Analysis

max time kernel: 66s
max time network: 6s
platform: windows10_x64
resource: win10
submitted: 01-08-2020 09:49

Static task: static1
Behavioral task: behavioral1
  Sample: lock.exe
  Resource: win7v200722
Behavioral task: behavioral2
  Sample: lock.exe
  Resource: win10

General

Target: lock.exe
Size: 112KB
MD5: d01fc079881dc0d33a88e4f8df1ae7ce
SHA1: c40c8848808da12ef78c68de1e6477b862161a43
SHA256: 0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821
SHA512: 83bca79d1f0ac14c6d79685fd192964e7117e8c9c734036abddfdbb068c801ff38027a0812a2499e1d9e528a47af07150cafee27384b5a78b8fc32c23bd21130
Malware Config
Signatures
Suspicious use of WriteProcessMemory (38 IoCs)
Processes: lock.exe, Session:bin, Session.exe, cmd.exe, cmd.exe, cmd.exe

description                         pid   process      target process   calls
PID 3536 wrote to memory of 3720    3536  lock.exe     Session:bin      3
PID 3720 wrote to memory of 3848    3720  Session:bin  vssadmin.exe     2
PID 3720 wrote to memory of 3744    3720  Session:bin  takeown.exe      3
PID 3720 wrote to memory of 3308    3720  Session:bin  icacls.exe       3
PID 1664 wrote to memory of 3684    1664  Session.exe  cmd.exe          3
PID 3684 wrote to memory of 2196    3684  cmd.exe      choice.exe       3
PID 3720 wrote to memory of 1780    3720  Session:bin  cmd.exe          3
PID 3536 wrote to memory of 1888    3536  lock.exe     cmd.exe          3
PID 1780 wrote to memory of 2536    1780  cmd.exe      choice.exe       3
PID 1888 wrote to memory of 404     1888  cmd.exe      choice.exe       3
PID 3684 wrote to memory of 3892    3684  cmd.exe      attrib.exe       3
PID 1780 wrote to memory of 664     1780  cmd.exe      attrib.exe       3
PID 1888 wrote to memory of 244     1888  cmd.exe      attrib.exe       3
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: vssvc.exe

description                pid   process
Token: SeBackupPrivilege   3804  vssvc.exe
Token: SeRestorePrivilege  3804  vssvc.exe
Token: SeAuditPrivilege    3804  vssvc.exe
Modifies service (2 TTPs, 5 IoCs)
Processes: vssvc.exe

description  ioc                                                                                                process
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                           vssvc.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}  vssvc.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer                         vssvc.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                                vssvc.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer           vssvc.exe
Modifies file permissions (1 TTPs, 2 IoCs)
Processes: takeown.exe, icacls.exe

pid   process
3744  takeown.exe
3308  icacls.exe
WastedLocker
Ransomware family seen in the wild since May 2020.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Drops file in System32 directory (2 IoCs)
Processes: Session:bin, attrib.exe

description                   ioc                              process
File opened for modification  C:\Windows\SysWOW64\Session.exe  Session:bin
File opened for modification  C:\Windows\SysWOW64\Session.exe  attrib.exe

Executes dropped EXE (2 IoCs)
Processes: Session:bin, Session.exe

pid   process
3720  Session:bin
1664  Session.exe
Modifies extensions of user files (18 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: Session.exe

description                   ioc                                                                                          process
File renamed                  C:\Users\Admin\Pictures\MoveSearch.tiff => C:\Users\Admin\Pictures\MoveSearch.tiff.tcwwasted  Session.exe
File created                  C:\Users\Admin\Pictures\RequestRepair.crw.tcwwasted_info                                     Session.exe
File opened for modification  C:\Users\Admin\Pictures\RequestRepair.crw.tcwwasted                                          Session.exe
File created                  C:\Users\Admin\Pictures\StartExit.tif.tcwwasted_info                                         Session.exe
File renamed                  C:\Users\Admin\Pictures\DismountEdit.png => C:\Users\Admin\Pictures\DismountEdit.png.tcwwasted  Session.exe
File opened for modification  C:\Users\Admin\Pictures\DismountEdit.png.tcwwasted                                           Session.exe
File created                  C:\Users\Admin\Pictures\MoveSearch.tiff.tcwwasted_info                                       Session.exe
File renamed                  C:\Users\Admin\Pictures\StartExit.tif => C:\Users\Admin\Pictures\StartExit.tif.tcwwasted      Session.exe
File created                  C:\Users\Admin\Pictures\WaitCopy.png.tcwwasted_info                                          Session.exe
File renamed                  C:\Users\Admin\Pictures\RequestRepair.crw => C:\Users\Admin\Pictures\RequestRepair.crw.tcwwasted  Session.exe
File renamed                  C:\Users\Admin\Pictures\SelectRedo.tif => C:\Users\Admin\Pictures\SelectRedo.tif.tcwwasted    Session.exe
File opened for modification  C:\Users\Admin\Pictures\WaitCopy.png.tcwwasted                                               Session.exe
File created                  C:\Users\Admin\Pictures\DismountEdit.png.tcwwasted_info                                      Session.exe
File opened for modification  C:\Users\Admin\Pictures\MoveSearch.tiff.tcwwasted                                            Session.exe
File created                  C:\Users\Admin\Pictures\SelectRedo.tif.tcwwasted_info                                        Session.exe
File opened for modification  C:\Users\Admin\Pictures\SelectRedo.tif.tcwwasted                                             Session.exe
File opened for modification  C:\Users\Admin\Pictures\StartExit.tif.tcwwasted                                              Session.exe
File renamed                  C:\Users\Admin\Pictures\WaitCopy.png => C:\Users\Admin\Pictures\WaitCopy.png.tcwwasted        Session.exe
Possible privilege escalation attempt (2 IoCs)
Processes: takeown.exe, icacls.exe

pid   process
3744  takeown.exe
3308  icacls.exe

Views/modifies file attributes (1 TTPs, 3 IoCs)
Processes: attrib.exe, attrib.exe, attrib.exe

pid   process
3892  attrib.exe
664   attrib.exe
244   attrib.exe

NTFS ADS (1 IoCs)
Processes: lock.exe

description                   ioc                                        process
File opened for modification  C:\Users\Admin\AppData\Roaming\Session:bin  lock.exe

Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe

pid   process
3848  vssadmin.exe
Processes

C:\Users\Admin\AppData\Local\Temp\lock.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\lock.exe"
    - Suspicious use of WriteProcessMemory
    - NTFS ADS

    C:\Users\Admin\AppData\Roaming\Session:bin
        command line: C:\Users\Admin\AppData\Roaming\Session:bin -r
        - Suspicious use of WriteProcessMemory
        - Drops file in System32 directory
        - Executes dropped EXE

        C:\Windows\system32\vssadmin.exe
            command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
            - Interacts with shadow copies

        C:\Windows\SysWOW64\takeown.exe
            command line: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Session.exe
            - Modifies file permissions
            - Possible privilege escalation attempt

        C:\Windows\SysWOW64\icacls.exe
            command line: C:\Windows\system32\icacls.exe C:\Windows\system32\Session.exe /reset
            - Modifies file permissions
            - Possible privilege escalation attempt

        C:\Windows\SysWOW64\cmd.exe
            command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Session" & del "C:\Users\Admin\AppData\Roaming\Session"
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\choice.exe
                command line: choice /t 10 /d y

            C:\Windows\SysWOW64\attrib.exe
                command line: attrib -h "C:\Users\Admin\AppData\Roaming\Session"
                - Views/modifies file attributes

    C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\lock.exe" & del "C:\Users\Admin\AppData\Local\Temp\lock.exe"
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\choice.exe
            command line: choice /t 10 /d y

        C:\Windows\SysWOW64\attrib.exe
            command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\lock.exe"
            - Views/modifies file attributes

C:\Windows\system32\vssvc.exe
    command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
    - Modifies service

C:\Windows\SysWOW64\Session.exe
    command line: C:\Windows\SysWOW64\Session.exe -s
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Modifies extensions of user files

    C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Session.exe" & del "C:\Windows\SysWOW64\Session.exe"
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\choice.exe
            command line: choice /t 10 /d y

        C:\Windows\SysWOW64\attrib.exe
            command line: attrib -h "C:\Windows\SysWOW64\Session.exe"
            - Drops file in System32 directory
            - Views/modifies file attributes
Downloads

- C:\Users\Admin\AppData\Roaming\Session:bin
- C:\Windows\SysWOW64\Session.exe