Analysis
- max time kernel: 146s
- max time network: 6s
- platform: windows7_x64
- resource: win7v200722
- submitted: 01-08-2020 09:49
Static task: static1
Behavioral task: behavioral1 (Sample: lock.exe, Resource: win7v200722)
Behavioral task: behavioral2 (Sample: lock.exe, Resource: win10)
This page shows the behavioral1 run (windows7_x64, win7v200722).
General
- Target: lock.exe
- Size: 112KB
- MD5: d01fc079881dc0d33a88e4f8df1ae7ce
- SHA1: c40c8848808da12ef78c68de1e6477b862161a43
- SHA256: 0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821
- SHA512: 83bca79d1f0ac14c6d79685fd192964e7117e8c9c734036abddfdbb068c801ff38027a0812a2499e1d9e528a47af07150cafee27384b5a78b8fc32c23bd21130
Malware Config
Signatures
- Possible privilege escalation attempt (2 IoCs)
  Processes: PID 1820 takeown.exe; PID 1832 icacls.exe
  The pair takes ownership of and resets the ACL on C:\Windows\system32\Query.exe, which is the copy the sample itself dropped (see "Drops file in System32 directory"). The dropping process already had write access to that directory, so this tag is the sandbox heuristic for takeown/icacls on a file under the Windows directory, not evidence of an escalation.
- Views/modifies file attributes (1 TTP, 3 IoCs)
  Processes: PID 1912 attrib.exe; PID 1892 attrib.exe; PID 1932 attrib.exe
  Each attrib -h clears the hidden attribute on a dropped file right before del removes it; del skips hidden files unless told otherwise with /A, so the attribute has to be cleared for the clean-up to succeed.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: PID 836 vssadmin.exe
- Modifies extensions of user files (6 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: Query.exe
  - File opened for modification: C:\Users\Admin\Pictures\UnlockRead.png.tcwwasted
  - File created: C:\Users\Admin\Pictures\EditConvertTo.raw.tcwwasted_info
  - File renamed: C:\Users\Admin\Pictures\EditConvertTo.raw => C:\Users\Admin\Pictures\EditConvertTo.raw.tcwwasted
  - File opened for modification: C:\Users\Admin\Pictures\EditConvertTo.raw.tcwwasted
  - File created: C:\Users\Admin\Pictures\UnlockRead.png.tcwwasted_info
  - File renamed: C:\Users\Admin\Pictures\UnlockRead.png => C:\Users\Admin\Pictures\UnlockRead.png.tcwwasted
  Encrypted files keep their original name and gain the .tcwwasted extension, and one <name>.tcwwasted_info file is written per encrypted file.
- Suspicious use of WriteProcessMemory (52 IoCs)
  Processes (parent -> child). Every entry is a parent writing into a child it has just created, each recorded four times; the 13 pairs are exactly the parent/child edges of the process tree below, so this is ordinary process creation rather than injection into an unrelated process.
  - PID 1424 lock.exe -> PID 1464 Query:bin (4 writes)
  - PID 1464 Query:bin -> PID 836 vssadmin.exe (4 writes)
  - PID 1464 Query:bin -> PID 1820 takeown.exe (4 writes)
  - PID 1464 Query:bin -> PID 1832 icacls.exe (4 writes)
  - PID 1784 Query.exe -> PID 984 cmd.exe (4 writes)
  - PID 984 cmd.exe -> PID 1316 choice.exe (4 writes)
  - PID 1464 Query:bin -> PID 876 cmd.exe (4 writes)
  - PID 1424 lock.exe -> PID 1516 cmd.exe (4 writes)
  - PID 876 cmd.exe -> PID 1580 choice.exe (4 writes)
  - PID 1516 cmd.exe -> PID 1584 choice.exe (4 writes)
  - PID 876 cmd.exe -> PID 1892 attrib.exe (4 writes)
  - PID 1516 cmd.exe -> PID 1932 attrib.exe (4 writes)
  - PID 984 cmd.exe -> PID 1912 attrib.exe (4 writes)
- Executes dropped EXE (2 IoCs)
  Processes: PID 1464 Query:bin; PID 1784 Query.exe
- Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe created the following keys:
  - \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
  - \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  - \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
  - \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
  - \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  These are the VSS writer diagnostic keys that the Volume Shadow Copy service (vssvc.exe, PID 1008) writes while servicing the vssadmin request above; they are a side effect of the shadow-copy deletion, not a service installed or modified by the sample.
- Drops file in System32 directory (2 IoCs)
  Processes:
  - Query:bin: File opened for modification C:\Windows\SysWOW64\Query.exe
  - attrib.exe: File opened for modification C:\Windows\SysWOW64\Query.exe
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes: PID 1820 takeown.exe; PID 1832 icacls.exe
- Loads dropped DLL (2 IoCs)
  Processes: PID 1424 lock.exe (two entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: PID 1008 vssvc.exe adjusted SeBackupPrivilege, SeRestorePrivilege and SeAuditPrivilege
  Like the registry keys above, this is the VSS service's own behaviour while handling the shadow-copy request.
- WastedLocker
  Ransomware family seen in the wild since May 2020.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Deletes itself (1 IoC)
  Processes: PID 1516 cmd.exe
- NTFS ADS (1 IoC)
  Processes: lock.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Query:bin
  The second stage is written into an alternate data stream named bin on the file C:\Users\Admin\AppData\Roaming\Query and launched directly from that stream path. A plain directory listing shows only the host file Query, so enumerate streams (dir /R) or look for a colon in the image path when hunting for it.
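The rename and note pattern under "Modifies extensions of user files" is worth encoding generically rather than as a hard-coded `.tcwwasted` string. The Python below is an added example, not part of the report or of any sandbox's own rules: it takes file-event records constructed from the six entries above, infers the appended extension from the rename pairs, pairs each encrypted file with its `<name><ext>_info` companion, and flags the activity once at least `min_files` files (an assumed threshold) share the same new extension.

```python
from collections import Counter

# Constructed file-event records (verb, path or "src => dst", process name).
# The six entries are the ones listed under "Modifies extensions of user files" above.
FILE_EVENTS = [
    ("File opened for modification", r"C:\Users\Admin\Pictures\UnlockRead.png.tcwwasted", "Query.exe"),
    ("File created", r"C:\Users\Admin\Pictures\EditConvertTo.raw.tcwwasted_info", "Query.exe"),
    ("File renamed", r"C:\Users\Admin\Pictures\EditConvertTo.raw => C:\Users\Admin\Pictures\EditConvertTo.raw.tcwwasted", "Query.exe"),
    ("File opened for modification", r"C:\Users\Admin\Pictures\EditConvertTo.raw.tcwwasted", "Query.exe"),
    ("File created", r"C:\Users\Admin\Pictures\UnlockRead.png.tcwwasted_info", "Query.exe"),
    ("File renamed", r"C:\Users\Admin\Pictures\UnlockRead.png => C:\Users\Admin\Pictures\UnlockRead.png.tcwwasted", "Query.exe"),
]

NOTE_SUFFIX = "_info"  # the report shows one "<name><ext>_info" file per encrypted file


def rename_pairs(events):
    """Yield (src, dst) for every 'File renamed src => dst' event."""
    for verb, path, _proc in events:
        if verb == "File renamed" and " => " in path:
            src, dst = path.split(" => ", 1)
            yield src, dst


def infer_appended_extension(events):
    """Return the suffix most often appended by renames (dst == src + '.<ext>'), or None.

    Nothing is hard-coded: a variant using a different marker is found the same way.
    """
    suffixes = Counter(dst[len(src):] for src, dst in rename_pairs(events)
                       if dst.startswith(src + "."))
    return suffixes.most_common(1)[0][0] if suffixes else None


def encrypted_files(events, ext):
    """Map each original path to True if a companion '<path><ext>_info' file was also created."""
    originals = {src for src, dst in rename_pairs(events) if dst == src + ext}
    notes = {path[: -len(ext + NOTE_SUFFIX)] for verb, path, _proc in events
             if verb == "File created" and path.endswith(ext + NOTE_SUFFIX)}
    return {f: f in notes for f in sorted(originals)}


def looks_like_rename_encryption(events, min_files=2):
    """Flag when at least `min_files` distinct files gained the same appended extension.

    Returns (flagged, ext, per_file). min_files is an assumed threshold, not from the report.
    """
    ext = infer_appended_extension(events)
    if ext is None:
        return False, None, {}
    files = encrypted_files(events, ext)
    return len(files) >= min_files, ext, files


if __name__ == "__main__":
    flagged, ext, files = looks_like_rename_encryption(FILE_EVENTS)
    print(f"flagged={flagged} ext={ext}")
    for original, has_note in files.items():
        print(f"  {original}  note={'yes' if has_note else 'no'}")
```

On the report's events this yields `.tcwwasted` as the inferred extension and both Pictures files with a companion note; on a real endpoint the same logic runs over file-rename telemetry, with `min_files` raised to suit the host.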
Processes
- C:\Users\Admin\AppData\Local\Temp\lock.exe (PID 1424)
  Command line: "C:\Users\Admin\AppData\Local\Temp\lock.exe"
  - Suspicious use of WriteProcessMemory
  - Loads dropped DLL
  - NTFS ADS
  - C:\Users\Admin\AppData\Roaming\Query:bin (PID 1464)
    Command line: C:\Users\Admin\AppData\Roaming\Query:bin -r
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Drops file in System32 directory
    - C:\Windows\system32\vssadmin.exe (PID 836)
      Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
    - C:\Windows\SysWOW64\takeown.exe (PID 1820)
      Command line: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Query.exe
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\SysWOW64\icacls.exe (PID 1832)
      Command line: C:\Windows\system32\icacls.exe C:\Windows\system32\Query.exe /reset
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\SysWOW64\cmd.exe (PID 876)
      Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Query" & del "C:\Users\Admin\AppData\Roaming\Query"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\choice.exe (PID 1580)
        Command line: choice /t 10 /d y
      - C:\Windows\SysWOW64\attrib.exe (PID 1892)
        Command line: attrib -h "C:\Users\Admin\AppData\Roaming\Query"
        - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe (PID 1516)
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\lock.exe" & del "C:\Users\Admin\AppData\Local\Temp\lock.exe"
    - Suspicious use of WriteProcessMemory
    - Deletes itself
    - C:\Windows\SysWOW64\choice.exe (PID 1584)
      Command line: choice /t 10 /d y
    - C:\Windows\SysWOW64\attrib.exe (PID 1932)
      Command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\lock.exe"
      - Views/modifies file attributes
- C:\Windows\system32\vssvc.exe (PID 1008)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\Query.exe (PID 1784)
  Command line: C:\Windows\SysWOW64\Query.exe -s
  - Modifies extensions of user files
  - Suspicious use of WriteProcessMemory
  - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 984)
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Query.exe" & del "C:\Windows\SysWOW64\Query.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe (PID 1316)
      Command line: choice /t 10 /d y
    - C:\Windows\SysWOW64\attrib.exe (PID 1912)
      Command line: attrib -h "C:\Windows\SysWOW64\Query.exe"
      - Views/modifies file attributes
      - Drops file in System32 directory

PIDs are taken from the signature tables above. Three things to read off this tree. First, the command lines name C:\Windows\system32 while the recorded image paths are C:\Windows\SysWOW64: the sample runs as a 32-bit process, so WOW64 file-system redirection maps its system32 references to SysWOW64, which is also why the dropped copy lands at C:\Windows\SysWOW64\Query.exe even though takeown and icacls were pointed at C:\Windows\system32\Query.exe. Second, the work is split across two stages with different switches: the -r stage (Query:bin, executed straight out of the alternate data stream) deletes the shadow copies and writes the SysWOW64 copy, while the -s stage (Query.exe, shown at the top level because no monitored parent started it) is the only process that renames user files. Third, each stage removes its own binary with the same delayed chain, choice /t 10 /d y as a ten-second timer, attrib -h to unhide the file, then del; for the ADS stage the target is the host file Query, which takes the bin stream with it. vssvc.exe is the Windows Volume Shadow Copy service started to handle the vssadmin request, and its tags are its own behaviour rather than the sample's.
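The process tree above carries enough to derive the report's behavioural tags from raw process-creation telemetry. The Python below is an added example, not part of the report or of any sandbox's rule set: the `Proc` records are constructed from the PIDs, image paths and command lines listed above (parent 0 where the report shows no monitored parent), and the rule names are this example's own. It flags execution from an NTFS alternate data stream, the vssadmin shadow-copy deletion, takeown/icacls against a path under the Windows directory, and the `choice /t N /d y & ... & del` delayed-delete chain, additionally checking whether the deleted path is the parent's own image (with the stream name stripped, since deleting the host file removes the stream).

```python
import re
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int      # 0 = no monitored parent in the report
    image: str
    cmdline: str


# Constructed process-creation records. PIDs, image paths and command lines are the ones
# in the report's process tree and WriteProcessMemory table; nothing else is assumed.
EVENTS = [
    Proc(1424, 0,    r"C:\Users\Admin\AppData\Local\Temp\lock.exe", r'"C:\Users\Admin\AppData\Local\Temp\lock.exe"'),
    Proc(1464, 1424, r"C:\Users\Admin\AppData\Roaming\Query:bin",    r"C:\Users\Admin\AppData\Roaming\Query:bin -r"),
    Proc(836,  1464, r"C:\Windows\system32\vssadmin.exe", r"C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet"),
    Proc(1820, 1464, r"C:\Windows\SysWOW64\takeown.exe",  r"C:\Windows\system32\takeown.exe /F C:\Windows\system32\Query.exe"),
    Proc(1832, 1464, r"C:\Windows\SysWOW64\icacls.exe",   r"C:\Windows\system32\icacls.exe C:\Windows\system32\Query.exe /reset"),
    Proc(876,  1464, r"C:\Windows\SysWOW64\cmd.exe",
         r'cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Query" & del "C:\Users\Admin\AppData\Roaming\Query"'),
    Proc(1516, 1424, r"C:\Windows\SysWOW64\cmd.exe",
         r'cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\lock.exe" & del "C:\Users\Admin\AppData\Local\Temp\lock.exe"'),
    Proc(1784, 0,    r"C:\Windows\SysWOW64\Query.exe", r"C:\Windows\SysWOW64\Query.exe -s"),
    Proc(984,  1784, r"C:\Windows\SysWOW64\cmd.exe",
         r'cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Query.exe" & del "C:\Windows\SysWOW64\Query.exe"'),
]

# "C:\dir\file:stream": a second colon after the drive letter means execution from an NTFS alternate data stream
ADS_IMAGE = re.compile(r"^[A-Za-z]:\\[^:]*:[^\\:]+$")
SHADOW_DELETE = re.compile(r"\bdelete\s+shadows\b", re.I)
# "choice /t N /d y & ... & del <target>": a timed self-delete chain that needs no sleep binary
DELAYED_DEL = re.compile(r'choice\s+/t\s+\d+\s+/d\s+y\s*&.*\bdel\s+"?([^"&]+)"?', re.I)
WINDOWS_DIR = re.compile(r"^[A-Za-z]:\\windows\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def host_file(path):
    """Strip an ADS stream name: deleting the host file removes every stream on it."""
    return path[: path.rfind(":")] if ADS_IMAGE.match(path) else path


def acl_target(base, cmdline):
    """Target of 'takeown /F <path>' or 'icacls <path> ...' (non-POSIX split keeps Windows backslashes)."""
    toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if base == "takeown.exe":
        for i, t in enumerate(toks[:-1]):
            if t.lower() == "/f":
                return toks[i + 1]
    elif base == "icacls.exe" and len(toks) > 1:
        return toks[1]
    return None


def detect(events):
    """Return (pid, rule) pairs for the behaviours the report tags, derived from the raw records."""
    by_pid = {p.pid: p for p in events}
    findings = []
    for p in events:
        base = basename(p.image)
        if ADS_IMAGE.match(p.image):
            findings.append((p.pid, "exec_from_ntfs_ads"))
        if base == "vssadmin.exe" and SHADOW_DELETE.search(p.cmdline):
            findings.append((p.pid, "vssadmin_shadow_delete"))
        if base in ("takeown.exe", "icacls.exe"):
            target = acl_target(base, p.cmdline)
            if target and WINDOWS_DIR.match(target):
                findings.append((p.pid, "acl_reset_under_windows_dir"))  # the report's "Modifies file permissions"
        if base == "cmd.exe":
            m = DELAYED_DEL.search(p.cmdline)
            if m:
                findings.append((p.pid, "delayed_delete_chain"))
                parent = by_pid.get(p.ppid)
                # The report tags only PID 1516 as "Deletes itself"; comparing the del target with the
                # parent's stream-stripped image also catches the clean-ups of the two dropped copies.
                if parent and host_file(parent.image).lower() == m.group(1).strip().lower():
                    findings.append((p.pid, "deletes_parent_image"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"{pid:>5}  {rule}")
```

Run against these records the detector reproduces the report's findings for PIDs 1464, 836, 1820 and 1832 and flags all three delayed-delete chains (876, 1516, 984) as removing their parent's image. The same functions apply unchanged to Sysmon event ID 1 or EDR process-creation records once mapped into `Proc`.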
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Query:bin
- C:\Windows\SysWOW64\Query.exe
- \Users\Admin\AppData\Roaming\Query
- memory/836-4-0x0000000000000000-mapping.dmp
- memory/876-12-0x0000000000000000-mapping.dmp
- memory/984-10-0x0000000000000000-mapping.dmp
- memory/1316-11-0x0000000000000000-mapping.dmp
- memory/1464-2-0x0000000000000000-mapping.dmp
- memory/1516-13-0x0000000000000000-mapping.dmp
- memory/1580-14-0x0000000000000000-mapping.dmp
- memory/1584-15-0x0000000000000000-mapping.dmp
- memory/1820-6-0x0000000000000000-mapping.dmp
- memory/1832-8-0x0000000000000000-mapping.dmp
- memory/1892-16-0x0000000000000000-mapping.dmp
- memory/1912-18-0x0000000000000000-mapping.dmp
- memory/1932-17-0x0000000000000000-mapping.dmp