Analysis
- max time kernel: 138s
- max time network: 51s
- platform: windows10_x64
- resource: win10v200430
- submitted: 04-07-2020 03:56
- static task: static1
- behavioral task: behavioral1 (sample gstabl72.exe, resource win7)
- behavioral task: behavioral2 (sample gstabl72.exe, resource win10v200430)
General
- Target: gstabl72.exe
- Size: 848KB
- MD5: 3208a14c9bad334e331febe00f1e9734
- SHA1: 809fbd450e1a484a5af4ec05c345b2a7072723e7
- SHA256: 85f391ecd480711401f6da2f371156f995dd5cff7580f37791e79e62b91fd9eb
- SHA512: b1460826b0a15e9cf752f001426ae6c9fffe96d01d7ab2802d0843b2c51f3dc1590c9c1f80e26ed9a751e7ac59f584fde4cb937841d5b4ea51a1883302da4029
Malware Config
Signatures
- NTFS ADS (1 IoC)
  Processes:
    process      | description                  | ioc
    gstabl72.exe | File opened for modification | C:\Users\Admin\AppData\Roaming\Installers:bin
- WastedLocker
  Ransomware family seen in the wild since May 2020.
- Modifies service (2 TTPs, 5 IoCs)
  Processes:
    process   | description | ioc
    vssvc.exe | Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
    vssvc.exe | Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
    vssvc.exe | Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
    vssvc.exe | Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
    vssvc.exe | Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
  Note: these VSS\Diag subkeys are written by the Volume Shadow Copy service itself when it starts, here in response to the vssadmin call recorded below. They are a side effect of the shadow-copy deletion, not a service configuration change made by the sample.
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes:
    pid  | process
    2680 | takeown.exe
    3720 | icacls.exe
- Possible privilege escalation attempt (2 IoCs)
  Processes:
    pid  | process
    2680 | takeown.exe
    3720 | icacls.exe
  Note: the same two processes as the previous signature. takeown /F takes ownership of C:\Windows\system32\Installers.exe and icacls /reset replaces its ACL with the inherited defaults, which is what lets an administrator-level process overwrite a file under the system directory.
- Suspicious use of WriteProcessMemory (38 IoCs)
  Processes (source pid/process -> target pid/process, number of writes):
    992  gstabl72.exe   -> 1796 Installers:bin  (x3)
    1796 Installers:bin -> 1808 vssadmin.exe    (x2)
    1796 Installers:bin -> 2680 takeown.exe     (x3)
    1796 Installers:bin -> 3720 icacls.exe      (x3)
    4064 Installers.exe -> 1732 cmd.exe         (x3)
    1732 cmd.exe        -> 2988 choice.exe      (x3)
    1796 Installers:bin -> 3520 cmd.exe         (x3)
    992  gstabl72.exe   -> 3740 cmd.exe         (x3)
    3520 cmd.exe        -> 3616 choice.exe      (x3)
    3740 cmd.exe        -> 1916 choice.exe      (x3)
    1732 cmd.exe        -> 796  attrib.exe      (x3)
    3520 cmd.exe        -> 2040 attrib.exe      (x3)
    3740 cmd.exe        -> 4004 attrib.exe      (x3)
- Executes dropped EXE (2 IoCs)
  Processes:
    pid  | process
    1796 | Installers:bin
    4064 | Installers.exe
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid  | process
    1808 | vssadmin.exe
- Drops file in System32 directory (2 IoCs)
  Processes:
    process        | description                  | ioc
    Installers:bin | File opened for modification | C:\Windows\SysWOW64\Installers.exe
    attrib.exe     | File opened for modification | C:\Windows\SysWOW64\Installers.exe
- Views/modifies file attributes (1 TTP, 3 IoCs)
  Processes:
    pid  | process
    4004 | attrib.exe
    796  | attrib.exe
    2040 | attrib.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description               | pid  | process
    Token: SeBackupPrivilege  | 1632 | vssvc.exe
    Token: SeRestorePrivilege | 1632 | vssvc.exe
    Token: SeAuditPrivilege   | 1632 | vssvc.exe
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
Processes
- C:\Users\Admin\AppData\Local\Temp\gstabl72.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\gstabl72.exe"
  signatures: NTFS ADS; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Installers:bin
    cmdline: C:\Users\Admin\AppData\Roaming\Installers:bin -r
    signatures: Suspicious use of WriteProcessMemory; Executes dropped EXE; Drops file in System32 directory
    - C:\Windows\system32\vssadmin.exe
      cmdline: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      signatures: Interacts with shadow copies
    - C:\Windows\SysWOW64\takeown.exe
      cmdline: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Installers.exe
      signatures: Modifies file permissions; Possible privilege escalation attempt
    - C:\Windows\SysWOW64\icacls.exe
      cmdline: C:\Windows\system32\icacls.exe C:\Windows\system32\Installers.exe /reset
      signatures: Modifies file permissions; Possible privilege escalation attempt
    - C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Installers" & del "C:\Users\Admin\AppData\Roaming\Installers"
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\choice.exe
        cmdline: choice /t 10 /d y
      - C:\Windows\SysWOW64\attrib.exe
        cmdline: attrib -h "C:\Users\Admin\AppData\Roaming\Installers"
        signatures: Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\gstabl72.exe" & del "C:\Users\Admin\AppData\Local\Temp\gstabl72.exe"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe
      cmdline: choice /t 10 /d y
    - C:\Windows\SysWOW64\attrib.exe
      cmdline: attrib -h "C:\Users\Admin\AppData\Local\Temp\gstabl72.exe"
      signatures: Views/modifies file attributes
- C:\Windows\system32\vssvc.exe
  cmdline: C:\Windows\system32\vssvc.exe
  signatures: Modifies service; Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\Installers.exe
  cmdline: C:\Windows\SysWOW64\Installers.exe -s
  signatures: Suspicious use of WriteProcessMemory; Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Installers.exe" & del "C:\Windows\SysWOW64\Installers.exe"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe
      cmdline: choice /t 10 /d y
    - C:\Windows\SysWOW64\attrib.exe
      cmdline: attrib -h "C:\Windows\SysWOW64\Installers.exe"
      signatures: Drops file in System32 directory; Views/modifies file attributes

Notes on the tree:
- The sample is 32-bit. The takeown and icacls command lines name C:\Windows\system32\Installers.exe, but the processes run from C:\Windows\SysWOW64 and the dropped copy lands at C:\Windows\SysWOW64\Installers.exe, because WoW64 file-system redirection maps system32 to SysWOW64 for 32-bit processes. Hunt for the file under SysWOW64, not System32.
- The first stage is written to and executed from an NTFS alternate data stream (Installers:bin) attached to the host file C:\Users\Admin\AppData\Roaming\Installers. Deleting the host file, as the cleanup chain later does, removes the stream with it.
- Each cleanup chain is the same pattern: choice /t 10 /d y acts as a ten-second sleep (choice times out and takes the default "y"), attrib -h clears the hidden attribute if set, and del removes the file. del is a cmd built-in, so no separate process appears for it. The three chains delete, respectively, the ADS host file, the original dropper in Temp, and the SysWOW64 copy; in each case the file deleted is the image of the cmd.exe's own parent.
- vssvc.exe is the Volume Shadow Copy service, started by the vssadmin call; its privilege adjustments and registry writes are normal service behaviour. Installers.exe -s appears at the top level because its parent is not part of the recorded tree.
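The four behaviours the signatures and tree above record (execution from an NTFS alternate data stream, vssadmin shadow-copy deletion, takeown/icacls against a file under a Windows system directory, and the timed choice/attrib/del cleanup chain) as detection logic over process-creation events. This is an added example, not part of the Triage report or the sandbox's own signature set. The Event record is a constructed four-field schema (Sysmon Event ID 1 or an EDR feed would carry more fields), the EVENTS list is transcribed from the process tree above with parent PIDs taken from the WriteProcessMemory rows, the final icacls row is a constructed benign control, and the rule names are this example's own.

```python
import re
from collections import namedtuple

# Constructed, minimal process-creation record (pid, parent pid, image path,
# command line). Real telemetry has more fields; these four are all we need.
Event = namedtuple("Event", "pid ppid image cmdline")

# Process tree transcribed from the report; ppid 0 = parent not in the tree.
# The last row is a constructed benign control and must not alert.
EVENTS = [
    Event(992, 0, r"C:\Users\Admin\AppData\Local\Temp\gstabl72.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\gstabl72.exe"'),
    Event(1796, 992, r"C:\Users\Admin\AppData\Roaming\Installers:bin",
          r"C:\Users\Admin\AppData\Roaming\Installers:bin -r"),
    Event(1808, 1796, r"C:\Windows\system32\vssadmin.exe",
          r"C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet"),
    Event(2680, 1796, r"C:\Windows\SysWOW64\takeown.exe",
          r"C:\Windows\system32\takeown.exe /F C:\Windows\system32\Installers.exe"),
    Event(3720, 1796, r"C:\Windows\SysWOW64\icacls.exe",
          r"C:\Windows\system32\icacls.exe C:\Windows\system32\Installers.exe /reset"),
    Event(3520, 1796, r"C:\Windows\SysWOW64\cmd.exe",
          r'cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Installers" & del "C:\Users\Admin\AppData\Roaming\Installers"'),
    Event(3740, 992, r"C:\Windows\SysWOW64\cmd.exe",
          r'cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\gstabl72.exe" & del "C:\Users\Admin\AppData\Local\Temp\gstabl72.exe"'),
    Event(4064, 0, r"C:\Windows\SysWOW64\Installers.exe",
          r"C:\Windows\SysWOW64\Installers.exe -s"),
    Event(1732, 4064, r"C:\Windows\SysWOW64\cmd.exe",
          r'cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Installers.exe" & del "C:\Windows\SysWOW64\Installers.exe"'),
    # constructed benign control: an admin resetting the ACL on a user document
    Event(5000, 4999, r"C:\Windows\System32\icacls.exe",
          r"icacls C:\Users\Admin\Documents\report.docx /reset"),
]

# Image path whose final component carries a stream name, e.g. Installers:bin.
ADS_IMAGE = re.compile(r"^[A-Za-z]:\\(?:[^\\]+\\)*[^\\:]+:[^\\:]+$")
VSS_DELETE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)
# choice <sleep> & attrib -h <file> & del <file>, as seen three times above.
SELF_DELETE = re.compile(
    r'choice\s+/t\s+\d+\s+/d\s+y\s*&\s*attrib\s+-h\s+"?([^"&]+?)"?\s*&\s*del\s+"?([^"&]+?)"?\s*$',
    re.IGNORECASE,
)
# Both spellings matter: a 32-bit process's "system32" is redirected to SysWOW64.
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def host_file(path):
    """Drop an ADS stream name from the final path component (Installers:bin -> Installers)."""
    head, sep, name = path.rpartition("\\")
    return head + sep + name.split(":", 1)[0]


def detect(events):
    """Return (pid, rule, detail) triples for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        exe = basename(e.image)
        args = e.cmdline.split()[1:]  # skip the program token; paths here have no spaces
        if ADS_IMAGE.match(e.image):
            hits.append((e.pid, "ads_exec", "image is an alternate data stream: " + e.image))
        if exe == "vssadmin.exe" and VSS_DELETE.search(e.cmdline):
            hits.append((e.pid, "vss_delete", e.cmdline))
        # Check the target arguments only: the program path itself lives under
        # system32, so matching the whole command line would alert on every run.
        if exe in ("takeown.exe", "icacls.exe") and any(
            d in a.lower() for a in args for d in SYSTEM_DIRS
        ):
            hits.append((e.pid, "system_acl", exe + " " + " ".join(args)))
        if exe == "cmd.exe":
            m = SELF_DELETE.search(e.cmdline)
            if m:
                target = m.group(2).strip()
                parent = by_pid.get(e.ppid)
                # Compare against the parent's host file so an ADS-hosted parent
                # deleting its carrier file still counts as self-deletion.
                own = parent is not None and host_file(parent.image).lower() == target.lower()
                what = "parent's own file" if own else "unrelated file"
                hits.append((e.pid, "self_delete", "timed choice/attrib/del of " + what + ": " + target))
    return hits


if __name__ == "__main__":
    # seven findings for the constructed tree; the benign icacls run stays silent
    for pid, rule, detail in detect(EVENTS):
        print(f"pid {pid:>5}  {rule:<12} {detail}")
```

The self_delete rule keys on the parent relationship rather than on the literal command line: the chain is generic cmd syntax, but a cmd.exe whose del target is its own parent's image (or the host file of the ADS the parent runs from) is a much narrower signal than "cmd ran del".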
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Installers:bin
- C:\Windows\SysWOW64\Installers.exe
- memory/796-14-0x0000000000000000-mapping.dmp
- memory/1732-8-0x0000000000000000-mapping.dmp
- memory/1796-0-0x0000000000000000-mapping.dmp
- memory/1808-3-0x0000000000000000-mapping.dmp
- memory/1916-13-0x0000000000000000-mapping.dmp
- memory/2040-15-0x0000000000000000-mapping.dmp
- memory/2680-4-0x0000000000000000-mapping.dmp
- memory/2988-9-0x0000000000000000-mapping.dmp
- memory/3520-10-0x0000000000000000-mapping.dmp
- memory/3616-12-0x0000000000000000-mapping.dmp
- memory/3720-6-0x0000000000000000-mapping.dmp
- memory/3740-11-0x0000000000000000-mapping.dmp
- memory/4004-16-0x0000000000000000-mapping.dmp