Analysis
- max time kernel: 27s
- max time network: 15s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 03-11-2020 14:20

Static task: static1

Behavioral task: behavioral1
- Sample: 6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: 6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe
- Resource: win10v20201028
General
- Target: 6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe
- Size: 60KB
- MD5: 9b5f5e7d14bd7d73b5adda12d4015ef4
- SHA1: a41daf00a0193a8d8583801f8cb20405d9678296
- SHA256: 6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e
- SHA512: 83042c7a33d27edd86e1d9303fb587c1456017d2a87ab82bba80a9360569432197ecc599b2b810d0f71c91d6f3116e390ea6244fc0630a972a50da8f825e18de
Malware Config
Signatures
- WastedLocker
  Ransomware family seen in the wild since May 2020.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (2 IoCs)
  Processes:
    PID 1796  Co:bin
    PID 760   Co.exe
- Modifies extensions of user files (9 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (all by Co.exe):
    File renamed: C:\Users\Admin\Pictures\SetStep.crw => C:\Users\Admin\Pictures\SetStep.crw.garminwasted
    File opened for modification: C:\Users\Admin\Pictures\SetStep.crw.garminwasted
    File renamed: C:\Users\Admin\Pictures\ImportUnregister.tif => C:\Users\Admin\Pictures\ImportUnregister.tif.garminwasted
    File opened for modification: C:\Users\Admin\Pictures\ImportUnregister.tif.garminwasted
    File created: C:\Users\Admin\Pictures\MergeApprove.tif.garminwasted_info
    File renamed: C:\Users\Admin\Pictures\MergeApprove.tif => C:\Users\Admin\Pictures\MergeApprove.tif.garminwasted
    File opened for modification: C:\Users\Admin\Pictures\MergeApprove.tif.garminwasted
    File created: C:\Users\Admin\Pictures\SetStep.crw.garminwasted_info
    File created: C:\Users\Admin\Pictures\ImportUnregister.tif.garminwasted_info
- Possible privilege escalation attempt (2 IoCs)
  Processes:
    PID 784  takeown.exe
    PID 840  icacls.exe
- Deletes itself (1 IoCs)
  Processes:
    PID 1600  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    PID 740  6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe (recorded twice)
- Modifies file permissions (1 TTPs, 2 IoCs)
  Processes:
    PID 840  icacls.exe
    PID 784  takeown.exe
- Drops file in System32 directory (2 IoCs)
  Processes:
    File opened for modification by attrib.exe: C:\Windows\SysWOW64\Co.exe
    File opened for modification by Co:bin: C:\Windows\SysWOW64\Co.exe
- Modifies service (2 TTPs, 5 IoCs)
  Processes (all by vssvc.exe):
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    PID 1976  vssadmin.exe
- NTFS ADS (1 IoCs)
  Processes:
    File opened for modification by 6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe: C:\Users\Admin\AppData\Roaming\Co:bin
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (all by vssvc.exe, PID 2040):
    Token: SeBackupPrivilege
    Token: SeRestorePrivilege
    Token: SeAuditPrivilege
- Suspicious use of WriteProcessMemory (52 IoCs; each of the 13 source/target pairs below is recorded 4 times)
  Processes (source PID and process -> target PID and process):
    740 6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe -> 1796 Co:bin
    1796 Co:bin -> 1976 vssadmin.exe
    1796 Co:bin -> 784 takeown.exe
    1796 Co:bin -> 840 icacls.exe
    760 Co.exe -> 1304 cmd.exe
    1304 cmd.exe -> 1000 choice.exe
    1796 Co:bin -> 1324 cmd.exe
    740 6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe -> 1600 cmd.exe
    1324 cmd.exe -> 1620 choice.exe
    1600 cmd.exe -> 1468 choice.exe
    1304 cmd.exe -> 464 attrib.exe
    1324 cmd.exe -> 728 attrib.exe
    1600 cmd.exe -> 576 attrib.exe
- Views/modifies file attributes (1 TTPs, 3 IoCs)
  Processes:
    PID 464  attrib.exe
    PID 728  attrib.exe
    PID 576  attrib.exe
Processes (indentation shows the parent/child tree)
- C:\Users\Admin\AppData\Local\Temp\6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe"
  Signatures: Loads dropped DLL; NTFS ADS; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Co:bin
    Command line: C:\Users\Admin\AppData\Roaming\Co:bin -r
    Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      Signatures: Interacts with shadow copies
    - C:\Windows\SysWOW64\takeown.exe
      Command line: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Co.exe
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\SysWOW64\icacls.exe
      Command line: C:\Windows\system32\icacls.exe C:\Windows\system32\Co.exe /reset
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Co" & del "C:\Users\Admin\AppData\Roaming\Co"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\choice.exe
        Command line: choice /t 10 /d y
      - C:\Windows\SysWOW64\attrib.exe
        Command line: attrib -h "C:\Users\Admin\AppData\Roaming\Co"
        Signatures: Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe" & del "C:\Users\Admin\AppData\Local\Temp\6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe"
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe
      Command line: choice /t 10 /d y
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe"
      Signatures: Views/modifies file attributes
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Modifies service; Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\Co.exe
  Command line: C:\Windows\SysWOW64\Co.exe -s
  Signatures: Executes dropped EXE; Modifies extensions of user files; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Co.exe" & del "C:\Windows\SysWOW64\Co.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe
      Command line: choice /t 10 /d y
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Windows\SysWOW64\Co.exe"
      Signatures: Drops file in System32 directory; Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Co:bin
  MD5: 9b5f5e7d14bd7d73b5adda12d4015ef4
  SHA1: a41daf00a0193a8d8583801f8cb20405d9678296
  SHA256: 6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e
  SHA512: 83042c7a33d27edd86e1d9303fb587c1456017d2a87ab82bba80a9360569432197ecc599b2b810d0f71c91d6f3116e390ea6244fc0630a972a50da8f825e18de
- C:\Windows\SysWOW64\Co.exe
  MD5: 9b5f5e7d14bd7d73b5adda12d4015ef4
  SHA1: a41daf00a0193a8d8583801f8cb20405d9678296
  SHA256: 6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e
  SHA512: 83042c7a33d27edd86e1d9303fb587c1456017d2a87ab82bba80a9360569432197ecc599b2b810d0f71c91d6f3116e390ea6244fc0630a972a50da8f825e18de
- \Users\Admin\AppData\Roaming\Co
  MD5: 87aac2cccef1ddb850cf8d0cfab76f5a
  SHA1: a7bbb49dd4d3883f86779d007ae76bde9292da1a
  SHA256: 748b95a7287caf019f962d230b3e59577d1aa149100f42a3a02dc48c98f15e64
  SHA512: cbdb3621746bcce9342e594c6c5e557649eb184808e770ab36f578d2433e04862e9e41375ce9a5e1ed06400b849917aeb9875bd86959652b1d79f0ae28ed74b7