wastedlocker | d5b5a063656f2ce6dc50ed24278a2d21f2bb762c8e65c0d2ffc2477986896acf

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7
submitted
02-09-2020 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sample_5f2c5184b9ca450019d4b155.false.exe
Size

1.2MB
MD5

72aa9ab7c9d740aa4e1a554fe2e53d53
SHA1

476741067c0a95bf7b4b4589f30f0046cd3a14be
SHA256

d5b5a063656f2ce6dc50ed24278a2d21f2bb762c8e65c0d2ffc2477986896acf
SHA512

1c5440f5f6ac7cb6a489d32c035924e9446e5808b96a7922c249da15070ef3694001d8c09726d521edba5f41cbb5c1564fe122bf1565a80f290f745f3ac660ab

Score

10^/10

discovery ransomware persistence exploit wastedlocker

Malware Config

Signatures

WastedLocker
Ransomware family seen in the wild since May 2020.
ransomware wastedlocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

pid	Process
1056	Video:bin
1636	Video.exe

Modifies extensions of user files 27 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ResizeUnprotect.tif.seccrypt	Video.exe
File opened for modification	C:\Users\Admin\Pictures\ResolveOut.crw.seccrypt	Video.exe
File created	C:\Users\Admin\Pictures\RestoreClose.tiff.howto_seccrypt	Video.exe
File renamed	C:\Users\Admin\Pictures\RestoreClose.tiff => C:\Users\Admin\Pictures\RestoreClose.tiff.seccrypt	Video.exe
File opened for modification	C:\Users\Admin\Pictures\RestoreClose.tiff.seccrypt	Video.exe
File created	C:\Users\Admin\Pictures\DismountDisconnect.crw.howto_seccrypt	Video.exe
File renamed	C:\Users\Admin\Pictures\SetLimit.raw => C:\Users\Admin\Pictures\SetLimit.raw.seccrypt	Video.exe
File created	C:\Users\Admin\Pictures\WriteExport.png.howto_seccrypt	Video.exe
File opened for modification	C:\Users\Admin\Pictures\EnableRequest.tif.seccrypt	Video.exe
File renamed	C:\Users\Admin\Pictures\ResolveOut.crw => C:\Users\Admin\Pictures\ResolveOut.crw.seccrypt	Video.exe
File renamed	C:\Users\Admin\Pictures\ResizeUnprotect.tif => C:\Users\Admin\Pictures\ResizeUnprotect.tif.seccrypt	Video.exe
File opened for modification	C:\Users\Admin\Pictures\SetLimit.raw.seccrypt	Video.exe
File opened for modification	C:\Users\Admin\Pictures\WriteExport.png.seccrypt	Video.exe
File renamed	C:\Users\Admin\Pictures\ClearOpen.tiff => C:\Users\Admin\Pictures\ClearOpen.tiff.seccrypt	Video.exe
File renamed	C:\Users\Admin\Pictures\DismountDisconnect.crw => C:\Users\Admin\Pictures\DismountDisconnect.crw.seccrypt	Video.exe
File opened for modification	C:\Users\Admin\Pictures\MoveLimit.tif.seccrypt	Video.exe
File created	C:\Users\Admin\Pictures\SetLimit.raw.howto_seccrypt	Video.exe
File renamed	C:\Users\Admin\Pictures\WriteExport.png => C:\Users\Admin\Pictures\WriteExport.png.seccrypt	Video.exe
File opened for modification	C:\Users\Admin\Pictures\ClearOpen.tiff.seccrypt	Video.exe
File created	C:\Users\Admin\Pictures\EnableRequest.tif.howto_seccrypt	Video.exe
File renamed	C:\Users\Admin\Pictures\EnableRequest.tif => C:\Users\Admin\Pictures\EnableRequest.tif.seccrypt	Video.exe
File created	C:\Users\Admin\Pictures\ResizeUnprotect.tif.howto_seccrypt	Video.exe
File created	C:\Users\Admin\Pictures\ResolveOut.crw.howto_seccrypt	Video.exe
File created	C:\Users\Admin\Pictures\MoveLimit.tif.howto_seccrypt	Video.exe
File created	C:\Users\Admin\Pictures\ClearOpen.tiff.howto_seccrypt	Video.exe
File opened for modification	C:\Users\Admin\Pictures\DismountDisconnect.crw.seccrypt	Video.exe
File renamed	C:\Users\Admin\Pictures\MoveLimit.tif => C:\Users\Admin\Pictures\MoveLimit.tif.seccrypt	Video.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
1644	icacls.exe
1620	takeown.exe

Deletes itself 1 IoCs

pid	Process
2000	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1164	Sample_5f2c5184b9ca450019d4b155.false.exe
1164	Sample_5f2c5184b9ca450019d4b155.false.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1620	takeown.exe
1644	icacls.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Video.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Video.exe	Video:bin

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1100	vssadmin.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Video:bin	Sample_5f2c5184b9ca450019d4b155.false.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	1812	vssvc.exe
Token: SeRestorePrivilege	1812	vssvc.exe
Token: SeAuditPrivilege	1812	vssvc.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 1056	1164	Sample_5f2c5184b9ca450019d4b155.false.exe	25
PID 1164 wrote to memory of 1056	1164	Sample_5f2c5184b9ca450019d4b155.false.exe	25
PID 1164 wrote to memory of 1056	1164	Sample_5f2c5184b9ca450019d4b155.false.exe	25
PID 1164 wrote to memory of 1056	1164	Sample_5f2c5184b9ca450019d4b155.false.exe	25
PID 1056 wrote to memory of 1100	1056	Video:bin	26
PID 1056 wrote to memory of 1100	1056	Video:bin	26
PID 1056 wrote to memory of 1100	1056	Video:bin	26
PID 1056 wrote to memory of 1100	1056	Video:bin	26
PID 1056 wrote to memory of 1620	1056	Video:bin	30
PID 1056 wrote to memory of 1620	1056	Video:bin	30
PID 1056 wrote to memory of 1620	1056	Video:bin	30
PID 1056 wrote to memory of 1620	1056	Video:bin	30
PID 1056 wrote to memory of 1644	1056	Video:bin	32
PID 1056 wrote to memory of 1644	1056	Video:bin	32
PID 1056 wrote to memory of 1644	1056	Video:bin	32
PID 1056 wrote to memory of 1644	1056	Video:bin	32
PID 1636 wrote to memory of 1964	1636	Video.exe	36
PID 1636 wrote to memory of 1964	1636	Video.exe	36
PID 1636 wrote to memory of 1964	1636	Video.exe	36
PID 1636 wrote to memory of 1964	1636	Video.exe	36
PID 1964 wrote to memory of 1992	1964	cmd.exe	38
PID 1964 wrote to memory of 1992	1964	cmd.exe	38
PID 1964 wrote to memory of 1992	1964	cmd.exe	38
PID 1964 wrote to memory of 1992	1964	cmd.exe	38
PID 1056 wrote to memory of 828	1056	Video:bin	42
PID 1056 wrote to memory of 828	1056	Video:bin	42
PID 1056 wrote to memory of 828	1056	Video:bin	42
PID 1056 wrote to memory of 828	1056	Video:bin	42
PID 1164 wrote to memory of 2000	1164	Sample_5f2c5184b9ca450019d4b155.false.exe	43
PID 1164 wrote to memory of 2000	1164	Sample_5f2c5184b9ca450019d4b155.false.exe	43
PID 1164 wrote to memory of 2000	1164	Sample_5f2c5184b9ca450019d4b155.false.exe	43
PID 1164 wrote to memory of 2000	1164	Sample_5f2c5184b9ca450019d4b155.false.exe	43
PID 828 wrote to memory of 1396	828	cmd.exe	46
PID 828 wrote to memory of 1396	828	cmd.exe	46
PID 828 wrote to memory of 1396	828	cmd.exe	46
PID 828 wrote to memory of 1396	828	cmd.exe	46
PID 2000 wrote to memory of 868	2000	cmd.exe	47
PID 2000 wrote to memory of 868	2000	cmd.exe	47
PID 2000 wrote to memory of 868	2000	cmd.exe	47
PID 2000 wrote to memory of 868	2000	cmd.exe	47
PID 1964 wrote to memory of 2028	1964	cmd.exe	48
PID 1964 wrote to memory of 2028	1964	cmd.exe	48
PID 1964 wrote to memory of 2028	1964	cmd.exe	48
PID 1964 wrote to memory of 2028	1964	cmd.exe	48
PID 828 wrote to memory of 1572	828	cmd.exe	49
PID 828 wrote to memory of 1572	828	cmd.exe	49
PID 828 wrote to memory of 1572	828	cmd.exe	49
PID 828 wrote to memory of 1572	828	cmd.exe	49
PID 2000 wrote to memory of 1504	2000	cmd.exe	50
PID 2000 wrote to memory of 1504	2000	cmd.exe	50
PID 2000 wrote to memory of 1504	2000	cmd.exe	50
PID 2000 wrote to memory of 1504	2000	cmd.exe	50

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2028	attrib.exe
1572	attrib.exe
1504	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Sample_5f2c5184b9ca450019d4b155.false.exe
"C:\Users\Admin\AppData\Local\Temp\Sample_5f2c5184b9ca450019d4b155.false.exe"
1⤵
- Loads dropped DLL
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Users\Admin\AppData\Roaming\Video:bin
  C:\Users\Admin\AppData\Roaming\Video:bin -r
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\system32\vssadmin.exe
    C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1100
- - C:\Windows\SysWOW64\takeown.exe
    C:\Windows\system32\takeown.exe /F C:\Windows\system32\Video.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1620
- - C:\Windows\SysWOW64\icacls.exe
    C:\Windows\system32\icacls.exe C:\Windows\system32\Video.exe /reset
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Video" & del "C:\Users\Admin\AppData\Roaming\Video"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:828
  - - C:\Windows\SysWOW64\choice.exe
      choice /t 10 /d y
      4⤵
      PID:1396
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -h "C:\Users\Admin\AppData\Roaming\Video"
      4⤵
      Views/modifies file attributes
      PID:1572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\Sample_5f2c5184b9ca450019d4b155.false.exe" & del "C:\Users\Admin\AppData\Local\Temp\Sample_5f2c5184b9ca450019d4b155.false.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\SysWOW64\choice.exe
    choice /t 10 /d y
    3⤵
    PID:868
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h "C:\Users\Admin\AppData\Local\Temp\Sample_5f2c5184b9ca450019d4b155.false.exe"
    3⤵
    - Views/modifies file attributes
    PID:1504

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\SysWOW64\Video.exe
C:\Windows\SysWOW64\Video.exe -s
1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Video.exe" & del "C:\Windows\SysWOW64\Video.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\SysWOW64\choice.exe
    choice /t 10 /d y
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h "C:\Windows\SysWOW64\Video.exe"
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads