Interfaces.bin

General

Target: Interfaces.bin.exe
Filesize: 1MB
Completed: 26-07-2020 07:47
Score: 10/10
MD5: 2cc4534b0dd0e1c8d5b89644274a10c1
SHA1: 735ee2c15c0b7172f65d39f0fd33b9186ee69653
SHA256: 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a

Malware Config
Signatures 15

Tactics: Defense Evasion, Impact, Persistence
  • Suspicious use of AdjustPrivilegeToken
    vssvc.exe

    Reported IOCs

    description | pid | process
    Token: SeBackupPrivilege | 1004 | vssvc.exe
    Token: SeRestorePrivilege | 1004 | vssvc.exe
    Token: SeAuditPrivilege | 1004 | vssvc.exe
  • Possible privilege escalation attempt
    takeown.exe, icacls.exe

    Reported IOCs

    pid | process
    1500 | takeown.exe
    1792 | icacls.exe
  • Suspicious use of WriteProcessMemory
    Interfaces.bin.exe, Group:bin, Group.exe, cmd.exe, cmd.exe, cmd.exe

    Reported IOCs (each write was reported four times; listed once with its count)

    description | pid | process | target process | count
    PID 608 wrote to memory of 1184 | 608 | Interfaces.bin.exe | Group:bin | 4
    PID 1184 wrote to memory of 1420 | 1184 | Group:bin | vssadmin.exe | 4
    PID 1184 wrote to memory of 1500 | 1184 | Group:bin | takeown.exe | 4
    PID 1184 wrote to memory of 1792 | 1184 | Group:bin | icacls.exe | 4
    PID 1768 wrote to memory of 1836 | 1768 | Group.exe | cmd.exe | 4
    PID 1836 wrote to memory of 1632 | 1836 | cmd.exe | choice.exe | 4
    PID 1184 wrote to memory of 1576 | 1184 | Group:bin | cmd.exe | 4
    PID 608 wrote to memory of 1636 | 608 | Interfaces.bin.exe | cmd.exe | 4
    PID 1576 wrote to memory of 1568 | 1576 | cmd.exe | choice.exe | 4
    PID 1636 wrote to memory of 1904 | 1636 | cmd.exe | choice.exe | 4
    PID 1836 wrote to memory of 1932 | 1836 | cmd.exe | attrib.exe | 4
    PID 1576 wrote to memory of 1896 | 1576 | cmd.exe | attrib.exe | 4
    PID 1636 wrote to memory of 1968 | 1636 | cmd.exe | attrib.exe | 4
  • Interacts with shadow copies
    vssadmin.exe

    Description

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery

    Reported IOCs

    pid | process
    1420 | vssadmin.exe
  • Modifies file permissions
    takeown.exe, icacls.exe

    TTPs

    File Permissions Modification

    Reported IOCs

    pid | process
    1500 | takeown.exe
    1792 | icacls.exe
  • NTFS ADS
    Interfaces.bin.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Users\Admin\AppData\Roaming\Group:bin | Interfaces.bin.exe
  • WastedLocker

    Description

    Ransomware family seen in the wild since May 2020.

  • Views/modifies file attributes
    attrib.exe, attrib.exe, attrib.exe

    TTPs

    Hidden Files and Directories

    Reported IOCs

    pid | process
    1932 | attrib.exe
    1896 | attrib.exe
    1968 | attrib.exe
  • Loads dropped DLL
    Interfaces.bin.exe

    Reported IOCs

    pid | process
    608 | Interfaces.bin.exe
    608 | Interfaces.bin.exe
  • Executes dropped EXE
    Group:bin, Group.exe

    Reported IOCs

    pid | process
    1184 | Group:bin
    1768 | Group.exe
  • Deletes itself
    cmd.exe

    Reported IOCs

    pid | process
    1636 | cmd.exe
  • Modifies service
    vssvc.exe

    TTPs

    Modify Registry, Modify Existing Service

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery
  • Drops file in System32 directory
    Group:bin, attrib.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\SysWOW64\Group.exe | Group:bin
    File opened for modification | C:\Windows\SysWOW64\Group.exe | attrib.exe
  • Modifies extensions of user files
    Group.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Users\Admin\Pictures\ConfirmResume.tif.garminwasted | Group.exe
    File created | C:\Users\Admin\Pictures\SkipUpdate.png.garminwasted_info | Group.exe
    File renamed | C:\Users\Admin\Pictures\SkipUpdate.png => C:\Users\Admin\Pictures\SkipUpdate.png.garminwasted | Group.exe
    File opened for modification | C:\Users\Admin\Pictures\SkipUpdate.png.garminwasted | Group.exe
    File created | C:\Users\Admin\Pictures\ConfirmResume.tif.garminwasted_info | Group.exe
    File renamed | C:\Users\Admin\Pictures\ConfirmResume.tif => C:\Users\Admin\Pictures\ConfirmResume.tif.garminwasted | Group.exe
Processes 16
  • C:\Users\Admin\AppData\Local\Temp\Interfaces.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\Interfaces.bin.exe"
    Loads dropped DLL
    NTFS ADS
    Suspicious use of WriteProcessMemory
    PID:608
    • C:\Users\Admin\AppData\Roaming\Group:bin
      C:\Users\Admin\AppData\Roaming\Group:bin -r
      Drops file in System32 directory
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1184
      • C:\Windows\system32\vssadmin.exe
        C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
        Interacts with shadow copies
        PID:1420
      • C:\Windows\SysWOW64\takeown.exe
        C:\Windows\system32\takeown.exe /F C:\Windows\system32\Group.exe
        Modifies file permissions
        Possible privilege escalation attempt
        PID:1500
      • C:\Windows\SysWOW64\icacls.exe
        C:\Windows\system32\icacls.exe C:\Windows\system32\Group.exe /reset
        Modifies file permissions
        Possible privilege escalation attempt
        PID:1792
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Group" & del "C:\Users\Admin\AppData\Roaming\Group"
        Suspicious use of WriteProcessMemory
        PID:1576
        • C:\Windows\SysWOW64\choice.exe
          choice /t 10 /d y
          PID:1568
        • C:\Windows\SysWOW64\attrib.exe
          attrib -h "C:\Users\Admin\AppData\Roaming\Group"
          Views/modifies file attributes
          PID:1896
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\Interfaces.bin.exe" & del "C:\Users\Admin\AppData\Local\Temp\Interfaces.bin.exe"
      Deletes itself
      Suspicious use of WriteProcessMemory
      PID:1636
      • C:\Windows\SysWOW64\choice.exe
        choice /t 10 /d y
        PID:1904
      • C:\Windows\SysWOW64\attrib.exe
        attrib -h "C:\Users\Admin\AppData\Local\Temp\Interfaces.bin.exe"
        Views/modifies file attributes
        PID:1968
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Modifies service
    Suspicious use of AdjustPrivilegeToken
    PID:1004
  • C:\Windows\SysWOW64\Group.exe
    C:\Windows\SysWOW64\Group.exe -s
    Executes dropped EXE
    Modifies extensions of user files
    Suspicious use of WriteProcessMemory
    PID:1768
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Group.exe" & del "C:\Windows\SysWOW64\Group.exe"
      Suspicious use of WriteProcessMemory
      PID:1836
      • C:\Windows\SysWOW64\choice.exe
        choice /t 10 /d y
        PID:1632
      • C:\Windows\SysWOW64\attrib.exe
        attrib -h "C:\Windows\SysWOW64\Group.exe"
        Drops file in System32 directory
        Views/modifies file attributes
        PID:1932
Network
MITRE ATT&CK Matrix
Columns shown: Collection, Command and Control, Credential Access, Discovery, Execution, Exfiltration, Initial Access, Lateral Movement, Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Roaming\Group:bin
  • C:\Windows\SysWOW64\Group.exe
  • \Users\Admin\AppData\Roaming\Group