Analysis
max time kernel: 274s
max time network: 276s
platform: windows10_x64
resource: win10
submitted: 13-07-2020 16:49
Static task: static1
Behavioral task: behavioral1
Sample: 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe
Resource: win10
General
Target: 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe
Size: 1.0MB
MD5: 572fea5f025df78f2d316216fbeee52e
SHA1: 91b2bf44b1f9282c09f07f16631deaa3ad9d956d
SHA256: 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367
SHA512: eb238272227c5825477ff1e37dc4f7e467665049d4db5649fff59c39d7745e88b06234d6d1218c05c802e33e21577f9d4a533cb9e23ebe6fb09654f97759c187
Malware Config
Signatures
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes: 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe, Sc:bin, Lsa.exe, cmd.exe
pid process -> target pid target process (number of calls recorded)
PID 3544 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe wrote to memory of 3672 Sc:bin (3)
PID 3672 Sc:bin wrote to memory of 3932 vssadmin.exe (2)
PID 3672 Sc:bin wrote to memory of 3972 takeown.exe (3)
PID 3672 Sc:bin wrote to memory of 3444 icacls.exe (3)
PID 1812 Lsa.exe wrote to memory of 2828 cmd.exe (3)
PID 2828 cmd.exe wrote to memory of 3056 choice.exe (3)
PID 3672 Sc:bin wrote to memory of 3264 cmd.exe (3)
PID 3544 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe wrote to memory of 3240 cmd.exe (3)
PID 3264 cmd.exe wrote to memory of 3720 choice.exe (3)
PID 3240 cmd.exe wrote to memory of 520 choice.exe (3)
PID 2828 cmd.exe wrote to memory of 636 attrib.exe (3)
PID 3264 cmd.exe wrote to memory of 808 attrib.exe (3)
PID 3240 cmd.exe wrote to memory of 912 attrib.exe (3)
Executes dropped EXE 2 IoCs
Processes:
pid process
3672 Sc:bin
1812 Lsa.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description pid process
Token: SeBackupPrivilege 3812 vssvc.exe
Token: SeRestorePrivilege 3812 vssvc.exe
Token: SeAuditPrivilege 3812 vssvc.exe
WastedLocker
Ransomware family seen in the wild since May 2020.
-
Views/modifies file attributes 1 TTPs 3 IoCs
Processes:
pid process
636 attrib.exe
808 attrib.exe
912 attrib.exe
Drops file in System32 directory 2 IoCs
Processes:
description ioc process
File opened for modification C:\Windows\SysWOW64\Lsa.exe Sc:bin
File opened for modification C:\Windows\SysWOW64\Lsa.exe attrib.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies file permissions 1 TTPs 2 IoCs
Processes:
pid process
3972 takeown.exe
3444 icacls.exe
Possible privilege escalation attempt 2 IoCs
Processes:
pid process
3972 takeown.exe
3444 icacls.exe
NTFS ADS 1 IoCs
Processes:
description ioc process
File opened for modification C:\Users\Admin\AppData\Roaming\Sc:bin 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid process
3932 vssadmin.exe
Modifies service 2 TTPs 5 IoCs
Processes:
description ioc process
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe
Processes
(Tree depth is shown by indentation; PIDs are taken from the WriteProcessMemory and AdjustPrivilegeToken records above. Each entry gives the image that actually ran, then the command line as logged.)

C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe (PID 3544)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe"
  - Suspicious use of WriteProcessMemory
  - NTFS ADS
  C:\Users\Admin\AppData\Roaming\Sc:bin (PID 3672)
    Command line: C:\Users\Admin\AppData\Roaming\Sc:bin -r
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Drops file in System32 directory
    C:\Windows\system32\vssadmin.exe (PID 3932)
      Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
    C:\Windows\SysWOW64\takeown.exe (PID 3972)
      Command line: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Lsa.exe
      - Modifies file permissions
      - Possible privilege escalation attempt
    C:\Windows\SysWOW64\icacls.exe (PID 3444)
      Command line: C:\Windows\system32\icacls.exe C:\Windows\system32\Lsa.exe /reset
      - Modifies file permissions
      - Possible privilege escalation attempt
    C:\Windows\SysWOW64\cmd.exe (PID 3264)
      Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Sc" & del "C:\Users\Admin\AppData\Roaming\Sc"
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\choice.exe (PID 3720)
        Command line: choice /t 10 /d y
      C:\Windows\SysWOW64\attrib.exe (PID 808)
        Command line: attrib -h "C:\Users\Admin\AppData\Roaming\Sc"
        - Views/modifies file attributes
  C:\Windows\SysWOW64\cmd.exe (PID 3240)
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe" & del "C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\choice.exe (PID 520)
      Command line: choice /t 10 /d y
    C:\Windows\SysWOW64\attrib.exe (PID 912)
      Command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe"
      - Views/modifies file attributes

C:\Windows\system32\vssvc.exe (PID 3812)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service

C:\Windows\SysWOW64\Lsa.exe (PID 1812)
  Command line: C:\Windows\SysWOW64\Lsa.exe -s
  - Suspicious use of WriteProcessMemory
  - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe (PID 2828)
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Lsa.exe" & del "C:\Windows\SysWOW64\Lsa.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\choice.exe (PID 3056)
      Command line: choice /t 10 /d y
    C:\Windows\SysWOW64\attrib.exe (PID 636)
      Command line: attrib -h "C:\Windows\SysWOW64\Lsa.exe"
      - Views/modifies file attributes
      - Drops file in System32 directory
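Added example, not part of the Triage report and not code from the sample: command-line heuristics for the four behaviours the process tree above records, run over process-creation events constructed from that tree. The event schema (pid, ppid, image, cmdline), the tag names and the two benign control events are assumptions; the PIDs, image paths and command lines are copied from the report. Two details in the tree drive the rules. First, `choice /t 10 /d y` is a ten-second sleep built from a cmd built-in (choice answers itself with Y when the timeout expires), so each `cmd /c choice ... & attrib -h ... & del ...` chain is a delayed delete, and a delayed delete is a self-delete when the target is the parent's own image; for the ADS payload the target is the host file `Sc`, not the stream `Sc:bin`, so the comparison has to strip the stream name. Second, takeown.exe and icacls.exe run as 32-bit processes here (image under SysWOW64) while their command lines name C:\Windows\system32; WoW64 file system redirection maps that to SysWOW64, which is why the dropped file recorded by the "Drops file in System32 directory" signature is C:\Windows\SysWOW64\Lsa.exe. The `wmic shadowcopy delete` alternative in the shadow-copy rule goes beyond what this report shows.

```python
# Added example: command-line heuristics for the behaviours in the Triage process tree.
# Not the report's or the sample's code. Schema and tag names are assumptions; PIDs,
# images and command lines come from the report; the last two events are constructed.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int      # 0 when the parent is not in the trace
    image: str     # image actually executed (a 32-bit process shows up under SysWOW64)
    cmdline: str


SAMPLE = "5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ROAM = r"C:\Users\Admin\AppData\Roaming"
SELF_DEL = 'cmd /c choice /t 10 /d y & attrib -h "{0}" & del "{0}"'

EVENTS = [
    ProcEvent(3544, 0, rf"{TEMP}\{SAMPLE}", f'"{TEMP}\\{SAMPLE}"'),
    ProcEvent(3672, 3544, rf"{ROAM}\Sc:bin", rf"{ROAM}\Sc:bin -r"),
    ProcEvent(3932, 3672, r"C:\Windows\system32\vssadmin.exe",
              r"C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(3972, 3672, r"C:\Windows\SysWOW64\takeown.exe",
              r"C:\Windows\system32\takeown.exe /F C:\Windows\system32\Lsa.exe"),
    ProcEvent(3444, 3672, r"C:\Windows\SysWOW64\icacls.exe",
              r"C:\Windows\system32\icacls.exe C:\Windows\system32\Lsa.exe /reset"),
    ProcEvent(3264, 3672, r"C:\Windows\SysWOW64\cmd.exe", SELF_DEL.format(rf"{ROAM}\Sc")),
    ProcEvent(3240, 3544, r"C:\Windows\SysWOW64\cmd.exe", SELF_DEL.format(rf"{TEMP}\{SAMPLE}")),
    ProcEvent(1812, 0, r"C:\Windows\SysWOW64\Lsa.exe", r"C:\Windows\SysWOW64\Lsa.exe -s"),
    ProcEvent(2828, 1812, r"C:\Windows\SysWOW64\cmd.exe", SELF_DEL.format(r"C:\Windows\SysWOW64\Lsa.exe")),
    # Constructed benign controls: a choice-based delay with no delete, and a delete with no delay.
    ProcEvent(9001, 0, r"C:\Windows\system32\cmd.exe", r"cmd /c choice /t 5 /d y & echo finished"),
    ProcEvent(9002, 0, r"C:\Windows\system32\cmd.exe", r'cmd /c del "C:\Users\Admin\notes.tmp"'),
]

# Final path component carries a stream name (...\Sc:bin): an NTFS ADS executed directly.
_ADS_IMAGE = re.compile(r"^[A-Za-z]:\\(?:[^\\]*\\)*[^\\:]+:[^\\:]+$")
# vssadmin delete shadows (seen in this report) or the wmic equivalent (generalisation).
_SHADOW_DELETE = re.compile(
    r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b|\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)
_SYSTEM_DIR = re.compile(r"\\windows\\(?:system32|syswow64)\\", re.I)
# "choice /t N ... & ... del <target>": a sleep built from choice followed by a delete.
_DELAYED_DELETE = re.compile(r'\bchoice\b[^&]*/t\s+\d+[^&]*&.*\bdel\b\s+"?([^"&]+?)"?\s*$', re.I)


def ads_host(path: str) -> str:
    """Host file of an ADS path ('...\\Sc:bin' -> '...\\Sc'); other paths are returned unchanged."""
    head, sep, tail = path.rpartition("\\")
    return head + sep + tail.split(":", 1)[0]


def _norm(path: str) -> str:
    return ads_host(path.strip().strip('"')).lower()


def _args(cmdline: str) -> str:
    """Everything after the program token, so a tool's own path is not mistaken for its target."""
    s = cmdline.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:] if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1] if len(parts) > 1 else ""


def delete_target(ev: ProcEvent):
    """Path removed by a 'choice /t N ... & del ...' chain, or None when the pattern is absent."""
    m = _DELAYED_DELETE.search(ev.cmdline)
    return m.group(1) if m else None


def classify(ev: ProcEvent, by_pid: dict) -> set:
    tags = set()
    base = ev.image.rsplit("\\", 1)[-1].lower()
    if _ADS_IMAGE.match(ev.image):
        tags.add("ads_execution")
    if _SHADOW_DELETE.search(ev.cmdline):
        tags.add("shadow_copy_deletion")
    if base in ("takeown.exe", "icacls.exe") and _SYSTEM_DIR.search(_args(ev.cmdline)):
        tags.add("system_dir_acl_change")
    target = delete_target(ev)
    if target is not None:
        tags.add("delayed_delete")
        parent = by_pid.get(ev.ppid)
        # Self-delete when the removed file is the parent's own image. For the ADS payload the
        # del target is the host file (Sc), not the stream (Sc:bin), so both sides are host-normalised.
        if parent is not None and _norm(target) == _norm(parent.image):
            tags.add("self_delete")
    return tags


def analyze(events):
    """Map each pid to its sorted list of tags; pids with no findings map to an empty list."""
    by_pid = {e.pid: e for e in events}
    return {e.pid: sorted(classify(e, by_pid)) for e in events}


if __name__ == "__main__":
    for pid, tags in analyze(EVENTS).items():
        if tags:
            print(pid, ", ".join(tags))
```

The rules key on command lines rather than on image names, because the image of a 32-bit process is already redirected to SysWOW64 while the attacker-supplied arguments still say system32; matching the argument text case-insensitively against both directories catches either form.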
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\Sc:bin
C:\Windows\SysWOW64\Lsa.exe
memory/520-13-0x0000000000000000-mapping.dmp
memory/636-14-0x0000000000000000-mapping.dmp
memory/808-15-0x0000000000000000-mapping.dmp
memory/912-16-0x0000000000000000-mapping.dmp
memory/2828-8-0x0000000000000000-mapping.dmp
memory/3056-9-0x0000000000000000-mapping.dmp
memory/3240-11-0x0000000000000000-mapping.dmp
memory/3264-10-0x0000000000000000-mapping.dmp
memory/3444-6-0x0000000000000000-mapping.dmp
memory/3672-0-0x0000000000000000-mapping.dmp
memory/3720-12-0x0000000000000000-mapping.dmp
memory/3932-3-0x0000000000000000-mapping.dmp
memory/3972-4-0x0000000000000000-mapping.dmp