Analysis
- max time kernel: 27s
- max time network: 25s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 03-11-2020 14:20
Static task: static1
Behavioral task: behavioral1
- Sample: ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.bin.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.bin.exe
- Resource: win10v20201028
General
- Target: ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.bin.exe
- Size: 58KB
- MD5: 33b80a574c6441baf5409a292aafb1cf
- SHA1: 8048aba11ea6209d1f49fa4e12741050350557df
- SHA256: ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56
- SHA512: 52843695c364814c0d0d375f68f9c7202a26e492f59c01eaf23dd366da443ae6a02c2a7ff1748a033658808e900a61e097deb95c98de3744f2767faa040ddc00
Malware Config
Signatures
- WastedLocker
  Ransomware family seen in the wild since May 2020.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
    1848 | Co:bin
    1492 | Co.exe
- Modifies extensions of user files (9 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description | ioc | process):
    File renamed | C:\Users\Admin\Pictures\MergeCheckpoint.crw => C:\Users\Admin\Pictures\MergeCheckpoint.crw.garminwasted | Co.exe
    File opened for modification | C:\Users\Admin\Pictures\MergeCheckpoint.crw.garminwasted | Co.exe
    File created | C:\Users\Admin\Pictures\MergeCheckpoint.crw.garminwasted_info | Co.exe
    File renamed | C:\Users\Admin\Pictures\CheckpointComplete.tif => C:\Users\Admin\Pictures\CheckpointComplete.tif.garminwasted | Co.exe
    File opened for modification | C:\Users\Admin\Pictures\CheckpointComplete.tif.garminwasted | Co.exe
    File created | C:\Users\Admin\Pictures\CheckpointComplete.tif.garminwasted_info | Co.exe
    File renamed | C:\Users\Admin\Pictures\DismountCheckpoint.tiff => C:\Users\Admin\Pictures\DismountCheckpoint.tiff.garminwasted | Co.exe
    File opened for modification | C:\Users\Admin\Pictures\DismountCheckpoint.tiff.garminwasted | Co.exe
    File created | C:\Users\Admin\Pictures\DismountCheckpoint.tiff.garminwasted_info | Co.exe
- Possible privilege escalation attempt (2 IoCs)
  Processes (pid | process):
    1768 | takeown.exe
    1284 | icacls.exe
- Deletes itself (1 IoCs)
  Processes (pid | process):
    1660 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
    336 | ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.bin.exe
    336 | ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.bin.exe
- Modifies file permissions (1 TTPs, 2 IoCs)
  Processes (pid | process):
    1768 | takeown.exe
    1284 | icacls.exe
- Drops file in System32 directory (2 IoCs)
  Processes (description | ioc | process):
    File opened for modification | C:\Windows\SysWOW64\Co.exe | Co:bin
    File opened for modification | C:\Windows\SysWOW64\Co.exe | attrib.exe
- Modifies service (2 TTPs, 5 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid | process):
    1988 | vssadmin.exe
- NTFS ADS (1 IoCs)
  Processes (description | ioc | process):
    File opened for modification | C:\Users\Admin\AppData\Roaming\Co:bin | ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.bin.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | process):
    Token: SeBackupPrivilege | 1320 | vssvc.exe
    Token: SeRestorePrivilege | 1320 | vssvc.exe
    Token: SeAuditPrivilege | 1320 | vssvc.exe
- Suspicious use of WriteProcessMemory (52 IoCs)
  Processes (pid | process | target pid | target process); each pair below was logged four times:
    336 | ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.bin.exe | 1848 | Co:bin
    1848 | Co:bin | 1988 | vssadmin.exe
    1848 | Co:bin | 1768 | takeown.exe
    1848 | Co:bin | 1284 | icacls.exe
    1492 | Co.exe | 888 | cmd.exe
    888 | cmd.exe | 1460 | choice.exe
    1848 | Co:bin | 2032 | cmd.exe
    336 | ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.bin.exe | 1660 | cmd.exe
    2032 | cmd.exe | 1640 | choice.exe
    1660 | cmd.exe | 1628 | choice.exe
    888 | cmd.exe | 1468 | attrib.exe
    2032 | cmd.exe | 1388 | attrib.exe
    1660 | cmd.exe | 1692 | attrib.exe
- Views/modifies file attributes (1 TTPs, 3 IoCs)
  Processes (pid | process):
    1468 | attrib.exe
    1388 | attrib.exe
    1692 | attrib.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.bin.exe
    command: "C:\Users\Admin\AppData\Local\Temp\ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.bin.exe"
    - Loads dropped DLL
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\Co:bin
        command: C:\Users\Admin\AppData\Roaming\Co:bin -r
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\vssadmin.exe
            command: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
            - Interacts with shadow copies
        [3] C:\Windows\SysWOW64\takeown.exe
            command: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Co.exe
            - Possible privilege escalation attempt
            - Modifies file permissions
        [3] C:\Windows\SysWOW64\icacls.exe
            command: C:\Windows\system32\icacls.exe C:\Windows\system32\Co.exe /reset
            - Possible privilege escalation attempt
            - Modifies file permissions
        [3] C:\Windows\SysWOW64\cmd.exe
            command: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Co" & del "C:\Users\Admin\AppData\Roaming\Co"
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\choice.exe
                command: choice /t 10 /d y
            [4] C:\Windows\SysWOW64\attrib.exe
                command: attrib -h "C:\Users\Admin\AppData\Roaming\Co"
                - Views/modifies file attributes
    [2] C:\Windows\SysWOW64\cmd.exe
        command: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.bin.exe" & del "C:\Users\Admin\AppData\Local\Temp\ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.bin.exe"
        - Deletes itself
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\choice.exe
            command: choice /t 10 /d y
        [3] C:\Windows\SysWOW64\attrib.exe
            command: attrib -h "C:\Users\Admin\AppData\Local\Temp\ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.bin.exe"
            - Views/modifies file attributes
[1] C:\Windows\system32\vssvc.exe
    command: C:\Windows\system32\vssvc.exe
    - Modifies service
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\SysWOW64\Co.exe
    command: C:\Windows\SysWOW64\Co.exe -s
    - Executes dropped EXE
    - Modifies extensions of user files
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        command: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Co.exe" & del "C:\Windows\SysWOW64\Co.exe"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\choice.exe
            command: choice /t 10 /d y
        [3] C:\Windows\SysWOW64\attrib.exe
            command: attrib -h "C:\Windows\SysWOW64\Co.exe"
            - Drops file in System32 directory
            - Views/modifies file attributes
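Detection logic for the chain shown in the process tree, as an added example: this is not part of the sandbox report and is neither the sandbox's nor the malware's code. The process and file events are constructed from the report's own process tree and file IoCs (PIDs, image paths and command lines are the ones listed above); the Sysmon-like field names, the rule names and the rename threshold are assumptions of this example. Two details from the report drive the rules. First, the dropper runs from an NTFS alternate data stream: Co:bin is stream "bin" on the file Co, and the Downloads section shows that both the stream and the SysWOW64 copy carry the original sample's hashes while the host file Co does not. Second, the 32-bit takeown and icacls processes name C:\Windows\system32 on their command lines, but WOW64 file-system redirection puts the file under C:\Windows\SysWOW64, which is why the "Drops file in System32 directory" IoC shows SysWOW64\Co.exe; a path check therefore has to accept both directories. The encrypted-file pattern is generalised beyond the .garminwasted/.garminwasted_info instance on this page to the <victim>wasted / <victim>wasted_info naming WastedLocker uses across victims.

```python
"""Detection rules for the WastedLocker execution chain in the report above.

Added example, not the sandbox's or the malware's code. Event records are
constructed from the report's process tree and file IoCs; field names
(pid, ppid, image, cmdline, op, path, new_path) are an assumed Sysmon-like schema.
"""
import re
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.bin.exe"
ADS = r"C:\Users\Admin\AppData\Roaming\Co:bin"  # stream "bin" on the host file "Co"
COPY = r"C:\Windows\SysWOW64\Co.exe"            # 32-bit write to system32 lands here (WOW64 redirection)
PICS = r"C:\Users\Admin\Pictures"

PROCESS_EVENTS = [  # constructed from the report's process tree; ppid None = parent not in the log
    {"pid": 336, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1848, "ppid": 336, "image": ADS, "cmdline": f"{ADS} -r"},
    {"pid": 1988, "ppid": 1848, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": r"C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 1768, "ppid": 1848, "image": r"C:\Windows\SysWOW64\takeown.exe",
     "cmdline": r"C:\Windows\system32\takeown.exe /F C:\Windows\system32\Co.exe"},
    {"pid": 1284, "ppid": 1848, "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmdline": r"C:\Windows\system32\icacls.exe C:\Windows\system32\Co.exe /reset"},
    {"pid": 2032, "ppid": 1848, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Co" & del "C:\Users\Admin\AppData\Roaming\Co"'},
    {"pid": 1660, "ppid": 336, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'cmd /c choice /t 10 /d y & attrib -h "{SAMPLE}" & del "{SAMPLE}"'},
    {"pid": 1492, "ppid": None, "image": COPY, "cmdline": f"{COPY} -s"},
    {"pid": 888, "ppid": 1492, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'cmd /c choice /t 10 /d y & attrib -h "{COPY}" & del "{COPY}"'},
]
FILE_EVENTS = []  # constructed from the "Modifies extensions of user files" IoCs
for _stem in ("MergeCheckpoint.crw", "CheckpointComplete.tif", "DismountCheckpoint.tiff"):
    FILE_EVENTS.append({"pid": 1492, "op": "rename", "path": f"{PICS}\\{_stem}",
                        "new_path": f"{PICS}\\{_stem}.garminwasted"})
    FILE_EVENTS.append({"pid": 1492, "op": "create", "path": f"{PICS}\\{_stem}.garminwasted_info"})

# Image path whose final component is file:stream, i.e. execution from an alternate data stream.
ADS_IMAGE = re.compile(r"^[A-Za-z]:\\[^:]*:[^\\:]+$")
# choice-based delay, unhide, delete: the removal chain the report shows three times.
DELAYED_DELETE = re.compile(
    r'choice\s+/t\s+\d+\s+/d\s+y\s*&\s*attrib\s+-h\s+"[^"]+"\s*&\s*del\s+"(?P<target>[^"]+)"', re.I)
# Accept both directories: the command line says system32, the file lands in SysWOW64.
SYSTEM_DIR = re.compile(r"^[A-Za-z]:\\Windows\\(system32|syswow64)\\", re.I)
# <victim>wasted on encrypted files, <victim>wasted_info for the note (generalised from garminwasted).
ENCRYPTED_EXT = re.compile(r"\.[a-z0-9]+wasted$", re.I)
NOTE_EXT = re.compile(r"\.[a-z0-9]+wasted_info$", re.I)
RENAME_THRESHOLD = 3  # assumed for this sample; production rules use a higher count over a time window


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def root_of(pid, by_pid):
    """Follow ppid links to the top-most process the log knows about, for correlating findings."""
    while by_pid.get(pid) and by_pid[pid]["ppid"] in by_pid:
        pid = by_pid[pid]["ppid"]
    return pid


def detect(process_events, file_events):
    by_pid = {e["pid"]: e for e in process_events}
    findings = []

    def hit(rule, pid, detail):
        findings.append({"rule": rule, "pid": pid, "root": root_of(pid, by_pid), "detail": detail})

    for e in process_events:
        name, cmd = basename(e["image"]), e["cmdline"]
        if ADS_IMAGE.match(e["image"]):
            hit("ads_execution", e["pid"], e["image"])
        if name == "vssadmin.exe" and re.search(r"delete\s+shadows", cmd, re.I):
            hit("shadow_copy_deletion", e["pid"], cmd)
        if name in ("takeown.exe", "icacls.exe"):
            # arguments after argv[0]; quoted paths containing spaces would need a real argv splitter
            for tok in cmd.split()[1:]:
                if SYSTEM_DIR.match(tok):
                    hit("system_binary_acl_reset", e["pid"], tok)
        if name == "cmd.exe":
            m = DELAYED_DELETE.search(cmd)
            if m:
                target = m.group("target").lower()
                parent = by_pid.get(e["ppid"])
                pimg = parent["image"].lower() if parent else ""
                # deleting the parent's own image, or the host file of the ADS it runs from, is self-removal
                rule = "self_delete" if pimg == target or pimg.startswith(target + ":") else "delayed_delete"
                hit(rule, e["pid"], m.group("target"))

    renames = Counter(f["pid"] for f in file_events
                      if f["op"] == "rename" and ENCRYPTED_EXT.search(f["new_path"]))
    notes = Counter(f["pid"] for f in file_events
                    if f["op"] == "create" and NOTE_EXT.search(f["path"]))
    for pid, n in renames.items():
        if n >= RENAME_THRESHOLD:
            hit("mass_extension_change", pid, f"{n} renames, {notes[pid]} ransom notes")
    return findings


if __name__ == "__main__":
    for f in detect(PROCESS_EVENTS, FILE_EVENTS):
        print(f"{f['rule']:24} pid={f['pid']:<5} root={f['root']:<5} {f['detail']}")
```

Running the module prints one finding per rule hit, tagged with the root process it chains back to, so the vssadmin, takeown, icacls and Roaming\Co deletions all resolve to PID 336 while the Co.exe self-removal resolves to PID 1492. Process-creation telemetry alone covers the first four rules; the rename and note-creation rule needs file telemetry from EDR or object-access auditing, and the ADS rule fires on the image path, so it still works when the stream name is changed.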
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Co:bin
  MD5: 33b80a574c6441baf5409a292aafb1cf
  SHA1: 8048aba11ea6209d1f49fa4e12741050350557df
  SHA256: ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56
  SHA512: 52843695c364814c0d0d375f68f9c7202a26e492f59c01eaf23dd366da443ae6a02c2a7ff1748a033658808e900a61e097deb95c98de3744f2767faa040ddc00
- C:\Windows\SysWOW64\Co.exe
  MD5: 33b80a574c6441baf5409a292aafb1cf
  SHA1: 8048aba11ea6209d1f49fa4e12741050350557df
  SHA256: ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56
  SHA512: 52843695c364814c0d0d375f68f9c7202a26e492f59c01eaf23dd366da443ae6a02c2a7ff1748a033658808e900a61e097deb95c98de3744f2767faa040ddc00
- \Users\Admin\AppData\Roaming\Co
  MD5: e97878fece6d3910d5298f826f80bbb9
  SHA1: c2ff2e9829dd2d3a000f29ee3f46e286795a9da2
  SHA256: b57a9aa49ce48997d172d000855eb2c850c4e42eae9605b0e7f1cd506e9cf09b
  SHA512: 115ae09f27838f2444929f1bb5c5de3fe6a94752566610643918520bfbfb01837a85963897f5f0572e93d66c84a14e6398b13261cf12077147709ef335897636
- memory/888-10-0x0000000000000000-mapping.dmp
- memory/1284-8-0x0000000000000000-mapping.dmp
- memory/1388-17-0x0000000000000000-mapping.dmp
- memory/1460-11-0x0000000000000000-mapping.dmp
- memory/1468-16-0x0000000000000000-mapping.dmp
- memory/1628-15-0x0000000000000000-mapping.dmp
- memory/1640-14-0x0000000000000000-mapping.dmp
- memory/1660-13-0x0000000000000000-mapping.dmp
- memory/1692-18-0x0000000000000000-mapping.dmp
- memory/1768-6-0x0000000000000000-mapping.dmp
- memory/1848-2-0x0000000000000000-mapping.dmp
- memory/1988-4-0x0000000000000000-mapping.dmp
- memory/2032-12-0x0000000000000000-mapping.dmp