Interfaces.bin

backendfu1m1
featuresanalog
max_time_kernel115534
max_time_network121533
platformwindows7_x64
reported26-07-2020 07:47
resourcewin7
score10
submitted26-07-2020 07:45
tagspersistence, discovery, exploit, ransomware, family:wastedlocker
ttpT1107, T1490, T1112, T1031, T1222, T1158

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

Interfaces.bin.exe

Filesize

1MB

Completed

26-07-2020 07:47

Score

10 ^/10

MD5

2cc4534b0dd0e1c8d5b89644274a10c1

SHA1

735ee2c15c0b7172f65d39f0fd33b9186ee69653

SHA256

905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a

Defense Evasion

Impact

Persistence

Suspicious use of AdjustPrivilegeToken
vssvc.exe

Reported IOCs

description pid process

Token: SeBackupPrivilege 1004 vssvc.exe
Token: SeRestorePrivilege 1004 vssvc.exe
Token: SeAuditPrivilege 1004 vssvc.exe
Possible privilege escalation attempt
takeown.exeicacls.exe

Tags

exploit

Reported IOCs

pid process

1500 takeown.exe
1792 icacls.exe

description	pid	process
Token: SeBackupPrivilege	1004	vssvc.exe
Token: SeRestorePrivilege	1004	vssvc.exe
Token: SeAuditPrivilege	1004	vssvc.exe

pid	process
1500	takeown.exe
1792	icacls.exe

Suspicious use of WriteProcessMemory

Interfaces.bin.exeGroup:binGroup.execmd.execmd.execmd.exe

Reported IOCs

description	pid	process	target process
PID 608 wrote to memory of 1184	608	Interfaces.bin.exe	Group:bin
PID 608 wrote to memory of 1184	608	Interfaces.bin.exe	Group:bin
PID 608 wrote to memory of 1184	608	Interfaces.bin.exe	Group:bin
PID 608 wrote to memory of 1184	608	Interfaces.bin.exe	Group:bin
PID 1184 wrote to memory of 1420	1184	Group:bin	vssadmin.exe
PID 1184 wrote to memory of 1420	1184	Group:bin	vssadmin.exe
PID 1184 wrote to memory of 1420	1184	Group:bin	vssadmin.exe
PID 1184 wrote to memory of 1420	1184	Group:bin	vssadmin.exe
PID 1184 wrote to memory of 1500	1184	Group:bin	takeown.exe
PID 1184 wrote to memory of 1500	1184	Group:bin	takeown.exe
PID 1184 wrote to memory of 1500	1184	Group:bin	takeown.exe
PID 1184 wrote to memory of 1500	1184	Group:bin	takeown.exe
PID 1184 wrote to memory of 1792	1184	Group:bin	icacls.exe
PID 1184 wrote to memory of 1792	1184	Group:bin	icacls.exe
PID 1184 wrote to memory of 1792	1184	Group:bin	icacls.exe
PID 1184 wrote to memory of 1792	1184	Group:bin	icacls.exe
PID 1768 wrote to memory of 1836	1768	Group.exe	cmd.exe
PID 1768 wrote to memory of 1836	1768	Group.exe	cmd.exe
PID 1768 wrote to memory of 1836	1768	Group.exe	cmd.exe
PID 1768 wrote to memory of 1836	1768	Group.exe	cmd.exe
PID 1836 wrote to memory of 1632	1836	cmd.exe	choice.exe
PID 1836 wrote to memory of 1632	1836	cmd.exe	choice.exe
PID 1836 wrote to memory of 1632	1836	cmd.exe	choice.exe
PID 1836 wrote to memory of 1632	1836	cmd.exe	choice.exe
PID 1184 wrote to memory of 1576	1184	Group:bin	cmd.exe
PID 1184 wrote to memory of 1576	1184	Group:bin	cmd.exe
PID 1184 wrote to memory of 1576	1184	Group:bin	cmd.exe
PID 1184 wrote to memory of 1576	1184	Group:bin	cmd.exe
PID 608 wrote to memory of 1636	608	Interfaces.bin.exe	cmd.exe
PID 608 wrote to memory of 1636	608	Interfaces.bin.exe	cmd.exe
PID 608 wrote to memory of 1636	608	Interfaces.bin.exe	cmd.exe
PID 608 wrote to memory of 1636	608	Interfaces.bin.exe	cmd.exe
PID 1576 wrote to memory of 1568	1576	cmd.exe	choice.exe
PID 1576 wrote to memory of 1568	1576	cmd.exe	choice.exe
PID 1576 wrote to memory of 1568	1576	cmd.exe	choice.exe
PID 1576 wrote to memory of 1568	1576	cmd.exe	choice.exe
PID 1636 wrote to memory of 1904	1636	cmd.exe	choice.exe
PID 1636 wrote to memory of 1904	1636	cmd.exe	choice.exe
PID 1636 wrote to memory of 1904	1636	cmd.exe	choice.exe
PID 1636 wrote to memory of 1904	1636	cmd.exe	choice.exe
PID 1836 wrote to memory of 1932	1836	cmd.exe	attrib.exe
PID 1836 wrote to memory of 1932	1836	cmd.exe	attrib.exe
PID 1836 wrote to memory of 1932	1836	cmd.exe	attrib.exe
PID 1836 wrote to memory of 1932	1836	cmd.exe	attrib.exe
PID 1576 wrote to memory of 1896	1576	cmd.exe	attrib.exe
PID 1576 wrote to memory of 1896	1576	cmd.exe	attrib.exe
PID 1576 wrote to memory of 1896	1576	cmd.exe	attrib.exe
PID 1576 wrote to memory of 1896	1576	cmd.exe	attrib.exe
PID 1636 wrote to memory of 1968	1636	cmd.exe	attrib.exe
PID 1636 wrote to memory of 1968	1636	cmd.exe	attrib.exe
PID 1636 wrote to memory of 1968	1636	cmd.exe	attrib.exe
PID 1636 wrote to memory of 1968	1636	cmd.exe	attrib.exe

Interacts with shadow copies
vssadmin.exe

Description

Shadow copies are often targeted by ransomware to inhibit system recovery.

Tags

ransomware

TTPs

File DeletionInhibit System Recovery

Reported IOCs

pid process

1420 vssadmin.exe
Modifies file permissions
takeown.exeicacls.exe

Tags

discovery

TTPs

File Permissions Modification

Reported IOCs

pid process

1500 takeown.exe
1792 icacls.exe
NTFS ADS
Interfaces.bin.exe

Reported IOCs

description ioc process

File opened for modification C:\Users\Admin\AppData\Roaming\Group:bin Interfaces.bin.exe
WastedLocker

Description

Ransomware family seen in the wild since May 2020.

Tags

ransomware wastedlocker
Views/modifies file attributes
attrib.exeattrib.exeattrib.exe

Tags

evasion

TTPs

Hidden Files and Directories

Reported IOCs

pid process

1932 attrib.exe
1896 attrib.exe
1968 attrib.exe
Loads dropped DLL
Interfaces.bin.exe

Reported IOCs

pid process

608 Interfaces.bin.exe
608 Interfaces.bin.exe
Executes dropped EXE
Group:binGroup.exe

Reported IOCs

pid process

1184 Group:bin
1768 Group.exe
Deletes itself
cmd.exe

Reported IOCs

pid process

1636 cmd.exe

pid	process
1420	vssadmin.exe

pid	process
1500	takeown.exe
1792	icacls.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Group:bin	Interfaces.bin.exe

pid	process
1932	attrib.exe
1896	attrib.exe
1968	attrib.exe

pid	process
608	Interfaces.bin.exe
608	Interfaces.bin.exe

pid	process
1184	Group:bin
1768	Group.exe

pid	process
1636	cmd.exe

Modifies service

vssvc.exe

TTPs

Modify RegistryModify Existing Service

Reported IOCs

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Deletes shadow copies

Description

Ransomware often targets backup files to inhibit system recovery.

Tags

ransomware

TTPs

File DeletionInhibit System Recovery

Drops file in System32 directory

Group:binattrib.exe

Reported IOCs

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Group.exe	Group:bin
File opened for modification	C:\Windows\SysWOW64\Group.exe	attrib.exe

Modifies extensions of user files

Group.exe

Description

Ransomware generally changes the extension on encrypted files.

Reported IOCs

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ConfirmResume.tif.garminwasted	Group.exe
File created	C:\Users\Admin\Pictures\SkipUpdate.png.garminwasted_info	Group.exe
File renamed	C:\Users\Admin\Pictures\SkipUpdate.png => C:\Users\Admin\Pictures\SkipUpdate.png.garminwasted	Group.exe
File opened for modification	C:\Users\Admin\Pictures\SkipUpdate.png.garminwasted	Group.exe
File created	C:\Users\Admin\Pictures\ConfirmResume.tif.garminwasted_info	Group.exe
File renamed	C:\Users\Admin\Pictures\ConfirmResume.tif => C:\Users\Admin\Pictures\ConfirmResume.tif.garminwasted	Group.exe

C:\Users\Admin\AppData\Local\Temp\Interfaces.bin.exe

"C:\Users\Admin\AppData\Local\Temp\Interfaces.bin.exe"

Loads dropped DLL
NTFS ADS
Suspicious use of WriteProcessMemory

PID:608

C:\Users\Admin\AppData\Roaming\Group:bin

C:\Users\Admin\AppData\Roaming\Group:bin -r

Drops file in System32 directory
Executes dropped EXE
Suspicious use of WriteProcessMemory

PID:1184

C:\Windows\system32\vssadmin.exe

C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet

Interacts with shadow copies

PID:1420

C:\Windows\SysWOW64\takeown.exe

C:\Windows\system32\takeown.exe /F C:\Windows\system32\Group.exe

Modifies file permissions
Possible privilege escalation attempt

PID:1500

C:\Windows\SysWOW64\icacls.exe

C:\Windows\system32\icacls.exe C:\Windows\system32\Group.exe /reset

Modifies file permissions
Possible privilege escalation attempt

PID:1792

C:\Windows\SysWOW64\cmd.exe

cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Group" & del "C:\Users\Admin\AppData\Roaming\Group"

Suspicious use of WriteProcessMemory

PID:1576

C:\Windows\SysWOW64\choice.exe

choice /t 10 /d y

PID:1568

C:\Windows\SysWOW64\attrib.exe

attrib -h "C:\Users\Admin\AppData\Roaming\Group"

Views/modifies file attributes

PID:1896

C:\Windows\SysWOW64\cmd.exe

cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\Interfaces.bin.exe" & del "C:\Users\Admin\AppData\Local\Temp\Interfaces.bin.exe"

Deletes itself
Suspicious use of WriteProcessMemory

PID:1636

C:\Windows\SysWOW64\choice.exe

choice /t 10 /d y

PID:1904

C:\Windows\SysWOW64\attrib.exe

attrib -h "C:\Users\Admin\AppData\Local\Temp\Interfaces.bin.exe"

Views/modifies file attributes

PID:1968

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Modifies service
Suspicious use of AdjustPrivilegeToken

PID:1004

C:\Windows\SysWOW64\Group.exe

C:\Windows\SysWOW64\Group.exe -s

Executes dropped EXE
Modifies extensions of user files
Suspicious use of WriteProcessMemory

PID:1768

C:\Windows\SysWOW64\cmd.exe

cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Group.exe" & del "C:\Windows\SysWOW64\Group.exe"

Suspicious use of WriteProcessMemory

PID:1836

C:\Windows\SysWOW64\choice.exe

choice /t 10 /d y

PID:1632

C:\Windows\SysWOW64\attrib.exe

attrib -h "C:\Windows\SysWOW64\Group.exe"

Drops file in System32 directory
Views/modifies file attributes

PID:1932

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Inhibit System Recovery

Initial Access

Lateral Movement

Persistence

Modify Existing Service

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Roaming\Group:bin

Download Submit
C:\Users\Admin\AppData\Roaming\Group:bin

Download Submit
C:\Windows\SysWOW64\Group.exe

Download Submit
C:\Windows\SysWOW64\Group.exe

Download Submit
\Users\Admin\AppData\Roaming\Group

Download Submit
\Users\Admin\AppData\Roaming\Group

Download Submit
memory/1184-2-0x0000000000000000-mapping.dmp

Download
memory/1420-4-0x0000000000000000-mapping.dmp

Download
memory/1500-6-0x0000000000000000-mapping.dmp

Download
memory/1568-14-0x0000000000000000-mapping.dmp

Download
memory/1576-12-0x0000000000000000-mapping.dmp

Download
memory/1632-11-0x0000000000000000-mapping.dmp

Download
memory/1636-13-0x0000000000000000-mapping.dmp

Download
memory/1792-8-0x0000000000000000-mapping.dmp

Download
memory/1836-10-0x0000000000000000-mapping.dmp

Download
memory/1896-17-0x0000000000000000-mapping.dmp

Download
memory/1904-15-0x0000000000000000-mapping.dmp

Download
memory/1932-16-0x0000000000000000-mapping.dmp

Download
memory/1968-18-0x0000000000000000-mapping.dmp

Download

Interfaces.bin

Filter: none

Reported IOCs

Tags

Reported IOCs

Reported IOCs

Description

Tags

TTPs

Reported IOCs

Tags

TTPs

Reported IOCs

Reported IOCs

Description

Tags

Tags

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Tags

TTPs

Reported IOCs

Description

Tags

TTPs

Reported IOCs

Description

Tags

Reported IOCs

Title