Analysis
-
max time kernel
78s -
max time network
134s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
03-11-2020 14:19
General
-
Target
7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a.bin.exe
-
Size
60KB
-
MD5
2000de399f4c0ad50a26780700ed6cac
-
SHA1
70c0d6b0a8485df01ed893a7919009f099591083
-
SHA256
7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a
-
SHA512
378cfc46bb17be59975c29e19cb08d5c899eb088639b3446470e286c831ef4f71179316e0c8cbfad8bcc6d77c6dc5cb3ec96690a9a0a0646e69edcd3648e340b
Malware Config
Signatures
-
WastedLocker
Ransomware family seen in the wild since May 2020.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
-
Modifies extensions of user files 27 IoCs
Ransomware generally changes the extension on encrypted files.
-
Possible privilege escalation attempt 2 IoCs
-
Modifies file permissions 1 TTPs 2 IoCs
-
Drops file in System32 directory 2 IoCs
-
Modifies service 2 TTPs 5 IoCs
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
NTFS ADS 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
Views/modifies file attributes 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a.bin.exe"C:\Users\Admin\AppData\Local\Temp\7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a.bin.exe"1⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Ci:binC:\Users\Admin\AppData\Roaming\Ci:bin -r2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Windows\system32\Ci.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Windows\system32\Ci.exe /reset3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Ci" & del "C:\Users\Admin\AppData\Roaming\Ci"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y4⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Users\Admin\AppData\Roaming\Ci"4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a.bin.exe" & del "C:\Users\Admin\AppData\Local\Temp\7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a.bin.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Users\Admin\AppData\Local\Temp\7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a.bin.exe"3⤵
- Views/modifies file attributes
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Ci.exeC:\Windows\SysWOW64\Ci.exe -s1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Ci.exe" & del "C:\Windows\SysWOW64\Ci.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Windows\SysWOW64\Ci.exe"3⤵
- Drops file in System32 directory
- Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Ci:binMD5
2000de399f4c0ad50a26780700ed6cac
SHA170c0d6b0a8485df01ed893a7919009f099591083
SHA2567a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a
SHA512378cfc46bb17be59975c29e19cb08d5c899eb088639b3446470e286c831ef4f71179316e0c8cbfad8bcc6d77c6dc5cb3ec96690a9a0a0646e69edcd3648e340b
-
C:\Users\Admin\AppData\Roaming\Ci:binMD5
2000de399f4c0ad50a26780700ed6cac
SHA170c0d6b0a8485df01ed893a7919009f099591083
SHA2567a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a
SHA512378cfc46bb17be59975c29e19cb08d5c899eb088639b3446470e286c831ef4f71179316e0c8cbfad8bcc6d77c6dc5cb3ec96690a9a0a0646e69edcd3648e340b
-
C:\Windows\SysWOW64\Ci.exeMD5
2000de399f4c0ad50a26780700ed6cac
SHA170c0d6b0a8485df01ed893a7919009f099591083
SHA2567a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a
SHA512378cfc46bb17be59975c29e19cb08d5c899eb088639b3446470e286c831ef4f71179316e0c8cbfad8bcc6d77c6dc5cb3ec96690a9a0a0646e69edcd3648e340b
-
C:\Windows\SysWOW64\Ci.exeMD5
2000de399f4c0ad50a26780700ed6cac
SHA170c0d6b0a8485df01ed893a7919009f099591083
SHA2567a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a
SHA512378cfc46bb17be59975c29e19cb08d5c899eb088639b3446470e286c831ef4f71179316e0c8cbfad8bcc6d77c6dc5cb3ec96690a9a0a0646e69edcd3648e340b
-
memory/980-13-0x0000000000000000-mapping.dmp
-
memory/1020-6-0x0000000000000000-mapping.dmp
-
memory/1280-11-0x0000000000000000-mapping.dmp
-
memory/1940-10-0x0000000000000000-mapping.dmp
-
memory/2264-9-0x0000000000000000-mapping.dmp
-
memory/2792-15-0x0000000000000000-mapping.dmp
-
memory/3292-14-0x0000000000000000-mapping.dmp
-
memory/3460-3-0x0000000000000000-mapping.dmp
-
memory/3744-4-0x0000000000000000-mapping.dmp
-
memory/3864-8-0x0000000000000000-mapping.dmp
-
memory/4004-12-0x0000000000000000-mapping.dmp
-
memory/4028-16-0x0000000000000000-mapping.dmp
-
memory/4032-0-0x0000000000000000-mapping.dmp