Analysis
- max time kernel: 22s
- max time network: 18s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 03-11-2020 14:20
Static task: static1
Behavioral task: behavioral1
- Sample: 7de425238719622bf2b2150591631b0a71d6a5dade419a4e67b9bdbfa272b559.bin.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 7de425238719622bf2b2150591631b0a71d6a5dade419a4e67b9bdbfa272b559.bin.exe
- Resource: win10v20201028
General
- Target: 7de425238719622bf2b2150591631b0a71d6a5dade419a4e67b9bdbfa272b559.bin.exe
- Size: 58KB
- MD5: 432a1dd2d40e5b0f6385096847efd3b2
- SHA1: f5735932baf8b04a8e1ca622ff06d37a9db29d9f
- SHA256: 7de425238719622bf2b2150591631b0a71d6a5dade419a4e67b9bdbfa272b559
- SHA512: 0d713fa5ca52322ea2295d305adbcecc83aaf6b46024987a483112fbbc4c47db6695d0e019b7e68f1a8fe53ff4cbbb4010a981a3fa91eb9be42ebccc75118c1e
Malware Config
Signatures
- WastedLocker
  Ransomware family seen in the wild since May 2020.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (2 IoCs)
  Processes:
  - PID 1344: Snmp:bin
  - PID 1724: Snmp.exe
- Modifies extensions of user files (6 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description / IoC / process):
  - File renamed: C:\Users\Admin\Pictures\UpdateGrant.crw => C:\Users\Admin\Pictures\UpdateGrant.crw.garminwasted (Snmp.exe)
  - File opened for modification: C:\Users\Admin\Pictures\UpdateGrant.crw.garminwasted (Snmp.exe)
  - File created: C:\Users\Admin\Pictures\MergeFormat.raw.garminwasted_info (Snmp.exe)
  - File renamed: C:\Users\Admin\Pictures\MergeFormat.raw => C:\Users\Admin\Pictures\MergeFormat.raw.garminwasted (Snmp.exe)
  - File opened for modification: C:\Users\Admin\Pictures\MergeFormat.raw.garminwasted (Snmp.exe)
  - File created: C:\Users\Admin\Pictures\UpdateGrant.crw.garminwasted_info (Snmp.exe)
- Possible privilege escalation attempt (2 IoCs)
  Processes:
  - PID 1632: takeown.exe
  - PID 644: icacls.exe
- Deletes itself (1 IoCs)
  Processes:
  - PID 616: cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  - PID 1892: 7de425238719622bf2b2150591631b0a71d6a5dade419a4e67b9bdbfa272b559.bin.exe
  - PID 1892: 7de425238719622bf2b2150591631b0a71d6a5dade419a4e67b9bdbfa272b559.bin.exe
- Modifies file permissions (1 TTPs, 2 IoCs)
  Processes:
  - PID 1632: takeown.exe
  - PID 644: icacls.exe
- Drops file in System32 directory (2 IoCs)
  Processes (description / IoC / process):
  - File opened for modification: C:\Windows\SysWOW64\Snmp.exe (Snmp:bin)
  - File opened for modification: C:\Windows\SysWOW64\Snmp.exe (attrib.exe)
- Modifies service (2 TTPs, 5 IoCs)
  Processes (description / IoC / process):
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
  - PID 1448: vssadmin.exe
- NTFS ADS (1 IoCs)
  Processes (description / IoC / process):
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Snmp:bin (7de425238719622bf2b2150591631b0a71d6a5dade419a4e67b9bdbfa272b559.bin.exe)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / PID / process):
  - Token: SeBackupPrivilege, PID 1144 (vssvc.exe)
  - Token: SeRestorePrivilege, PID 1144 (vssvc.exe)
  - Token: SeAuditPrivilege, PID 1144 (vssvc.exe)
- Suspicious use of WriteProcessMemory (52 IoCs)
  Processes (source PID / source process -> target PID / target process; each pair was logged four times):
  - PID 1892 (7de425238719622bf2b2150591631b0a71d6a5dade419a4e67b9bdbfa272b559.bin.exe) wrote to memory of PID 1344 (Snmp:bin), x4
  - PID 1344 (Snmp:bin) wrote to memory of PID 1448 (vssadmin.exe), x4
  - PID 1344 (Snmp:bin) wrote to memory of PID 1632 (takeown.exe), x4
  - PID 1344 (Snmp:bin) wrote to memory of PID 644 (icacls.exe), x4
  - PID 1724 (Snmp.exe) wrote to memory of PID 396 (cmd.exe), x4
  - PID 396 (cmd.exe) wrote to memory of PID 576 (choice.exe), x4
  - PID 1344 (Snmp:bin) wrote to memory of PID 852 (cmd.exe), x4
  - PID 1892 (7de425238719622bf2b2150591631b0a71d6a5dade419a4e67b9bdbfa272b559.bin.exe) wrote to memory of PID 616 (cmd.exe), x4
  - PID 852 (cmd.exe) wrote to memory of PID 848 (choice.exe), x4
  - PID 616 (cmd.exe) wrote to memory of PID 1548 (choice.exe), x4
  - PID 396 (cmd.exe) wrote to memory of PID 1848 (attrib.exe), x4
  - PID 852 (cmd.exe) wrote to memory of PID 1844 (attrib.exe), x4
  - PID 616 (cmd.exe) wrote to memory of PID 1780 (attrib.exe), x4
- Views/modifies file attributes (1 TTPs, 3 IoCs)
  Processes:
  - PID 1844: attrib.exe
  - PID 1780: attrib.exe
  - PID 1848: attrib.exe
Processes (tree; nested entries are child processes of the entry above them)
- C:\Users\Admin\AppData\Local\Temp\7de425238719622bf2b2150591631b0a71d6a5dade419a4e67b9bdbfa272b559.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7de425238719622bf2b2150591631b0a71d6a5dade419a4e67b9bdbfa272b559.bin.exe"
  Signatures: Loads dropped DLL; NTFS ADS; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Snmp:bin
    Command line: C:\Users\Admin\AppData\Roaming\Snmp:bin -r
    Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      Signatures: Interacts with shadow copies
    - C:\Windows\SysWOW64\takeown.exe
      Command line: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Snmp.exe
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\SysWOW64\icacls.exe
      Command line: C:\Windows\system32\icacls.exe C:\Windows\system32\Snmp.exe /reset
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Snmp" & del "C:\Users\Admin\AppData\Roaming\Snmp"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\choice.exe
        Command line: choice /t 10 /d y
      - C:\Windows\SysWOW64\attrib.exe
        Command line: attrib -h "C:\Users\Admin\AppData\Roaming\Snmp"
        Signatures: Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\7de425238719622bf2b2150591631b0a71d6a5dade419a4e67b9bdbfa272b559.bin.exe" & del "C:\Users\Admin\AppData\Local\Temp\7de425238719622bf2b2150591631b0a71d6a5dade419a4e67b9bdbfa272b559.bin.exe"
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe
      Command line: choice /t 10 /d y
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\7de425238719622bf2b2150591631b0a71d6a5dade419a4e67b9bdbfa272b559.bin.exe"
      Signatures: Views/modifies file attributes
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Modifies service; Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\Snmp.exe
  Command line: C:\Windows\SysWOW64\Snmp.exe -s
  Signatures: Executes dropped EXE; Modifies extensions of user files; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Snmp.exe" & del "C:\Windows\SysWOW64\Snmp.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe
      Command line: choice /t 10 /d y
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Windows\SysWOW64\Snmp.exe"
      Signatures: Drops file in System32 directory; Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Snmp:bin
  MD5: 432a1dd2d40e5b0f6385096847efd3b2
  SHA1: f5735932baf8b04a8e1ca622ff06d37a9db29d9f
  SHA256: 7de425238719622bf2b2150591631b0a71d6a5dade419a4e67b9bdbfa272b559
  SHA512: 0d713fa5ca52322ea2295d305adbcecc83aaf6b46024987a483112fbbc4c47db6695d0e019b7e68f1a8fe53ff4cbbb4010a981a3fa91eb9be42ebccc75118c1e
- C:\Windows\SysWOW64\Snmp.exe
  MD5: 432a1dd2d40e5b0f6385096847efd3b2
  SHA1: f5735932baf8b04a8e1ca622ff06d37a9db29d9f
  SHA256: 7de425238719622bf2b2150591631b0a71d6a5dade419a4e67b9bdbfa272b559
  SHA512: 0d713fa5ca52322ea2295d305adbcecc83aaf6b46024987a483112fbbc4c47db6695d0e019b7e68f1a8fe53ff4cbbb4010a981a3fa91eb9be42ebccc75118c1e
- \Users\Admin\AppData\Roaming\Snmp
  MD5: f4e13e8fc9d1ce7623ddd120f9eb8ad1
  SHA1: 7808c7f02275773c9c0667adedaeb3b8a7bca48f
  SHA256: 68f3f085d6e42ae2c8e7db3f9821128a44f77fd81ef19e6cb884d8d8f71cf8ca
  SHA512: bedfb8b8a994bf9def221e9f51edf9b9c3ea7865656479b9382b77cff9f6556f1a15311a38c9f0d6704774f882ad13f836379d28de2091f3ed05032548146690
- memory/396-10-0x0000000000000000-mapping.dmp
- memory/576-11-0x0000000000000000-mapping.dmp
- memory/616-13-0x0000000000000000-mapping.dmp
- memory/644-8-0x0000000000000000-mapping.dmp
- memory/848-14-0x0000000000000000-mapping.dmp
- memory/852-12-0x0000000000000000-mapping.dmp
- memory/1344-2-0x0000000000000000-mapping.dmp
- memory/1448-4-0x0000000000000000-mapping.dmp
- memory/1548-15-0x0000000000000000-mapping.dmp
- memory/1632-6-0x0000000000000000-mapping.dmp
- memory/1780-18-0x0000000000000000-mapping.dmp
- memory/1844-17-0x0000000000000000-mapping.dmp
- memory/1848-16-0x0000000000000000-mapping.dmp