82d841869e912a772413bb37f30307b0.exe

General

Target: 82d841869e912a772413bb37f30307b0.exe
Filesize: 1MB
Completed: 14-03-2021 08:57
Score: 10/10
MD5: 82d841869e912a772413bb37f30307b0
SHA1: b75ab0170c1206c345d2fb82506e816098328ee8
SHA256: db665f26dbc4ca92d326f2cb98faafb9e84d404346b201cd88bec91ce4206bb2

Signatures 16

  • WastedLocker

    Description

    Ransomware family seen in the wild since May 2020.

  • CryptOne packer

    Description

    Detects the CryptOne packer as described in the NCC Group blog post.

    Reported IOCs

    resource | yara_rule
    behavioral1/files/0x00040000000130f1-6.dat | cryptone
    behavioral1/files/0x00040000000130f1-13.dat | cryptone
    behavioral1/files/0x0005000000005668-15.dat | cryptone
    behavioral1/files/0x0005000000005668-17.dat | cryptone
  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery
  • Executes dropped EXE
    Nsi:bin, Nsi.exe

    Reported IOCs

    pid | process
    2036 | Nsi:bin
    1180 | Nsi.exe
  • Modifies extensions of user files
    Nsi.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Reported IOCs

    description | ioc | process
    File created | C:\Users\Admin\Pictures\RemoveMount.png.howto_seccrypt | Nsi.exe
    File renamed | C:\Users\Admin\Pictures\RequestGet.raw => C:\Users\Admin\Pictures\RequestGet.raw.seccrypt | Nsi.exe
    File opened for modification | C:\Users\Admin\Pictures\RequestGet.raw.seccrypt | Nsi.exe
    File renamed | C:\Users\Admin\Pictures\ConnectUninstall.tif => C:\Users\Admin\Pictures\ConnectUninstall.tif.seccrypt | Nsi.exe
    File created | C:\Users\Admin\Pictures\ReceiveRedo.tif.howto_seccrypt | Nsi.exe
    File created | C:\Users\Admin\Pictures\ConnectUninstall.tif.howto_seccrypt | Nsi.exe
    File opened for modification | C:\Users\Admin\Pictures\DebugTest.tiff.seccrypt | Nsi.exe
    File renamed | C:\Users\Admin\Pictures\UnlockResolve.tif => C:\Users\Admin\Pictures\UnlockResolve.tif.seccrypt | Nsi.exe
    File opened for modification | C:\Users\Admin\Pictures\MergeEnable.raw.seccrypt | Nsi.exe
    File created | C:\Users\Admin\Pictures\StartReset.crw.howto_seccrypt | Nsi.exe
    File opened for modification | C:\Users\Admin\Pictures\UnlockResolve.tif.seccrypt | Nsi.exe
    File opened for modification | C:\Users\Admin\Pictures\ConnectUninstall.tif.seccrypt | Nsi.exe
    File created | C:\Users\Admin\Pictures\MergeEnable.raw.howto_seccrypt | Nsi.exe
    File opened for modification | C:\Users\Admin\Pictures\RemoveMount.png.seccrypt | Nsi.exe
    File created | C:\Users\Admin\Pictures\UnlockResolve.tif.howto_seccrypt | Nsi.exe
    File renamed | C:\Users\Admin\Pictures\HideNew.png => C:\Users\Admin\Pictures\HideNew.png.seccrypt | Nsi.exe
    File renamed | C:\Users\Admin\Pictures\MergeEnable.raw => C:\Users\Admin\Pictures\MergeEnable.raw.seccrypt | Nsi.exe
    File created | C:\Users\Admin\Pictures\RequestGet.raw.howto_seccrypt | Nsi.exe
    File renamed | C:\Users\Admin\Pictures\RemoveMount.png => C:\Users\Admin\Pictures\RemoveMount.png.seccrypt | Nsi.exe
    File renamed | C:\Users\Admin\Pictures\DebugTest.tiff => C:\Users\Admin\Pictures\DebugTest.tiff.seccrypt | Nsi.exe
    File opened for modification | C:\Users\Admin\Pictures\ReceiveRedo.tif.seccrypt | Nsi.exe
    File created | C:\Users\Admin\Pictures\DebugTest.tiff.howto_seccrypt | Nsi.exe
    File opened for modification | C:\Users\Admin\Pictures\HideNew.png.seccrypt | Nsi.exe
    File renamed | C:\Users\Admin\Pictures\ReceiveRedo.tif => C:\Users\Admin\Pictures\ReceiveRedo.tif.seccrypt | Nsi.exe
    File renamed | C:\Users\Admin\Pictures\StartReset.crw => C:\Users\Admin\Pictures\StartReset.crw.seccrypt | Nsi.exe
    File opened for modification | C:\Users\Admin\Pictures\StartReset.crw.seccrypt | Nsi.exe
    File created | C:\Users\Admin\Pictures\HideNew.png.howto_seccrypt | Nsi.exe
  • Possible privilege escalation attempt
    icacls.exe, takeown.exe

    Reported IOCs

    pid | process
    1748 | icacls.exe
    1496 | takeown.exe
  • Deletes itself
    cmd.exe

    Reported IOCs

    pid | process
    664 | cmd.exe
  • Loads dropped DLL
    82d841869e912a772413bb37f30307b0.exe

    Reported IOCs

    pid | process
    844 | 82d841869e912a772413bb37f30307b0.exe
    844 | 82d841869e912a772413bb37f30307b0.exe
  • Modifies file permissions
    takeown.exe, icacls.exe

    TTPs

    File Permissions Modification

    Reported IOCs

    pid | process
    1496 | takeown.exe
    1748 | icacls.exe
  • Drops file in System32 directory
    Nsi:bin, attrib.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\SysWOW64\Nsi.exe | Nsi:bin
    File opened for modification | C:\Windows\SysWOW64\Nsi.exe | attrib.exe
  • Interacts with shadow copies
    vssadmin.exe

    Description

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery

    Reported IOCs

    pid | process
    1996 | vssadmin.exe
  • NTFS ADS
    82d841869e912a772413bb37f30307b0.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Users\Admin\AppData\Roaming\Nsi:bin | 82d841869e912a772413bb37f30307b0.exe
  • Suspicious use of AdjustPrivilegeToken
    vssvc.exe

    Reported IOCs

    description | pid | process
    Token: SeBackupPrivilege | 1732 | vssvc.exe
    Token: SeRestorePrivilege | 1732 | vssvc.exe
    Token: SeAuditPrivilege | 1732 | vssvc.exe
  • Suspicious use of FindShellTrayWindow
    notepad.exe

    Reported IOCs

    pid | process
    2028 | notepad.exe
  • Suspicious use of WriteProcessMemory
    82d841869e912a772413bb37f30307b0.exe, Nsi:bin, Nsi.exe, cmd.exe, cmd.exe, cmd.exe

    Reported IOCs

    description | pid | process | target process | calls
    PID 844 wrote to memory of 2036 | 844 | 82d841869e912a772413bb37f30307b0.exe | Nsi:bin | 4
    PID 2036 wrote to memory of 1996 | 2036 | Nsi:bin | vssadmin.exe | 4
    PID 2036 wrote to memory of 1496 | 2036 | Nsi:bin | takeown.exe | 4
    PID 2036 wrote to memory of 1748 | 2036 | Nsi:bin | icacls.exe | 4
    PID 1180 wrote to memory of 568 | 1180 | Nsi.exe | cmd.exe | 4
    PID 568 wrote to memory of 1176 | 568 | cmd.exe | choice.exe | 4
    PID 2036 wrote to memory of 1404 | 2036 | Nsi:bin | cmd.exe | 4
    PID 844 wrote to memory of 664 | 844 | 82d841869e912a772413bb37f30307b0.exe | cmd.exe | 4
    PID 1404 wrote to memory of 1716 | 1404 | cmd.exe | choice.exe | 4
    PID 664 wrote to memory of 1684 | 664 | cmd.exe | choice.exe | 4
    PID 568 wrote to memory of 1480 | 568 | cmd.exe | attrib.exe | 4
    PID 1404 wrote to memory of 1664 | 1404 | cmd.exe | attrib.exe | 4
    PID 664 wrote to memory of 900 | 664 | cmd.exe | attrib.exe | 4
  • Views/modifies file attributes
    attrib.exe, attrib.exe, attrib.exe

    TTPs

    Hidden Files and Directories

    Reported IOCs

    pid | process
    900 | attrib.exe
    1480 | attrib.exe
    1664 | attrib.exe
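The rename/create pairs in the "Modifies extensions of user files" signature follow a fixed pattern: each victim file is renamed with the appended extension .seccrypt and a companion .howto_seccrypt note is created beside it. The script below is an added example, not part of the sandbox report or the sandbox's own signature logic. It infers both suffixes from file events of that shape rather than hard-coding them, so it generalises to any family that appends an extension and drops a per-file note. The event lines are constructed to mirror the report's IOCs plus two benign controls; the MIN_RENAMES threshold and the `description | ioc | process` line format are assumptions.

```python
"""Infer a ransomware's appended extension and ransom-note suffix from
sandbox file events.  Added example, not part of the sandbox report."""
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

MIN_RENAMES = 3   # assumed threshold: fewer appended-extension renames is not "mass"

# Constructed sample events in the shape "<description> | <ioc> | <process>".
# The Nsi.exe lines mirror the report; the last two are benign controls.
SAMPLE_EVENTS = r"""
File renamed | C:\Users\Admin\Pictures\RequestGet.raw => C:\Users\Admin\Pictures\RequestGet.raw.seccrypt | Nsi.exe
File created | C:\Users\Admin\Pictures\RequestGet.raw.howto_seccrypt | Nsi.exe
File opened for modification | C:\Users\Admin\Pictures\RequestGet.raw.seccrypt | Nsi.exe
File renamed | C:\Users\Admin\Pictures\HideNew.png => C:\Users\Admin\Pictures\HideNew.png.seccrypt | Nsi.exe
File created | C:\Users\Admin\Pictures\HideNew.png.howto_seccrypt | Nsi.exe
File renamed | C:\Users\Admin\Pictures\StartReset.crw => C:\Users\Admin\Pictures\StartReset.crw.seccrypt | Nsi.exe
File created | C:\Users\Admin\Pictures\StartReset.crw.howto_seccrypt | Nsi.exe
File renamed | C:\Users\Admin\Documents\report.docx => C:\Users\Admin\Documents\report_final.docx | WINWORD.EXE
File created | C:\Users\Admin\AppData\Local\Temp\~DF1A2B.tmp | explorer.exe
"""

Event = Tuple[str, str, str]


def parse_events(text: str) -> List[Event]:
    """Split 'description | ioc | process' lines into tuples; skip malformed ones."""
    events = []
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split(" | ")]
        if len(parts) == 3:
            events.append((parts[0], parts[1], parts[2]))
    return events


def appended_suffix(src: str, dst: str) -> Optional[str]:
    """Return what was appended to src if dst is src plus a dotted suffix, else None."""
    if dst.startswith(src) and len(dst) > len(src) and dst[len(src)] == ".":
        return dst[len(src):]
    return None


def analyse(events: List[Event]) -> Dict[str, dict]:
    """Per process: dominant appended extension, its count, and the note suffix."""
    renames = defaultdict(Counter)   # process -> Counter of appended suffixes
    originals = defaultdict(set)     # process -> original (pre-rename) paths
    created = defaultdict(list)      # process -> created paths
    for desc, ioc, proc in events:
        if desc == "File renamed" and " => " in ioc:
            src, dst = ioc.split(" => ", 1)
            suffix = appended_suffix(src, dst)
            if suffix:
                renames[proc][suffix] += 1
                originals[proc].add(src)
        elif desc == "File created":
            created[proc].append(ioc)

    findings = {}
    for proc, counter in renames.items():
        extension, n = counter.most_common(1)[0]
        if n < MIN_RENAMES:
            continue
        # A per-file ransom note is created as <original path> + <note suffix>,
        # so look for created files that extend one of the renamed originals.
        notes = Counter()
        for path in created[proc]:
            for src in originals[proc]:
                s = appended_suffix(src, path)
                if s and s != extension:
                    notes[s] += 1
        note_suffix, note_count = notes.most_common(1)[0] if notes else (None, 0)
        findings[proc] = {"extension": extension, "renamed": n,
                          "note_suffix": note_suffix, "notes": note_count}
    return findings


def analyse_text(text: str) -> Dict[str, dict]:
    return analyse(parse_events(text))


if __name__ == "__main__":
    for proc, info in analyse_text(SAMPLE_EVENTS).items():
        print(proc, info)
```

Run against the constructed events it reports only Nsi.exe, with extension .seccrypt (3 renames) and note suffix .howto_seccrypt (3 notes); the WINWORD rename is ignored because the new name does not extend the old one, and explorer.exe has no renames at all. The "File opened for modification" rows are deliberately not counted, since an editor saving a file produces the same event.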
Processes 18
  • C:\Users\Admin\AppData\Local\Temp\82d841869e912a772413bb37f30307b0.exe
    "C:\Users\Admin\AppData\Local\Temp\82d841869e912a772413bb37f30307b0.exe"
    Loads dropped DLL
    NTFS ADS
    Suspicious use of WriteProcessMemory
    PID:844
    • C:\Users\Admin\AppData\Roaming\Nsi:bin
      C:\Users\Admin\AppData\Roaming\Nsi:bin -r
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2036
      • C:\Windows\system32\vssadmin.exe
        C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
        Interacts with shadow copies
        PID:1996
      • C:\Windows\SysWOW64\takeown.exe
        C:\Windows\system32\takeown.exe /F C:\Windows\system32\Nsi.exe
        Possible privilege escalation attempt
        Modifies file permissions
        PID:1496
      • C:\Windows\SysWOW64\icacls.exe
        C:\Windows\system32\icacls.exe C:\Windows\system32\Nsi.exe /reset
        Possible privilege escalation attempt
        Modifies file permissions
        PID:1748
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Nsi" & del "C:\Users\Admin\AppData\Roaming\Nsi"
        Suspicious use of WriteProcessMemory
        PID:1404
        • C:\Windows\SysWOW64\choice.exe
          choice /t 10 /d y
          PID:1716
        • C:\Windows\SysWOW64\attrib.exe
          attrib -h "C:\Users\Admin\AppData\Roaming\Nsi"
          Views/modifies file attributes
          PID:1664
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\82d841869e912a772413bb37f30307b0.exe" & del "C:\Users\Admin\AppData\Local\Temp\82d841869e912a772413bb37f30307b0.exe"
      Deletes itself
      Suspicious use of WriteProcessMemory
      PID:664
      • C:\Windows\SysWOW64\choice.exe
        choice /t 10 /d y
        PID:1684
      • C:\Windows\SysWOW64\attrib.exe
        attrib -h "C:\Users\Admin\AppData\Local\Temp\82d841869e912a772413bb37f30307b0.exe"
        Views/modifies file attributes
        PID:900
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:1732
  • C:\Windows\SysWOW64\Nsi.exe
    C:\Windows\SysWOW64\Nsi.exe -s
    Executes dropped EXE
    Modifies extensions of user files
    Suspicious use of WriteProcessMemory
    PID:1180
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Nsi.exe" & del "C:\Windows\SysWOW64\Nsi.exe"
      Suspicious use of WriteProcessMemory
      PID:568
      • C:\Windows\SysWOW64\choice.exe
        choice /t 10 /d y
        PID:1176
      • C:\Windows\SysWOW64\attrib.exe
        attrib -h "C:\Windows\SysWOW64\Nsi.exe"
        Drops file in System32 directory
        Views/modifies file attributes
        PID:1480
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    PID:1348
  • C:\Windows\system32\notepad.exe
    "C:\Windows\system32\notepad.exe"
    Suspicious use of FindShellTrayWindow
    PID:2028
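The process tree above shows four behaviours that can be detected from process-creation telemetry alone: vssadmin Delete Shadows, takeown/icacls run against a path under System32, execution of an image stored in an NTFS alternate data stream (Nsi:bin), and the three cmd /c choice /t 10 /d y & attrib -h & del one-liners that sleep until the parent has exited and then remove the file it ran from. The script below is an added example, not code from the report or the sandbox. The events are constructed from the tree (PIDs and command lines copied from it, parent PIDs from the nesting; PID 3000 is a benign icacls control that is not in the report), and the ProcEvent record, rule names and the unquoted-program-path simplification are assumptions.

```python
"""Command-line and parent/child rules for the behaviours in the process tree.
Added example, not code from the report or the sandbox."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:           # assumed minimal process-creation record
    pid: int
    ppid: int              # 0 = parent not shown in the tree
    image: str
    cmdline: str


# Constructed from the report's tree: PIDs and command lines copied from it,
# parent PIDs from the nesting.  PID 3000 is a benign control (not in the report).
EVENTS = [
    ProcEvent(844, 0, r"C:\Users\Admin\AppData\Local\Temp\82d841869e912a772413bb37f30307b0.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\82d841869e912a772413bb37f30307b0.exe"'),
    ProcEvent(2036, 844, r"C:\Users\Admin\AppData\Roaming\Nsi:bin",
              r"C:\Users\Admin\AppData\Roaming\Nsi:bin -r"),
    ProcEvent(1996, 2036, r"C:\Windows\system32\vssadmin.exe",
              r"C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(1496, 2036, r"C:\Windows\SysWOW64\takeown.exe",
              r"C:\Windows\system32\takeown.exe /F C:\Windows\system32\Nsi.exe"),
    ProcEvent(1748, 2036, r"C:\Windows\SysWOW64\icacls.exe",
              r"C:\Windows\system32\icacls.exe C:\Windows\system32\Nsi.exe /reset"),
    ProcEvent(1404, 2036, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Nsi" & del "C:\Users\Admin\AppData\Roaming\Nsi"'),
    ProcEvent(664, 844, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\82d841869e912a772413bb37f30307b0.exe" & del "C:\Users\Admin\AppData\Local\Temp\82d841869e912a772413bb37f30307b0.exe"'),
    ProcEvent(1180, 0, r"C:\Windows\SysWOW64\Nsi.exe", r"C:\Windows\SysWOW64\Nsi.exe -s"),
    ProcEvent(568, 1180, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Nsi.exe" & del "C:\Windows\SysWOW64\Nsi.exe"'),
    ProcEvent(3000, 1348, r"C:\Windows\system32\icacls.exe",
              r"icacls C:\Users\Admin\Documents\report.docx /reset"),
]

# Drive-letter path whose final component carries an NTFS stream name (file:stream).
ADS_IMAGE_RE = re.compile(r"^[A-Za-z]:\\.*[^\\]:[^\\:]+$")
SYSTEM_DIR_RE = re.compile(r"\\windows\\(system32|syswow64)\\", re.I)
ACL_TOOL_RE = re.compile(r"\b(takeown|icacls)(\.exe)?\b", re.I)
# "choice /t N /d y ... & del <target>": sleep N seconds, then delete a file.
DELAYED_DEL_RE = re.compile(r"choice\s+/t\s+\d+\s+/d\s+y\b.*&\s*del\s+\"?([^\"&]+?)\"?\s*$", re.I)


def host_file(image: str) -> str:
    """Strip an NTFS stream name (Nsi:bin -> Nsi) so the ADS host path can be compared."""
    drive, sep, rest = image.partition(":\\")   # keep the drive letter's own colon
    if not sep:
        return image
    return drive + sep + rest.split(":", 1)[0]


def arguments(cmdline: str) -> str:
    """Everything after the program token (simplification: unquoted program path)."""
    parts = cmdline.split(None, 1)
    return parts[1] if len(parts) == 2 else ""


def evaluate(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule) hits in event order."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits: List[Tuple[int, str]] = []
    for e in events:
        cl = e.cmdline.lower()
        if "vssadmin" in cl and "delete" in cl and "shadows" in cl:
            hits.append((e.pid, "shadow_copy_deletion"))
        # Only the arguments are checked for a System32 path, so a tool merely
        # launched from System32 against a user file does not fire.
        if ACL_TOOL_RE.search(cl) and SYSTEM_DIR_RE.search(arguments(e.cmdline)):
            hits.append((e.pid, "acl_change_in_system_dir"))
        if ADS_IMAGE_RE.match(e.image):
            hits.append((e.pid, "exec_from_ntfs_ads"))
        m = DELAYED_DEL_RE.search(e.cmdline)
        if m:
            target = m.group(1).strip().lower()
            parent = by_pid.get(e.ppid)
            if parent and host_file(parent.image).lower() == target:
                hits.append((e.pid, "delayed_self_delete"))   # deletes the file its parent runs from
            else:
                hits.append((e.pid, "delayed_delete_via_choice"))
    return hits


if __name__ == "__main__":
    for pid, rule in evaluate(EVENTS):
        print(pid, rule)
```

The self-delete rule joins the del target to the parent's image path (with the :bin stream name stripped for the ADS case) instead of alerting on the choice delay alone, because the same delay idiom turns up in benign updater scripts; it fires for all three cmd.exe instances here (1404 removes the host file of the Nsi:bin stream its parent runs from). takeown and icacls against System32 paths are also routine administrative actions; what makes them suspicious in this run is the parent, a process executing from an ADS under AppData, so in production that rule should require the parent context or be scored rather than alerted on by itself. Note also that the Downloads list below shows Nsi:bin and SysWOW64\Nsi.exe carrying the same hashes as the original sample, so a hash block on the parent covers the copies as well.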
Network

MITRE ATT&CK Matrix

Defense Evasion: File Deletion, File Permissions Modification, Hidden Files and Directories
Impact: Inhibit System Recovery

Downloads
  • C:\Users\Admin\AppData\Roaming\Nsi:bin
    MD5: 82d841869e912a772413bb37f30307b0
    SHA1: b75ab0170c1206c345d2fb82506e816098328ee8
    SHA256: db665f26dbc4ca92d326f2cb98faafb9e84d404346b201cd88bec91ce4206bb2
    SHA512: 48078796a9aa03e685bebd14539586c099f30c3a1e18639d4acb810dc3bbb0dc14b09066797e79c34dcd91a120b08537aadf228585e226101384ade3fe2252c6

  • C:\Users\Admin\Desktop\UseTrace.mpeg.howto_seccrypt
    MD5: 15e4ceb2fb41ab33a702198247d0ed2f
    SHA1: efe796de0013e4aaa3477b0596982bc38acaf021
    SHA256: 2f71e32f54eba464e2a371bce73033dacb1e11e15a8c09856ee9953a04bd374f
    SHA512: 0dbc1be78bf66a23d3bc2a47b317768e5ededd025696c8f506b47d63123a85faaab30e868b4f7ee72a7ccb60014078e3e5cbb06708331da49865fed4bbb76327

  • C:\Windows\SysWOW64\Nsi.exe
    MD5: 82d841869e912a772413bb37f30307b0
    SHA1: b75ab0170c1206c345d2fb82506e816098328ee8
    SHA256: db665f26dbc4ca92d326f2cb98faafb9e84d404346b201cd88bec91ce4206bb2
    SHA512: 48078796a9aa03e685bebd14539586c099f30c3a1e18639d4acb810dc3bbb0dc14b09066797e79c34dcd91a120b08537aadf228585e226101384ade3fe2252c6

  • \Users\Admin\AppData\Roaming\Nsi
    MD5: 50bb4fbc720d23497eeb5c9dac497405
    SHA1: ced58bdd090665cac9ce5238852aa82dca86f7cf
    SHA256: 8a995be77f41f8fad0d8e32b9d90ce0d83b794c9f54ac04a5e69b31c39fbdaa0
    SHA512: 76bf1bfe5de6dcb59c01527f9999b3b3d2569b55613480a81d82a3c95f7689a4a06fe0b47b968be30cc55f2ebeab3b1bba13db2b49931b738312ec503bf176b5

  • memory/324-33-0x000007FEF6790000-0x000007FEF6A0A000-memory.dmp
  • memory/568-21-0x0000000000000000-mapping.dmp
  • memory/664-24-0x0000000000000000-mapping.dmp
  • memory/844-9-0x0000000000220000-0x0000000000230000-memory.dmp
  • memory/844-10-0x0000000000400000-0x0000000000411000-memory.dmp
  • memory/844-2-0x0000000076881000-0x0000000076883000-memory.dmp
  • memory/900-30-0x0000000000000000-mapping.dmp
  • memory/1176-22-0x0000000000000000-mapping.dmp
  • memory/1348-27-0x000007FEFC2B1000-0x000007FEFC2B3000-memory.dmp
  • memory/1404-23-0x0000000000000000-mapping.dmp
  • memory/1480-28-0x0000000000000000-mapping.dmp
  • memory/1496-14-0x0000000000000000-mapping.dmp
  • memory/1664-29-0x0000000000000000-mapping.dmp
  • memory/1684-26-0x0000000000000000-mapping.dmp
  • memory/1716-25-0x0000000000000000-mapping.dmp
  • memory/1748-16-0x0000000000000000-mapping.dmp
  • memory/1996-8-0x0000000000000000-mapping.dmp
  • memory/2036-5-0x0000000000000000-mapping.dmp