Analysis
max time kernel: 27s
max time network: 15s
platform: windows7_x64
resource: win7v20201028
submitted: 03/11/2020, 14:20
Static task: static1
Behavioral task: behavioral1
  Sample: 6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe
  Resource: win10v20201028
General
Target: 6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe
Size: 60KB
MD5: 9b5f5e7d14bd7d73b5adda12d4015ef4
SHA1: a41daf00a0193a8d8583801f8cb20405d9678296
SHA256: 6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e
SHA512: 83042c7a33d27edd86e1d9303fb587c1456017d2a87ab82bba80a9360569432197ecc599b2b810d0f71c91d6f3116e390ea6244fc0630a972a50da8f825e18de
Malware Config
Signatures
WastedLocker
  Ransomware family seen in the wild since May 2020.
Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
Executes dropped EXE (2 IoCs)
  pid   Process
  1796  Co:bin
  760   Co.exe
Modifies extensions of user files (9 IoCs)
  Ransomware generally changes the extension on encrypted files.
  description | ioc | Process
  File renamed | C:\Users\Admin\Pictures\SetStep.crw => C:\Users\Admin\Pictures\SetStep.crw.garminwasted | Co.exe
  File opened for modification | C:\Users\Admin\Pictures\SetStep.crw.garminwasted | Co.exe
  File renamed | C:\Users\Admin\Pictures\ImportUnregister.tif => C:\Users\Admin\Pictures\ImportUnregister.tif.garminwasted | Co.exe
  File opened for modification | C:\Users\Admin\Pictures\ImportUnregister.tif.garminwasted | Co.exe
  File created | C:\Users\Admin\Pictures\MergeApprove.tif.garminwasted_info | Co.exe
  File renamed | C:\Users\Admin\Pictures\MergeApprove.tif => C:\Users\Admin\Pictures\MergeApprove.tif.garminwasted | Co.exe
  File opened for modification | C:\Users\Admin\Pictures\MergeApprove.tif.garminwasted | Co.exe
  File created | C:\Users\Admin\Pictures\SetStep.crw.garminwasted_info | Co.exe
  File created | C:\Users\Admin\Pictures\ImportUnregister.tif.garminwasted_info | Co.exe
Possible privilege escalation attempt (2 IoCs)
  pid  Process
  784  takeown.exe
  840  icacls.exe
Deletes itself (1 IoC)
  pid   Process
  1600  cmd.exe
Loads dropped DLL (2 IoCs)
  pid  Process
  740  6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe
  740  6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe
Modifies file permissions (1 TTP, 2 IoCs)
  pid  Process
  840  icacls.exe
  784  takeown.exe
Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\Co.exe | attrib.exe
  File opened for modification | C:\Windows\SysWOW64\Co.exe | Co:bin
Modifies service (2 TTPs, 5 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid   Process
  1976  vssadmin.exe
NTFS ADS (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Co:bin | 6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeBackupPrivilege | 2040 | vssvc.exe
  Token: SeRestorePrivilege | 2040 | vssvc.exe
  Token: SeAuditPrivilege | 2040 | vssvc.exe
Suspicious use of WriteProcessMemory (52 IoCs)
  Each parent-to-child write below is logged four times in the raw output (13 distinct writes, 52 IoCs in total); the table lists each once.
  description | pid | Process | procid_target
  PID 740 wrote to memory of 1796 | 740 | 6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe | 25
  PID 1796 wrote to memory of 1976 | 1796 | Co:bin | 26
  PID 1796 wrote to memory of 784 | 1796 | Co:bin | 34
  PID 1796 wrote to memory of 840 | 1796 | Co:bin | 36
  PID 760 wrote to memory of 1304 | 760 | Co.exe | 40
  PID 1304 wrote to memory of 1000 | 1304 | cmd.exe | 42
  PID 1796 wrote to memory of 1324 | 1796 | Co:bin | 43
  PID 740 wrote to memory of 1600 | 740 | 6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe | 44
  PID 1324 wrote to memory of 1620 | 1324 | cmd.exe | 47
  PID 1600 wrote to memory of 1468 | 1600 | cmd.exe | 48
  PID 1304 wrote to memory of 464 | 1304 | cmd.exe | 49
  PID 1324 wrote to memory of 728 | 1324 | cmd.exe | 50
  PID 1600 wrote to memory of 576 | 1600 | cmd.exe | 51
Views/modifies file attributes (1 TTP, 3 IoCs)
  pid  Process
  464  attrib.exe
  728  attrib.exe
  576  attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe  (PID 740)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe"
  Signatures: Loads dropped DLL; NTFS ADS; Suspicious use of WriteProcessMemory
  +- C:\Users\Admin\AppData\Roaming\Co:bin  (PID 1796)
     Command line: C:\Users\Admin\AppData\Roaming\Co:bin -r
     Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
     +- C:\Windows\system32\vssadmin.exe  (PID 1976)
        Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
        Signatures: Interacts with shadow copies
     +- C:\Windows\SysWOW64\takeown.exe  (PID 784)
        Command line: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Co.exe
        Signatures: Possible privilege escalation attempt; Modifies file permissions
     +- C:\Windows\SysWOW64\icacls.exe  (PID 840)
        Command line: C:\Windows\system32\icacls.exe C:\Windows\system32\Co.exe /reset
        Signatures: Possible privilege escalation attempt; Modifies file permissions
     +- C:\Windows\SysWOW64\cmd.exe  (PID 1324)
        Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Co" & del "C:\Users\Admin\AppData\Roaming\Co"
        Signatures: Suspicious use of WriteProcessMemory
        +- C:\Windows\SysWOW64\choice.exe  (PID 1620)
           Command line: choice /t 10 /d y
        +- C:\Windows\SysWOW64\attrib.exe  (PID 728)
           Command line: attrib -h "C:\Users\Admin\AppData\Roaming\Co"
           Signatures: Views/modifies file attributes
  +- C:\Windows\SysWOW64\cmd.exe  (PID 1600)
     Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe" & del "C:\Users\Admin\AppData\Local\Temp\6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe"
     Signatures: Deletes itself; Suspicious use of WriteProcessMemory
     +- C:\Windows\SysWOW64\choice.exe  (PID 1468)
        Command line: choice /t 10 /d y
     +- C:\Windows\SysWOW64\attrib.exe  (PID 576)
        Command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe"
        Signatures: Views/modifies file attributes

C:\Windows\system32\vssvc.exe  (PID 2040)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Modifies service; Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\Co.exe  (PID 760)
  Command line: C:\Windows\SysWOW64\Co.exe -s
  Signatures: Executes dropped EXE; Modifies extensions of user files; Suspicious use of WriteProcessMemory
  +- C:\Windows\SysWOW64\cmd.exe  (PID 1304)
     Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Co.exe" & del "C:\Windows\SysWOW64\Co.exe"
     Signatures: Suspicious use of WriteProcessMemory
     +- C:\Windows\SysWOW64\choice.exe  (PID 1000)
        Command line: choice /t 10 /d y
     +- C:\Windows\SysWOW64\attrib.exe  (PID 464)
        Command line: attrib -h "C:\Windows\SysWOW64\Co.exe"
        Signatures: Drops file in System32 directory; Views/modifies file attributes

Note: the takeown.exe and icacls.exe images are recorded under C:\Windows\SysWOW64 although their command lines name C:\Windows\system32. The sample is a 32-bit process subject to WOW64 file system redirection, so the C:\Windows\system32\Co.exe in those arguments is the same file as C:\Windows\SysWOW64\Co.exe, the path the report records for the dropped copy and for the later Co.exe -s execution. The chain is: the sample writes the payload into the NTFS alternate data stream Co:bin, runs it as Co:bin -r, which deletes shadow copies, takes ownership of and resets the ACL on the system-directory copy, and then each stage removes its own on-disk image after a 10-second choice-based delay.
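The behaviours above map directly onto detection rules a SOC would run over process-creation and file events. The following script is an added example written for this page; it is not part of the sandbox report or its tooling. The process and file records are constructed by hand from the process tree and the "Modifies extensions of user files" table; the record layout (pid, ppid, image, cmdline), the rule names, and the parent PIDs of the three root processes (the report shows none, so 0 is used) are assumptions. It flags the vssadmin shadow-copy deletion, execution from an NTFS alternate data stream, takeown/icacls against a system-directory file, and the delayed self-delete chain, including the Co:bin case where the del target is the host file of the stream the parent was launched from; it also counts the mass rename to one appended extension and the per-file ransom notes.

```python
"""Added detection pass over the report above; records are constructed from its process tree and file table."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int      # 0 = parent not shown in the report (assumed placeholder)
    image: str     # image path as logged (keeps the host:stream form for an ADS)
    cmdline: str


@dataclass(frozen=True)
class FileEvent:
    op: str        # "renamed" or "created"
    path: str
    new_path: str = ""
    process: str = ""


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe"
ADS = r"C:\Users\Admin\AppData\Roaming\Co:bin"
SYS_CO = r"C:\Windows\SysWOW64\Co.exe"
SYS32, WOW64 = r"C:\Windows\system32", r"C:\Windows\SysWOW64"
SELF_DEL = 'cmd /c choice /t 10 /d y & attrib -h "{0}" & del "{0}"'

# Constructed from the report's process tree (PIDs and command lines as listed there).
PROC_EVENTS = [
    ProcEvent(740, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1796, 740, ADS, ADS + " -r"),
    ProcEvent(1976, 1796, SYS32 + r"\vssadmin.exe", SYS32 + r"\vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(784, 1796, WOW64 + r"\takeown.exe", SYS32 + r"\takeown.exe /F " + SYS32 + r"\Co.exe"),
    ProcEvent(840, 1796, WOW64 + r"\icacls.exe", SYS32 + r"\icacls.exe " + SYS32 + r"\Co.exe /reset"),
    ProcEvent(1324, 1796, WOW64 + r"\cmd.exe", SELF_DEL.format(r"C:\Users\Admin\AppData\Roaming\Co")),
    ProcEvent(1600, 740, WOW64 + r"\cmd.exe", SELF_DEL.format(SAMPLE)),
    ProcEvent(760, 0, SYS_CO, SYS_CO + " -s"),
    ProcEvent(1304, 760, WOW64 + r"\cmd.exe", SELF_DEL.format(SYS_CO)),
]

# Constructed from the "Modifies extensions of user files" table (renames and per-file notes).
FILE_EVENTS = []
for _stem in ("SetStep.crw", "ImportUnregister.tif", "MergeApprove.tif"):
    _src = r"C:\Users\Admin\Pictures" + "\\" + _stem
    FILE_EVENTS += [FileEvent("renamed", _src, _src + ".garminwasted", "Co.exe"),
                    FileEvent("created", _src + ".garminwasted_info", process="Co.exe")]

SHADOW_RE = re.compile(r"\bdelete\s+shadows\b", re.I)
ADS_RE = re.compile(r"^[A-Za-z]:\\(?:[^\\:]+\\)*[^\\:]+:[^\\:]+$")  # last component is host:stream
SYSDIR_RE = re.compile(r"\\windows\\(?:system32|syswow64)\\", re.I)
CHOICE_RE = re.compile(r"\bchoice\s+/t\s+\d+", re.I)              # choice used as a sleep
DEL_RE = re.compile(r'\bdel\s+"?([^"&]+?)"?\s*(?:&|$)', re.I)


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def ads_host(path):
    """Strip an NTFS stream name from the last path component (host:stream -> host)."""
    head, _, tail = path.rpartition("\\")
    return (head + "\\" if head else "") + tail.split(":", 1)[0]


def detect(events):
    """Return (pid, rule) pairs for the behaviours the report flags."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = image_name(e.image)
        if name == "vssadmin.exe" and SHADOW_RE.search(e.cmdline):
            findings.append((e.pid, "shadow_copy_deletion"))
        if ADS_RE.match(e.image):
            findings.append((e.pid, "ads_execution"))
        # Look only at the arguments (first token is the image; unquoted in this data).
        if name in ("takeown.exe", "icacls.exe") and SYSDIR_RE.search(e.cmdline.split(None, 1)[-1]):
            findings.append((e.pid, "system_dir_acl_tamper"))
        if name == "cmd.exe" and CHOICE_RE.search(e.cmdline):
            m = DEL_RE.search(e.cmdline)
            parent = by_pid.get(e.ppid)
            # Self-delete: the del target is the parent's own image, or the host
            # file of the ADS the parent was started from (the Co:bin chain here).
            if m and parent and ads_host(parent.image).lower() == m.group(1).strip().lower():
                findings.append((e.pid, "delayed_self_delete"))
            elif m:
                findings.append((e.pid, "delayed_delete"))
    return findings


def appended_extensions(file_events, threshold=3):
    """Renames where the new name is the old name plus a suffix, counted per
    (process, suffix); only suffixes seen at least `threshold` times are returned."""
    counts = Counter()
    for f in file_events:
        if f.op == "renamed" and f.new_path.startswith(f.path) and len(f.new_path) > len(f.path):
            counts[(f.process, f.new_path[len(f.path):])] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


def per_file_notes(file_events, ext):
    """Count created files named <victim><ext>_info, one beside every renamed file."""
    return sum(1 for f in file_events if f.op == "created" and f.path.endswith(ext + "_info"))
```

On this data `detect(PROC_EVENTS)` yields seven findings (shadow-copy deletion by 1976, ADS execution by 1796, ACL tampering by 784 and 840, and delayed self-delete by 1324, 1600 and 1304), and `appended_extensions(FILE_EVENTS)` reports three renames to `.garminwasted` by Co.exe with three matching `_info` notes. In production the records would come from Sysmon event 1 (process creation) and event 11 (file create) or an EDR feed; the ADS rule depends on the logging source preserving the `host:stream` image path, and the self-delete rule deliberately compares against the stream's host file so the Co:bin stage is not missed.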