Analysis
- max time kernel: 66s
- max time network: 25s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 14-03-2021 08:54
Behavioral task behavioral1
- Sample: 82d841869e912a772413bb37f30307b0.exe
- Resource: win7v20201028
Behavioral task behavioral2
- Sample: 82d841869e912a772413bb37f30307b0.exe
- Resource: win10v20201028
General
- Target: 82d841869e912a772413bb37f30307b0.exe
- Size: 1.2MB
- MD5: 82d841869e912a772413bb37f30307b0
- SHA1: b75ab0170c1206c345d2fb82506e816098328ee8
- SHA256: db665f26dbc4ca92d326f2cb98faafb9e84d404346b201cd88bec91ce4206bb2
- SHA512: 48078796a9aa03e685bebd14539586c099f30c3a1e18639d4acb810dc3bbb0dc14b09066797e79c34dcd91a120b08537aadf228585e226101384ade3fe2252c6
Malware Config
Signatures
- WastedLocker
Ransomware family seen in the wild since May 2020.
Processes:
  resource                                 yara_rule
  C:\Users\Admin\AppData\Roaming\Nsi:bin   cryptone
  C:\Users\Admin\AppData\Roaming\Nsi:bin   cryptone
  C:\Windows\SysWOW64\Nsi.exe              cryptone
  C:\Windows\SysWOW64\Nsi.exe              cryptone
- Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  2036  Nsi:bin
  1180  Nsi.exe
- Modifies extensions of user files (27 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
  description                   ioc                                                                                                  process
  File created                  C:\Users\Admin\Pictures\RemoveMount.png.howto_seccrypt                                               Nsi.exe
  File renamed                  C:\Users\Admin\Pictures\RequestGet.raw => C:\Users\Admin\Pictures\RequestGet.raw.seccrypt             Nsi.exe
  File opened for modification  C:\Users\Admin\Pictures\RequestGet.raw.seccrypt                                                      Nsi.exe
  File renamed                  C:\Users\Admin\Pictures\ConnectUninstall.tif => C:\Users\Admin\Pictures\ConnectUninstall.tif.seccrypt Nsi.exe
  File created                  C:\Users\Admin\Pictures\ReceiveRedo.tif.howto_seccrypt                                               Nsi.exe
  File created                  C:\Users\Admin\Pictures\ConnectUninstall.tif.howto_seccrypt                                          Nsi.exe
  File opened for modification  C:\Users\Admin\Pictures\DebugTest.tiff.seccrypt                                                      Nsi.exe
  File renamed                  C:\Users\Admin\Pictures\UnlockResolve.tif => C:\Users\Admin\Pictures\UnlockResolve.tif.seccrypt       Nsi.exe
  File opened for modification  C:\Users\Admin\Pictures\MergeEnable.raw.seccrypt                                                     Nsi.exe
  File created                  C:\Users\Admin\Pictures\StartReset.crw.howto_seccrypt                                                Nsi.exe
  File opened for modification  C:\Users\Admin\Pictures\UnlockResolve.tif.seccrypt                                                   Nsi.exe
  File opened for modification  C:\Users\Admin\Pictures\ConnectUninstall.tif.seccrypt                                                Nsi.exe
  File created                  C:\Users\Admin\Pictures\MergeEnable.raw.howto_seccrypt                                               Nsi.exe
  File opened for modification  C:\Users\Admin\Pictures\RemoveMount.png.seccrypt                                                     Nsi.exe
  File created                  C:\Users\Admin\Pictures\UnlockResolve.tif.howto_seccrypt                                             Nsi.exe
  File renamed                  C:\Users\Admin\Pictures\HideNew.png => C:\Users\Admin\Pictures\HideNew.png.seccrypt                   Nsi.exe
  File renamed                  C:\Users\Admin\Pictures\MergeEnable.raw => C:\Users\Admin\Pictures\MergeEnable.raw.seccrypt           Nsi.exe
  File created                  C:\Users\Admin\Pictures\RequestGet.raw.howto_seccrypt                                                Nsi.exe
  File renamed                  C:\Users\Admin\Pictures\RemoveMount.png => C:\Users\Admin\Pictures\RemoveMount.png.seccrypt           Nsi.exe
  File renamed                  C:\Users\Admin\Pictures\DebugTest.tiff => C:\Users\Admin\Pictures\DebugTest.tiff.seccrypt             Nsi.exe
  File opened for modification  C:\Users\Admin\Pictures\ReceiveRedo.tif.seccrypt                                                     Nsi.exe
  File created                  C:\Users\Admin\Pictures\DebugTest.tiff.howto_seccrypt                                                Nsi.exe
  File opened for modification  C:\Users\Admin\Pictures\HideNew.png.seccrypt                                                         Nsi.exe
  File renamed                  C:\Users\Admin\Pictures\ReceiveRedo.tif => C:\Users\Admin\Pictures\ReceiveRedo.tif.seccrypt           Nsi.exe
  File renamed                  C:\Users\Admin\Pictures\StartReset.crw => C:\Users\Admin\Pictures\StartReset.crw.seccrypt             Nsi.exe
  File opened for modification  C:\Users\Admin\Pictures\StartReset.crw.seccrypt                                                      Nsi.exe
  File created                  C:\Users\Admin\Pictures\HideNew.png.howto_seccrypt                                                   Nsi.exe
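Worked detection example (added here; it is not part of the sandbox report and not code from the WastedLocker sample). The rows above show one fixed pattern per picture: the file is renamed to name.seccrypt, the renamed file is then opened for modification, and a name.howto_seccrypt note is created beside it. The Python below turns a stream of such file events into a verdict: it looks for a burst of renames that all append the same suffix, checks whether the renamed files are then modified in place (rather than copied and deleted), and derives the companion note suffix from files created next to the originals. The event tuples, their timestamps and the notes.txt noise entries are constructed for the example; the Pictures paths are the ones listed above.

```python
"""File-event heuristic for the rename / modify / note pattern in the rows above.

Added example, not sandbox or sample code. Events are
(time_s, op, path, new_path) with op in {"renamed", "modified", "created"}.
Timestamps and the notes.txt entries are constructed; the Pictures paths
are those listed in the report.
"""
from collections import Counter

PICS = r"C:\Users\Admin\Pictures"
ORIGINALS = ["RequestGet.raw", "ConnectUninstall.tif", "UnlockResolve.tif",
             "HideNew.png", "MergeEnable.raw", "RemoveMount.png",
             "DebugTest.tiff", "ReceiveRedo.tif", "StartReset.crw"]


def build_sample_events(ext=".seccrypt", note_tag=".howto_seccrypt", step=0.05):
    """Constructed stream: rename, modify the renamed file in place, drop a note."""
    events, t = [], 0.0
    for name in ORIGINALS:
        src = PICS + "\\" + name
        events.append((t, "renamed", src, src + ext)); t += step
        events.append((t, "modified", src + ext, None)); t += step
        events.append((t, "created", src + note_tag, None)); t += step
    # benign noise: a user saving a document (constructed)
    doc = r"C:\Users\Admin\Documents\notes.txt"
    events.append((t, "created", doc, None))
    events.append((t + 1.0, "modified", doc, None))
    return events


def analyse(events, min_renames=5, window_s=60.0):
    """Return a summary dict when a rename burst looks like encryption, else None."""
    renames = [(t, p, n) for t, op, p, n in events
               if op == "renamed" and n and n.startswith(p)]
    appended = Counter(n[len(p):] for _, p, n in renames)   # suffix each rename added
    if not appended:
        return None
    ext, total = appended.most_common(1)[0]
    times = sorted(t for t, p, n in renames if n[len(p):] == ext)
    # largest number of same-suffix renames inside any window_s-second window
    burst, j = 0, 0
    for i, ti in enumerate(times):
        while times[j] < ti - window_s:
            j += 1
        burst = max(burst, i - j + 1)
    if burst < min_renames:
        return None
    originals = {p for _, p, n in renames if n[len(p):] == ext}
    encrypted = {o + ext for o in originals}
    # renamed file then opened for modification = encrypted in place, not copy-and-delete
    modified = {p for _, op, p, _ in events if op == "modified" and p in encrypted}
    # files created beside an original with another suffix = ransom-note candidates
    notes = Counter()
    for _, op, p, _ in events:
        if op == "created":
            for o in originals:
                if p.startswith(o + ".") and p != o + ext:
                    notes[p[len(o):]] += 1
    note_suffix, note_count = notes.most_common(1)[0] if notes else (None, 0)
    return {
        "appended_extension": ext,
        "renamed_files": total,
        "peak_renames_in_window": burst,
        "in_place_encryption": modified == encrypted,
        "note_suffix": note_suffix,
        "note_files": note_count,
    }


if __name__ == "__main__":
    print(analyse(build_sample_events()))
```

The min_renames and window_s thresholds are arbitrary starting points; on real telemetry they should be tuned against normal bulk-rename activity (archive extraction, photo imports), and the note-suffix check is what separates ransomware from a benign batch rename.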
- Possible privilege escalation attempt (2 IoCs)
Processes:
  pid   process
  1748  icacls.exe
  1496  takeown.exe
- Deletes itself (1 IoC)
Processes:
  pid  process
  664  cmd.exe
- Loads dropped DLL (2 IoCs)
Processes:
  pid  process
  844  82d841869e912a772413bb37f30307b0.exe
  844  82d841869e912a772413bb37f30307b0.exe
- Modifies file permissions (1 TTP, 2 IoCs)
Processes:
  pid   process
  1496  takeown.exe
  1748  icacls.exe
- Drops file in System32 directory (2 IoCs)
Processes:
  description                   ioc                           process
  File opened for modification  C:\Windows\SysWOW64\Nsi.exe   Nsi:bin
  File opened for modification  C:\Windows\SysWOW64\Nsi.exe   attrib.exe
- Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid   process
  1996  vssadmin.exe
- NTFS ADS (1 IoC)
Processes:
  description                   ioc                                      process
  File opened for modification  C:\Users\Admin\AppData\Roaming\Nsi:bin   82d841869e912a772413bb37f30307b0.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                 pid   process
  Token: SeBackupPrivilege    1732  vssvc.exe
  Token: SeRestorePrivilege   1732  vssvc.exe
  Token: SeAuditPrivilege     1732  vssvc.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
  pid   process
  2028  notepad.exe
- Suspicious use of WriteProcessMemory (52 IoCs)
Processes (each parent-to-child pair is recorded four times in the report; shown here once with the count):
  source pid  source process                         target pid  target process  writes
  844         82d841869e912a772413bb37f30307b0.exe   2036        Nsi:bin         4
  2036        Nsi:bin                                1996        vssadmin.exe    4
  2036        Nsi:bin                                1496        takeown.exe     4
  2036        Nsi:bin                                1748        icacls.exe      4
  1180        Nsi.exe                                568         cmd.exe         4
  568         cmd.exe                                1176        choice.exe      4
  2036        Nsi:bin                                1404        cmd.exe         4
  844         82d841869e912a772413bb37f30307b0.exe   664         cmd.exe         4
  1404        cmd.exe                                1716        choice.exe      4
  664         cmd.exe                                1684        choice.exe      4
  568         cmd.exe                                1480        attrib.exe      4
  1404        cmd.exe                                1664        attrib.exe      4
  664         cmd.exe                                900         attrib.exe      4
- Views/modifies file attributes (1 TTP, 3 IoCs)
Processes:
  pid   process
  900   attrib.exe
  1480  attrib.exe
  1664  attrib.exe
Processes (bracketed number = depth in the process tree)
- [1] C:\Users\Admin\AppData\Local\Temp\82d841869e912a772413bb37f30307b0.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\82d841869e912a772413bb37f30307b0.exe"
  - Loads dropped DLL
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\Nsi:bin
    cmdline: C:\Users\Admin\AppData\Roaming\Nsi:bin -r
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\vssadmin.exe
      cmdline: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
    - [3] C:\Windows\SysWOW64\takeown.exe
      cmdline: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Nsi.exe
      - Possible privilege escalation attempt
      - Modifies file permissions
    - [3] C:\Windows\SysWOW64\icacls.exe
      cmdline: C:\Windows\system32\icacls.exe C:\Windows\system32\Nsi.exe /reset
      - Possible privilege escalation attempt
      - Modifies file permissions
    - [3] C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Nsi" & del "C:\Users\Admin\AppData\Roaming\Nsi"
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\choice.exe
        cmdline: choice /t 10 /d y
      - [4] C:\Windows\SysWOW64\attrib.exe
        cmdline: attrib -h "C:\Users\Admin\AppData\Roaming\Nsi"
        - Views/modifies file attributes
  - [2] C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\82d841869e912a772413bb37f30307b0.exe" & del "C:\Users\Admin\AppData\Local\Temp\82d841869e912a772413bb37f30307b0.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\choice.exe
      cmdline: choice /t 10 /d y
    - [3] C:\Windows\SysWOW64\attrib.exe
      cmdline: attrib -h "C:\Users\Admin\AppData\Local\Temp\82d841869e912a772413bb37f30307b0.exe"
      - Views/modifies file attributes
- [1] C:\Windows\system32\vssvc.exe
  cmdline: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\SysWOW64\Nsi.exe
  cmdline: C:\Windows\SysWOW64\Nsi.exe -s
  - Executes dropped EXE
  - Modifies extensions of user files
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Nsi.exe" & del "C:\Windows\SysWOW64\Nsi.exe"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\choice.exe
      cmdline: choice /t 10 /d y
    - [3] C:\Windows\SysWOW64\attrib.exe
      cmdline: attrib -h "C:\Windows\SysWOW64\Nsi.exe"
      - Drops file in System32 directory
      - Views/modifies file attributes
- [1] C:\Windows\explorer.exe
  cmdline: "C:\Windows\explorer.exe"
- [1] C:\Windows\system32\notepad.exe
  cmdline: "C:\Windows\system32\notepad.exe"
  - Suspicious use of FindShellTrayWindow
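Worked detection example (added here; it is not part of the sandbox report and not code from the sample). The tree above shows four behaviours that are cheap to match on process-creation telemetry: a child executed from an NTFS alternate data stream (Nsi:bin), vssadmin deleting all shadow copies, takeown and icacls resetting the ACL on a System32 path before the dropped Nsi.exe is written there, and a cmd.exe child that waits with choice /t 10, strips the hidden attribute and deletes its parent's image (delayed self-deletion, used three times in this run). The Python below encodes the tree as (pid, ppid, image, cmdline) tuples, with parent PIDs taken from the WriteProcessMemory table above and ppid 0 where the report shows no parent, and runs those four rules over them. Two points a practitioner should note: the command lines say system32 but the recorded images are under SysWOW64 because the 32-bit parent is subject to WoW64 file-system redirection, so the ACL rule accepts either directory; and the self-delete rule also accepts the case where the deleted file is the host of the ADS the parent ran from (cmd 1404 deletes Nsi while its parent's image is Nsi:bin). The wmic "shadowcopy delete" form in the regex is a generalisation beyond what this report shows.

```python
"""Process-tree heuristics for the behaviour in the report above.

Added example, not sandbox or sample code. Events are (pid, ppid, image,
cmdline); values come from the report's process list, parent PIDs from its
WriteProcessMemory table, ppid 0 where the report shows no parent.
"""
import re
from ntpath import basename  # Windows path handling on any host

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\82d841869e912a772413bb37f30307b0.exe"
ADS = r"C:\Users\Admin\AppData\Roaming\Nsi:bin"   # sample copied into an ADS
NSI = r"C:\Windows\SysWOW64\Nsi.exe"               # dropped copy, WoW64 view of System32
S32 = "C:\\Windows\\SysWOW64\\"

EVENTS = [
    (844, 0, SAMPLE, f'"{SAMPLE}"'),
    (2036, 844, ADS, f"{ADS} -r"),
    (1996, 2036, r"C:\Windows\system32\vssadmin.exe",
     r"C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet"),
    (1496, 2036, S32 + "takeown.exe", r"C:\Windows\system32\takeown.exe /F C:\Windows\system32\Nsi.exe"),
    (1748, 2036, S32 + "icacls.exe", r"C:\Windows\system32\icacls.exe C:\Windows\system32\Nsi.exe /reset"),
    (1404, 2036, S32 + "cmd.exe",
     r'cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Nsi" & del "C:\Users\Admin\AppData\Roaming\Nsi"'),
    (1716, 1404, S32 + "choice.exe", "choice /t 10 /d y"),
    (1664, 1404, S32 + "attrib.exe", r'attrib -h "C:\Users\Admin\AppData\Roaming\Nsi"'),
    (664, 844, S32 + "cmd.exe", f'cmd /c choice /t 10 /d y & attrib -h "{SAMPLE}" & del "{SAMPLE}"'),
    (1684, 664, S32 + "choice.exe", "choice /t 10 /d y"),
    (900, 664, S32 + "attrib.exe", f'attrib -h "{SAMPLE}"'),
    (1180, 0, NSI, f"{NSI} -s"),
    (568, 1180, S32 + "cmd.exe", f'cmd /c choice /t 10 /d y & attrib -h "{NSI}" & del "{NSI}"'),
    (1176, 568, S32 + "choice.exe", "choice /t 10 /d y"),
    (1480, 568, S32 + "attrib.exe", f'attrib -h "{NSI}"'),
    (1732, 0, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    (2028, 0, r"C:\Windows\system32\notepad.exe", r'"C:\Windows\system32\notepad.exe"'),
]

# vssadmin form seen in this report, plus the wmic form (generalisation, not in the report)
SHADOW_RE = re.compile(r"delete\s+shadows|shadowcopy\s+delete")
CHOICE_RE = re.compile(r"choice\s+/t\s+\d+")
DEL_RE = re.compile(r'\bdel\s+(?:"([^"]+)"|(\S+))')
SYSDIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")  # either WoW64 view


def analyse_process_events(events):
    """Return sorted (rule, pid) findings for the four behaviours."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    findings = set()
    for pid, ppid, image, cmd in events:
        exe = basename(image).lower()
        cl = cmd.lower()
        args = cl.split(None, 1)[1] if " " in cl else ""  # arguments only, not the image path
        if exe in ("vssadmin.exe", "wmic.exe") and SHADOW_RE.search(cl):
            findings.add(("shadow_copy_deletion", pid))
        if exe in ("takeown.exe", "icacls.exe") and any(d in args for d in SYSDIRS):
            findings.add(("system32_acl_change", pid))
        if ":" in image[2:]:  # a colon after the drive letter means an alternate data stream
            findings.add(("ads_execution", pid))
        if exe == "cmd.exe" and CHOICE_RE.search(cl):
            m = DEL_RE.search(cl)
            parent = by_pid.get(ppid)
            if m and parent:
                target = m.group(1) or m.group(2)
                pimage = parent[1].lower()
                # deletes the parent's own image, or the host file of the ADS the parent ran from
                if pimage == target or pimage.startswith(target + ":"):
                    findings.add(("delayed_self_delete", pid))
    return sorted(findings)


if __name__ == "__main__":
    for rule, pid in analyse_process_events(EVENTS):
        print(f"{rule:22} pid {pid}")
```

Run against the tuples above the function reports the ADS execution (2036), the shadow-copy deletion (1996), both ACL changes (1496, 1748) and all three delayed self-deletions (568, 664, 1404); the choice, attrib, vssvc and notepad processes produce nothing on their own, which is the point of keying the self-delete rule on the parent's image rather than on attrib or del alone.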
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Nsi:bin
  MD5: 82d841869e912a772413bb37f30307b0
  SHA1: b75ab0170c1206c345d2fb82506e816098328ee8
  SHA256: db665f26dbc4ca92d326f2cb98faafb9e84d404346b201cd88bec91ce4206bb2
  SHA512: 48078796a9aa03e685bebd14539586c099f30c3a1e18639d4acb810dc3bbb0dc14b09066797e79c34dcd91a120b08537aadf228585e226101384ade3fe2252c6
- C:\Users\Admin\Desktop\UseTrace.mpeg.howto_seccrypt
  MD5: 15e4ceb2fb41ab33a702198247d0ed2f
  SHA1: efe796de0013e4aaa3477b0596982bc38acaf021
  SHA256: 2f71e32f54eba464e2a371bce73033dacb1e11e15a8c09856ee9953a04bd374f
  SHA512: 0dbc1be78bf66a23d3bc2a47b317768e5ededd025696c8f506b47d63123a85faaab30e868b4f7ee72a7ccb60014078e3e5cbb06708331da49865fed4bbb76327
- C:\Windows\SysWOW64\Nsi.exe
  MD5: 82d841869e912a772413bb37f30307b0
  SHA1: b75ab0170c1206c345d2fb82506e816098328ee8
  SHA256: db665f26dbc4ca92d326f2cb98faafb9e84d404346b201cd88bec91ce4206bb2
  SHA512: 48078796a9aa03e685bebd14539586c099f30c3a1e18639d4acb810dc3bbb0dc14b09066797e79c34dcd91a120b08537aadf228585e226101384ade3fe2252c6
- \Users\Admin\AppData\Roaming\Nsi
  MD5: 50bb4fbc720d23497eeb5c9dac497405
  SHA1: ced58bdd090665cac9ce5238852aa82dca86f7cf
  SHA256: 8a995be77f41f8fad0d8e32b9d90ce0d83b794c9f54ac04a5e69b31c39fbdaa0
  SHA512: 76bf1bfe5de6dcb59c01527f9999b3b3d2569b55613480a81d82a3c95f7689a4a06fe0b47b968be30cc55f2ebeab3b1bba13db2b49931b738312ec503bf176b5
- memory/324-33-0x000007FEF6790000-0x000007FEF6A0A000-memory.dmp (2.5MB)
- memory/568-21-0x0000000000000000-mapping.dmp
- memory/664-24-0x0000000000000000-mapping.dmp
- memory/844-9-0x0000000000220000-0x0000000000230000-memory.dmp (64KB)
- memory/844-10-0x0000000000400000-0x0000000000411000-memory.dmp (68KB)
- memory/844-2-0x0000000076881000-0x0000000076883000-memory.dmp (8KB)
- memory/900-30-0x0000000000000000-mapping.dmp
- memory/1176-22-0x0000000000000000-mapping.dmp
- memory/1348-27-0x000007FEFC2B1000-0x000007FEFC2B3000-memory.dmp (8KB)
- memory/1404-23-0x0000000000000000-mapping.dmp
- memory/1480-28-0x0000000000000000-mapping.dmp
- memory/1496-14-0x0000000000000000-mapping.dmp
- memory/1664-29-0x0000000000000000-mapping.dmp
- memory/1684-26-0x0000000000000000-mapping.dmp
- memory/1716-25-0x0000000000000000-mapping.dmp
- memory/1748-16-0x0000000000000000-mapping.dmp
- memory/1996-8-0x0000000000000000-mapping.dmp
- memory/2036-5-0x0000000000000000-mapping.dmp