Analysis
- max time kernel: 15s
- max time network: 104s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 03-11-2020 14:20
Static task: static1
Behavioral task: behavioral1
- Sample: ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.bin.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.bin.exe
- Resource: win10v20201028
General
- Target: ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.bin.exe
- Size: 58KB
- MD5: 33b80a574c6441baf5409a292aafb1cf
- SHA1: 8048aba11ea6209d1f49fa4e12741050350557df
- SHA256: ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56
- SHA512: 52843695c364814c0d0d375f68f9c7202a26e492f59c01eaf23dd366da443ae6a02c2a7ff1748a033658808e900a61e097deb95c98de3744f2767faa040ddc00
Malware Config
Signatures
- WastedLocker
  Ransomware family seen in the wild since May 2020.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  3880  Server:bin
  1416  Server.exe
- Modifies extensions of user files (15 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description, ioc, process):
  File renamed                  C:\Users\Admin\Pictures\RenameApprove.crw => C:\Users\Admin\Pictures\RenameApprove.crw.garminwasted  Server.exe
  File created                  C:\Users\Admin\Pictures\SkipUnpublish.tif.garminwasted_info  Server.exe
  File opened for modification  C:\Users\Admin\Pictures\RepairFind.png.garminwasted  Server.exe
  File renamed                  C:\Users\Admin\Pictures\SkipUnpublish.tif => C:\Users\Admin\Pictures\SkipUnpublish.tif.garminwasted  Server.exe
  File created                  C:\Users\Admin\Pictures\DenyClose.tiff.garminwasted_info  Server.exe
  File opened for modification  C:\Users\Admin\Pictures\ExportInvoke.crw.garminwasted  Server.exe
  File opened for modification  C:\Users\Admin\Pictures\RenameApprove.crw.garminwasted  Server.exe
  File renamed                  C:\Users\Admin\Pictures\ExportInvoke.crw => C:\Users\Admin\Pictures\ExportInvoke.crw.garminwasted  Server.exe
  File created                  C:\Users\Admin\Pictures\RepairFind.png.garminwasted_info  Server.exe
  File renamed                  C:\Users\Admin\Pictures\RepairFind.png => C:\Users\Admin\Pictures\RepairFind.png.garminwasted  Server.exe
  File renamed                  C:\Users\Admin\Pictures\DenyClose.tiff => C:\Users\Admin\Pictures\DenyClose.tiff.garminwasted  Server.exe
  File opened for modification  C:\Users\Admin\Pictures\DenyClose.tiff.garminwasted  Server.exe
  File created                  C:\Users\Admin\Pictures\ExportInvoke.crw.garminwasted_info  Server.exe
  File created                  C:\Users\Admin\Pictures\RenameApprove.crw.garminwasted_info  Server.exe
  File opened for modification  C:\Users\Admin\Pictures\SkipUnpublish.tif.garminwasted  Server.exe
- Possible privilege escalation attempt (2 IoCs)
  Processes (pid, process):
  196   takeown.exe
  2872  icacls.exe
- Modifies file permissions (1 TTPs, 2 IoCs)
  Processes (pid, process):
  196   takeown.exe
  2872  icacls.exe
- Drops file in System32 directory (2 IoCs)
  Processes (description, ioc, process):
  File opened for modification  C:\Windows\SysWOW64\Server.exe  Server:bin
  File opened for modification  C:\Windows\SysWOW64\Server.exe  attrib.exe
- Modifies service (2 TTPs, 5 IoCs)
  Processes (description, ioc, process):
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer  vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}  vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer  vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer  vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer  vssvc.exe
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid, process):
  2976  vssadmin.exe
- NTFS ADS (1 IoCs)
  Processes (description, ioc, process):
  File opened for modification  C:\Users\Admin\AppData\Roaming\Server:bin  ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.bin.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
  Token: SeBackupPrivilege   2972  vssvc.exe
  Token: SeRestorePrivilege  2972  vssvc.exe
  Token: SeAuditPrivilege    2972  vssvc.exe
- Suspicious use of WriteProcessMemory (38 IoCs)
  Processes (description, pid, process, target process; identical entries collapsed, with their count):
  PID 1160 wrote to memory of 3880  1160  ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.bin.exe  Server:bin  (x3)
  PID 3880 wrote to memory of 2976  3880  Server:bin  vssadmin.exe  (x2)
  PID 3880 wrote to memory of 196   3880  Server:bin  takeown.exe  (x3)
  PID 3880 wrote to memory of 2872  3880  Server:bin  icacls.exe  (x3)
  PID 1416 wrote to memory of 3408  1416  Server.exe  cmd.exe  (x3)
  PID 3408 wrote to memory of 1120  3408  cmd.exe  choice.exe  (x3)
  PID 3880 wrote to memory of 2076  3880  Server:bin  cmd.exe  (x3)
  PID 1160 wrote to memory of 1296  1160  ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.bin.exe  cmd.exe  (x3)
  PID 2076 wrote to memory of 3948  2076  cmd.exe  choice.exe  (x3)
  PID 1296 wrote to memory of 1796  1296  cmd.exe  choice.exe  (x3)
  PID 3408 wrote to memory of 3660  3408  cmd.exe  attrib.exe  (x3)
  PID 1296 wrote to memory of 3680  1296  cmd.exe  attrib.exe  (x3)
  PID 2076 wrote to memory of 1016  2076  cmd.exe  attrib.exe  (x3)
- Views/modifies file attributes (1 TTPs, 3 IoCs)
  Processes (pid, process):
  3660  attrib.exe
  3680  attrib.exe
  1016  attrib.exe
Processes
(Process tree; indentation shows parent/child relationship, each entry lists the executable path, the command line, and the signatures that matched the process.)

- C:\Users\Admin\AppData\Local\Temp\ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.bin.exe"
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Server:bin
    Command line: C:\Users\Admin\AppData\Roaming\Server:bin -r
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
    - C:\Windows\SysWOW64\takeown.exe
      Command line: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Server.exe
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\SysWOW64\icacls.exe
      Command line: C:\Windows\system32\icacls.exe C:\Windows\system32\Server.exe /reset
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Server" & del "C:\Users\Admin\AppData\Roaming\Server"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\choice.exe
        Command line: choice /t 10 /d y
      - C:\Windows\SysWOW64\attrib.exe
        Command line: attrib -h "C:\Users\Admin\AppData\Roaming\Server"
        - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.bin.exe" & del "C:\Users\Admin\AppData\Local\Temp\ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.bin.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe
      Command line: choice /t 10 /d y
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.bin.exe"
      - Views/modifies file attributes
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\Server.exe
  Command line: C:\Windows\SysWOW64\Server.exe -s
  - Executes dropped EXE
  - Modifies extensions of user files
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Server.exe" & del "C:\Windows\SysWOW64\Server.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe
      Command line: choice /t 10 /d y
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Windows\SysWOW64\Server.exe"
      - Drops file in System32 directory
      - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Server:bin
  MD5: 33b80a574c6441baf5409a292aafb1cf
  SHA1: 8048aba11ea6209d1f49fa4e12741050350557df
  SHA256: ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56
  SHA512: 52843695c364814c0d0d375f68f9c7202a26e492f59c01eaf23dd366da443ae6a02c2a7ff1748a033658808e900a61e097deb95c98de3744f2767faa040ddc00
- C:\Windows\SysWOW64\Server.exe
  MD5: 33b80a574c6441baf5409a292aafb1cf
  SHA1: 8048aba11ea6209d1f49fa4e12741050350557df
  SHA256: ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56
  SHA512: 52843695c364814c0d0d375f68f9c7202a26e492f59c01eaf23dd366da443ae6a02c2a7ff1748a033658808e900a61e097deb95c98de3744f2767faa040ddc00
- memory/196-4-0x0000000000000000-mapping.dmp
- memory/1016-16-0x0000000000000000-mapping.dmp
- memory/1120-9-0x0000000000000000-mapping.dmp
- memory/1296-11-0x0000000000000000-mapping.dmp
- memory/1796-13-0x0000000000000000-mapping.dmp
- memory/2076-10-0x0000000000000000-mapping.dmp
- memory/2872-6-0x0000000000000000-mapping.dmp
- memory/2976-3-0x0000000000000000-mapping.dmp
- memory/3408-8-0x0000000000000000-mapping.dmp
- memory/3660-14-0x0000000000000000-mapping.dmp
- memory/3680-15-0x0000000000000000-mapping.dmp
- memory/3880-0-0x0000000000000000-mapping.dmp
- memory/3948-12-0x0000000000000000-mapping.dmp