Analysis
- max time kernel: 120s
- max time network: 127s
- platform: windows7_x64
- resource: win7
- submitted: 31-08-2020 18:23

Tasks
- Static task: static1
- Behavioral task: behavioral1, sample wastlock_1.exe, resource win7
- Behavioral task: behavioral2, sample wastlock_1.exe, resource win10v200722

The signatures and process tree below come from the win7 run (behavioral1); the Windows 10 run is a separate task.
General
- Target: wastlock_1.exe
- Size: 1.0MB
- MD5: 572fea5f025df78f2d316216fbeee52e
- SHA1: 91b2bf44b1f9282c09f07f16631deaa3ad9d956d
- SHA256: 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367
- SHA512: eb238272227c5825477ff1e37dc4f7e467665049d4db5649fff59c39d7745e88b06234d6d1218c05c802e33e21577f9d4a533cb9e23ebe6fb09654f97759c187
Signatures

- WastedLocker
  Ransomware family seen in the wild since May 2020.

- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

- Executes dropped EXE (2 IoCs)
  Processes:
    PID 1376  Net:bin
    PID 864   Name.exe
- Modifies extensions of user files (15 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: Name.exe (all 15 events). Five files under C:\Users\Admin\Pictures\ each produce the same three events:
    File renamed                  <file> => <file>.rlhwasted
    File opened for modification  <file>.rlhwasted
    File created                  <file>.rlhwasted_info
  Victim files: ConvertFromStop.raw, InstallDisable.raw, RevokeSubmit.crw, SkipRemove.png, UnprotectSwitch.tiff
  The ".rlhwasted" extension is victim-specific: WastedLocker builds it from an abbreviation of the target organisation's name plus "wasted", so the suffix differs between intrusions and should not be used as a fixed indicator. The "<file>.rlhwasted_info" file created beside every encrypted file is the per-file ransom note.
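An added example (not the report's or the sandbox's own code) of how an incident responder scopes the damage from a plain file listing, such as the output of `dir /s /b`: it infers the ransom extension from the pairing of encrypted file and `_info` note shown above instead of hard-coding ".rlhwasted", recovers the original file names, and flags encrypted files that have no note. The listing is constructed from the report's five victim files plus two made-up entries (an untouched file and a note-less encrypted file) so that the edge cases are exercised.

```python
"""Scope a WastedLocker-style encryption run from a file listing.

Added example; not part of the sandbox report. The ransom extension is
inferred from the family's pairing pattern (<file>.<ext> next to
<file>.<ext>_info), so the same code works on another victim's suffix.
"""
from collections import Counter
from pathlib import PureWindowsPath

NOTE_SUFFIX = "_info"  # WastedLocker's per-file ransom note suffix

# Constructed listing of C:\Users\Admin\Pictures after the run. The five
# pairs come from the report; Untouched.jpg and the note-less
# Interrupted.bmp.rlhwasted are made up to exercise the edge cases.
LISTING = [
    r"C:\Users\Admin\Pictures\ConvertFromStop.raw.rlhwasted",
    r"C:\Users\Admin\Pictures\ConvertFromStop.raw.rlhwasted_info",
    r"C:\Users\Admin\Pictures\InstallDisable.raw.rlhwasted",
    r"C:\Users\Admin\Pictures\InstallDisable.raw.rlhwasted_info",
    r"C:\Users\Admin\Pictures\RevokeSubmit.crw.rlhwasted",
    r"C:\Users\Admin\Pictures\RevokeSubmit.crw.rlhwasted_info",
    r"C:\Users\Admin\Pictures\SkipRemove.png.rlhwasted",
    r"C:\Users\Admin\Pictures\SkipRemove.png.rlhwasted_info",
    r"C:\Users\Admin\Pictures\UnprotectSwitch.tiff.rlhwasted",
    r"C:\Users\Admin\Pictures\UnprotectSwitch.tiff.rlhwasted_info",
    r"C:\Users\Admin\Pictures\Untouched.jpg",              # constructed
    r"C:\Users\Admin\Pictures\Interrupted.bmp.rlhwasted",  # constructed, no note
]


def infer_suffix(paths):
    """Ransom extension: the most frequent extension E for which E + '_info' also occurs."""
    exts = Counter(PureWindowsPath(p).suffix.lower() for p in paths)
    candidates = [e for e in exts if e and e + NOTE_SUFFIX in exts]
    return max(candidates, key=exts.__getitem__) if candidates else None


def scope(paths):
    """Return (suffix, records): one record per encrypted file with its note and original name."""
    suffix = infer_suffix(paths)
    if suffix is None:
        return None, []
    present = {p.lower() for p in paths}
    records = []
    for p in paths:
        if not p.lower().endswith(suffix):
            continue
        original = p[:-len(suffix)]
        note = p + NOTE_SUFFIX
        records.append({
            "original": original,
            "encrypted": p,
            # A missing note means the run was interrupted for this file.
            "note": note if note.lower() in present else None,
            # The family renames in place, so the original should be gone.
            "original_present": original.lower() in present,
        })
    return suffix, records


def untouched(paths):
    """Files that are neither encrypted nor notes: recoverable without a key."""
    suffix = infer_suffix(paths)
    if suffix is None:
        return list(paths)
    return [p for p in paths
            if not p.lower().endswith(suffix)
            and not p.lower().endswith(suffix + NOTE_SUFFIX)]


if __name__ == "__main__":
    suffix, records = scope(LISTING)
    print(f"ransom extension: {suffix}")
    for r in records:
        state = "note present" if r["note"] else "NO NOTE (interrupted?)"
        print(f"{r['original']}  ->  {r['encrypted']}  [{state}]")
    print("untouched:", untouched(LISTING))
```

Feed it the listing of every user-data directory; the count of records is the number of files to restore, and the note-less entries mark where the encryptor was interrupted.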
- Possible privilege escalation attempt (2 IoCs)
  Processes:
    PID 1760  takeown.exe
    PID 1168  icacls.exe

- Deletes itself (1 IoC)
  Processes:
    PID 1532  cmd.exe

- Loads dropped DLL (2 IoCs)
  Processes:
    PID 1152  wastlock_1.exe (two load events)

- Modifies file permissions (1 TTP, 2 IoCs)
  Processes:
    PID 1760  takeown.exe
    PID 1168  icacls.exe
  Both act on C:\Windows\system32\Name.exe, the dropped copy of the payload: takeown /F takes ownership of the file and icacls /reset replaces its ACL with the inherited default (see the process tree).

- Drops file in System32 directory (2 IoCs)
  Processes:
    File opened for modification  C:\Windows\SysWOW64\Name.exe  attrib.exe
    File opened for modification  C:\Windows\SysWOW64\Name.exe  Net:bin

- Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
  Caveat: these keys are written by the Volume Shadow Copy service itself (vssvc.exe) as a side effect of the vssadmin call, not by the sample. Treat this signature as corroboration of the shadow-copy deletion rather than as a separate service modification.

- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    PID 1944  vssadmin.exe

- NTFS ADS (1 IoC)
  Processes:
    File opened for modification  C:\Users\Admin\AppData\Roaming\Net:bin  wastlock_1.exe
  The dropper stores its second stage in the alternate data stream "bin" of the file %APPDATA%\Net and launches that stream directly (PID 1376 in the process tree). Alternate streams do not show up in Explorer or in a plain "dir"; list them with "dir /R" or with PowerShell's Get-Item -Path <file> -Stream *.

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe (PID 1980)
    Token: SeBackupPrivilege
    Token: SeRestorePrivilege
    Token: SeAuditPrivilege
  As with "Modifies service", the privilege adjustments belong to the VSS service, not to the sample.

- Suspicious use of WriteProcessMemory (52 IoCs)
  Processes: the raw report records each parent/child pair four times; the 13 distinct pairs are:
    PID 1152  wastlock_1.exe  wrote to  PID 1376  Net:bin
    PID 1376  Net:bin         wrote to  PID 1944  vssadmin.exe
    PID 1376  Net:bin         wrote to  PID 1760  takeown.exe
    PID 1376  Net:bin         wrote to  PID 1168  icacls.exe
    PID 1376  Net:bin         wrote to  PID 524   cmd.exe
    PID 1152  wastlock_1.exe  wrote to  PID 1532  cmd.exe
    PID 864   Name.exe        wrote to  PID 1496  cmd.exe
    PID 1496  cmd.exe         wrote to  PID 816   choice.exe
    PID 1496  cmd.exe         wrote to  PID 276   attrib.exe
    PID 524   cmd.exe         wrote to  PID 1084  choice.exe
    PID 524   cmd.exe         wrote to  PID 1564  attrib.exe
    PID 1532  cmd.exe         wrote to  PID 884   choice.exe
    PID 1532  cmd.exe         wrote to  PID 1476  attrib.exe
  Caveat: every target is a child the writing process itself created, so these are the memory writes that accompany ordinary process creation; nothing here shows injection into an unrelated process.

- Views/modifies file attributes (1 TTP, 3 IoCs)
  Processes:
    PID 1476  attrib.exe
    PID 1564  attrib.exe
    PID 276   attrib.exe
Processes
(the bracketed number is the depth in the process tree; PIDs are taken from the signature tables)

[1] C:\Users\Admin\AppData\Local\Temp\wastlock_1.exe  (PID 1152)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\wastlock_1.exe"
    - Loads dropped DLL
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\Net:bin  (PID 1376)
        cmdline: C:\Users\Admin\AppData\Roaming\Net:bin -r
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\vssadmin.exe  (PID 1944)
            cmdline: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
            - Interacts with shadow copies
        [3] C:\Windows\SysWOW64\takeown.exe  (PID 1760)
            cmdline: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Name.exe
            - Possible privilege escalation attempt
            - Modifies file permissions
        [3] C:\Windows\SysWOW64\icacls.exe  (PID 1168)
            cmdline: C:\Windows\system32\icacls.exe C:\Windows\system32\Name.exe /reset
            - Possible privilege escalation attempt
            - Modifies file permissions
        [3] C:\Windows\SysWOW64\cmd.exe  (PID 524)
            cmdline: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Net" & del "C:\Users\Admin\AppData\Roaming\Net"
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\choice.exe  (PID 1084)
                cmdline: choice /t 10 /d y
            [4] C:\Windows\SysWOW64\attrib.exe  (PID 1564)
                cmdline: attrib -h "C:\Users\Admin\AppData\Roaming\Net"
                - Views/modifies file attributes
    [2] C:\Windows\SysWOW64\cmd.exe  (PID 1532)
        cmdline: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\wastlock_1.exe" & del "C:\Users\Admin\AppData\Local\Temp\wastlock_1.exe"
        - Deletes itself
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\choice.exe  (PID 884)
            cmdline: choice /t 10 /d y
        [3] C:\Windows\SysWOW64\attrib.exe  (PID 1476)
            cmdline: attrib -h "C:\Users\Admin\AppData\Local\Temp\wastlock_1.exe"
            - Views/modifies file attributes

[1] C:\Windows\system32\vssvc.exe  (PID 1980)
    cmdline: C:\Windows\system32\vssvc.exe
    - Modifies service
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\SysWOW64\Name.exe  (PID 864)
    cmdline: C:\Windows\SysWOW64\Name.exe -s
    - Executes dropped EXE
    - Modifies extensions of user files
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe  (PID 1496)
        cmdline: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Name.exe" & del "C:\Windows\SysWOW64\Name.exe"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\choice.exe  (PID 816)
            cmdline: choice /t 10 /d y
        [3] C:\Windows\SysWOW64\attrib.exe  (PID 276)
            cmdline: attrib -h "C:\Windows\SysWOW64\Name.exe"
            - Drops file in System32 directory
            - Views/modifies file attributes

Notes on the tree:
- The sample runs as a 32-bit process (its children cmd.exe, choice.exe and attrib.exe are loaded from SysWOW64), so WOW64 file-system redirection applies: the command lines that name C:\Windows\system32\ (takeown.exe, icacls.exe, Name.exe) actually resolve to C:\Windows\SysWOW64\, which is why the image paths and the dropped-file IoCs show SysWOW64. Search both directories when hunting for Name.exe.
- "choice /t 10 /d y" serves only as a 10-second sleep. After the delay each chain clears the hidden attribute (attrib -h) and deletes the file that launched the parent: the dropper in %TEMP%, the ADS host file %APPDATA%\Net, and the SysWOW64 copy of Name.exe. None of the three on-disk stages is therefore expected to survive on an infected host; the copies in the Downloads section below are the sandbox's captures.
- Name.exe (PID 864) and vssvc.exe (PID 1980) are shown as root processes because no traced process created them. vssvc.exe is the Volume Shadow Copy service that the vssadmin call talks to; Name.exe is the same binary that Net:bin dropped into SysWOW64 and ran takeown/icacls against, and it is the process that performs the encryption.
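The chain above is what a detection engineer wants to catch from process-start telemetry before the encryptor runs: execution from an NTFS alternate data stream, vssadmin deleting shadow copies, takeown/icacls against a file under the Windows directory, and the "choice ... & attrib -h ... & del ..." self-deletion pattern. The following is an added example, not part of the report or of any sandbox product; the ProcEvent record (pid, ppid, image, cmdline) is an assumed shape that mirrors a Sysmon Event ID 1 or EDR process-start event, the EVENTS list is constructed from the tree above (plus one benign control), and the wmic shadowcopy delete rule is a generalisation beyond what this sample does.

```python
"""Detect the WastedLocker execution chain from process-creation telemetry.

Added example; not part of the sandbox report. ProcEvent mirrors the
fields of a Sysmon Event ID 1 / EDR process-start record (assumed names).
"""
import re
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # executable path as the sensor saw it (after WOW64 redirection)
    cmdline: str


# Constructed from the report's process tree; PIDs come from the signature
# tables. The last record is a constructed benign control that must not fire.
EVENTS = [
    ProcEvent(1152, 0, r"C:\Users\Admin\AppData\Local\Temp\wastlock_1.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\wastlock_1.exe"'),
    ProcEvent(1376, 1152, r"C:\Users\Admin\AppData\Roaming\Net:bin",
              r"C:\Users\Admin\AppData\Roaming\Net:bin -r"),
    ProcEvent(1944, 1376, r"C:\Windows\system32\vssadmin.exe",
              r"C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(1760, 1376, r"C:\Windows\SysWOW64\takeown.exe",
              r"C:\Windows\system32\takeown.exe /F C:\Windows\system32\Name.exe"),
    ProcEvent(1168, 1376, r"C:\Windows\SysWOW64\icacls.exe",
              r"C:\Windows\system32\icacls.exe C:\Windows\system32\Name.exe /reset"),
    ProcEvent(524, 1376, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Net" & del "C:\Users\Admin\AppData\Roaming\Net"'),
    ProcEvent(1532, 1152, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\wastlock_1.exe" & del "C:\Users\Admin\AppData\Local\Temp\wastlock_1.exe"'),
    ProcEvent(864, 0, r"C:\Windows\SysWOW64\Name.exe", r"C:\Windows\SysWOW64\Name.exe -s"),
    ProcEvent(1496, 864, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Name.exe" & del "C:\Windows\SysWOW64\Name.exe"'),
    ProcEvent(2000, 1999, r"C:\Windows\system32\vssadmin.exe", r"vssadmin list shadows"),  # benign control
]

# choice as a sleep, then attrib -h and del on the same quoted path
SELF_DELETE = re.compile(
    r'choice\s+/t\s+\d+\s+/d\s+y\s*&\s*attrib\s+-h\s+"([^"]+)"\s*&\s*del\s+"([^"]+)"',
    re.IGNORECASE)
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def is_ads_path(path: str) -> bool:
    """True when the last component is host:stream, i.e. an NTFS alternate data stream."""
    return ":" in basename(path)


def host_file(path: str) -> str:
    """Strip the stream name: C:\\dir\\Net:bin -> C:\\dir\\Net."""
    head, sep, name = path.rpartition("\\")
    return head + sep + name.split(":", 1)[0]


def targets(cmdline: str) -> list:
    """Non-switch arguments of a Windows command line, surrounding quotes removed."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)[1:] if not t.startswith("/")]


def detect(events):
    """Return (pid, rule) findings for the behaviours seen in the report."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image).lower()
        cmd = e.cmdline.lower()
        if is_ads_path(e.image):
            findings.append((e.pid, "exec_from_ads"))
        # vssadmin Delete Shadows as in the report; wmic shadowcopy delete is the
        # usual equivalent and is covered as a generalisation.
        if (name == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd) or \
           (name == "wmic.exe" and "shadowcopy" in cmd and "delete" in cmd):
            findings.append((e.pid, "shadow_copy_deletion"))
        if name in ("takeown.exe", "icacls.exe") and any(SYSTEM_DIR.match(t) for t in targets(e.cmdline)):
            findings.append((e.pid, "acl_change_in_system_dir"))
        m = SELF_DELETE.search(e.cmdline)
        if m and m.group(1).lower() == m.group(2).lower():
            parent = by_pid.get(e.ppid)
            deleted = m.group(1).lower()
            # Deleting the parent's image, or the host file of the ADS the parent runs from,
            # is the self-removal seen three times in the report.
            if parent and deleted in (parent.image.lower(), host_file(parent.image).lower()):
                findings.append((e.pid, "parent_self_delete"))
            else:
                findings.append((e.pid, "delayed_delete_chain"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"PID {pid:<5} {rule}")
```

The ADS rule keys on the image path rather than the command line because the stream separator is unambiguous there (a colon in the final path component), and the self-delete rule compares the deleted path with the parent's image so that an ordinary cleanup script is reported as the weaker "delayed_delete_chain" rather than as self-removal.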
Downloads
- C:\Users\Admin\AppData\Roaming\Net:bin
- C:\Windows\SysWOW64\Name.exe
- \Users\Admin\AppData\Roaming\Net
- memory/276-16-0x0000000000000000-mapping.dmp
- memory/524-12-0x0000000000000000-mapping.dmp
- memory/816-11-0x0000000000000000-mapping.dmp
- memory/884-15-0x0000000000000000-mapping.dmp
- memory/1084-14-0x0000000000000000-mapping.dmp
- memory/1168-8-0x0000000000000000-mapping.dmp
- memory/1376-2-0x0000000000000000-mapping.dmp
- memory/1476-17-0x0000000000000000-mapping.dmp
- memory/1496-10-0x0000000000000000-mapping.dmp
- memory/1532-13-0x0000000000000000-mapping.dmp
- memory/1564-18-0x0000000000000000-mapping.dmp
- memory/1760-6-0x0000000000000000-mapping.dmp
- memory/1944-4-0x0000000000000000-mapping.dmp