabl72.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - NTFS ADS

    C:\Users\Admin\AppData\Roaming\Order:bin
      Command line: C:\Users\Admin\AppData\Roaming\Order:bin -r
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      - Executes dropped EXE

        C:\Windows\system32\vssadmin.exe
          Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
          - Interacts with shadow copies

        C:\Windows\SysWOW64\takeown.exe
          Command line: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Order.exe
          - Possible privilege escalation attempt
          - Modifies file permissions

        C:\Windows\SysWOW64\icacls.exe
          Command line: C:\Windows\system32\icacls.exe C:\Windows\system32\Order.exe /reset
          - Possible privilege escalation attempt
          - Modifies file permissions

        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Order" & del "C:\Users\Admin\AppData\Roaming\Order"
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\choice.exe
              Command line: choice /t 10 /d y

            C:\Windows\SysWOW64\attrib.exe
              Command line: attrib -h "C:\Users\Admin\AppData\Roaming\Order"
              - Views/modifies file attributes

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\gstabl72.exe" & del "C:\Users\Admin\AppData\Local\Temp\gstabl72.exe"
      - Suspicious use of WriteProcessMemory
      - Deletes itself

        C:\Windows\SysWOW64\choice.exe
          Command line: choice /t 10 /d y

        C:\Windows\SysWOW64\attrib.exe
          Command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\gstabl72.exe"
          - Views/modifies file attributes

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service

C:\Windows\SysWOW64\Order.exe
  Command line: C:\Windows\SysWOW64\Order.exe -s
  - Suspicious use of WriteProcessMemory
  - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Order.exe" & del "C:\Windows\SysWOW64\Order.exe"
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\choice.exe
          Command line: choice /t 10 /d y

        C:\Windows\SysWOW64\attrib.exe
          Command line: attrib -h "C:\Windows\SysWOW64\Order.exe"
          - Drops file in System32 directory
          - Views/modifies file attributes

C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"

C:\Windows\system32\notepad.exe
  Command line: "C:\Windows\system32\notepad.exe"
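The process tree above contains four behaviours a detection engineer would want to alert on independently of this sample's hashes: a payload executed from an NTFS alternate data stream (Order:bin), shadow-copy deletion via vssadmin, takeown/icacls run against a file under the Windows directory, and the delayed self-deletion chain cmd /c choice /t 10 /d y & attrib -h & del. Note that the image paths for takeown, icacls and cmd are under C:\Windows\SysWOW64 while the command lines say system32: the payload is 32-bit, so WoW64 file-system redirection maps system32 to SysWOW64, which is why the "Drops file in System32 directory" IoC resolves to C:\Windows\SysWOW64\Order.exe. The detection logic below is an added example and is not part of the sandbox report; the ProcEvent records are constructed from the PIDs and command lines listed above (plus one benign vssadmin list shadows control) rather than taken from real telemetry, and the rule names are the author's own.

```python
"""Detection logic for the WastedLocker behaviour chain shown in this report.

The events are constructed from the process tree in the report (same PIDs
and command lines); they are not real Sysmon/EDR output.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image path as the kernel sees it (after WoW64 redirection)
    cmdline: str    # command line as supplied by the parent


# Constructed from the process tree above; ppid 0 = no parent recorded.
EVENTS = [
    ProcEvent(608, 0, r"C:\Users\Admin\AppData\Local\Temp\gstabl72.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\gstabl72.exe"'),
    ProcEvent(1376, 608, r"C:\Users\Admin\AppData\Roaming\Order:bin",
              r"C:\Users\Admin\AppData\Roaming\Order:bin -r"),
    ProcEvent(1428, 1376, r"C:\Windows\system32\vssadmin.exe",
              r"C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(1680, 1376, r"C:\Windows\SysWOW64\takeown.exe",
              r"C:\Windows\system32\takeown.exe /F C:\Windows\system32\Order.exe"),
    ProcEvent(1816, 1376, r"C:\Windows\SysWOW64\icacls.exe",
              r"C:\Windows\system32\icacls.exe C:\Windows\system32\Order.exe /reset"),
    ProcEvent(1636, 608, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\gstabl72.exe"'
              r' & del "C:\Users\Admin\AppData\Local\Temp\gstabl72.exe"'),
    ProcEvent(1764, 0, r"C:\Windows\SysWOW64\Order.exe", r"C:\Windows\SysWOW64\Order.exe -s"),
    ProcEvent(1836, 1764, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Order.exe"'
              r' & del "C:\Windows\SysWOW64\Order.exe"'),
    # Constructed benign control: an administrator listing shadows must not alert.
    ProcEvent(2200, 900, r"C:\Windows\system32\vssadmin.exe", r"vssadmin list shadows"),
]

# Drive letter, a path with no further colon, then ":<stream>" at the end:
# the executable image lives in an NTFS alternate data stream.
ADS_RE = re.compile(r"^[A-Za-z]:\\[^:]*:[^\\:]+$")
# "choice /t N /d y ... & del <target>" is the delayed-delete idiom used here.
SELF_DELETE_RE = re.compile(r'choice\s+/t\s+\d+\s+/d\s+y.*&\s*del\s+"?([^"&]+)"?', re.IGNORECASE)
# Both spellings, because a 32-bit process writes "system32" and lands in SysWOW64.
WINDIR_RE = re.compile(r"[A-Za-z]:\\Windows\\(system32|syswow64)\\", re.IGNORECASE)


def _args(cmdline: str) -> str:
    """Strip the program token (quoted or not) and return only the arguments."""
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[end + 1:] if end > 0 else ""
    parts = cmdline.split(None, 1)
    return parts[1] if len(parts) > 1 else ""


def detect(events):
    """Return (rule, pid) tuples for every event matching one of the four rules."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name = e.image.rsplit("\\", 1)[-1].lower()
        cl = e.cmdline.lower()
        if ADS_RE.match(e.image):
            alerts.append(("ads_execution", e.pid))
        if name == "vssadmin.exe" and "delete" in cl and "shadows" in cl:
            alerts.append(("shadow_copy_deletion", e.pid))
        if name in ("takeown.exe", "icacls.exe") and WINDIR_RE.search(_args(e.cmdline)):
            alerts.append(("windir_acl_tamper", e.pid))
        if name == "cmd.exe":
            m = SELF_DELETE_RE.search(e.cmdline)
            if m:
                target = m.group(1).strip().lower()
                parent = by_pid.get(e.ppid)
                # If the file being deleted is the parent's own image, it is self-deletion.
                rule = "self_delete" if parent and parent.image.lower() == target else "delayed_delete"
                alerts.append((rule, e.pid))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:<22} pid={pid}")
```

Run against the constructed events this flags PID 1376 (ADS execution), 1428 (shadow deletion), 1680 and 1816 (ACL tampering under the Windows directory) and both cmd.exe instances as self-deletion, while the vssadmin list shadows control stays quiet. The ADS rule keys on the image path rather than the command line because the stream name survives redirection and quoting; the self-delete rule resolves the parent's image through the PID map, which is the same parent/child relationship the "Deletes itself" signature relies on.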
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Dropped / modified files:
  C:\Users\Admin\AppData\Roaming\Order:bin
  C:\Users\Admin\Documents\Are.docx.gannettwasted_info
  C:\Windows\SysWOW64\Order.exe
  \Users\Admin\AppData\Roaming\Order

Memory dumps:
  memory/1376-2-0x0000000000000000-mapping.dmp
  memory/1428-4-0x0000000000000000-mapping.dmp
  memory/1496-17-0x0000000000000000-mapping.dmp
  memory/1560-18-0x0000000000000000-mapping.dmp
  memory/1568-14-0x0000000000000000-mapping.dmp
  memory/1576-12-0x0000000000000000-mapping.dmp
  memory/1632-11-0x0000000000000000-mapping.dmp
  memory/1636-13-0x0000000000000000-mapping.dmp
  memory/1680-6-0x0000000000000000-mapping.dmp
  memory/1816-8-0x0000000000000000-mapping.dmp
  memory/1836-10-0x0000000000000000-mapping.dmp
  memory/1904-15-0x0000000000000000-mapping.dmp
  memory/2040-16-0x0000000000000000-mapping.dmp