wastedlocker | 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a

General

Target

Interfaces.bin.exe
Size

1MB
MD5

2cc4534b0dd0e1c8d5b89644274a10c1
SHA1

735ee2c15c0b7172f65d39f0fd33b9186ee69653
SHA256

905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a
SHA512

a842b2d171aa6efa1b391d5d0f84663e78021b485555e2bf10a5e589d8652057f5abbd88e1a5ec628b714692ec5d63c3172894aa7846d5897e87d99dad67e2b8

Score

10^/10

persistence ransomware wastedlocker exploit discovery

Malware Config

Signatures

WastedLocker
Ransomware family seen in the wild since May 2020.
ransomware wastedlocker

Modifies extensions of user files 12 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

Machine.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\ResolveGrant.raw.garminwasted_info	Machine.exe
File renamed	C:\Users\Admin\Pictures\ResolveGrant.raw => C:\Users\Admin\Pictures\ResolveGrant.raw.garminwasted	Machine.exe
File created	C:\Users\Admin\Pictures\SyncDismount.raw.garminwasted_info	Machine.exe
File renamed	C:\Users\Admin\Pictures\SyncDismount.raw => C:\Users\Admin\Pictures\SyncDismount.raw.garminwasted	Machine.exe
File created	C:\Users\Admin\Pictures\FormatMerge.png.garminwasted_info	Machine.exe
File created	C:\Users\Admin\Pictures\GetBlock.crw.garminwasted_info	Machine.exe
File renamed	C:\Users\Admin\Pictures\FormatMerge.png => C:\Users\Admin\Pictures\FormatMerge.png.garminwasted	Machine.exe
File opened for modification	C:\Users\Admin\Pictures\ResolveGrant.raw.garminwasted	Machine.exe
File opened for modification	C:\Users\Admin\Pictures\SyncDismount.raw.garminwasted	Machine.exe
File opened for modification	C:\Users\Admin\Pictures\FormatMerge.png.garminwasted	Machine.exe
File renamed	C:\Users\Admin\Pictures\GetBlock.crw => C:\Users\Admin\Pictures\GetBlock.crw.garminwasted	Machine.exe
File opened for modification	C:\Users\Admin\Pictures\GetBlock.crw.garminwasted	Machine.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

2056 attrib.exe
3136 attrib.exe
3756 attrib.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1272 takeown.exe
1564 icacls.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 388 vssvc.exe
Token: SeRestorePrivilege 388 vssvc.exe
Token: SeAuditPrivilege 388 vssvc.exe

pid	process
2056	attrib.exe
3136	attrib.exe
3756	attrib.exe

pid	process
1272	takeown.exe
1564	icacls.exe

description	pid	process
Token: SeBackupPrivilege	388	vssvc.exe
Token: SeRestorePrivilege	388	vssvc.exe
Token: SeAuditPrivilege	388	vssvc.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

640 vssadmin.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1272 takeown.exe
1564 icacls.exe
NTFS ADS 1 IoCs

Processes:

Interfaces.bin.exe

description ioc process

File opened for modification C:\Users\Admin\AppData\Roaming\Machine:bin Interfaces.bin.exe

pid	process
640	vssadmin.exe

pid	process
1272	takeown.exe
1564	icacls.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Machine:bin	Interfaces.bin.exe

Drops file in System32 directory 2 IoCs

Processes:

attrib.exeMachine:bin

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Machine.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Machine.exe	Machine:bin

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

Interfaces.bin.exeMachine:binMachine.execmd.execmd.execmd.exe

description	pid	process	target process
PID 408 wrote to memory of 504	408	Interfaces.bin.exe	Machine:bin
PID 408 wrote to memory of 504	408	Interfaces.bin.exe	Machine:bin
PID 408 wrote to memory of 504	408	Interfaces.bin.exe	Machine:bin
PID 504 wrote to memory of 640	504	Machine:bin	vssadmin.exe
PID 504 wrote to memory of 640	504	Machine:bin	vssadmin.exe
PID 504 wrote to memory of 1272	504	Machine:bin	takeown.exe
PID 504 wrote to memory of 1272	504	Machine:bin	takeown.exe
PID 504 wrote to memory of 1272	504	Machine:bin	takeown.exe
PID 504 wrote to memory of 1564	504	Machine:bin	icacls.exe
PID 504 wrote to memory of 1564	504	Machine:bin	icacls.exe
PID 504 wrote to memory of 1564	504	Machine:bin	icacls.exe
PID 1780 wrote to memory of 2312	1780	Machine.exe	cmd.exe
PID 1780 wrote to memory of 2312	1780	Machine.exe	cmd.exe
PID 1780 wrote to memory of 2312	1780	Machine.exe	cmd.exe
PID 2312 wrote to memory of 2492	2312	cmd.exe	choice.exe
PID 2312 wrote to memory of 2492	2312	cmd.exe	choice.exe
PID 2312 wrote to memory of 2492	2312	cmd.exe	choice.exe
PID 504 wrote to memory of 2540	504	Machine:bin	cmd.exe
PID 504 wrote to memory of 2540	504	Machine:bin	cmd.exe
PID 504 wrote to memory of 2540	504	Machine:bin	cmd.exe
PID 408 wrote to memory of 2648	408	Interfaces.bin.exe	cmd.exe
PID 408 wrote to memory of 2648	408	Interfaces.bin.exe	cmd.exe
PID 408 wrote to memory of 2648	408	Interfaces.bin.exe	cmd.exe
PID 2540 wrote to memory of 4012	2540	cmd.exe	choice.exe
PID 2540 wrote to memory of 4012	2540	cmd.exe	choice.exe
PID 2540 wrote to memory of 4012	2540	cmd.exe	choice.exe
PID 2648 wrote to memory of 2460	2648	cmd.exe	choice.exe
PID 2648 wrote to memory of 2460	2648	cmd.exe	choice.exe
PID 2648 wrote to memory of 2460	2648	cmd.exe	choice.exe
PID 2312 wrote to memory of 2056	2312	cmd.exe	attrib.exe
PID 2312 wrote to memory of 2056	2312	cmd.exe	attrib.exe
PID 2312 wrote to memory of 2056	2312	cmd.exe	attrib.exe
PID 2540 wrote to memory of 3136	2540	cmd.exe	attrib.exe
PID 2540 wrote to memory of 3136	2540	cmd.exe	attrib.exe
PID 2540 wrote to memory of 3136	2540	cmd.exe	attrib.exe
PID 2648 wrote to memory of 3756	2648	cmd.exe	attrib.exe
PID 2648 wrote to memory of 3756	2648	cmd.exe	attrib.exe
PID 2648 wrote to memory of 3756	2648	cmd.exe	attrib.exe

Executes dropped EXE 2 IoCs

Processes:

Machine:binMachine.exe

pid process

504 Machine:bin
1780 Machine.exe

pid	process
504	Machine:bin
1780	Machine.exe

C:\Users\Admin\AppData\Local\Temp\Interfaces.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Interfaces.bin.exe"
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:408

C:\Users\Admin\AppData\Roaming\Machine:bin
C:\Users\Admin\AppData\Roaming\Machine:bin -r
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:504

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
- Interacts with shadow copies
PID:640

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Windows\system32\Machine.exe
- Modifies file permissions
- Possible privilege escalation attempt
PID:1272

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Windows\system32\Machine.exe /reset
- Modifies file permissions
- Possible privilege escalation attempt
PID:1564

C:\Windows\SysWOW64\cmd.exe
cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Machine" & del "C:\Users\Admin\AppData\Roaming\Machine"
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\SysWOW64\choice.exe
choice /t 10 /d y
PID:4012

C:\Windows\SysWOW64\attrib.exe
attrib -h "C:\Users\Admin\AppData\Roaming\Machine"
- Views/modifies file attributes
PID:3136

C:\Windows\SysWOW64\cmd.exe
cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\Interfaces.bin.exe" & del "C:\Users\Admin\AppData\Local\Temp\Interfaces.bin.exe"
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\SysWOW64\choice.exe
choice /t 10 /d y
PID:2460

C:\Windows\SysWOW64\attrib.exe
attrib -h "C:\Users\Admin\AppData\Local\Temp\Interfaces.bin.exe"
- Views/modifies file attributes
PID:3756

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:388

C:\Windows\SysWOW64\Machine.exe
C:\Windows\SysWOW64\Machine.exe -s
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1780

C:\Windows\SysWOW64\cmd.exe
cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Machine.exe" & del "C:\Windows\SysWOW64\Machine.exe"
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\SysWOW64\choice.exe
choice /t 10 /d y
PID:2492

C:\Windows\SysWOW64\attrib.exe
attrib -h "C:\Windows\SysWOW64\Machine.exe"
- Views/modifies file attributes
- Drops file in System32 directory
PID:2056