Analysis
- max time kernel: 78s
- max time network: 134s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 03-11-2020 14:19
Static task: static1
Behavioral task: behavioral1
  Sample: 7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a.bin.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a.bin.exe
  Resource: win10v20201028
General
- Target: 7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a.bin.exe
- Size: 60KB
- MD5: 2000de399f4c0ad50a26780700ed6cac
- SHA1: 70c0d6b0a8485df01ed893a7919009f099591083
- SHA256: 7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a
- SHA512: 378cfc46bb17be59975c29e19cb08d5c899eb088639b3446470e286c831ef4f71179316e0c8cbfad8bcc6d77c6dc5cb3ec96690a9a0a0646e69edcd3648e340b
Malware Config
Signatures
- WastedLocker
  Ransomware family seen in the wild since May 2020.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (2 IoCs)
  Processes: Ci:bin, Ci.exe
  pid | process
  4032 | Ci:bin
  2580 | Ci.exe
- Modifies extensions of user files (27 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: Ci.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\Pictures\ClearReceive.raw.rlhwasted | Ci.exe
  File created | C:\Users\Admin\Pictures\CompressInstall.tiff.rlhwasted_info | Ci.exe
  File renamed | C:\Users\Admin\Pictures\CompressInstall.tiff => C:\Users\Admin\Pictures\CompressInstall.tiff.rlhwasted | Ci.exe
  File opened for modification | C:\Users\Admin\Pictures\ImportRevoke.crw.rlhwasted | Ci.exe
  File created | C:\Users\Admin\Pictures\ImportUnlock.tif.rlhwasted_info | Ci.exe
  File created | C:\Users\Admin\Pictures\ShowTrace.png.rlhwasted_info | Ci.exe
  File opened for modification | C:\Users\Admin\Pictures\UnblockFormat.tiff.rlhwasted | Ci.exe
  File created | C:\Users\Admin\Pictures\ApproveMount.png.rlhwasted_info | Ci.exe
  File renamed | C:\Users\Admin\Pictures\ApproveMount.png => C:\Users\Admin\Pictures\ApproveMount.png.rlhwasted | Ci.exe
  File created | C:\Users\Admin\Pictures\ImportRevoke.crw.rlhwasted_info | Ci.exe
  File renamed | C:\Users\Admin\Pictures\ImportRevoke.crw => C:\Users\Admin\Pictures\ImportRevoke.crw.rlhwasted | Ci.exe
  File created | C:\Users\Admin\Pictures\InstallStep.crw.rlhwasted_info | Ci.exe
  File renamed | C:\Users\Admin\Pictures\InstallStep.crw => C:\Users\Admin\Pictures\InstallStep.crw.rlhwasted | Ci.exe
  File created | C:\Users\Admin\Pictures\UnblockFormat.tiff.rlhwasted_info | Ci.exe
  File opened for modification | C:\Users\Admin\Pictures\CompressInstall.tiff.rlhwasted | Ci.exe
  File renamed | C:\Users\Admin\Pictures\DisableUnpublish.raw => C:\Users\Admin\Pictures\DisableUnpublish.raw.rlhwasted | Ci.exe
  File opened for modification | C:\Users\Admin\Pictures\ImportUnlock.tif.rlhwasted | Ci.exe
  File created | C:\Users\Admin\Pictures\ClearReceive.raw.rlhwasted_info | Ci.exe
  File renamed | C:\Users\Admin\Pictures\ClearReceive.raw => C:\Users\Admin\Pictures\ClearReceive.raw.rlhwasted | Ci.exe
  File opened for modification | C:\Users\Admin\Pictures\DisableUnpublish.raw.rlhwasted | Ci.exe
  File renamed | C:\Users\Admin\Pictures\ShowTrace.png => C:\Users\Admin\Pictures\ShowTrace.png.rlhwasted | Ci.exe
  File opened for modification | C:\Users\Admin\Pictures\ShowTrace.png.rlhwasted | Ci.exe
  File renamed | C:\Users\Admin\Pictures\UnblockFormat.tiff => C:\Users\Admin\Pictures\UnblockFormat.tiff.rlhwasted | Ci.exe
  File opened for modification | C:\Users\Admin\Pictures\ApproveMount.png.rlhwasted | Ci.exe
  File created | C:\Users\Admin\Pictures\DisableUnpublish.raw.rlhwasted_info | Ci.exe
  File renamed | C:\Users\Admin\Pictures\ImportUnlock.tif => C:\Users\Admin\Pictures\ImportUnlock.tif.rlhwasted | Ci.exe
  File opened for modification | C:\Users\Admin\Pictures\InstallStep.crw.rlhwasted | Ci.exe
- Possible privilege escalation attempt (2 IoCs)
  Processes: takeown.exe, icacls.exe
  pid | process
  3744 | takeown.exe
  1020 | icacls.exe
- Modifies file permissions (1 TTPs, 2 IoCs)
  Processes: takeown.exe, icacls.exe
  pid | process
  3744 | takeown.exe
  1020 | icacls.exe
- Drops file in System32 directory (2 IoCs)
  Processes: Ci:bin, attrib.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\Ci.exe | Ci:bin
  File opened for modification | C:\Windows\SysWOW64\Ci.exe | attrib.exe
- Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  3460 | vssadmin.exe
- NTFS ADS (1 IoCs)
  Processes: 7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a.bin.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Ci:bin | 7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a.bin.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  description | pid | process
  Token: SeBackupPrivilege | 3856 | vssvc.exe
  Token: SeRestorePrivilege | 3856 | vssvc.exe
  Token: SeAuditPrivilege | 3856 | vssvc.exe
- Suspicious use of WriteProcessMemory (38 IoCs)
  Processes: 7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a.bin.exe, Ci:bin, Ci.exe, cmd.exe, cmd.exe, cmd.exe
  Each distinct row below is listed once; the report repeats the rows as noted, for 38 entries in total.
  description | pid | process | target process
  PID 3304 wrote to memory of 4032 | 3304 | 7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a.bin.exe | Ci:bin (reported 3 times)
  PID 4032 wrote to memory of 3460 | 4032 | Ci:bin | vssadmin.exe (reported 2 times)
  PID 4032 wrote to memory of 3744 | 4032 | Ci:bin | takeown.exe (reported 3 times)
  PID 4032 wrote to memory of 1020 | 4032 | Ci:bin | icacls.exe (reported 3 times)
  PID 2580 wrote to memory of 3864 | 2580 | Ci.exe | cmd.exe (reported 3 times)
  PID 3864 wrote to memory of 2264 | 3864 | cmd.exe | choice.exe (reported 3 times)
  PID 4032 wrote to memory of 1940 | 4032 | Ci:bin | cmd.exe (reported 3 times)
  PID 3304 wrote to memory of 1280 | 3304 | 7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a.bin.exe | cmd.exe (reported 3 times)
  PID 1940 wrote to memory of 4004 | 1940 | cmd.exe | choice.exe (reported 3 times)
  PID 1280 wrote to memory of 980 | 1280 | cmd.exe | choice.exe (reported 3 times)
  PID 3864 wrote to memory of 3292 | 3864 | cmd.exe | attrib.exe (reported 3 times)
  PID 1940 wrote to memory of 2792 | 1940 | cmd.exe | attrib.exe (reported 3 times)
  PID 1280 wrote to memory of 4028 | 1280 | cmd.exe | attrib.exe (reported 3 times)
- Views/modifies file attributes (1 TTPs, 3 IoCs)
  Processes: attrib.exe, attrib.exe, attrib.exe
  pid | process
  2792 | attrib.exe
  4028 | attrib.exe
  3292 | attrib.exe
Processes
The number in brackets is the depth of the process in the tree; children are indented under their parent.

[1] C:\Users\Admin\AppData\Local\Temp\7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a.bin.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a.bin.exe"
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\Ci:bin
        Command line: C:\Users\Admin\AppData\Roaming\Ci:bin -r
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\vssadmin.exe
            Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
            - Interacts with shadow copies
        [3] C:\Windows\SysWOW64\takeown.exe
            Command line: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Ci.exe
            - Possible privilege escalation attempt
            - Modifies file permissions
        [3] C:\Windows\SysWOW64\icacls.exe
            Command line: C:\Windows\system32\icacls.exe C:\Windows\system32\Ci.exe /reset
            - Possible privilege escalation attempt
            - Modifies file permissions
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Ci" & del "C:\Users\Admin\AppData\Roaming\Ci"
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\choice.exe
                Command line: choice /t 10 /d y
            [4] C:\Windows\SysWOW64\attrib.exe
                Command line: attrib -h "C:\Users\Admin\AppData\Roaming\Ci"
                - Views/modifies file attributes
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a.bin.exe" & del "C:\Users\Admin\AppData\Local\Temp\7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a.bin.exe"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\choice.exe
            Command line: choice /t 10 /d y
        [3] C:\Windows\SysWOW64\attrib.exe
            Command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a.bin.exe"
            - Views/modifies file attributes

[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Modifies service
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\SysWOW64\Ci.exe
    Command line: C:\Windows\SysWOW64\Ci.exe -s
    - Executes dropped EXE
    - Modifies extensions of user files
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Ci.exe" & del "C:\Windows\SysWOW64\Ci.exe"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\choice.exe
            Command line: choice /t 10 /d y
        [3] C:\Windows\SysWOW64\attrib.exe
            Command line: attrib -h "C:\Windows\SysWOW64\Ci.exe"
            - Drops file in System32 directory
            - Views/modifies file attributes
Downloads
- C:\Users\Admin\AppData\Roaming\Ci:bin
  MD5: 2000de399f4c0ad50a26780700ed6cac
  SHA1: 70c0d6b0a8485df01ed893a7919009f099591083
  SHA256: 7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a
  SHA512: 378cfc46bb17be59975c29e19cb08d5c899eb088639b3446470e286c831ef4f71179316e0c8cbfad8bcc6d77c6dc5cb3ec96690a9a0a0646e69edcd3648e340b
- C:\Windows\SysWOW64\Ci.exe
  MD5: 2000de399f4c0ad50a26780700ed6cac
  SHA1: 70c0d6b0a8485df01ed893a7919009f099591083
  SHA256: 7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a
  SHA512: 378cfc46bb17be59975c29e19cb08d5c899eb088639b3446470e286c831ef4f71179316e0c8cbfad8bcc6d77c6dc5cb3ec96690a9a0a0646e69edcd3648e340b