Analysis
- max time kernel: 21s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 03-11-2020 14:20
Static task: static1
Behavioral task: behavioral1
- Sample: 7de425238719622bf2b2150591631b0a71d6a5dade419a4e67b9bdbfa272b559.bin.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 7de425238719622bf2b2150591631b0a71d6a5dade419a4e67b9bdbfa272b559.bin.exe
- Resource: win10v20201028
General
- Target: 7de425238719622bf2b2150591631b0a71d6a5dade419a4e67b9bdbfa272b559.bin.exe
- Size: 58KB
- MD5: 432a1dd2d40e5b0f6385096847efd3b2
- SHA1: f5735932baf8b04a8e1ca622ff06d37a9db29d9f
- SHA256: 7de425238719622bf2b2150591631b0a71d6a5dade419a4e67b9bdbfa272b559
- SHA512: 0d713fa5ca52322ea2295d305adbcecc83aaf6b46024987a483112fbbc4c47db6695d0e019b7e68f1a8fe53ff4cbbb4010a981a3fa91eb9be42ebccc75118c1e
Malware Config
Signatures
- WastedLocker
  Ransomware family seen in the wild since May 2020.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (2 IoCs)
  Processes:
  pid | process
  3008 | Initial:bin
  1800 | Initial.exe
- Modifies extensions of user files (24 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes:
  description | ioc | process
  File created | C:\Users\Admin\Pictures\GetStop.png.garminwasted_info | Initial.exe
  File created | C:\Users\Admin\Pictures\RemoveInitialize.raw.garminwasted_info | Initial.exe
  File created | C:\Users\Admin\Pictures\RestartClose.tiff.garminwasted_info | Initial.exe
  File opened for modification | C:\Users\Admin\Pictures\RestartClose.tiff.garminwasted | Initial.exe
  File renamed | C:\Users\Admin\Pictures\UseRegister.crw => C:\Users\Admin\Pictures\UseRegister.crw.garminwasted | Initial.exe
  File renamed | C:\Users\Admin\Pictures\ConfirmSync.tiff => C:\Users\Admin\Pictures\ConfirmSync.tiff.garminwasted | Initial.exe
  File created | C:\Users\Admin\Pictures\SendConvertFrom.png.garminwasted_info | Initial.exe
  File renamed | C:\Users\Admin\Pictures\RemoveInitialize.raw => C:\Users\Admin\Pictures\RemoveInitialize.raw.garminwasted | Initial.exe
  File renamed | C:\Users\Admin\Pictures\GetPop.tiff => C:\Users\Admin\Pictures\GetPop.tiff.garminwasted | Initial.exe
  File renamed | C:\Users\Admin\Pictures\GetStop.png => C:\Users\Admin\Pictures\GetStop.png.garminwasted | Initial.exe
  File opened for modification | C:\Users\Admin\Pictures\GetStop.png.garminwasted | Initial.exe
  File opened for modification | C:\Users\Admin\Pictures\RemoveInitialize.raw.garminwasted | Initial.exe
  File renamed | C:\Users\Admin\Pictures\RestartClose.tiff => C:\Users\Admin\Pictures\RestartClose.tiff.garminwasted | Initial.exe
  File renamed | C:\Users\Admin\Pictures\SendConvertFrom.png => C:\Users\Admin\Pictures\SendConvertFrom.png.garminwasted | Initial.exe
  File created | C:\Users\Admin\Pictures\UseRegister.crw.garminwasted_info | Initial.exe
  File renamed | C:\Users\Admin\Pictures\CompareEnter.raw => C:\Users\Admin\Pictures\CompareEnter.raw.garminwasted | Initial.exe
  File opened for modification | C:\Users\Admin\Pictures\UseRegister.crw.garminwasted | Initial.exe
  File created | C:\Users\Admin\Pictures\ConfirmSync.tiff.garminwasted_info | Initial.exe
  File opened for modification | C:\Users\Admin\Pictures\CompareEnter.raw.garminwasted | Initial.exe
  File opened for modification | C:\Users\Admin\Pictures\ConfirmSync.tiff.garminwasted | Initial.exe
  File created | C:\Users\Admin\Pictures\GetPop.tiff.garminwasted_info | Initial.exe
  File opened for modification | C:\Users\Admin\Pictures\GetPop.tiff.garminwasted | Initial.exe
  File opened for modification | C:\Users\Admin\Pictures\SendConvertFrom.png.garminwasted | Initial.exe
  File created | C:\Users\Admin\Pictures\CompareEnter.raw.garminwasted_info | Initial.exe
- Possible privilege escalation attempt (2 IoCs)
  Processes:
  pid | process
  4020 | takeown.exe
  1444 | icacls.exe
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes:
  pid | process
  4020 | takeown.exe
  1444 | icacls.exe
- Drops file in System32 directory (2 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\Initial.exe | Initial:bin
  File opened for modification | C:\Windows\SysWOW64\Initial.exe | attrib.exe
- Modifies service (2 TTPs, 5 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
  pid | process
  3524 | vssadmin.exe
- NTFS ADS (1 IoC)
  Processes:
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Initial:bin | 7de425238719622bf2b2150591631b0a71d6a5dade419a4e67b9bdbfa272b559.bin.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description | pid | process
  Token: SeBackupPrivilege | 3132 | vssvc.exe
  Token: SeRestorePrivilege | 3132 | vssvc.exe
  Token: SeAuditPrivilege | 3132 | vssvc.exe
- Suspicious use of WriteProcessMemory (38 IoCs)
  Processes:
  description | pid | process | target process
  PID 508 wrote to memory of 3008 | 508 | 7de425238719622bf2b2150591631b0a71d6a5dade419a4e67b9bdbfa272b559.bin.exe | Initial:bin
  PID 508 wrote to memory of 3008 | 508 | 7de425238719622bf2b2150591631b0a71d6a5dade419a4e67b9bdbfa272b559.bin.exe | Initial:bin
  PID 508 wrote to memory of 3008 | 508 | 7de425238719622bf2b2150591631b0a71d6a5dade419a4e67b9bdbfa272b559.bin.exe | Initial:bin
  PID 3008 wrote to memory of 3524 | 3008 | Initial:bin | vssadmin.exe
  PID 3008 wrote to memory of 3524 | 3008 | Initial:bin | vssadmin.exe
  PID 3008 wrote to memory of 4020 | 3008 | Initial:bin | takeown.exe
  PID 3008 wrote to memory of 4020 | 3008 | Initial:bin | takeown.exe
  PID 3008 wrote to memory of 4020 | 3008 | Initial:bin | takeown.exe
  PID 3008 wrote to memory of 1444 | 3008 | Initial:bin | icacls.exe
  PID 3008 wrote to memory of 1444 | 3008 | Initial:bin | icacls.exe
  PID 3008 wrote to memory of 1444 | 3008 | Initial:bin | icacls.exe
  PID 1800 wrote to memory of 3000 | 1800 | Initial.exe | cmd.exe
  PID 1800 wrote to memory of 3000 | 1800 | Initial.exe | cmd.exe
  PID 1800 wrote to memory of 3000 | 1800 | Initial.exe | cmd.exe
  PID 3008 wrote to memory of 2388 | 3008 | Initial:bin | cmd.exe
  PID 3008 wrote to memory of 2388 | 3008 | Initial:bin | cmd.exe
  PID 3008 wrote to memory of 2388 | 3008 | Initial:bin | cmd.exe
  PID 508 wrote to memory of 2080 | 508 | 7de425238719622bf2b2150591631b0a71d6a5dade419a4e67b9bdbfa272b559.bin.exe | cmd.exe
  PID 508 wrote to memory of 2080 | 508 | 7de425238719622bf2b2150591631b0a71d6a5dade419a4e67b9bdbfa272b559.bin.exe | cmd.exe
  PID 508 wrote to memory of 2080 | 508 | 7de425238719622bf2b2150591631b0a71d6a5dade419a4e67b9bdbfa272b559.bin.exe | cmd.exe
  PID 3000 wrote to memory of 2872 | 3000 | cmd.exe | choice.exe
  PID 3000 wrote to memory of 2872 | 3000 | cmd.exe | choice.exe
  PID 3000 wrote to memory of 2872 | 3000 | cmd.exe | choice.exe
  PID 2388 wrote to memory of 3944 | 2388 | cmd.exe | choice.exe
  PID 2388 wrote to memory of 3944 | 2388 | cmd.exe | choice.exe
  PID 2388 wrote to memory of 3944 | 2388 | cmd.exe | choice.exe
  PID 2080 wrote to memory of 3812 | 2080 | cmd.exe | choice.exe
  PID 2080 wrote to memory of 3812 | 2080 | cmd.exe | choice.exe
  PID 2080 wrote to memory of 3812 | 2080 | cmd.exe | choice.exe
  PID 3000 wrote to memory of 184 | 3000 | cmd.exe | attrib.exe
  PID 3000 wrote to memory of 184 | 3000 | cmd.exe | attrib.exe
  PID 3000 wrote to memory of 184 | 3000 | cmd.exe | attrib.exe
  PID 2388 wrote to memory of 204 | 2388 | cmd.exe | attrib.exe
  PID 2388 wrote to memory of 204 | 2388 | cmd.exe | attrib.exe
  PID 2388 wrote to memory of 204 | 2388 | cmd.exe | attrib.exe
  PID 2080 wrote to memory of 1724 | 2080 | cmd.exe | attrib.exe
  PID 2080 wrote to memory of 1724 | 2080 | cmd.exe | attrib.exe
  PID 2080 wrote to memory of 1724 | 2080 | cmd.exe | attrib.exe
- Views/modifies file attributes (1 TTP, 3 IoCs)
  Processes:
  pid | process
  184 | attrib.exe
  204 | attrib.exe
  1724 | attrib.exe
Processes (process tree; children are indented under their parent)
- C:\Users\Admin\AppData\Local\Temp\7de425238719622bf2b2150591631b0a71d6a5dade419a4e67b9bdbfa272b559.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7de425238719622bf2b2150591631b0a71d6a5dade419a4e67b9bdbfa272b559.bin.exe"
  Signatures: NTFS ADS; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Initial:bin
    Command line: C:\Users\Admin\AppData\Roaming\Initial:bin -r
    Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      Signatures: Interacts with shadow copies
    - C:\Windows\SysWOW64\takeown.exe
      Command line: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Initial.exe
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\SysWOW64\icacls.exe
      Command line: C:\Windows\system32\icacls.exe C:\Windows\system32\Initial.exe /reset
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Initial" & del "C:\Users\Admin\AppData\Roaming\Initial"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\choice.exe
        Command line: choice /t 10 /d y
      - C:\Windows\SysWOW64\attrib.exe
        Command line: attrib -h "C:\Users\Admin\AppData\Roaming\Initial"
        Signatures: Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\7de425238719622bf2b2150591631b0a71d6a5dade419a4e67b9bdbfa272b559.bin.exe" & del "C:\Users\Admin\AppData\Local\Temp\7de425238719622bf2b2150591631b0a71d6a5dade419a4e67b9bdbfa272b559.bin.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe
      Command line: choice /t 10 /d y
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\7de425238719622bf2b2150591631b0a71d6a5dade419a4e67b9bdbfa272b559.bin.exe"
      Signatures: Views/modifies file attributes
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Modifies service; Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\Initial.exe
  Command line: C:\Windows\SysWOW64\Initial.exe -s
  Signatures: Executes dropped EXE; Modifies extensions of user files; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Initial.exe" & del "C:\Windows\SysWOW64\Initial.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe
      Command line: choice /t 10 /d y
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Windows\SysWOW64\Initial.exe"
      Signatures: Drops file in System32 directory; Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Initial:bin
  MD5: 432a1dd2d40e5b0f6385096847efd3b2
  SHA1: f5735932baf8b04a8e1ca622ff06d37a9db29d9f
  SHA256: 7de425238719622bf2b2150591631b0a71d6a5dade419a4e67b9bdbfa272b559
  SHA512: 0d713fa5ca52322ea2295d305adbcecc83aaf6b46024987a483112fbbc4c47db6695d0e019b7e68f1a8fe53ff4cbbb4010a981a3fa91eb9be42ebccc75118c1e
- C:\Users\Admin\AppData\Roaming\Initial:bin
  MD5: 432a1dd2d40e5b0f6385096847efd3b2
  SHA1: f5735932baf8b04a8e1ca622ff06d37a9db29d9f
  SHA256: 7de425238719622bf2b2150591631b0a71d6a5dade419a4e67b9bdbfa272b559
  SHA512: 0d713fa5ca52322ea2295d305adbcecc83aaf6b46024987a483112fbbc4c47db6695d0e019b7e68f1a8fe53ff4cbbb4010a981a3fa91eb9be42ebccc75118c1e
- C:\Windows\SysWOW64\Initial.exe
  MD5: 432a1dd2d40e5b0f6385096847efd3b2
  SHA1: f5735932baf8b04a8e1ca622ff06d37a9db29d9f
  SHA256: 7de425238719622bf2b2150591631b0a71d6a5dade419a4e67b9bdbfa272b559
  SHA512: 0d713fa5ca52322ea2295d305adbcecc83aaf6b46024987a483112fbbc4c47db6695d0e019b7e68f1a8fe53ff4cbbb4010a981a3fa91eb9be42ebccc75118c1e
- C:\Windows\SysWOW64\Initial.exe
  MD5: 432a1dd2d40e5b0f6385096847efd3b2
  SHA1: f5735932baf8b04a8e1ca622ff06d37a9db29d9f
  SHA256: 7de425238719622bf2b2150591631b0a71d6a5dade419a4e67b9bdbfa272b559
  SHA512: 0d713fa5ca52322ea2295d305adbcecc83aaf6b46024987a483112fbbc4c47db6695d0e019b7e68f1a8fe53ff4cbbb4010a981a3fa91eb9be42ebccc75118c1e
- memory/184-14-0x0000000000000000-mapping.dmp
- memory/204-15-0x0000000000000000-mapping.dmp
- memory/1444-6-0x0000000000000000-mapping.dmp
- memory/1724-16-0x0000000000000000-mapping.dmp
- memory/2080-10-0x0000000000000000-mapping.dmp
- memory/2388-9-0x0000000000000000-mapping.dmp
- memory/2872-11-0x0000000000000000-mapping.dmp
- memory/3000-8-0x0000000000000000-mapping.dmp
- memory/3008-0-0x0000000000000000-mapping.dmp
- memory/3524-3-0x0000000000000000-mapping.dmp
- memory/3812-13-0x0000000000000000-mapping.dmp
- memory/3944-12-0x0000000000000000-mapping.dmp
- memory/4020-4-0x0000000000000000-mapping.dmp