Analysis
- max time kernel: 145s
- max time network: 60s
- platform: windows10_x64
- resource: win10v200722
- submitted: 29-07-2020 07:12

Tasks
- Static task static1
- Behavioral task behavioral1: sample 30af561ec0b6d4a37654f9838750abde60d0d38e2370bb250007eb946425add0.exe, resource win7
- Behavioral task behavioral2: sample 30af561ec0b6d4a37654f9838750abde60d0d38e2370bb250007eb946425add0.exe, resource win10v200722 (the task shown in this report)
General
- Target: 30af561ec0b6d4a37654f9838750abde60d0d38e2370bb250007eb946425add0.exe
- Size: 1.2MB
- MD5: 14e610e2acb5f15e72f528b385f3e20f
- SHA1: 749b5283028a6f2c9df529eb14e051a5bf620f25
- SHA256: 30af561ec0b6d4a37654f9838750abde60d0d38e2370bb250007eb946425add0
- SHA512: 6d8d42e65b5bb09aaaf3c0cf103e7b97ebdc593065f1ecd3e3cd7c5d0a289d93867d617ac3b69c126a754f6f37cfd1867e12822004169077e4eafeb40a79f90a
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  pid 1076 vssvc.exe: Token SeBackupPrivilege
  pid 1076 vssvc.exe: Token SeRestorePrivilege
  pid 1076 vssvc.exe: Token SeAuditPrivilege
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid 912 vssadmin.exe
WastedLocker
Ransomware family seen in the wild since May 2020.
-
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
  pid 424 30af561ec0b6d4a37654f9838750abde60d0d38e2370bb250007eb946425add0.exe
  pid 672 Locker:bin
  pid 2324 Locker.exe
Executes dropped EXE (2 IoCs)
Processes:
  pid 672 Locker:bin
  pid 2324 Locker.exe
Drops file in System32 directory (2 IoCs)
Processes:
  File opened for modification C:\Windows\SysWOW64\Locker.exe by attrib.exe
  File opened for modification C:\Windows\SysWOW64\Locker.exe by Locker:bin
Possible privilege escalation attempt (2 IoCs)
Processes:
  pid 1488 takeown.exe
  pid 1796 icacls.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (7 IoCs)
Processes:
  pid 424 30af561ec0b6d4a37654f9838750abde60d0d38e2370bb250007eb946425add0.exe (3 calls)
  pid 672 Locker:bin (2 calls)
  pid 2324 Locker.exe (2 calls)
Modifies file permissions (1 TTP, 2 IoCs)
Processes:
  pid 1488 takeown.exe
  pid 1796 icacls.exe
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
-
Suspicious use of WriteProcessMemory (38 IoCs)
Processes (source pid -> target pid, source process -> target process, number of writes):
  424 -> 672: 30af561ec0b6d4a37654f9838750abde60d0d38e2370bb250007eb946425add0.exe -> Locker:bin (3)
  672 -> 912: Locker:bin -> vssadmin.exe (2)
  672 -> 1488: Locker:bin -> takeown.exe (3)
  672 -> 1796: Locker:bin -> icacls.exe (3)
  672 -> 3084: Locker:bin -> cmd.exe (3)
  424 -> 3104: 30af561ec0b6d4a37654f9838750abde60d0d38e2370bb250007eb946425add0.exe -> cmd.exe (3)
  2324 -> 764: Locker.exe -> cmd.exe (3)
  764 -> 3564: cmd.exe -> choice.exe (3)
  764 -> 492: cmd.exe -> attrib.exe (3)
  3084 -> 3720: cmd.exe -> choice.exe (3)
  3084 -> 392: cmd.exe -> attrib.exe (3)
  3104 -> 4016: cmd.exe -> choice.exe (3)
  3104 -> 344: cmd.exe -> attrib.exe (3)
NTFS ADS (1 IoC)
Processes:
  File opened for modification C:\Users\Admin\AppData\Roaming\Locker:bin by 30af561ec0b6d4a37654f9838750abde60d0d38e2370bb250007eb946425add0.exe
Views/modifies file attributes (1 TTP, 3 IoCs)
Processes:
  pid 344 attrib.exe
  pid 392 attrib.exe
  pid 492 attrib.exe
Modifies service (2 TTPs, 5 IoCs)
Processes:
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer by vssvc.exe
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} by vssvc.exe
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer by vssvc.exe
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer by vssvc.exe
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer by vssvc.exe
Note: all five keys are VSS diagnostic keys written by the Volume Shadow Copy service itself when it starts (here it is started because Locker:bin ran vssadmin). They are a side effect of the shadow copy deletion, not a service configuration change made by the sample.
Modifies extensions of user files (24 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes (all by Locker.exe; for each file under C:\Users\Admin\Pictures the original is renamed with .garminwasted appended, the renamed file is opened for modification, and a .garminwasted_info companion file is created):
  GetLimit.png: renamed => GetLimit.png.garminwasted; opened for modification GetLimit.png.garminwasted; created GetLimit.png.garminwasted_info
  InstallBackup.tiff: renamed => InstallBackup.tiff.garminwasted; opened for modification InstallBackup.tiff.garminwasted; created InstallBackup.tiff.garminwasted_info
  JoinDisconnect.tif: renamed => JoinDisconnect.tif.garminwasted; opened for modification JoinDisconnect.tif.garminwasted; created JoinDisconnect.tif.garminwasted_info
  MountRead.tiff: renamed => MountRead.tiff.garminwasted; opened for modification MountRead.tiff.garminwasted; created MountRead.tiff.garminwasted_info
  PopSwitch.crw: renamed => PopSwitch.crw.garminwasted; opened for modification PopSwitch.crw.garminwasted; created PopSwitch.crw.garminwasted_info
  RedoUnprotect.tiff: renamed => RedoUnprotect.tiff.garminwasted; opened for modification RedoUnprotect.tiff.garminwasted; created RedoUnprotect.tiff.garminwasted_info
  RevokeBackup.tiff: renamed => RevokeBackup.tiff.garminwasted; opened for modification RevokeBackup.tiff.garminwasted; created RevokeBackup.tiff.garminwasted_info
  WatchLock.tiff: renamed => WatchLock.tiff.garminwasted; opened for modification WatchLock.tiff.garminwasted; created WatchLock.tiff.garminwasted_info
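The file IoCs above show the rename/modify/create triple that an in-place encryptor leaves per victim file. The following is an added example, not part of the sandbox report or of the malware, that parses those 24 event lines (copied verbatim as constructed input) and recovers the appended extension, the per-file note suffix and the list of encrypted originals, which is the same heuristic a file-activity detection would apply to Sysmon or EDR file events. The thresholds and function names are the example's own choices.

```python
import re
from collections import Counter

# Constructed input: the file events listed under "Modifies extensions of user files"
# in this report, in the sandbox's own wording. Real Sysmon/EDR file telemetry has
# more fields but the same three actions (rename, create, open for modification).
FILE_EVENTS = r"""
File renamed C:\Users\Admin\Pictures\GetLimit.png => C:\Users\Admin\Pictures\GetLimit.png.garminwasted
File opened for modification C:\Users\Admin\Pictures\GetLimit.png.garminwasted
File created C:\Users\Admin\Pictures\InstallBackup.tiff.garminwasted_info
File created C:\Users\Admin\Pictures\RevokeBackup.tiff.garminwasted_info
File opened for modification C:\Users\Admin\Pictures\WatchLock.tiff.garminwasted
File created C:\Users\Admin\Pictures\JoinDisconnect.tif.garminwasted_info
File renamed C:\Users\Admin\Pictures\MountRead.tiff => C:\Users\Admin\Pictures\MountRead.tiff.garminwasted
File renamed C:\Users\Admin\Pictures\RedoUnprotect.tiff => C:\Users\Admin\Pictures\RedoUnprotect.tiff.garminwasted
File opened for modification C:\Users\Admin\Pictures\RevokeBackup.tiff.garminwasted
File created C:\Users\Admin\Pictures\WatchLock.tiff.garminwasted_info
File renamed C:\Users\Admin\Pictures\WatchLock.tiff => C:\Users\Admin\Pictures\WatchLock.tiff.garminwasted
File opened for modification C:\Users\Admin\Pictures\RedoUnprotect.tiff.garminwasted
File created C:\Users\Admin\Pictures\GetLimit.png.garminwasted_info
File renamed C:\Users\Admin\Pictures\JoinDisconnect.tif => C:\Users\Admin\Pictures\JoinDisconnect.tif.garminwasted
File created C:\Users\Admin\Pictures\MountRead.tiff.garminwasted_info
File renamed C:\Users\Admin\Pictures\PopSwitch.crw => C:\Users\Admin\Pictures\PopSwitch.crw.garminwasted
File opened for modification C:\Users\Admin\Pictures\PopSwitch.crw.garminwasted
File created C:\Users\Admin\Pictures\RedoUnprotect.tiff.garminwasted_info
File renamed C:\Users\Admin\Pictures\InstallBackup.tiff => C:\Users\Admin\Pictures\InstallBackup.tiff.garminwasted
File opened for modification C:\Users\Admin\Pictures\JoinDisconnect.tif.garminwasted
File opened for modification C:\Users\Admin\Pictures\InstallBackup.tiff.garminwasted
File opened for modification C:\Users\Admin\Pictures\MountRead.tiff.garminwasted
File created C:\Users\Admin\Pictures\PopSwitch.crw.garminwasted_info
File renamed C:\Users\Admin\Pictures\RevokeBackup.tiff => C:\Users\Admin\Pictures\RevokeBackup.tiff.garminwasted
"""

RENAMED = re.compile(r"^File renamed (.+?) => (.+)$")
CREATED = re.compile(r"^File created (.+)$")
MODIFIED = re.compile(r"^File opened for modification (.+)$")


def parse_events(text):
    """Turn the sandbox wording into (action, path, new_path) tuples."""
    events = []
    for line in text.strip().splitlines():
        if m := RENAMED.match(line):
            events.append(("renamed", m.group(1), m.group(2)))
        elif m := CREATED.match(line):
            events.append(("created", m.group(1), None))
        elif m := MODIFIED.match(line):
            events.append(("modified", m.group(1), None))
    return events


def infer_appended_extension(events, min_renames=5):
    """Suffix that the majority of renames append to the original name, or None.
    In-place encryptors rename X to X.<ext>; ordinary tools (foo.txt -> foo.bak)
    replace the extension instead, so they never yield an appended suffix."""
    suffixes = Counter(dst[len(src):] for action, src, dst in events
                       if action == "renamed" and dst.startswith(src) and len(dst) > len(src))
    if not suffixes:
        return None
    ext, count = suffixes.most_common(1)[0]
    return ext if count >= min_renames else None


def summarize(events, min_renames=5):
    """Encrypted originals, the per-file note suffix, and originals lacking a note."""
    ext = infer_appended_extension(events, min_renames)
    if ext is None:
        return None
    originals = {src for a, src, dst in events if a == "renamed" and dst == src + ext}
    created = {path for a, path, _ in events if a == "created"}
    # Per-file notes are created as <original><ext><tail>; recover the common tail.
    tails = Counter(path[len(o + ext):] for path in created for o in originals
                    if path.startswith(o + ext) and len(path) > len(o + ext))
    tail = tails.most_common(1)[0][0] if tails else None
    missing = sorted(o for o in originals if tail is None or o + ext + tail not in created)
    return {"extension": ext, "note_suffix": ext + tail if tail else None,
            "encrypted_files": sorted(originals), "files_without_note": missing}


if __name__ == "__main__":
    print(summarize(parse_events(FILE_EVENTS)))
```

On this report's events the summary yields the extension .garminwasted, the note suffix .garminwasted_info and eight encrypted originals, each with its companion note. A rename that replaces rather than appends an extension produces no candidate suffix, which is what keeps ordinary save-as and backup tools below the threshold.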
Processes
1. C:\Users\Admin\AppData\Local\Temp\30af561ec0b6d4a37654f9838750abde60d0d38e2370bb250007eb946425add0.exe
   cmdline: "C:\Users\Admin\AppData\Local\Temp\30af561ec0b6d4a37654f9838750abde60d0d38e2370bb250007eb946425add0.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of WriteProcessMemory
   - NTFS ADS
   2. C:\Users\Admin\AppData\Roaming\Locker:bin
      cmdline: C:\Users\Admin\AppData\Roaming\Locker:bin -r
      - Suspicious use of SetWindowsHookEx
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\vssadmin.exe
         cmdline: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
         - Interacts with shadow copies
      3. C:\Windows\SysWOW64\takeown.exe
         cmdline: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Locker.exe
         - Possible privilege escalation attempt
         - Modifies file permissions
      3. C:\Windows\SysWOW64\icacls.exe
         cmdline: C:\Windows\system32\icacls.exe C:\Windows\system32\Locker.exe /reset
         - Possible privilege escalation attempt
         - Modifies file permissions
      3. C:\Windows\SysWOW64\cmd.exe
         cmdline: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Locker" & del "C:\Users\Admin\AppData\Roaming\Locker"
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\choice.exe
            cmdline: choice /t 10 /d y
         4. C:\Windows\SysWOW64\attrib.exe
            cmdline: attrib -h "C:\Users\Admin\AppData\Roaming\Locker"
            - Views/modifies file attributes
   2. C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\30af561ec0b6d4a37654f9838750abde60d0d38e2370bb250007eb946425add0.exe" & del "C:\Users\Admin\AppData\Local\Temp\30af561ec0b6d4a37654f9838750abde60d0d38e2370bb250007eb946425add0.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\choice.exe
         cmdline: choice /t 10 /d y
      3. C:\Windows\SysWOW64\attrib.exe
         cmdline: attrib -h "C:\Users\Admin\AppData\Local\Temp\30af561ec0b6d4a37654f9838750abde60d0d38e2370bb250007eb946425add0.exe"
         - Views/modifies file attributes
1. C:\Windows\system32\vssvc.exe
   cmdline: C:\Windows\system32\vssvc.exe
   - Suspicious use of AdjustPrivilegeToken
   - Modifies service
1. C:\Windows\SysWOW64\Locker.exe
   cmdline: C:\Windows\SysWOW64\Locker.exe -s
   - Suspicious use of SetWindowsHookEx
   - Executes dropped EXE
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of WriteProcessMemory
   - Modifies extensions of user files
   2. C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Locker.exe" & del "C:\Windows\SysWOW64\Locker.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\choice.exe
         cmdline: choice /t 10 /d y
      3. C:\Windows\SysWOW64\attrib.exe
         cmdline: attrib -h "C:\Windows\SysWOW64\Locker.exe"
         - Drops file in System32 directory
         - Views/modifies file attributes

Note: the leading numbers are the tree depth reported by the sandbox. The command lines name C:\Windows\system32\..., yet the image paths are under C:\Windows\SysWOW64, because the sample and its Locker:bin child are 32-bit processes on a 64-bit host and WOW64 file system redirection maps their System32 accesses to SysWOW64; this is why the dropped copy lands at C:\Windows\SysWOW64\Locker.exe. The three cmd.exe children run the same cleanup one-liner (a choice-based 10 second delay, then attrib -h and del), each aimed at the file that launched its parent; for Locker:bin the target is the stream's host file C:\Users\Admin\AppData\Roaming\Locker, since deleting the host removes the alternate data stream with it.
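The process tree above carries the behaviours a process-creation detection should catch: execution from an NTFS alternate data stream, vssadmin deleting all shadow copies, takeown/icacls against a file in the Windows system directory, and a cmd.exe child that waits and then deletes its parent's image. The following is an added example, not part of the sandbox report or of the malware, that encodes those four rules and runs them over constructed records reproducing this report's tree (pids, images and command lines as shown; parent pids inferred from the tree depth). Rule names and the ProcEvent record are the example's own.

```python
import re
from collections import namedtuple

# Constructed process-creation records mirroring the process tree in this report
# (pid, parent pid, image path, command line). Parent pids follow the tree depth the
# sandbox shows; these are NOT real Sysmon/EDR records.
ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\30af561ec0b6d4a37654f9838750abde60d0d38e2370bb250007eb946425add0.exe"
ADS_COPY = r"C:\Users\Admin\AppData\Roaming\Locker:bin"
DROPPED = r"C:\Windows\SysWOW64\Locker.exe"
# The same cleanup one-liner appears three times in the report, each time pointed at
# the file that launched the cmd.exe's parent.
CLEANUP = 'cmd /c choice /t 10 /d y & attrib -h "{0}" & del "{0}"'

EVENTS = [
    ProcEvent(424, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(672, 424, ADS_COPY, f"{ADS_COPY} -r"),
    ProcEvent(912, 672, r"C:\Windows\system32\vssadmin.exe",
              r"C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(1488, 672, r"C:\Windows\SysWOW64\takeown.exe",
              r"C:\Windows\system32\takeown.exe /F C:\Windows\system32\Locker.exe"),
    ProcEvent(1796, 672, r"C:\Windows\SysWOW64\icacls.exe",
              r"C:\Windows\system32\icacls.exe C:\Windows\system32\Locker.exe /reset"),
    ProcEvent(3084, 672, r"C:\Windows\SysWOW64\cmd.exe",
              CLEANUP.format(r"C:\Users\Admin\AppData\Roaming\Locker")),
    ProcEvent(3104, 424, r"C:\Windows\SysWOW64\cmd.exe", CLEANUP.format(SAMPLE)),
    ProcEvent(2324, 0, DROPPED, f"{DROPPED} -s"),
    ProcEvent(764, 2324, r"C:\Windows\SysWOW64\cmd.exe", CLEANUP.format(DROPPED)),
    ProcEvent(1076, 0, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
]

# A second colon after the drive letter names an NTFS alternate data stream.
ADS_PATH = re.compile(r"^[A-Za-z]:\\.*:[^\\]+$")
SHADOW_DELETE = re.compile(r"delete\s+shadows|shadowcopy\s+delete", re.I)
SYSTEM_DIR = re.compile(r"\\windows\\(system32|syswow64)\\", re.I)
# "choice /t N /d y" is a cmd.exe delay idiom; followed by del it is the
# "wait for the parent to exit, then remove its file" pattern.
TIMED_DELETE = re.compile(r'\bchoice\s+/t\s+\d+\s+/d\s+y\b.*\bdel\s+"?([^"&]+?)"?\s*$', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def args_after_exe(cmdline):
    """Drop the program token (quoted or not) so the rules only see the arguments;
    otherwise the image's own \\windows\\system32\\ prefix would satisfy SYSTEM_DIR."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1] if len(parts) > 1 else ""


def ads_host(path):
    """For a stream path such as ...\\Locker:bin return the host file ...\\Locker."""
    return path.rsplit(":", 1)[0] if ADS_PATH.match(path) else path


def detect(events):
    """Return sorted (rule, pid) hits over a list of ProcEvent records."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name = basename(e.image)
        args = args_after_exe(e.cmdline)
        if ADS_PATH.match(e.image):
            hits.append(("ads_execution", e.pid))
        if name == "vssadmin.exe" and SHADOW_DELETE.search(args):
            hits.append(("shadow_copy_deletion", e.pid))
        if name in ("takeown.exe", "icacls.exe") and SYSTEM_DIR.search(args):
            hits.append(("acl_takeover_system_dir", e.pid))
        if name == "cmd.exe" and (m := TIMED_DELETE.search(args)):
            target = m.group(1).strip().lower()
            parent = by_pid.get(e.ppid)
            # Strong form: the deleted path is the parent's image, or the host file of
            # the stream the parent runs from. Weak form: any timed delete chain.
            if parent and target in (parent.image.lower(), ads_host(parent.image).lower()):
                hits.append(("self_delete_chain", e.pid))
            else:
                hits.append(("timed_delete_chain", e.pid))
    return sorted(hits)


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:24} pid {pid}")
```

Run against the constructed tree this flags pids 1488 and 1796 (ACL takeover in the system directory), 672 (image is an alternate data stream), 912 (shadow copy deletion) and the three cmd.exe children 764, 3084 and 3104 as self-delete chains; vssvc.exe, the sample itself and Locker.exe produce no hits from these four rules. A `vssadmin list shadows` is not flagged, and a timed delete whose parent is unknown degrades to the weaker timed_delete_chain rule instead of being dropped.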
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Locker:bin
- C:\Users\Admin\AppData\Roaming\Locker:bin
- C:\Windows\SysWOW64\Locker.exe
- C:\Windows\SysWOW64\Locker.exe
- memory/344-21-0x0000000000000000-mapping.dmp
- memory/392-22-0x0000000000000000-mapping.dmp
- memory/424-1-0x0000000003100000-0x0000000003101000-memory.dmp (filesize 4KB)
- memory/424-0-0x0000000003000000-0x0000000003001000-memory.dmp (filesize 4KB)
- memory/492-20-0x0000000000000000-mapping.dmp
- memory/672-5-0x0000000002F40000-0x0000000002F41000-memory.dmp (filesize 4KB)
- memory/672-2-0x0000000000000000-mapping.dmp
- memory/764-14-0x0000000000000000-mapping.dmp
- memory/912-7-0x0000000000000000-mapping.dmp
- memory/1488-8-0x0000000000000000-mapping.dmp
- memory/1796-10-0x0000000000000000-mapping.dmp
- memory/2324-12-0x0000000001AD0000-0x0000000001AD1000-memory.dmp (filesize 4KB)
- memory/3084-16-0x0000000000000000-mapping.dmp
- memory/3104-17-0x0000000000000000-mapping.dmp
- memory/3564-15-0x0000000000000000-mapping.dmp
- memory/3720-19-0x0000000000000000-mapping.dmp
- memory/4016-18-0x0000000000000000-mapping.dmp