Analysis
- max time kernel: 146s
- max time network: 151s
- platform: windows7_x64
- resource: win7
- submitted: 10-08-2020 12:16
Static task: static1
Behavioral task: behavioral1
  Sample: 0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: 0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.exe
  Resource: win10
General
- Target: 0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.exe
- Size: 112KB
- MD5: d01fc079881dc0d33a88e4f8df1ae7ce
- SHA1: c40c8848808da12ef78c68de1e6477b862161a43
- SHA256: 0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821
- SHA512: 83bca79d1f0ac14c6d79685fd192964e7117e8c9c734036abddfdbb068c801ff38027a0812a2499e1d9e528a47af07150cafee27384b5a78b8fc32c23bd21130
Malware Config
Signatures
- Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
- Possible privilege escalation attempt (2 IoCs)
  Processes: takeown.exe, icacls.exe
  pid | process
  1056 | takeown.exe
  1544 | icacls.exe
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (6 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: Device.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\Pictures\SkipUpdate.png.tcwwasted | Device.exe
  File created | C:\Users\Admin\Pictures\ConfirmResume.tif.tcwwasted_info | Device.exe
  File renamed | C:\Users\Admin\Pictures\ConfirmResume.tif => C:\Users\Admin\Pictures\ConfirmResume.tif.tcwwasted | Device.exe
  File opened for modification | C:\Users\Admin\Pictures\ConfirmResume.tif.tcwwasted | Device.exe
  File created | C:\Users\Admin\Pictures\SkipUpdate.png.tcwwasted_info | Device.exe
  File renamed | C:\Users\Admin\Pictures\SkipUpdate.png => C:\Users\Admin\Pictures\SkipUpdate.png.tcwwasted | Device.exe
- Loads dropped DLL (2 IoCs)
  Processes: 0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.exe
  pid | process
  2040 | 0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.exe
  2040 | 0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  description | pid | process
  Token: SeBackupPrivilege | 1420 | vssvc.exe
  Token: SeRestorePrivilege | 1420 | vssvc.exe
  Token: SeAuditPrivilege | 1420 | vssvc.exe
- Modifies file permissions (1 TTPs, 2 IoCs)
  Processes: takeown.exe, icacls.exe
  pid | process
  1056 | takeown.exe
  1544 | icacls.exe
- WastedLocker
  Ransomware family seen in the wild since May 2020.
- NTFS ADS (1 IoCs)
  Processes: 0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Device:bin | 0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.exe
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  1232 | vssadmin.exe
- Drops file in System32 directory (2 IoCs)
  Processes: Device:bin, attrib.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\Device.exe | Device:bin
  File opened for modification | C:\Windows\SysWOW64\Device.exe | attrib.exe
- Views/modifies file attributes (1 TTPs, 3 IoCs)
  Processes: attrib.exe, attrib.exe, attrib.exe
  pid | process
  1888 | attrib.exe
  1904 | attrib.exe
  1868 | attrib.exe
- Suspicious use of WriteProcessMemory (52 IoCs)
  Processes: 0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.exe, Device:bin, Device.exe, cmd.exe, cmd.exe, cmd.exe
  Each of the 13 rows below is recorded 4 times in the report (52 entries in total); the repeats are listed once here.
  description | pid | process | target process
  PID 2040 wrote to memory of 1096 | 2040 | 0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.exe | Device:bin
  PID 1096 wrote to memory of 1232 | 1096 | Device:bin | vssadmin.exe
  PID 1096 wrote to memory of 1056 | 1096 | Device:bin | takeown.exe
  PID 1096 wrote to memory of 1544 | 1096 | Device:bin | icacls.exe
  PID 1676 wrote to memory of 1780 | 1676 | Device.exe | cmd.exe
  PID 1780 wrote to memory of 1748 | 1780 | cmd.exe | choice.exe
  PID 1096 wrote to memory of 1840 | 1096 | Device:bin | cmd.exe
  PID 2040 wrote to memory of 1600 | 2040 | 0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.exe | cmd.exe
  PID 1840 wrote to memory of 1564 | 1840 | cmd.exe | choice.exe
  PID 1600 wrote to memory of 1560 | 1600 | cmd.exe | choice.exe
  PID 1780 wrote to memory of 1904 | 1780 | cmd.exe | attrib.exe
  PID 1840 wrote to memory of 1868 | 1840 | cmd.exe | attrib.exe
  PID 1600 wrote to memory of 1888 | 1600 | cmd.exe | attrib.exe
- Executes dropped EXE (2 IoCs)
  Processes: Device:bin, Device.exe
  pid | process
  1096 | Device:bin
  1676 | Device.exe
- Deletes itself (1 IoCs)
  Processes: cmd.exe
  pid | process
  1600 | cmd.exe
Processes
Process tree (indentation shows parent/child depth; each entry gives the image path, then the command line, then the signatures triggered by that process):

- C:\Users\Admin\AppData\Local\Temp\0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.exe"
  - Loads dropped DLL
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Device:bin
      Command line: C:\Users\Admin\AppData\Roaming\Device:bin -r
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      - Executes dropped EXE
        - C:\Windows\system32\vssadmin.exe
          Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
          - Interacts with shadow copies
        - C:\Windows\SysWOW64\takeown.exe
          Command line: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Device.exe
          - Possible privilege escalation attempt
          - Modifies file permissions
        - C:\Windows\SysWOW64\icacls.exe
          Command line: C:\Windows\system32\icacls.exe C:\Windows\system32\Device.exe /reset
          - Possible privilege escalation attempt
          - Modifies file permissions
        - C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Device" & del "C:\Users\Admin\AppData\Roaming\Device"
          - Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\choice.exe
              Command line: choice /t 10 /d y
            - C:\Windows\SysWOW64\attrib.exe
              Command line: attrib -h "C:\Users\Admin\AppData\Roaming\Device"
              - Views/modifies file attributes
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.exe" & del "C:\Users\Admin\AppData\Local\Temp\0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.exe"
      - Suspicious use of WriteProcessMemory
      - Deletes itself
        - C:\Windows\SysWOW64\choice.exe
          Command line: choice /t 10 /d y
        - C:\Windows\SysWOW64\attrib.exe
          Command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.exe"
          - Views/modifies file attributes
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\Device.exe
  Command line: C:\Windows\SysWOW64\Device.exe -s
  - Modifies extensions of user files
  - Suspicious use of WriteProcessMemory
  - Executes dropped EXE
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Device.exe" & del "C:\Windows\SysWOW64\Device.exe"
      - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\choice.exe
          Command line: choice /t 10 /d y
        - C:\Windows\SysWOW64\attrib.exe
          Command line: attrib -h "C:\Windows\SysWOW64\Device.exe"
          - Drops file in System32 directory
          - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Device:bin
- C:\Users\Admin\AppData\Roaming\Device:bin
- C:\Windows\SysWOW64\Device.exe
- C:\Windows\SysWOW64\Device.exe
- \Users\Admin\AppData\Roaming\Device
- \Users\Admin\AppData\Roaming\Device
- memory/1056-6-0x0000000000000000-mapping.dmp
- memory/1096-2-0x0000000000000000-mapping.dmp
- memory/1232-4-0x0000000000000000-mapping.dmp
- memory/1544-8-0x0000000000000000-mapping.dmp
- memory/1560-15-0x0000000000000000-mapping.dmp
- memory/1564-14-0x0000000000000000-mapping.dmp
- memory/1600-13-0x0000000000000000-mapping.dmp
- memory/1748-11-0x0000000000000000-mapping.dmp
- memory/1780-10-0x0000000000000000-mapping.dmp
- memory/1840-12-0x0000000000000000-mapping.dmp
- memory/1868-17-0x0000000000000000-mapping.dmp
- memory/1888-18-0x0000000000000000-mapping.dmp
- memory/1904-16-0x0000000000000000-mapping.dmp