Analysis
- Max time kernel: 74s
- Max time network: 146s
- Platform: windows10_x64
- Resource: win10v20201028
- Submitted: 03-11-2020 14:20
Static task: static1
Behavioral task: behavioral1
  Sample: 37a30621364d3083424b24b0255fc8f5752d88c381600d840574e551c284fb6e.bin.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 37a30621364d3083424b24b0255fc8f5752d88c381600d840574e551c284fb6e.bin.exe
  Resource: win10v20201028
General
- Target: 37a30621364d3083424b24b0255fc8f5752d88c381600d840574e551c284fb6e.bin.exe
- Size: 58KB
- MD5: 6d9ad19726c79c0f7b4bf91475452e2d
- SHA1: e6d92f05926c01ed146dbfdf02500c234ccf0888
- SHA256: 37a30621364d3083424b24b0255fc8f5752d88c381600d840574e551c284fb6e
- SHA512: 87923aeb9b0d409975dd0d364a6c12b57afffde944ccb6707cff134d456f6b8e9c1753b63ff7ffcbc0d389c37a1cff1cadc5075e4ecb503ebcabeb3f631b5eb3
Malware Config
Signatures
- WastedLocker
  Ransomware family seen in the wild since May 2020.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (2 IoCs)
  Processes:
    pid  | process
    4128 | Server:bin
    3116 | Server.exe
- Modifies extensions of user files (6 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes:
    description                  | ioc                                                                                                  | process
    File created                 | C:\Users\Admin\Pictures\RegisterWrite.raw.garminwasted_info                                          | Server.exe
    File renamed                 | C:\Users\Admin\Pictures\RegisterWrite.raw => C:\Users\Admin\Pictures\RegisterWrite.raw.garminwasted | Server.exe
    File opened for modification | C:\Users\Admin\Pictures\RegisterWrite.raw.garminwasted                                               | Server.exe
    File created                 | C:\Users\Admin\Pictures\PingWrite.tiff.garminwasted_info                                             | Server.exe
    File renamed                 | C:\Users\Admin\Pictures\PingWrite.tiff => C:\Users\Admin\Pictures\PingWrite.tiff.garminwasted       | Server.exe
    File opened for modification | C:\Users\Admin\Pictures\PingWrite.tiff.garminwasted                                                  | Server.exe
- Possible privilege escalation attempt (2 IoCs)
  Processes:
    pid  | process
    776  | takeown.exe
    4192 | icacls.exe
- Modifies file permissions (1 TTPs, 2 IoCs)
  Processes:
    pid  | process
    776  | takeown.exe
    4192 | icacls.exe
- Drops file in System32 directory (2 IoCs)
  Processes:
    description                  | ioc                            | process
    File opened for modification | C:\Windows\SysWOW64\Server.exe | Server:bin
    File opened for modification | C:\Windows\SysWOW64\Server.exe | attrib.exe
- Modifies service (2 TTPs, 5 IoCs)
  Processes:
    description | ioc                                                                                                        | process
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer                   | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                                   | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer                                 | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                                        | vssvc.exe
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid  | process
    1872 | vssadmin.exe
- NTFS ADS (1 IoCs)
  Processes:
    description                  | ioc                                      | process
    File opened for modification | C:\Users\Admin\AppData\Roaming\Server:bin | 37a30621364d3083424b24b0255fc8f5752d88c381600d840574e551c284fb6e.bin.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description               | pid  | process
    Token: SeBackupPrivilege  | 3544 | vssvc.exe
    Token: SeRestorePrivilege | 3544 | vssvc.exe
    Token: SeAuditPrivilege   | 3544 | vssvc.exe
- Suspicious use of WriteProcessMemory (38 IoCs; identical rows are collapsed with their entry count)
  Processes:
    description                       | pid  | process                                                                  | target process | entries
    PID 4704 wrote to memory of 4128  | 4704 | 37a30621364d3083424b24b0255fc8f5752d88c381600d840574e551c284fb6e.bin.exe | Server:bin     | 3
    PID 4128 wrote to memory of 1872  | 4128 | Server:bin                                                               | vssadmin.exe   | 2
    PID 4128 wrote to memory of 776   | 4128 | Server:bin                                                               | takeown.exe    | 3
    PID 4128 wrote to memory of 4192  | 4128 | Server:bin                                                               | icacls.exe     | 3
    PID 3116 wrote to memory of 2096  | 3116 | Server.exe                                                               | cmd.exe        | 3
    PID 2096 wrote to memory of 4056  | 2096 | cmd.exe                                                                  | choice.exe     | 3
    PID 4128 wrote to memory of 3504  | 4128 | Server:bin                                                               | cmd.exe        | 3
    PID 4704 wrote to memory of 2056  | 4704 | 37a30621364d3083424b24b0255fc8f5752d88c381600d840574e551c284fb6e.bin.exe | cmd.exe        | 3
    PID 3504 wrote to memory of 4440  | 3504 | cmd.exe                                                                  | choice.exe     | 3
    PID 2056 wrote to memory of 4404  | 2056 | cmd.exe                                                                  | choice.exe     | 3
    PID 2096 wrote to memory of 672   | 2096 | cmd.exe                                                                  | attrib.exe     | 3
    PID 3504 wrote to memory of 884   | 3504 | cmd.exe                                                                  | attrib.exe     | 3
    PID 2056 wrote to memory of 1000  | 2056 | cmd.exe                                                                  | attrib.exe     | 3
- Views/modifies file attributes (1 TTPs, 3 IoCs)
  Processes:
    pid  | process
    884  | attrib.exe
    1000 | attrib.exe
    672  | attrib.exe
Processes (indented by depth in the process tree; each entry gives the image path, the recorded command line, and the signatures that fired for it)

C:\Users\Admin\AppData\Local\Temp\37a30621364d3083424b24b0255fc8f5752d88c381600d840574e551c284fb6e.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\37a30621364d3083424b24b0255fc8f5752d88c381600d840574e551c284fb6e.bin.exe"
  - NTFS ADS
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Server:bin
      Command line: C:\Users\Admin\AppData\Roaming\Server:bin -r
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\vssadmin.exe
          Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
          - Interacts with shadow copies

        C:\Windows\SysWOW64\takeown.exe
          Command line: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Server.exe
          - Possible privilege escalation attempt
          - Modifies file permissions

        C:\Windows\SysWOW64\icacls.exe
          Command line: C:\Windows\system32\icacls.exe C:\Windows\system32\Server.exe /reset
          - Possible privilege escalation attempt
          - Modifies file permissions

        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Server" & del "C:\Users\Admin\AppData\Roaming\Server"
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\choice.exe
              Command line: choice /t 10 /d y

            C:\Windows\SysWOW64\attrib.exe
              Command line: attrib -h "C:\Users\Admin\AppData\Roaming\Server"
              - Views/modifies file attributes

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\37a30621364d3083424b24b0255fc8f5752d88c381600d840574e551c284fb6e.bin.exe" & del "C:\Users\Admin\AppData\Local\Temp\37a30621364d3083424b24b0255fc8f5752d88c381600d840574e551c284fb6e.bin.exe"
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\choice.exe
          Command line: choice /t 10 /d y

        C:\Windows\SysWOW64\attrib.exe
          Command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\37a30621364d3083424b24b0255fc8f5752d88c381600d840574e551c284fb6e.bin.exe"
          - Views/modifies file attributes

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\Server.exe
  Command line: C:\Windows\SysWOW64\Server.exe -s
  - Executes dropped EXE
  - Modifies extensions of user files
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Server.exe" & del "C:\Windows\SysWOW64\Server.exe"
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\choice.exe
          Command line: choice /t 10 /d y

        C:\Windows\SysWOW64\attrib.exe
          Command line: attrib -h "C:\Windows\SysWOW64\Server.exe"
          - Drops file in System32 directory
          - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Server:bin
  MD5: 6d9ad19726c79c0f7b4bf91475452e2d
  SHA1: e6d92f05926c01ed146dbfdf02500c234ccf0888
  SHA256: 37a30621364d3083424b24b0255fc8f5752d88c381600d840574e551c284fb6e
  SHA512: 87923aeb9b0d409975dd0d364a6c12b57afffde944ccb6707cff134d456f6b8e9c1753b63ff7ffcbc0d389c37a1cff1cadc5075e4ecb503ebcabeb3f631b5eb3
- C:\Windows\SysWOW64\Server.exe
  MD5: 6d9ad19726c79c0f7b4bf91475452e2d
  SHA1: e6d92f05926c01ed146dbfdf02500c234ccf0888
  SHA256: 37a30621364d3083424b24b0255fc8f5752d88c381600d840574e551c284fb6e
  SHA512: 87923aeb9b0d409975dd0d364a6c12b57afffde944ccb6707cff134d456f6b8e9c1753b63ff7ffcbc0d389c37a1cff1cadc5075e4ecb503ebcabeb3f631b5eb3

Both dropped files carry exactly the hashes of the submitted sample, so the alternate data stream and the System32 copy are unmodified copies of the original binary and can be matched on the same hash values.
Memory dumps
- memory/672-14-0x0000000000000000-mapping.dmp
- memory/776-4-0x0000000000000000-mapping.dmp
- memory/884-15-0x0000000000000000-mapping.dmp
- memory/1000-16-0x0000000000000000-mapping.dmp
- memory/1872-3-0x0000000000000000-mapping.dmp
- memory/2056-11-0x0000000000000000-mapping.dmp
- memory/2096-8-0x0000000000000000-mapping.dmp
- memory/3504-10-0x0000000000000000-mapping.dmp
- memory/4056-9-0x0000000000000000-mapping.dmp
- memory/4128-0-0x0000000000000000-mapping.dmp
- memory/4192-6-0x0000000000000000-mapping.dmp
- memory/4404-13-0x0000000000000000-mapping.dmp
- memory/4440-12-0x0000000000000000-mapping.dmp