Analysis
-
max time kernel
134s -
max time network
152s -
platform
windows10_x64 -
resource
win10 -
submitted
31-08-2020 18:23
Static task
static1
Behavioral task
behavioral1
Sample
wastlock_15.exe
Resource
win7
Behavioral task
behavioral2
Sample
wastlock_15.exe
Resource
win10
General
-
Target
wastlock_15.exe
-
Size
1.1MB
-
MD5
f67ea8e471e827e4b7b65b65647d1d46
-
SHA1
e62d3a4fe0da1b1b8e9bcff3148becd6d02bcb07
-
SHA256
e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb
-
SHA512
b6b2cc29a5c5247d4a68ec7e7d0080e2f6e460eee98ece85498fe25b044beea8d3e15139bcdbaad744c6fb3e9caff7a127bd4487ba35c191a57883e2b47aecc4
Malware Config
Signatures
-
WastedLocker
Ransomware family seen in the wild since May 2020.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
Processes:
Id:binId.exepid process 2640 Id:bin 2072 Id.exe -
Modifies extensions of user files 15 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
Id.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\RequestPush.raw.eswasted Id.exe File opened for modification C:\Users\Admin\Pictures\UnregisterRequest.tif.eswasted Id.exe File created C:\Users\Admin\Pictures\DenyHide.crw.eswasted_info Id.exe File renamed C:\Users\Admin\Pictures\InvokeConvert.png => C:\Users\Admin\Pictures\InvokeConvert.png.eswasted Id.exe File created C:\Users\Admin\Pictures\RestoreDismount.png.eswasted_info Id.exe File renamed C:\Users\Admin\Pictures\UnregisterRequest.tif => C:\Users\Admin\Pictures\UnregisterRequest.tif.eswasted Id.exe File opened for modification C:\Users\Admin\Pictures\DenyHide.crw.eswasted Id.exe File opened for modification C:\Users\Admin\Pictures\InvokeConvert.png.eswasted Id.exe File renamed C:\Users\Admin\Pictures\RestoreDismount.png => C:\Users\Admin\Pictures\RestoreDismount.png.eswasted Id.exe File created C:\Users\Admin\Pictures\UnregisterRequest.tif.eswasted_info Id.exe File renamed C:\Users\Admin\Pictures\DenyHide.crw => C:\Users\Admin\Pictures\DenyHide.crw.eswasted Id.exe File created C:\Users\Admin\Pictures\RequestPush.raw.eswasted_info Id.exe File renamed C:\Users\Admin\Pictures\RequestPush.raw => C:\Users\Admin\Pictures\RequestPush.raw.eswasted Id.exe File opened for modification C:\Users\Admin\Pictures\RestoreDismount.png.eswasted Id.exe File created C:\Users\Admin\Pictures\InvokeConvert.png.eswasted_info Id.exe -
Possible privilege escalation attempt 2 IoCs
Processes:
takeown.exeicacls.exepid process 1512 takeown.exe 1888 icacls.exe -
Modifies file permissions 1 TTPs 2 IoCs
Processes:
takeown.exeicacls.exepid process 1512 takeown.exe 1888 icacls.exe -
Drops file in System32 directory 2 IoCs
Processes:
attrib.exeId:bindescription ioc process File opened for modification C:\Windows\SysWOW64\Id.exe attrib.exe File opened for modification C:\Windows\SysWOW64\Id.exe Id:bin -
Modifies service 2 TTPs 5 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe -
Drops file in Windows directory 1 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat svchost.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 836 vssadmin.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
svchost.exedescription ioc process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7 svchost.exe Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1" svchost.exe Set value (data) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 94781867c37fd601 svchost.exe Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0" svchost.exe -
NTFS ADS 1 IoCs
Processes:
wastlock_15.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Id:bin wastlock_15.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
svchost.exevssvc.exedescription pid process Token: SeShutdownPrivilege 3012 svchost.exe Token: SeCreatePagefilePrivilege 3012 svchost.exe Token: SeBackupPrivilege 1052 vssvc.exe Token: SeRestorePrivilege 1052 vssvc.exe Token: SeAuditPrivilege 1052 vssvc.exe -
Suspicious use of WriteProcessMemory 38 IoCs
Processes:
wastlock_15.exeId:binId.execmd.execmd.execmd.exedescription pid process target process PID 3060 wrote to memory of 2640 3060 wastlock_15.exe Id:bin PID 3060 wrote to memory of 2640 3060 wastlock_15.exe Id:bin PID 3060 wrote to memory of 2640 3060 wastlock_15.exe Id:bin PID 2640 wrote to memory of 836 2640 Id:bin vssadmin.exe PID 2640 wrote to memory of 836 2640 Id:bin vssadmin.exe PID 2640 wrote to memory of 1512 2640 Id:bin takeown.exe PID 2640 wrote to memory of 1512 2640 Id:bin takeown.exe PID 2640 wrote to memory of 1512 2640 Id:bin takeown.exe PID 2640 wrote to memory of 1888 2640 Id:bin icacls.exe PID 2640 wrote to memory of 1888 2640 Id:bin icacls.exe PID 2640 wrote to memory of 1888 2640 Id:bin icacls.exe PID 2072 wrote to memory of 2540 2072 Id.exe cmd.exe PID 2072 wrote to memory of 2540 2072 Id.exe cmd.exe PID 2072 wrote to memory of 2540 2072 Id.exe cmd.exe PID 2540 wrote to memory of 2800 2540 cmd.exe choice.exe PID 2540 wrote to memory of 2800 2540 cmd.exe choice.exe PID 2540 wrote to memory of 2800 2540 cmd.exe choice.exe PID 2640 wrote to memory of 1284 2640 Id:bin cmd.exe PID 2640 wrote to memory of 1284 2640 Id:bin cmd.exe PID 2640 wrote to memory of 1284 2640 Id:bin cmd.exe PID 3060 wrote to memory of 2620 3060 wastlock_15.exe cmd.exe PID 3060 wrote to memory of 2620 3060 wastlock_15.exe cmd.exe PID 3060 wrote to memory of 2620 3060 wastlock_15.exe cmd.exe PID 1284 wrote to memory of 3144 1284 cmd.exe choice.exe PID 1284 wrote to memory of 3144 1284 cmd.exe choice.exe PID 1284 wrote to memory of 3144 1284 cmd.exe choice.exe PID 2620 wrote to memory of 3808 2620 cmd.exe choice.exe PID 2620 wrote to memory of 3808 2620 cmd.exe choice.exe PID 2620 wrote to memory of 3808 2620 cmd.exe choice.exe PID 2540 wrote to memory of 264 2540 cmd.exe attrib.exe PID 2540 wrote to memory of 264 2540 cmd.exe attrib.exe PID 2540 wrote to memory of 264 2540 cmd.exe attrib.exe PID 1284 wrote to memory of 1056 1284 cmd.exe attrib.exe PID 1284 wrote to memory of 1056 1284 cmd.exe attrib.exe PID 1284 wrote to memory of 1056 1284 cmd.exe attrib.exe PID 2620 wrote to memory of 408 2620 cmd.exe attrib.exe PID 2620 wrote to memory of 408 2620 cmd.exe attrib.exe PID 2620 wrote to memory of 408 2620 cmd.exe attrib.exe -
Views/modifies file attributes 1 TTPs 3 IoCs
Processes:
attrib.exeattrib.exeattrib.exepid process 408 attrib.exe 264 attrib.exe 1056 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\wastlock_15.exe"C:\Users\Admin\AppData\Local\Temp\wastlock_15.exe"1⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Id:binC:\Users\Admin\AppData\Roaming\Id:bin -r2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Windows\system32\Id.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Windows\system32\Id.exe /reset3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Id" & del "C:\Users\Admin\AppData\Roaming\Id"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y4⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Users\Admin\AppData\Roaming\Id"4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\wastlock_15.exe" & del "C:\Users\Admin\AppData\Local\Temp\wastlock_15.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Users\Admin\AppData\Local\Temp\wastlock_15.exe"3⤵
- Views/modifies file attributes
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Id.exeC:\Windows\SysWOW64\Id.exe -s1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Id.exe" & del "C:\Windows\SysWOW64\Id.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Windows\SysWOW64\Id.exe"3⤵
- Drops file in System32 directory
- Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Id:bin
-
C:\Users\Admin\AppData\Roaming\Id:bin
-
C:\Windows\SysWOW64\Id.exe
-
C:\Windows\SysWOW64\Id.exe
-
memory/264-14-0x0000000000000000-mapping.dmp
-
memory/408-16-0x0000000000000000-mapping.dmp
-
memory/836-3-0x0000000000000000-mapping.dmp
-
memory/1056-15-0x0000000000000000-mapping.dmp
-
memory/1284-10-0x0000000000000000-mapping.dmp
-
memory/1512-4-0x0000000000000000-mapping.dmp
-
memory/1888-6-0x0000000000000000-mapping.dmp
-
memory/2540-8-0x0000000000000000-mapping.dmp
-
memory/2620-11-0x0000000000000000-mapping.dmp
-
memory/2640-0-0x0000000000000000-mapping.dmp
-
memory/2800-9-0x0000000000000000-mapping.dmp
-
memory/3144-12-0x0000000000000000-mapping.dmp
-
memory/3808-13-0x0000000000000000-mapping.dmp