Interfaces.bin
General
Target
Filesize
Completed
Interfaces.bin.exe
1MB
26-07-2020 07:47
Score
10
/10
MD5
SHA1
SHA256
2cc4534b0dd0e1c8d5b89644274a10c1
735ee2c15c0b7172f65d39f0fd33b9186ee69653
905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a
Malware Config
Signatures 13
Filter: none
Defense Evasion
Impact
Persistence
-
WastedLocker
Description
Ransomware family seen in the wild since May 2020.
Tags
-
Modifies extensions of user filesMachine.exe
Description
Ransomware generally changes the extension on encrypted files.
Tags
Reported IOCs
description ioc process File created C:\Users\Admin\Pictures\ResolveGrant.raw.garminwasted_info Machine.exe File renamed C:\Users\Admin\Pictures\ResolveGrant.raw => C:\Users\Admin\Pictures\ResolveGrant.raw.garminwasted Machine.exe File created C:\Users\Admin\Pictures\SyncDismount.raw.garminwasted_info Machine.exe File renamed C:\Users\Admin\Pictures\SyncDismount.raw => C:\Users\Admin\Pictures\SyncDismount.raw.garminwasted Machine.exe File created C:\Users\Admin\Pictures\FormatMerge.png.garminwasted_info Machine.exe File created C:\Users\Admin\Pictures\GetBlock.crw.garminwasted_info Machine.exe File renamed C:\Users\Admin\Pictures\FormatMerge.png => C:\Users\Admin\Pictures\FormatMerge.png.garminwasted Machine.exe File opened for modification C:\Users\Admin\Pictures\ResolveGrant.raw.garminwasted Machine.exe File opened for modification C:\Users\Admin\Pictures\SyncDismount.raw.garminwasted Machine.exe File opened for modification C:\Users\Admin\Pictures\FormatMerge.png.garminwasted Machine.exe File renamed C:\Users\Admin\Pictures\GetBlock.crw => C:\Users\Admin\Pictures\GetBlock.crw.garminwasted Machine.exe File opened for modification C:\Users\Admin\Pictures\GetBlock.crw.garminwasted Machine.exe -
Views/modifies file attributesattrib.exeattrib.exeattrib.exe
Tags
TTPs
Reported IOCs
pid process 2056 attrib.exe 3136 attrib.exe 3756 attrib.exe -
Deletes shadow copies
Description
Ransomware often targets backup files to inhibit system recovery.
Tags
TTPs
-
Modifies file permissionstakeown.exeicacls.exe
Tags
TTPs
Reported IOCs
pid process 1272 takeown.exe 1564 icacls.exe -
Suspicious use of AdjustPrivilegeTokenvssvc.exe
Reported IOCs
description pid process Token: SeBackupPrivilege 388 vssvc.exe Token: SeRestorePrivilege 388 vssvc.exe Token: SeAuditPrivilege 388 vssvc.exe -
Modifies servicevssvc.exe
Tags
TTPs
Reported IOCs
description ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe -
Interacts with shadow copiesvssadmin.exe
Description
Shadow copies are often targeted by ransomware to inhibit system recovery.
Tags
TTPs
Reported IOCs
pid process 640 vssadmin.exe -
Possible privilege escalation attempttakeown.exeicacls.exe
Tags
Reported IOCs
pid process 1272 takeown.exe 1564 icacls.exe -
NTFS ADSInterfaces.bin.exe
Reported IOCs
description ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Machine:bin Interfaces.bin.exe -
Drops file in System32 directoryattrib.exeMachine:bin
Reported IOCs
description ioc process File opened for modification C:\Windows\SysWOW64\Machine.exe attrib.exe File opened for modification C:\Windows\SysWOW64\Machine.exe Machine:bin -
Suspicious use of WriteProcessMemoryInterfaces.bin.exeMachine:binMachine.execmd.execmd.execmd.exe
Reported IOCs
description pid process target process PID 408 wrote to memory of 504 408 Interfaces.bin.exe Machine:bin PID 408 wrote to memory of 504 408 Interfaces.bin.exe Machine:bin PID 408 wrote to memory of 504 408 Interfaces.bin.exe Machine:bin PID 504 wrote to memory of 640 504 Machine:bin vssadmin.exe PID 504 wrote to memory of 640 504 Machine:bin vssadmin.exe PID 504 wrote to memory of 1272 504 Machine:bin takeown.exe PID 504 wrote to memory of 1272 504 Machine:bin takeown.exe PID 504 wrote to memory of 1272 504 Machine:bin takeown.exe PID 504 wrote to memory of 1564 504 Machine:bin icacls.exe PID 504 wrote to memory of 1564 504 Machine:bin icacls.exe PID 504 wrote to memory of 1564 504 Machine:bin icacls.exe PID 1780 wrote to memory of 2312 1780 Machine.exe cmd.exe PID 1780 wrote to memory of 2312 1780 Machine.exe cmd.exe PID 1780 wrote to memory of 2312 1780 Machine.exe cmd.exe PID 2312 wrote to memory of 2492 2312 cmd.exe choice.exe PID 2312 wrote to memory of 2492 2312 cmd.exe choice.exe PID 2312 wrote to memory of 2492 2312 cmd.exe choice.exe PID 504 wrote to memory of 2540 504 Machine:bin cmd.exe PID 504 wrote to memory of 2540 504 Machine:bin cmd.exe PID 504 wrote to memory of 2540 504 Machine:bin cmd.exe PID 408 wrote to memory of 2648 408 Interfaces.bin.exe cmd.exe PID 408 wrote to memory of 2648 408 Interfaces.bin.exe cmd.exe PID 408 wrote to memory of 2648 408 Interfaces.bin.exe cmd.exe PID 2540 wrote to memory of 4012 2540 cmd.exe choice.exe PID 2540 wrote to memory of 4012 2540 cmd.exe choice.exe PID 2540 wrote to memory of 4012 2540 cmd.exe choice.exe PID 2648 wrote to memory of 2460 2648 cmd.exe choice.exe PID 2648 wrote to memory of 2460 2648 cmd.exe choice.exe PID 2648 wrote to memory of 2460 2648 cmd.exe choice.exe PID 2312 wrote to memory of 2056 2312 cmd.exe attrib.exe PID 2312 wrote to memory of 2056 2312 cmd.exe attrib.exe PID 2312 wrote to memory of 2056 2312 cmd.exe attrib.exe PID 2540 wrote to memory of 3136 2540 cmd.exe attrib.exe PID 2540 wrote to memory of 3136 2540 cmd.exe attrib.exe PID 2540 wrote to memory of 3136 2540 cmd.exe attrib.exe PID 2648 wrote to memory of 3756 2648 cmd.exe attrib.exe PID 2648 wrote to memory of 3756 2648 cmd.exe attrib.exe PID 2648 wrote to memory of 3756 2648 cmd.exe attrib.exe -
Executes dropped EXEMachine:binMachine.exe
Reported IOCs
pid process 504 Machine:bin 1780 Machine.exe
Processes 16
-
C:\Users\Admin\AppData\Local\Temp\Interfaces.bin.exePID:408"C:\Users\Admin\AppData\Local\Temp\Interfaces.bin.exe"NTFS ADSSuspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Machine:binPID:504C:\Users\Admin\AppData\Roaming\Machine:bin -rDrops file in System32 directorySuspicious use of WriteProcessMemoryExecutes dropped EXE
-
C:\Windows\system32\vssadmin.exePID:640C:\Windows\system32\vssadmin.exe Delete Shadows /All /QuietInteracts with shadow copies
-
C:\Windows\SysWOW64\takeown.exePID:1272C:\Windows\system32\takeown.exe /F C:\Windows\system32\Machine.exeModifies file permissionsPossible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exePID:1564C:\Windows\system32\icacls.exe C:\Windows\system32\Machine.exe /resetModifies file permissionsPossible privilege escalation attempt
-
C:\Windows\SysWOW64\cmd.exePID:2540cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Machine" & del "C:\Users\Admin\AppData\Roaming\Machine"Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exePID:4012choice /t 10 /d y
-
C:\Windows\SysWOW64\attrib.exePID:3136attrib -h "C:\Users\Admin\AppData\Roaming\Machine"Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exePID:2648cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\Interfaces.bin.exe" & del "C:\Users\Admin\AppData\Local\Temp\Interfaces.bin.exe"Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exePID:2460choice /t 10 /d y
-
C:\Windows\SysWOW64\attrib.exePID:3756attrib -h "C:\Users\Admin\AppData\Local\Temp\Interfaces.bin.exe"Views/modifies file attributes
-
C:\Windows\system32\vssvc.exePID:388C:\Windows\system32\vssvc.exeSuspicious use of AdjustPrivilegeTokenModifies service
-
C:\Windows\SysWOW64\Machine.exePID:1780C:\Windows\SysWOW64\Machine.exe -sModifies extensions of user filesSuspicious use of WriteProcessMemoryExecutes dropped EXE
-
C:\Windows\SysWOW64\cmd.exePID:2312cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Machine.exe" & del "C:\Windows\SysWOW64\Machine.exe"Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exePID:2492choice /t 10 /d y
-
C:\Windows\SysWOW64\attrib.exePID:2056attrib -h "C:\Windows\SysWOW64\Machine.exe"Views/modifies file attributesDrops file in System32 directory
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Replay Monitor
00:00
00:00
Downloads
-
C:\Users\Admin\AppData\Roaming\Machine:bin
-
C:\Users\Admin\AppData\Roaming\Machine:bin
-
C:\Windows\SysWOW64\Machine.exe
-
C:\Windows\SysWOW64\Machine.exe
-
memory/504-0-0x0000000000000000-mapping.dmp
-
memory/640-3-0x0000000000000000-mapping.dmp
-
memory/1272-4-0x0000000000000000-mapping.dmp
-
memory/1564-6-0x0000000000000000-mapping.dmp
-
memory/2056-14-0x0000000000000000-mapping.dmp
-
memory/2312-8-0x0000000000000000-mapping.dmp
-
memory/2460-13-0x0000000000000000-mapping.dmp
-
memory/2492-9-0x0000000000000000-mapping.dmp
-
memory/2540-10-0x0000000000000000-mapping.dmp
-
memory/2648-11-0x0000000000000000-mapping.dmp
-
memory/3136-15-0x0000000000000000-mapping.dmp
-
memory/3756-16-0x0000000000000000-mapping.dmp
-
memory/4012-12-0x0000000000000000-mapping.dmp
Title
Loading Data