Analysis
-
max time kernel
21s -
max time network
110s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
14-03-2021 08:54
General
-
Target
82d841869e912a772413bb37f30307b0.exe
-
Size
1.2MB
-
MD5
82d841869e912a772413bb37f30307b0
-
SHA1
b75ab0170c1206c345d2fb82506e816098328ee8
-
SHA256
db665f26dbc4ca92d326f2cb98faafb9e84d404346b201cd88bec91ce4206bb2
-
SHA512
48078796a9aa03e685bebd14539586c099f30c3a1e18639d4acb810dc3bbb0dc14b09066797e79c34dcd91a120b08537aadf228585e226101384ade3fe2252c6
Malware Config
Signatures
-
WastedLocker
Ransomware family seen in the wild since May 2020.
-
CryptOne packer 4 IoCs
Detects CryptOne packer defined in NCC blogpost.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
-
Modifies extensions of user files 12 IoCs
Ransomware generally changes the extension on encrypted files.
-
Possible privilege escalation attempt 2 IoCs
-
Modifies file permissions 1 TTPs 2 IoCs
-
Drops file in System32 directory 2 IoCs
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
NTFS ADS 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
Views/modifies file attributes 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\82d841869e912a772413bb37f30307b0.exe"C:\Users\Admin\AppData\Local\Temp\82d841869e912a772413bb37f30307b0.exe"1⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Scsi:binC:\Users\Admin\AppData\Roaming\Scsi:bin -r2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Windows\system32\Scsi.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Windows\system32\Scsi.exe /reset3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Scsi" & del "C:\Users\Admin\AppData\Roaming\Scsi"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y4⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Users\Admin\AppData\Roaming\Scsi"4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\82d841869e912a772413bb37f30307b0.exe" & del "C:\Users\Admin\AppData\Local\Temp\82d841869e912a772413bb37f30307b0.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Users\Admin\AppData\Local\Temp\82d841869e912a772413bb37f30307b0.exe"3⤵
- Views/modifies file attributes
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Scsi.exeC:\Windows\SysWOW64\Scsi.exe -s1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Scsi.exe" & del "C:\Windows\SysWOW64\Scsi.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Windows\SysWOW64\Scsi.exe"3⤵
- Drops file in System32 directory
- Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Scsi:binMD5
82d841869e912a772413bb37f30307b0
SHA1b75ab0170c1206c345d2fb82506e816098328ee8
SHA256db665f26dbc4ca92d326f2cb98faafb9e84d404346b201cd88bec91ce4206bb2
SHA51248078796a9aa03e685bebd14539586c099f30c3a1e18639d4acb810dc3bbb0dc14b09066797e79c34dcd91a120b08537aadf228585e226101384ade3fe2252c6
-
C:\Users\Admin\AppData\Roaming\Scsi:binMD5
82d841869e912a772413bb37f30307b0
SHA1b75ab0170c1206c345d2fb82506e816098328ee8
SHA256db665f26dbc4ca92d326f2cb98faafb9e84d404346b201cd88bec91ce4206bb2
SHA51248078796a9aa03e685bebd14539586c099f30c3a1e18639d4acb810dc3bbb0dc14b09066797e79c34dcd91a120b08537aadf228585e226101384ade3fe2252c6
-
C:\Windows\SysWOW64\Scsi.exeMD5
82d841869e912a772413bb37f30307b0
SHA1b75ab0170c1206c345d2fb82506e816098328ee8
SHA256db665f26dbc4ca92d326f2cb98faafb9e84d404346b201cd88bec91ce4206bb2
SHA51248078796a9aa03e685bebd14539586c099f30c3a1e18639d4acb810dc3bbb0dc14b09066797e79c34dcd91a120b08537aadf228585e226101384ade3fe2252c6
-
C:\Windows\SysWOW64\Scsi.exeMD5
82d841869e912a772413bb37f30307b0
SHA1b75ab0170c1206c345d2fb82506e816098328ee8
SHA256db665f26dbc4ca92d326f2cb98faafb9e84d404346b201cd88bec91ce4206bb2
SHA51248078796a9aa03e685bebd14539586c099f30c3a1e18639d4acb810dc3bbb0dc14b09066797e79c34dcd91a120b08537aadf228585e226101384ade3fe2252c6
-
memory/512-2-0x0000000000580000-0x0000000000590000-memory.dmpFilesize
64KB
-
memory/512-3-0x0000000000400000-0x0000000000411000-memory.dmpFilesize
68KB
-
memory/580-17-0x0000000000000000-mapping.dmp
-
memory/1176-24-0x0000000000000000-mapping.dmp
-
memory/1200-19-0x0000000000000000-mapping.dmp
-
memory/1808-22-0x0000000000000000-mapping.dmp
-
memory/1820-23-0x0000000000000000-mapping.dmp
-
memory/2276-20-0x0000000000000000-mapping.dmp
-
memory/2368-4-0x0000000000000000-mapping.dmp
-
memory/2736-21-0x0000000000000000-mapping.dmp
-
memory/2740-7-0x0000000000000000-mapping.dmp
-
memory/3596-10-0x0000000000000000-mapping.dmp
-
memory/3696-16-0x0000000000000000-mapping.dmp
-
memory/3888-18-0x0000000000000000-mapping.dmp
-
memory/3984-12-0x0000000000000000-mapping.dmp