Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 03-11-2020 14:20
- Static task: static1
- Behavioral task: behavioral1, sample 6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe, resource win7v20201028
- Behavioral task: behavioral2, sample 6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe, resource win10v20201028
General
- Target: 6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe
- Size: 60KB
- MD5: 9b5f5e7d14bd7d73b5adda12d4015ef4
- SHA1: a41daf00a0193a8d8583801f8cb20405d9678296
- SHA256: 6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e
- SHA512: 83042c7a33d27edd86e1d9303fb587c1456017d2a87ab82bba80a9360569432197ecc599b2b810d0f71c91d6f3116e390ea6244fc0630a972a50da8f825e18de
Malware Config
Signatures
- WastedLocker
  Ransomware family seen in the wild since May 2020.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (2 IoCs)
  Processes:
    PID 2412  Server:bin
    PID 3636  Server.exe
- Modifies extensions of user files (24 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (all events by Server.exe; for each of the eight user files the report records a rename to <name>.garminwasted, an open-for-modification of the renamed file, and the creation of a <name>.garminwasted_info companion file, i.e. one note per encrypted file):
    File renamed                 C:\Users\Admin\Pictures\SkipResume.png => C:\Users\Admin\Pictures\SkipResume.png.garminwasted  Server.exe
    File opened for modification C:\Users\Admin\Pictures\SkipResume.png.garminwasted  Server.exe
    File created                 C:\Users\Admin\Pictures\SkipResume.png.garminwasted_info  Server.exe
    File renamed                 C:\Users\Admin\Pictures\UnpublishExpand.crw => C:\Users\Admin\Pictures\UnpublishExpand.crw.garminwasted  Server.exe
    File opened for modification C:\Users\Admin\Pictures\UnpublishExpand.crw.garminwasted  Server.exe
    File created                 C:\Users\Admin\Pictures\UnpublishExpand.crw.garminwasted_info  Server.exe
    File renamed                 C:\Users\Admin\Pictures\HideCompare.tif => C:\Users\Admin\Pictures\HideCompare.tif.garminwasted  Server.exe
    File opened for modification C:\Users\Admin\Pictures\HideCompare.tif.garminwasted  Server.exe
    File created                 C:\Users\Admin\Pictures\HideCompare.tif.garminwasted_info  Server.exe
    File renamed                 C:\Users\Admin\Pictures\OptimizeOut.crw => C:\Users\Admin\Pictures\OptimizeOut.crw.garminwasted  Server.exe
    File opened for modification C:\Users\Admin\Pictures\OptimizeOut.crw.garminwasted  Server.exe
    File created                 C:\Users\Admin\Pictures\OptimizeOut.crw.garminwasted_info  Server.exe
    File renamed                 C:\Users\Admin\Pictures\CompareEnter.raw => C:\Users\Admin\Pictures\CompareEnter.raw.garminwasted  Server.exe
    File opened for modification C:\Users\Admin\Pictures\CompareEnter.raw.garminwasted  Server.exe
    File created                 C:\Users\Admin\Pictures\CompareEnter.raw.garminwasted_info  Server.exe
    File renamed                 C:\Users\Admin\Pictures\DisableCheckpoint.raw => C:\Users\Admin\Pictures\DisableCheckpoint.raw.garminwasted  Server.exe
    File opened for modification C:\Users\Admin\Pictures\DisableCheckpoint.raw.garminwasted  Server.exe
    File created                 C:\Users\Admin\Pictures\DisableCheckpoint.raw.garminwasted_info  Server.exe
    File renamed                 C:\Users\Admin\Pictures\FormatWait.png => C:\Users\Admin\Pictures\FormatWait.png.garminwasted  Server.exe
    File opened for modification C:\Users\Admin\Pictures\FormatWait.png.garminwasted  Server.exe
    File created                 C:\Users\Admin\Pictures\FormatWait.png.garminwasted_info  Server.exe
    File renamed                 C:\Users\Admin\Pictures\CompleteRegister.crw => C:\Users\Admin\Pictures\CompleteRegister.crw.garminwasted  Server.exe
    File opened for modification C:\Users\Admin\Pictures\CompleteRegister.crw.garminwasted  Server.exe
    File created                 C:\Users\Admin\Pictures\CompleteRegister.crw.garminwasted_info  Server.exe
- Possible privilege escalation attempt (2 IoCs)
  Processes:
    PID 2332  icacls.exe
    PID 184   takeown.exe
- Modifies file permissions (1 TTPs, 2 IoCs)
  Processes:
    PID 184   takeown.exe
    PID 2332  icacls.exe
- Drops file in System32 directory (2 IoCs)
  Processes:
    File opened for modification C:\Windows\SysWOW64\Server.exe  Server:bin
    File opened for modification C:\Windows\SysWOW64\Server.exe  attrib.exe
- Modifies service (2 TTPs, 5 IoCs)
  Processes (vssvc.exe is the Windows Volume Shadow Copy service, started on demand when vssadmin.exe issues the Delete Shadows request below; the Diag keys are the service's own writer bookkeeping, so this signature and the AdjustPrivilegeToken one are side effects of the OS handling that request, not registry writes by the sample itself):
    Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer  vssvc.exe
    Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}  vssvc.exe
    Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer  vssvc.exe
    Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer  vssvc.exe
    Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer  vssvc.exe
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    PID 2452  vssadmin.exe
- NTFS ADS (1 IoCs)
  Processes:
    File opened for modification C:\Users\Admin\AppData\Roaming\Server:bin  6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (vssvc.exe, PID 4072):
    Token: SeBackupPrivilege
    Token: SeRestorePrivilege
    Token: SeAuditPrivilege
- Suspicious use of WriteProcessMemory (38 IoCs)
  Processes (source PID and process -> target PID and process; the report lists each pair two or three times, the count is in parentheses):
    1148 6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe -> 2412 Server:bin (3)
    2412 Server:bin -> 2452 vssadmin.exe (2)
    2412 Server:bin -> 184 takeown.exe (3)
    2412 Server:bin -> 2332 icacls.exe (3)
    3636 Server.exe -> 2240 cmd.exe (3)
    2240 cmd.exe -> 900 choice.exe (3)
    2412 Server:bin -> 640 cmd.exe (3)
    1148 6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe -> 2296 cmd.exe (3)
    640 cmd.exe -> 1364 choice.exe (3)
    2296 cmd.exe -> 3780 choice.exe (3)
    2240 cmd.exe -> 2768 attrib.exe (3)
    640 cmd.exe -> 3768 attrib.exe (3)
    2296 cmd.exe -> 2992 attrib.exe (3)
- Views/modifies file attributes (1 TTPs, 3 IoCs)
  Processes:
    PID 2768  attrib.exe
    PID 3768  attrib.exe
    PID 2992  attrib.exe
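The "Modifies extensions of user files" table above shows the pattern a file-activity detector can key on without knowing the family: one process appends a single suffix (.garminwasted) to files of several unrelated types and creates a companion <encrypted name>_info file next to each. The following Python is an added example written for this page, not code from the sandbox report or from the sample; its event list is constructed from the report's paths plus one benign rename, and the (process, action, path, new path) layout is an assumption rather than any particular sensor's schema.

```python
import ntpath
from collections import Counter, defaultdict

# Constructed file events in the shape of the "Modifies extensions of user files"
# table: (process, action, path, new path or None). Built for this example from the
# report's paths plus one benign rename; this is not the sandbox's own log.
SAMPLE_EVENTS = [
    ("Server.exe", "renamed", r"C:\Users\Admin\Pictures\SkipResume.png",
     r"C:\Users\Admin\Pictures\SkipResume.png.garminwasted"),
    ("Server.exe", "created", r"C:\Users\Admin\Pictures\SkipResume.png.garminwasted_info", None),
    ("Server.exe", "renamed", r"C:\Users\Admin\Pictures\HideCompare.tif",
     r"C:\Users\Admin\Pictures\HideCompare.tif.garminwasted"),
    ("Server.exe", "created", r"C:\Users\Admin\Pictures\HideCompare.tif.garminwasted_info", None),
    ("Server.exe", "renamed", r"C:\Users\Admin\Pictures\CompareEnter.raw",
     r"C:\Users\Admin\Pictures\CompareEnter.raw.garminwasted"),
    ("Server.exe", "created", r"C:\Users\Admin\Pictures\CompareEnter.raw.garminwasted_info", None),
    # Benign control (invented): an editor saving a temp file under its final name.
    ("WINWORD.EXE", "renamed", r"C:\Users\Admin\Documents\~WRD0001.tmp",
     r"C:\Users\Admin\Documents\Report.docx"),
]


def appended_suffix(src, dst):
    """Text appended to src to form dst (e.g. '.garminwasted'), or None if dst is not src + suffix."""
    if dst is None or len(dst) <= len(src) or not dst.startswith(src):
        return None
    return dst[len(src):]


def detect_mass_rename(events, min_files=3):
    """Flag processes that append one fixed suffix to at least min_files user files of
    more than one original type, and count companion files named <renamed file> + <suffix>
    (the per-file ransom-note pattern, '<name>.garminwasted_info' in this report)."""
    suffix_counts = defaultdict(Counter)                 # process -> suffix -> renames
    orig_types = defaultdict(lambda: defaultdict(set))   # process -> suffix -> original extensions
    encrypted = defaultdict(set)                         # process -> renamed-to paths
    created = defaultdict(list)                          # process -> created paths
    for proc, action, path, new_path in events:
        if action == "renamed":
            suffix = appended_suffix(path, new_path)
            if suffix:
                suffix_counts[proc][suffix] += 1
                orig_types[proc][suffix].add(ntpath.splitext(path)[1].lower())
                encrypted[proc].add(new_path)
        elif action == "created":
            created[proc].append(path)

    findings = {}
    for proc, counts in suffix_counts.items():
        suffix, n_files = counts.most_common(1)[0]
        if n_files < min_files or len(orig_types[proc][suffix]) < 2:
            continue
        # A created file that extends a renamed path is the note dropped beside it.
        note_suffixes = Counter(
            path[len(enc):]
            for path in created[proc]
            for enc in encrypted[proc]
            if path.startswith(enc) and len(path) > len(enc)
        )
        note_suffix, n_notes = note_suffixes.most_common(1)[0] if note_suffixes else (None, 0)
        findings[proc] = {"extension": suffix, "files": n_files,
                          "note_suffix": note_suffix, "notes": n_notes}
    return findings


if __name__ == "__main__":
    for proc, f in detect_mass_rename(SAMPLE_EVENTS).items():
        print(f"{proc}: {f['files']} files renamed to *{f['extension']}, "
              f"{f['notes']} note files ending in {f['note_suffix']}")
```

The two-extension requirement is what keeps a legitimate batch tool (an image converter renaming every .raw to .raw.bak, for instance) below the threshold; WastedLocker touches .png, .tif, .crw and .raw alike with the same suffix.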
Processes
The tree below is read from the sandbox's depth markers (shown as [1]..[4]), with PIDs taken from the WriteProcessMemory table. The sample (PID 1148) writes itself into the alternate data stream C:\Users\Admin\AppData\Roaming\Server:bin and runs that stream with -r; the stream copy deletes shadow copies, drops a further copy into the system directory, takes ownership of it and resets its ACL, and schedules deletion of the stream's host file. Server.exe -s (PID 3636) appears as a top-level process with no parent in the capture and is the instance that renames the user files. Note that the command lines name C:\Windows\system32\... while the image paths are C:\Windows\SysWOW64\...: the processes are 32-bit, so WoW64 file-system redirection maps system32 to SysWOW64 and the dropped copy lands at C:\Windows\SysWOW64\Server.exe, as the "Drops file in System32 directory" signature records.

- [1] C:\Users\Admin\AppData\Local\Temp\6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe (PID 1148)
      Command line: "C:\Users\Admin\AppData\Local\Temp\6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe"
      Signatures: NTFS ADS; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\Server:bin (PID 2412)
        Command line: C:\Users\Admin\AppData\Roaming\Server:bin -r
        Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\vssadmin.exe (PID 2452)
          Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
          Signatures: Interacts with shadow copies
    - [3] C:\Windows\SysWOW64\takeown.exe (PID 184)
          Command line: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Server.exe
          Signatures: Possible privilege escalation attempt; Modifies file permissions
    - [3] C:\Windows\SysWOW64\icacls.exe (PID 2332)
          Command line: C:\Windows\system32\icacls.exe C:\Windows\system32\Server.exe /reset
          Signatures: Possible privilege escalation attempt; Modifies file permissions
    - [3] C:\Windows\SysWOW64\cmd.exe (PID 640)
          Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Server" & del "C:\Users\Admin\AppData\Roaming\Server"
          Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\choice.exe (PID 1364)
            Command line: choice /t 10 /d y
      - [4] C:\Windows\SysWOW64\attrib.exe (PID 3768)
            Command line: attrib -h "C:\Users\Admin\AppData\Roaming\Server"
            Signatures: Views/modifies file attributes
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 2296)
        Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe" & del "C:\Users\Admin\AppData\Local\Temp\6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe"
        Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\choice.exe (PID 3780)
          Command line: choice /t 10 /d y
    - [3] C:\Windows\SysWOW64\attrib.exe (PID 2992)
          Command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe"
          Signatures: Views/modifies file attributes
- [1] C:\Windows\system32\vssvc.exe (PID 4072)
      Command line: C:\Windows\system32\vssvc.exe
      Signatures: Modifies service; Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\SysWOW64\Server.exe (PID 3636)
      Command line: C:\Windows\SysWOW64\Server.exe -s
      Signatures: Executes dropped EXE; Modifies extensions of user files; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 2240)
        Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Server.exe" & del "C:\Windows\SysWOW64\Server.exe"
        Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\choice.exe (PID 900)
          Command line: choice /t 10 /d y
    - [3] C:\Windows\SysWOW64\attrib.exe (PID 2768)
          Command line: attrib -h "C:\Windows\SysWOW64\Server.exe"
          Signatures: Drops file in System32 directory; Views/modifies file attributes
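The tree above is a compact set of process-creation behaviours worth alerting on independently of the WastedLocker family name: execution from an NTFS alternate data stream path (Server:bin), vssadmin Delete Shadows, takeown/icacls aimed at a path in the system directory, and the delayed self-delete chain cmd /c choice /t 10 /d y & attrib -h ... & del ... whose del target is the parent's own image (or, for Server:bin, the stream's host file). The Python below is an added example written for this page, not the sandbox's or the sample's code; its process list is constructed from the PIDs and command lines above (parent PIDs of the top-level entries are not in the report and are set to 0 here, and PID 5000 is an invented benign control), and the rule names are my own.

```python
import ntpath
import re

# Constructed process-creation events modelled on the "Processes" tree:
# (pid, parent pid, image path, command line). Parent pids of the top-level entries
# are not in the report and are set to 0; PID 5000 is an invented benign control.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e.bin.exe"
ADS = r"C:\Users\Admin\AppData\Roaming\Server:bin"
SAMPLE_PROCESSES = [
    (1148, 0, SAMPLE, f'"{SAMPLE}"'),
    (2412, 1148, ADS, f"{ADS} -r"),
    (2452, 2412, r"C:\Windows\system32\vssadmin.exe",
     r"C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet"),
    (184, 2412, r"C:\Windows\SysWOW64\takeown.exe",
     r"C:\Windows\system32\takeown.exe /F C:\Windows\system32\Server.exe"),
    (2332, 2412, r"C:\Windows\SysWOW64\icacls.exe",
     r"C:\Windows\system32\icacls.exe C:\Windows\system32\Server.exe /reset"),
    (640, 2412, r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Server" & del "C:\Users\Admin\AppData\Roaming\Server"'),
    (2296, 1148, r"C:\Windows\SysWOW64\cmd.exe",
     f'cmd /c choice /t 10 /d y & attrib -h "{SAMPLE}" & del "{SAMPLE}"'),
    (3636, 0, r"C:\Windows\SysWOW64\Server.exe", r"C:\Windows\SysWOW64\Server.exe -s"),
    (2240, 3636, r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Server.exe" & del "C:\Windows\SysWOW64\Server.exe"'),
    (5000, 0, r"C:\Windows\System32\cmd.exe", r'cmd /c del "C:\Users\Admin\Downloads\old.zip"'),
]

ADS_RE = re.compile(r"^[A-Za-z]:\\[^:]*:[^\\:]+$")        # C:\dir\file:stream
WIN_PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+')            # drive-letter paths in a command line
DELAY_RE = re.compile(r"\bchoice\s+/t\s+\d+\s+/d\s+y\b", re.I)
DEL_RE = re.compile(r'\bdel\s+"?([^"&]+?)"?\s*(?:&|$)', re.I)
# Both spellings: the command lines say system32, the 32-bit image lands in SysWOW64.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_ads_path(path):
    return ADS_RE.match(path) is not None


def ads_host(path):
    r"""C:\dir\Server:bin -> C:\dir\Server: deleting the host file removes the stream too."""
    return path.rsplit(":", 1)[0] if is_ads_path(path) else path


def analyse(processes):
    """Return the set of (pid, rule) pairs for the behaviours shown in the report's tree."""
    by_pid = {p[0]: p for p in processes}
    findings = set()
    for pid, ppid, image, cmdline in processes:
        name = ntpath.basename(image).lower()
        low = cmdline.lower()
        if is_ads_path(image):
            findings.add((pid, "executed_from_ntfs_ads"))
        if name == "vssadmin.exe" and "delete" in low and "shadows" in low:
            findings.add((pid, "shadow_copy_deletion"))
        if name in ("takeown.exe", "icacls.exe"):
            # Arguments only: skip the tool's own path when it is given in full.
            targets = [t for t in WIN_PATH_RE.findall(cmdline)
                       if ntpath.basename(t).lower() != name]
            if any(t.lower().startswith(SYSTEM_DIRS) for t in targets):
                findings.add((pid, "acl_change_in_system_dir"))
        if name == "cmd.exe" and DELAY_RE.search(cmdline):
            m = DEL_RE.search(cmdline)
            parent = by_pid.get(ppid)
            if m and parent:
                target = m.group(1).strip().lower()
                parent_image = parent[2]
                if target in (parent_image.lower(), ads_host(parent_image).lower()):
                    findings.add((pid, "delayed_self_delete_of_parent_image"))
    return findings


if __name__ == "__main__":
    for pid, rule in sorted(analyse(SAMPLE_PROCESSES)):
        print(pid, rule)
```

Comparing the del target against the parent's ADS host as well as its image is what catches PID 640: the stream Server:bin cannot be deleted by name from cmd, so the sample deletes the host file C:\Users\Admin\AppData\Roaming\Server instead. A plain cmd /c del with no choice delay (PID 5000) stays silent.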
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Both dropped files carry the same MD5, SHA1, SHA256 and SHA512 as the submitted sample (see General), so the ADS stream and the SysWOW64 copy are byte-for-byte copies of the original executable.
- C:\Users\Admin\AppData\Roaming\Server:bin
  MD5    9b5f5e7d14bd7d73b5adda12d4015ef4
  SHA1   a41daf00a0193a8d8583801f8cb20405d9678296
  SHA256 6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e
  SHA512 83042c7a33d27edd86e1d9303fb587c1456017d2a87ab82bba80a9360569432197ecc599b2b810d0f71c91d6f3116e390ea6244fc0630a972a50da8f825e18de
- C:\Windows\SysWOW64\Server.exe
  MD5    9b5f5e7d14bd7d73b5adda12d4015ef4
  SHA1   a41daf00a0193a8d8583801f8cb20405d9678296
  SHA256 6d35b01dbe014c6efc18d587c2be5e12617e1681cc670ba5c49fe7ead9de780e
  SHA512 83042c7a33d27edd86e1d9303fb587c1456017d2a87ab82bba80a9360569432197ecc599b2b810d0f71c91d6f3116e390ea6244fc0630a972a50da8f825e18de
- Memory dumps:
  memory/184-4-0x0000000000000000-mapping.dmp
  memory/640-10-0x0000000000000000-mapping.dmp
  memory/900-9-0x0000000000000000-mapping.dmp
  memory/1364-12-0x0000000000000000-mapping.dmp
  memory/2240-8-0x0000000000000000-mapping.dmp
  memory/2296-11-0x0000000000000000-mapping.dmp
  memory/2332-6-0x0000000000000000-mapping.dmp
  memory/2412-0-0x0000000000000000-mapping.dmp
  memory/2452-3-0x0000000000000000-mapping.dmp
  memory/2768-14-0x0000000000000000-mapping.dmp
  memory/2992-16-0x0000000000000000-mapping.dmp
  memory/3768-15-0x0000000000000000-mapping.dmp
  memory/3780-13-0x0000000000000000-mapping.dmp