Analysis
-
max time kernel
126s -
max time network
149s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
10-07-2020 12:03
Static task
static1
Behavioral task
behavioral1
Sample
5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe
Resource
win7
Behavioral task
behavioral2
Sample
5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe
Resource
win10v200430
General
-
Target
5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe
-
Size
1.0MB
-
MD5
572fea5f025df78f2d316216fbeee52e
-
SHA1
91b2bf44b1f9282c09f07f16631deaa3ad9d956d
-
SHA256
5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367
-
SHA512
eb238272227c5825477ff1e37dc4f7e467665049d4db5649fff59c39d7745e88b06234d6d1218c05c802e33e21577f9d4a533cb9e23ebe6fb09654f97759c187
Malware Config
Signatures
-
Modifies file permissions 1 TTPs 2 IoCs
Processes:
takeown.exeicacls.exepid process 4080 takeown.exe 3612 icacls.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 952 vssadmin.exe -
Drops file in System32 directory 2 IoCs
Processes:
Mui:binattrib.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Mui.exe Mui:bin File opened for modification C:\Windows\SysWOW64\Mui.exe attrib.exe -
Possible privilege escalation attempt 2 IoCs
Processes:
takeown.exeicacls.exepid process 4080 takeown.exe 3612 icacls.exe -
Views/modifies file attributes 1 TTPs 3 IoCs
Processes:
attrib.exeattrib.exeattrib.exepid process 3740 attrib.exe 2668 attrib.exe 3228 attrib.exe -
Executes dropped EXE 2 IoCs
Processes:
Mui:binMui.exepid process 1840 Mui:bin 3944 Mui.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies service 2 TTPs 5 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe -
WastedLocker
Ransomware family seen in the wild since May 2020.
-
NTFS ADS 1 IoCs
Processes:
5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Mui:bin 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe -
Suspicious use of WriteProcessMemory 38 IoCs
Processes:
5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exeMui:binMui.execmd.execmd.execmd.exedescription pid process target process PID 1628 wrote to memory of 1840 1628 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe Mui:bin PID 1628 wrote to memory of 1840 1628 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe Mui:bin PID 1628 wrote to memory of 1840 1628 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe Mui:bin PID 1840 wrote to memory of 952 1840 Mui:bin vssadmin.exe PID 1840 wrote to memory of 952 1840 Mui:bin vssadmin.exe PID 1840 wrote to memory of 4080 1840 Mui:bin takeown.exe PID 1840 wrote to memory of 4080 1840 Mui:bin takeown.exe PID 1840 wrote to memory of 4080 1840 Mui:bin takeown.exe PID 1840 wrote to memory of 3612 1840 Mui:bin icacls.exe PID 1840 wrote to memory of 3612 1840 Mui:bin icacls.exe PID 1840 wrote to memory of 3612 1840 Mui:bin icacls.exe PID 3944 wrote to memory of 3996 3944 Mui.exe cmd.exe PID 3944 wrote to memory of 3996 3944 Mui.exe cmd.exe PID 3944 wrote to memory of 3996 3944 Mui.exe cmd.exe PID 3996 wrote to memory of 3256 3996 cmd.exe choice.exe PID 3996 wrote to memory of 3256 3996 cmd.exe choice.exe PID 3996 wrote to memory of 3256 3996 cmd.exe choice.exe PID 1840 wrote to memory of 4064 1840 Mui:bin cmd.exe PID 1840 wrote to memory of 4064 1840 Mui:bin cmd.exe PID 1840 wrote to memory of 4064 1840 Mui:bin cmd.exe PID 1628 wrote to memory of 64 1628 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe cmd.exe PID 1628 wrote to memory of 64 1628 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe cmd.exe PID 1628 wrote to memory of 64 1628 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe cmd.exe PID 4064 wrote to memory of 3644 4064 cmd.exe choice.exe PID 4064 wrote to memory of 3644 4064 cmd.exe choice.exe PID 4064 wrote to memory of 3644 4064 cmd.exe choice.exe PID 64 wrote to memory of 2968 64 cmd.exe choice.exe PID 64 wrote to memory of 2968 64 cmd.exe choice.exe PID 64 wrote to memory of 2968 64 cmd.exe choice.exe PID 3996 wrote to memory of 3740 3996 cmd.exe attrib.exe PID 3996 wrote to memory of 3740 3996 cmd.exe attrib.exe PID 3996 wrote to memory of 3740 3996 cmd.exe attrib.exe PID 64 wrote to memory of 2668 64 cmd.exe attrib.exe PID 64 wrote to memory of 2668 64 cmd.exe attrib.exe PID 64 wrote to memory of 2668 64 cmd.exe attrib.exe PID 4064 wrote to memory of 3228 4064 cmd.exe attrib.exe PID 4064 wrote to memory of 3228 4064 cmd.exe attrib.exe PID 4064 wrote to memory of 3228 4064 cmd.exe attrib.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 2084 vssvc.exe Token: SeRestorePrivilege 2084 vssvc.exe Token: SeAuditPrivilege 2084 vssvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe"C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe"1⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Mui:binC:\Users\Admin\AppData\Roaming\Mui:bin -r2⤵
- Drops file in System32 directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Windows\system32\Mui.exe3⤵
- Modifies file permissions
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Windows\system32\Mui.exe /reset3⤵
- Modifies file permissions
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Mui" & del "C:\Users\Admin\AppData\Roaming\Mui"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y4⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Users\Admin\AppData\Roaming\Mui"4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe" & del "C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe"3⤵
- Views/modifies file attributes
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Mui.exeC:\Windows\SysWOW64\Mui.exe -s1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Mui.exe" & del "C:\Windows\SysWOW64\Mui.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Windows\SysWOW64\Mui.exe"3⤵
- Drops file in System32 directory
- Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Mui:bin
-
C:\Users\Admin\AppData\Roaming\Mui:bin
-
C:\Windows\SysWOW64\Mui.exe
-
C:\Windows\SysWOW64\Mui.exe
-
memory/64-11-0x0000000000000000-mapping.dmp
-
memory/952-3-0x0000000000000000-mapping.dmp
-
memory/1840-0-0x0000000000000000-mapping.dmp
-
memory/2668-15-0x0000000000000000-mapping.dmp
-
memory/2968-13-0x0000000000000000-mapping.dmp
-
memory/3228-16-0x0000000000000000-mapping.dmp
-
memory/3256-9-0x0000000000000000-mapping.dmp
-
memory/3612-6-0x0000000000000000-mapping.dmp
-
memory/3644-12-0x0000000000000000-mapping.dmp
-
memory/3740-14-0x0000000000000000-mapping.dmp
-
memory/3996-8-0x0000000000000000-mapping.dmp
-
memory/4064-10-0x0000000000000000-mapping.dmp
-
memory/4080-4-0x0000000000000000-mapping.dmp