Analysis
max time kernel: 21s
max time network: 21s
platform: windows7_x64
resource: win7v20201028
submitted: 03-11-2020 14:19

Static task: static1
Behavioral task: behavioral1
  Sample: 7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a.bin.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a.bin.exe
  Resource: win10v20201028
General
Target: 7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a.bin.exe
Size: 60KB
MD5: 2000de399f4c0ad50a26780700ed6cac
SHA1: 70c0d6b0a8485df01ed893a7919009f099591083
SHA256: 7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a
SHA512: 378cfc46bb17be59975c29e19cb08d5c899eb088639b3446470e286c831ef4f71179316e0c8cbfad8bcc6d77c6dc5cb3ec96690a9a0a0646e69edcd3648e340b
Malware Config
Signatures
- WastedLocker
  Ransomware family seen in the wild since May 2020.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    2020  Rtl:bin
    1536  Rtl.exe
- Modifies extensions of user files (3 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description, ioc, process):
    File opened for modification  C:\Users\Admin\Pictures\ConvertToClear.crw.rlhwasted  Rtl.exe
    File created                  C:\Users\Admin\Pictures\ConvertToClear.crw.rlhwasted_info  Rtl.exe
    File renamed                  C:\Users\Admin\Pictures\ConvertToClear.crw => C:\Users\Admin\Pictures\ConvertToClear.crw.rlhwasted  Rtl.exe
- Possible privilege escalation attempt (2 IoCs)
  Processes (pid, process):
    1448  takeown.exe
    904   icacls.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
    616  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    292  7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a.bin.exe
    292  7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a.bin.exe
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes (pid, process):
    1448  takeown.exe
    904   icacls.exe
- Drops file in System32 directory (2 IoCs)
  Processes (description, ioc, process):
    File opened for modification  C:\Windows\SysWOW64\Rtl.exe  attrib.exe
    File opened for modification  C:\Windows\SysWOW64\Rtl.exe  Rtl:bin
- Modifies service (2 TTPs, 5 IoCs)
  Processes (description, ioc, process):
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}  vssvc.exe
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer  vssvc.exe
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer  vssvc.exe
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer  vssvc.exe
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer  vssvc.exe
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid, process):
    1968  vssadmin.exe
- NTFS ADS (1 IoC)
  Processes (description, ioc, process):
    File opened for modification  C:\Users\Admin\AppData\Roaming\Rtl:bin  7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a.bin.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
    Token: SeBackupPrivilege   1832  vssvc.exe
    Token: SeRestorePrivilege  1832  vssvc.exe
    Token: SeAuditPrivilege    1832  vssvc.exe
- Suspicious use of WriteProcessMemory (52 IoCs)
  Processes (description, pid, process, target process); each row below is recorded four times in the report's table, 52 entries in total:
    PID 292 wrote to memory of 2020   292   7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a.bin.exe  Rtl:bin
    PID 2020 wrote to memory of 1968  2020  Rtl:bin  vssadmin.exe
    PID 2020 wrote to memory of 1448  2020  Rtl:bin  takeown.exe
    PID 2020 wrote to memory of 904   2020  Rtl:bin  icacls.exe
    PID 1536 wrote to memory of 1112  1536  Rtl.exe  cmd.exe
    PID 1112 wrote to memory of 844   1112  cmd.exe  choice.exe
    PID 2020 wrote to memory of 816   2020  Rtl:bin  cmd.exe
    PID 292 wrote to memory of 616    292   7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a.bin.exe  cmd.exe
    PID 816 wrote to memory of 948    816   cmd.exe  choice.exe
    PID 616 wrote to memory of 1560   616   cmd.exe  choice.exe
    PID 1112 wrote to memory of 1336  1112  cmd.exe  attrib.exe
    PID 616 wrote to memory of 1232   616   cmd.exe  attrib.exe
    PID 816 wrote to memory of 1212   816   cmd.exe  attrib.exe
- Views/modifies file attributes (1 TTP, 3 IoCs)
  Processes (pid, process):
    1232  attrib.exe
    1212  attrib.exe
    1336  attrib.exe
Processes (process tree; each entry gives the image path, the command line, and the signatures that matched)
- C:\Users\Admin\AppData\Local\Temp\7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a.bin.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a.bin.exe"
  signatures: Loads dropped DLL; NTFS ADS; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Rtl:bin
    command line: C:\Users\Admin\AppData\Roaming\Rtl:bin -r
    signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      signatures: Interacts with shadow copies
    - C:\Windows\SysWOW64\takeown.exe
      command line: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Rtl.exe
      signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\SysWOW64\icacls.exe
      command line: C:\Windows\system32\icacls.exe C:\Windows\system32\Rtl.exe /reset
      signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Rtl" & del "C:\Users\Admin\AppData\Roaming\Rtl"
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\choice.exe
        command line: choice /t 10 /d y
      - C:\Windows\SysWOW64\attrib.exe
        command line: attrib -h "C:\Users\Admin\AppData\Roaming\Rtl"
        signatures: Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a.bin.exe" & del "C:\Users\Admin\AppData\Local\Temp\7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a.bin.exe"
    signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe
      command line: choice /t 10 /d y
    - C:\Windows\SysWOW64\attrib.exe
      command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a.bin.exe"
      signatures: Views/modifies file attributes
- C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  signatures: Modifies service; Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\Rtl.exe
  command line: C:\Windows\SysWOW64\Rtl.exe -s
  signatures: Executes dropped EXE; Modifies extensions of user files; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Rtl.exe" & del "C:\Windows\SysWOW64\Rtl.exe"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe
      command line: choice /t 10 /d y
    - C:\Windows\SysWOW64\attrib.exe
      command line: attrib -h "C:\Windows\SysWOW64\Rtl.exe"
      signatures: Drops file in System32 directory; Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Rtl:bin
  MD5: 2000de399f4c0ad50a26780700ed6cac
  SHA1: 70c0d6b0a8485df01ed893a7919009f099591083
  SHA256: 7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a
  SHA512: 378cfc46bb17be59975c29e19cb08d5c899eb088639b3446470e286c831ef4f71179316e0c8cbfad8bcc6d77c6dc5cb3ec96690a9a0a0646e69edcd3648e340b
- C:\Windows\SysWOW64\Rtl.exe
  MD5: 2000de399f4c0ad50a26780700ed6cac
  SHA1: 70c0d6b0a8485df01ed893a7919009f099591083
  SHA256: 7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a
  SHA512: 378cfc46bb17be59975c29e19cb08d5c899eb088639b3446470e286c831ef4f71179316e0c8cbfad8bcc6d77c6dc5cb3ec96690a9a0a0646e69edcd3648e340b
- \Users\Admin\AppData\Roaming\Rtl
  MD5: ff09f17c0d285ccd601ed1f04d96e7af
  SHA1: ca9054160372b801e2b710a3d4a038839fa5c278
  SHA256: 2b2634c0100cbf43078ad2a4b4846901cde80694f8a0a76d12243b3a9436b0ba
  SHA512: 0082e6275fd57e57ed40335d7f046eb300c6cac586fa9c1df868584533a7b3edc47527dc2763ab4ff3e8e018ba42d8d7aa28060b999650f20f442417e3da7f83
Memory dumps
- memory/616-13-0x0000000000000000-mapping.dmp
- memory/816-12-0x0000000000000000-mapping.dmp
- memory/844-11-0x0000000000000000-mapping.dmp
- memory/904-8-0x0000000000000000-mapping.dmp
- memory/948-14-0x0000000000000000-mapping.dmp
- memory/1112-10-0x0000000000000000-mapping.dmp
- memory/1212-18-0x0000000000000000-mapping.dmp
- memory/1232-17-0x0000000000000000-mapping.dmp
- memory/1336-16-0x0000000000000000-mapping.dmp
- memory/1448-6-0x0000000000000000-mapping.dmp
- memory/1560-15-0x0000000000000000-mapping.dmp
- memory/1968-4-0x0000000000000000-mapping.dmp
- memory/2020-2-0x0000000000000000-mapping.dmp