Interfaces.bin

General

Target:    Interfaces.bin.exe
Filesize:  1MB
Completed: 26-07-2020 07:47
Score:     10/10
MD5:       2cc4534b0dd0e1c8d5b89644274a10c1
SHA1:      735ee2c15c0b7172f65d39f0fd33b9186ee69653
SHA256:    905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a

Signatures (13)

  • WastedLocker

    Description

    Ransomware family seen in the wild since May 2020.

  • Modifies extensions of user files
    Process: Machine.exe

    Description

    Ransomware generally changes the extension on encrypted files. Here Machine.exe renames each file under C:\Users\Admin\Pictures to <name>.garminwasted and creates a companion <name>.garminwasted_info file beside it; WastedLocker writes a per-file ransom note with this _info suffix, and the extension prefix is victim-specific.

    Reported IOCs

    description                  | ioc                                                                                              | process
    File created                 | C:\Users\Admin\Pictures\ResolveGrant.raw.garminwasted_info                                       | Machine.exe
    File renamed                 | C:\Users\Admin\Pictures\ResolveGrant.raw => C:\Users\Admin\Pictures\ResolveGrant.raw.garminwasted | Machine.exe
    File created                 | C:\Users\Admin\Pictures\SyncDismount.raw.garminwasted_info                                       | Machine.exe
    File renamed                 | C:\Users\Admin\Pictures\SyncDismount.raw => C:\Users\Admin\Pictures\SyncDismount.raw.garminwasted | Machine.exe
    File created                 | C:\Users\Admin\Pictures\FormatMerge.png.garminwasted_info                                        | Machine.exe
    File created                 | C:\Users\Admin\Pictures\GetBlock.crw.garminwasted_info                                           | Machine.exe
    File renamed                 | C:\Users\Admin\Pictures\FormatMerge.png => C:\Users\Admin\Pictures\FormatMerge.png.garminwasted   | Machine.exe
    File opened for modification | C:\Users\Admin\Pictures\ResolveGrant.raw.garminwasted                                            | Machine.exe
    File opened for modification | C:\Users\Admin\Pictures\SyncDismount.raw.garminwasted                                            | Machine.exe
    File opened for modification | C:\Users\Admin\Pictures\FormatMerge.png.garminwasted                                             | Machine.exe
    File renamed                 | C:\Users\Admin\Pictures\GetBlock.crw => C:\Users\Admin\Pictures\GetBlock.crw.garminwasted         | Machine.exe
    File opened for modification | C:\Users\Admin\Pictures\GetBlock.crw.garminwasted                                                | Machine.exe
  • Views/modifies file attributes
    Process: attrib.exe (three instances)

    TTPs

    Hidden Files and Directories

    Reported IOCs

    pid  | process
    2056 | attrib.exe
    3136 | attrib.exe
    3756 | attrib.exe
  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery
  • Modifies file permissions
    Processes: takeown.exe, icacls.exe

    TTPs

    File Permissions Modification

    Reported IOCs

    pid  | process
    1272 | takeown.exe
    1564 | icacls.exe
  • Suspicious use of AdjustPrivilegeToken
    Process: vssvc.exe

    These privileges are enabled by the Volume Shadow Copy service itself (vssvc.exe, pid 388) when the service is engaged, here by vssadmin.exe (pid 640); they are not adjusted by the sample. On their own they are normal VSS behaviour and only matter in context with the vssadmin.exe invocation.

    Reported IOCs

    description               | pid | process
    Token: SeBackupPrivilege  | 388 | vssvc.exe
    Token: SeRestorePrivilege | 388 | vssvc.exe
    Token: SeAuditPrivilege   | 388 | vssvc.exe
  • Modifies service
    Process: vssvc.exe

    TTPs

    Modify Registry, Modify Existing Service

    The VSS\Diag writer keys below are likewise created by vssvc.exe as a side effect of the service starting, not written by the sample directly.

    Reported IOCs

    description | ioc                                                                                                          | process
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                                      | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer                                    | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                                           | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer                      | vssvc.exe
  • Interacts with shadow copies
    Process: vssadmin.exe

    Description

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery

    Reported IOCs

    pid | process
    640 | vssadmin.exe
  • Possible privilege escalation attempt
    Processes: takeown.exe, icacls.exe

    These are the same two processes reported under "Modifies file permissions"; both are spawned by Machine:bin (pid 504), and the target they operate on is the SysWOW64 path written in "Drops file in System32 directory". The command lines are not captured in this report.

    Reported IOCs

    pid  | process
    1272 | takeown.exe
    1564 | icacls.exe
  • NTFS ADS
    Process: Interfaces.bin.exe

    The dropped payload is written into an alternate data stream named bin on the file C:\Users\Admin\AppData\Roaming\Machine, which is why the second stage appears throughout this report as Machine:bin (pid 504). A plain dir listing will not show the stream; dir /r or PowerShell's Get-Item -Stream * will.

    Reported IOCs

    description                  | ioc                                         | process
    File opened for modification | C:\Users\Admin\AppData\Roaming\Machine:bin  | Interfaces.bin.exe
  • Drops file in System32 directory
    Processes: Machine:bin, attrib.exe

    Machine:bin writes a copy of itself to C:\Windows\SysWOW64\Machine.exe, consistent with the takeown.exe / icacls.exe calls it spawns (pids 1272, 1564) being used to obtain write access to that path first; the copy then runs as Machine.exe (pid 1780). attrib.exe touching the same file fits the later cleanup chain.

    Reported IOCs

    description                  | ioc                              | process
    File opened for modification | C:\Windows\SysWOW64\Machine.exe  | attrib.exe
    File opened for modification | C:\Windows\SysWOW64\Machine.exe  | Machine:bin
  • Suspicious use of WriteProcessMemory
    Processes: Interfaces.bin.exe, Machine:bin, Machine.exe, cmd.exe (three instances)

    Each row is one cross-process write. Process creation typically produces several writes from the parent into the new child, which is why the report repeats rows; they are collapsed below with a count. Read as parent -> child edges they give the process tree: Interfaces.bin.exe (408) -> Machine:bin (504) -> vssadmin.exe, takeown.exe, icacls.exe, cmd.exe; Machine.exe (1780) -> cmd.exe; Interfaces.bin.exe (408) -> cmd.exe; and each of the three cmd.exe instances -> choice.exe and attrib.exe.

    Reported IOCs

    description                      | pid  | process            | target process | writes
    PID 408 wrote to memory of 504   | 408  | Interfaces.bin.exe | Machine:bin    | 3
    PID 504 wrote to memory of 640   | 504  | Machine:bin        | vssadmin.exe   | 2
    PID 504 wrote to memory of 1272  | 504  | Machine:bin        | takeown.exe    | 3
    PID 504 wrote to memory of 1564  | 504  | Machine:bin        | icacls.exe     | 3
    PID 1780 wrote to memory of 2312 | 1780 | Machine.exe        | cmd.exe        | 3
    PID 2312 wrote to memory of 2492 | 2312 | cmd.exe            | choice.exe     | 3
    PID 504 wrote to memory of 2540  | 504  | Machine:bin        | cmd.exe        | 3
    PID 408 wrote to memory of 2648  | 408  | Interfaces.bin.exe | cmd.exe        | 3
    PID 2540 wrote to memory of 4012 | 2540 | cmd.exe            | choice.exe     | 3
    PID 2648 wrote to memory of 2460 | 2648 | cmd.exe            | choice.exe     | 3
    PID 2312 wrote to memory of 2056 | 2312 | cmd.exe            | attrib.exe     | 3
    PID 2540 wrote to memory of 3136 | 2540 | cmd.exe            | attrib.exe     | 3
    PID 2648 wrote to memory of 3756 | 2648 | cmd.exe            | attrib.exe     | 3
  • Executes dropped EXE
    Processes: Machine:bin, Machine.exe

    Reported IOCs

    pid  | process
    504  | Machine:bin
    1780 | Machine.exe
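The "Modifies extensions of user files" IOCs above show the shape a detection can key on: one process appending a single new extension to many files while creating a companion note file next to each. The following is an added example, not code from the sandbox report or from the sample. The EVENTS list is constructed to mirror the report's IOC rows with some benign activity mixed in; the function names and the min_files threshold are this example's own choices, and in production the records would come from EDR or Sysmon file telemetry.

```python
"""Flag a WastedLocker-style encryption sweep from file events (added example)."""
from collections import defaultdict

PICS = r"C:\Users\Admin\Pictures"

# Constructed events: (operation, process, source path, destination path).
# Renames carry both paths; creates carry only the destination.
EVENTS = [
    ("create", "Machine.exe", None, PICS + r"\ResolveGrant.raw.garminwasted_info"),
    ("rename", "Machine.exe", PICS + r"\ResolveGrant.raw", PICS + r"\ResolveGrant.raw.garminwasted"),
    ("create", "Machine.exe", None, PICS + r"\SyncDismount.raw.garminwasted_info"),
    ("rename", "Machine.exe", PICS + r"\SyncDismount.raw", PICS + r"\SyncDismount.raw.garminwasted"),
    ("create", "Machine.exe", None, PICS + r"\FormatMerge.png.garminwasted_info"),
    ("create", "Machine.exe", None, PICS + r"\GetBlock.crw.garminwasted_info"),
    ("rename", "Machine.exe", PICS + r"\FormatMerge.png", PICS + r"\FormatMerge.png.garminwasted"),
    ("rename", "Machine.exe", PICS + r"\GetBlock.crw", PICS + r"\GetBlock.crw.garminwasted"),
    # Benign noise (constructed): an editor renaming a draft and saving a new file.
    ("rename", "notepad.exe", r"C:\Users\Admin\Documents\draft.txt", r"C:\Users\Admin\Documents\report.txt"),
    ("create", "notepad.exe", None, r"C:\Users\Admin\Documents\notes.txt"),
    # Benign noise (constructed): a backup tool appending .bak to two files, below threshold.
    ("rename", "backup.exe", r"C:\Data\a.db", r"C:\Data\a.db.bak"),
    ("rename", "backup.exe", r"C:\Data\b.db", r"C:\Data\b.db.bak"),
]


def appended_suffix(src, dst):
    """Return what was appended to src to form dst, or None if dst != src + suffix."""
    if dst.startswith(src) and len(dst) > len(src):
        return dst[len(src):]
    return None


def find_encryption_sweeps(events, min_files=3):
    """Return one finding per (process, appended extension) seen on >= min_files renames.

    Each finding also reports the most common companion suffix: a file the same
    process created whose name is the renamed file plus more text
    (".garminwasted" + "_info" in this report), which is how WastedLocker
    leaves a per-file ransom note.
    """
    renamed = defaultdict(list)   # (process, extension) -> renamed destination paths
    created = defaultdict(set)    # process -> created paths
    for op, proc, src, dst in events:
        if op == "rename":
            ext = appended_suffix(src, dst)
            if ext and ext.startswith("."):
                renamed[(proc, ext)].append(dst)
        elif op == "create":
            created[proc].add(dst)

    findings = []
    for (proc, ext), paths in renamed.items():
        if len(paths) < min_files:
            continue
        note_counts = defaultdict(int)
        for path in paths:
            for made in created[proc]:
                extra = appended_suffix(path, made)
                if extra:
                    note_counts[extra] += 1
        note = max(note_counts, key=note_counts.get) if note_counts else None
        findings.append({
            "process": proc,
            "extension": ext,
            "files": len(paths),
            "note_suffix": note,
            "notes": note_counts.get(note, 0),
        })
    return findings


if __name__ == "__main__":
    for finding in find_encryption_sweeps(EVENTS):
        print(finding)
```

With the constructed events this yields a single finding for Machine.exe: four files renamed to .garminwasted, each with a _info companion. Lowering min_files to 2 also surfaces the .bak renames, but with no companion note, which is the distinguishing signal between a backup job and a ransom sweep.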
Downloads

Dropped files
  • C:\Users\Admin\AppData\Roaming\Machine:bin
  • C:\Windows\SysWOW64\Machine.exe

Memory dumps (one per spawned process, prefixed with its pid)
  • memory/504-0-0x0000000000000000-mapping.dmp
  • memory/640-3-0x0000000000000000-mapping.dmp
  • memory/1272-4-0x0000000000000000-mapping.dmp
  • memory/1564-6-0x0000000000000000-mapping.dmp
  • memory/2056-14-0x0000000000000000-mapping.dmp
  • memory/2312-8-0x0000000000000000-mapping.dmp
  • memory/2460-13-0x0000000000000000-mapping.dmp
  • memory/2492-9-0x0000000000000000-mapping.dmp
  • memory/2540-10-0x0000000000000000-mapping.dmp
  • memory/2648-11-0x0000000000000000-mapping.dmp
  • memory/3136-15-0x0000000000000000-mapping.dmp
  • memory/3756-16-0x0000000000000000-mapping.dmp
  • memory/4012-12-0x0000000000000000-mapping.dmp
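The memory dumps above are named only by pid; the "Suspicious use of WriteProcessMemory" rows are what tie each pid to an image and a parent. The following is an added example, not code from the sandbox report or from the sample: it rebuilds the process tree from those rows and applies a few triage rules of its own. WRITES is transcribed from the report with the repeated rows collapsed. Because the report records no writer for pid 1780 (Machine.exe), it appears as a second root. The rules key only on image names and tree shape, since the report does not include command lines; choice.exe paired with attrib.exe under cmd.exe is flagged because choice is the usual batch-file sleep and the pair is the typical delay-then-cleanup sequence, not because the arguments are known here.

```python
"""Rebuild the process tree from the report's WriteProcessMemory rows (added example)."""
from collections import defaultdict

# (parent pid, parent image, child pid, child image), transcribed from the report.
WRITES = [
    (408, "Interfaces.bin.exe", 504, "Machine:bin"),
    (504, "Machine:bin", 640, "vssadmin.exe"),
    (504, "Machine:bin", 1272, "takeown.exe"),
    (504, "Machine:bin", 1564, "icacls.exe"),
    (1780, "Machine.exe", 2312, "cmd.exe"),
    (2312, "cmd.exe", 2492, "choice.exe"),
    (504, "Machine:bin", 2540, "cmd.exe"),
    (408, "Interfaces.bin.exe", 2648, "cmd.exe"),
    (2540, "cmd.exe", 4012, "choice.exe"),
    (2648, "cmd.exe", 2460, "choice.exe"),
    (2312, "cmd.exe", 2056, "attrib.exe"),
    (2540, "cmd.exe", 3136, "attrib.exe"),
    (2648, "cmd.exe", 3756, "attrib.exe"),
]


def build_tree(writes):
    """Return (pid -> image, parent pid -> [child pids], root pids)."""
    image, children = {}, defaultdict(list)
    for ppid, pimg, cpid, cimg in writes:
        image.setdefault(ppid, pimg)
        image.setdefault(cpid, cimg)
        if cpid not in children[ppid]:
            children[ppid].append(cpid)
    all_children = {c for kids in children.values() for c in kids}
    roots = [pid for pid in image if pid not in all_children]
    return image, children, roots


def render(image, children, pid, depth=0):
    """Indented one-line-per-process view of the subtree under pid."""
    lines = ["  " * depth + f"{pid} {image[pid]}"]
    for child in children.get(pid, []):
        lines += render(image, children, child, depth + 1)
    return lines


def triage(image, children):
    """Return (pid, reason) pairs for tree shapes worth a closer look."""
    findings = []
    for pid, img in image.items():
        kids = [image[c].lower() for c in children.get(pid, [])]
        if ":" in img:
            # An image name carrying a stream name (Machine:bin) means the
            # executable lives in an NTFS alternate data stream.
            findings.append((pid, "runs from an NTFS alternate data stream"))
        if "vssadmin.exe" in kids:
            findings.append((pid, "spawns vssadmin.exe (shadow copy tampering)"))
        if "takeown.exe" in kids and "icacls.exe" in kids:
            findings.append((pid, "spawns takeown.exe and icacls.exe (ownership/ACL change)"))
        if img.lower() == "cmd.exe" and "choice.exe" in kids and "attrib.exe" in kids:
            findings.append((pid, "cmd.exe -> choice.exe + attrib.exe (delayed cleanup)"))
    return findings


if __name__ == "__main__":
    image, children, roots = build_tree(WRITES)
    for root in roots:
        print("\n".join(render(image, children, root)))
    for pid, why in triage(image, children):
        print(f"[{pid}] {why}")
```

Run as-is it prints the two subtrees (rooted at 408 and 1780) and four findings against pid 504 and the three cmd.exe instances. The same builder can be pointed at Sysmon Event ID 1 (ProcessCreate) records, which carry ParentProcessId directly, by adapting the tuple source.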