82d841869e912a772413bb37f30307b0.exe

General
Target

82d841869e912a772413bb37f30307b0.exe

Filesize

1MB

Completed

14-03-2021 08:57

Score
10 /10
MD5

82d841869e912a772413bb37f30307b0

SHA1

b75ab0170c1206c345d2fb82506e816098328ee8

SHA256

db665f26dbc4ca92d326f2cb98faafb9e84d404346b201cd88bec91ce4206bb2

Malware Config
Signatures 13

Tactics: Defense Evasion, Impact
  • WastedLocker

    Description

    Ransomware family seen in the wild since May 2020.

  • CryptOne packer

    Description

    Detects CryptOne packer defined in NCC blogpost.

    Reported IOCs

    resource | yara_rule
    behavioral2/files/0x000200000001ab57-5.dat | cryptone
    behavioral2/files/0x000200000001ab57-6.dat | cryptone
    behavioral2/files/0x0003000000014bbd-11.dat | cryptone
    behavioral2/files/0x0003000000014bbd-13.dat | cryptone
  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion, Inhibit System Recovery
  • Executes dropped EXE
    Scsi:bin, Scsi.exe

    Reported IOCs

    pid | process
    2368 | Scsi:bin
    2292 | Scsi.exe
  • Modifies extensions of user files
    Scsi.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Users\Admin\Pictures\CompressSave.png.seccrypt | Scsi.exe
    File opened for modification | C:\Users\Admin\Pictures\DisableMeasure.tif.seccrypt | Scsi.exe
    File created | C:\Users\Admin\Pictures\SearchReceive.crw.howto_seccrypt | Scsi.exe
    File opened for modification | C:\Users\Admin\Pictures\SearchReceive.crw.seccrypt | Scsi.exe
    File opened for modification | C:\Users\Admin\Pictures\SendRestore.tiff.seccrypt | Scsi.exe
    File created | C:\Users\Admin\Pictures\CompressSave.png.howto_seccrypt | Scsi.exe
    File renamed | C:\Users\Admin\Pictures\CompressSave.png => C:\Users\Admin\Pictures\CompressSave.png.seccrypt | Scsi.exe
    File created | C:\Users\Admin\Pictures\DisableMeasure.tif.howto_seccrypt | Scsi.exe
    File renamed | C:\Users\Admin\Pictures\DisableMeasure.tif => C:\Users\Admin\Pictures\DisableMeasure.tif.seccrypt | Scsi.exe
    File renamed | C:\Users\Admin\Pictures\SearchReceive.crw => C:\Users\Admin\Pictures\SearchReceive.crw.seccrypt | Scsi.exe
    File created | C:\Users\Admin\Pictures\SendRestore.tiff.howto_seccrypt | Scsi.exe
    File renamed | C:\Users\Admin\Pictures\SendRestore.tiff => C:\Users\Admin\Pictures\SendRestore.tiff.seccrypt | Scsi.exe
  • Possible privilege escalation attempt
    takeown.exe, icacls.exe

    Tags

    Reported IOCs

    pid | process
    3596 | takeown.exe
    3984 | icacls.exe
  • Modifies file permissions
    takeown.exe, icacls.exe

    Tags

    TTPs

    File Permissions Modification

    Reported IOCs

    pid | process
    3596 | takeown.exe
    3984 | icacls.exe
  • Drops file in System32 directory
    Scsi:bin, attrib.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\SysWOW64\Scsi.exe | Scsi:bin
    File opened for modification | C:\Windows\SysWOW64\Scsi.exe | attrib.exe
  • Interacts with shadow copies
    vssadmin.exe

    Description

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    Tags

    TTPs

    File Deletion, Inhibit System Recovery

    Reported IOCs

    pid | process
    2740 | vssadmin.exe
  • NTFS ADS
    82d841869e912a772413bb37f30307b0.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Users\Admin\AppData\Roaming\Scsi:bin | 82d841869e912a772413bb37f30307b0.exe
  • Suspicious use of AdjustPrivilegeToken
    vssvc.exe

    Reported IOCs

    description | pid | process
    Token: SeBackupPrivilege | 2916 | vssvc.exe
    Token: SeRestorePrivilege | 2916 | vssvc.exe
    Token: SeAuditPrivilege | 2916 | vssvc.exe
  • Suspicious use of WriteProcessMemory
    82d841869e912a772413bb37f30307b0.exe, Scsi:bin, Scsi.exe, cmd.exe, cmd.exe, cmd.exe

    Reported IOCs

    description | pid | process | target process | occurrences
    PID 512 wrote to memory of 2368 | 512 | 82d841869e912a772413bb37f30307b0.exe | Scsi:bin | 3
    PID 2368 wrote to memory of 2740 | 2368 | Scsi:bin | vssadmin.exe | 2
    PID 2368 wrote to memory of 3596 | 2368 | Scsi:bin | takeown.exe | 3
    PID 2368 wrote to memory of 3984 | 2368 | Scsi:bin | icacls.exe | 3
    PID 2292 wrote to memory of 3696 | 2292 | Scsi.exe | cmd.exe | 3
    PID 3696 wrote to memory of 580 | 3696 | cmd.exe | choice.exe | 3
    PID 2368 wrote to memory of 3888 | 2368 | Scsi:bin | cmd.exe | 3
    PID 512 wrote to memory of 1200 | 512 | 82d841869e912a772413bb37f30307b0.exe | cmd.exe | 3
    PID 3888 wrote to memory of 2276 | 3888 | cmd.exe | choice.exe | 3
    PID 1200 wrote to memory of 2736 | 1200 | cmd.exe | choice.exe | 3
    PID 3696 wrote to memory of 1808 | 3696 | cmd.exe | attrib.exe | 3
    PID 3888 wrote to memory of 1820 | 3888 | cmd.exe | attrib.exe | 3
    PID 1200 wrote to memory of 1176 | 1200 | cmd.exe | attrib.exe | 3
  • Views/modifies file attributes
    attrib.exe, attrib.exe, attrib.exe

    Tags

    TTPs

    Hidden Files and Directories

    Reported IOCs

    pid | process
    1808 | attrib.exe
    1820 | attrib.exe
    1176 | attrib.exe
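The "Modifies extensions of user files" rows above show the encryptor's file-system footprint: each user file is renamed in place to `<name>.seccrypt`, and a `<name>.howto_seccrypt` note is created next to it. The following is an added example, not part of the sandbox report, that turns that footprint into a detection over file-activity events. The event tuples are constructed from the IOC rows above (plus two invented benign controls), the field layout and the thresholds `MIN_RENAMES` / `MIN_SHARE` are assumptions, and the check learns the appended suffix from the events instead of hardcoding `.seccrypt`, so it also covers a sample that appends a different marker.

```python
"""File-activity heuristic for the "Modifies extensions of user files" rows.

Added example, not part of the sandbox report. Event tuples are constructed
from the IOC rows above plus benign controls; the thresholds are assumptions.
"""
import ntpath
from collections import Counter

# Constructed events: (process, action, path, new_path). new_path is only
# set for renames. The last two entries are invented benign controls.
FILE_EVENTS = [
    ("Scsi.exe", "renamed", r"C:\Users\Admin\Pictures\CompressSave.png",
     r"C:\Users\Admin\Pictures\CompressSave.png.seccrypt"),
    ("Scsi.exe", "created", r"C:\Users\Admin\Pictures\CompressSave.png.howto_seccrypt", None),
    ("Scsi.exe", "modified", r"C:\Users\Admin\Pictures\CompressSave.png.seccrypt", None),
    ("Scsi.exe", "renamed", r"C:\Users\Admin\Pictures\DisableMeasure.tif",
     r"C:\Users\Admin\Pictures\DisableMeasure.tif.seccrypt"),
    ("Scsi.exe", "created", r"C:\Users\Admin\Pictures\DisableMeasure.tif.howto_seccrypt", None),
    ("Scsi.exe", "renamed", r"C:\Users\Admin\Pictures\SearchReceive.crw",
     r"C:\Users\Admin\Pictures\SearchReceive.crw.seccrypt"),
    ("Scsi.exe", "created", r"C:\Users\Admin\Pictures\SearchReceive.crw.howto_seccrypt", None),
    ("Scsi.exe", "renamed", r"C:\Users\Admin\Pictures\SendRestore.tiff",
     r"C:\Users\Admin\Pictures\SendRestore.tiff.seccrypt"),
    ("Scsi.exe", "created", r"C:\Users\Admin\Pictures\SendRestore.tiff.howto_seccrypt", None),
    ("explorer.exe", "renamed", r"C:\Users\Admin\Documents\draft.txt",
     r"C:\Users\Admin\Documents\final.txt"),
    ("backup.exe", "renamed", r"C:\Users\Admin\Documents\notes.txt",
     r"C:\Users\Admin\Documents\notes.txt.bak"),
]

MIN_RENAMES = 3   # assumption: fewer suffix-appending renames is not worth an alert
MIN_SHARE = 0.9   # assumption: share of a process's renames that add the same suffix


def added_suffix(old, new):
    """'X' -> 'X.ext' returns 'ext'; any other rename returns None."""
    if not new.startswith(old + "."):
        return None
    ext = new[len(old) + 1:]
    return ext if ext and "\\" not in ext and "." not in ext else None


def profile_process(events, proc):
    """Summarise one process's renames: dominant appended suffix, how many
    files received it, note-like files created beside them, directories hit."""
    mine = [e for e in events if e[0] == proc]
    renames = [(p, n) for _, a, p, n in mine if a == "renamed"]
    suffixes = Counter()
    for old, new in renames:
        ext = added_suffix(old, new)
        if ext:
            suffixes[ext] += 1
    if not suffixes:
        return {"process": proc, "flagged": False, "extension": None,
                "renamed": 0, "notes": 0, "directories": []}
    ext, count = suffixes.most_common(1)[0]
    targets = {n for _, n in renames}
    # Heuristic: files the process created that carry the same marker but are
    # not rename targets (here the X.howto_seccrypt notes).
    notes = [p for _, a, p, _ in mine
             if a == "created" and p.lower().endswith(ext.lower()) and p not in targets]
    dirs = sorted({ntpath.dirname(old) for old, new in renames
                   if added_suffix(old, new) == ext})
    flagged = count >= MIN_RENAMES and count / len(renames) >= MIN_SHARE
    return {"process": proc, "flagged": flagged, "extension": ext,
            "renamed": count, "notes": len(notes), "directories": dirs}


def scan(events):
    """Profile every process seen and return only the flagged ones."""
    procs = sorted({e[0] for e in events})
    return [p for p in (profile_process(events, x) for x in procs) if p["flagged"]]


if __name__ == "__main__":
    for hit in scan(FILE_EVENTS):
        print(hit)
```

On the constructed events only `Scsi.exe` is flagged (four renames, all appending `seccrypt`, four notes, one directory); the single `.bak` rename by the control process stays below `MIN_RENAMES`, and a plain rename that does not append a suffix contributes nothing. In production the same profile would be computed per process over a sliding window rather than over a whole capture.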
Processes 16
  • C:\Users\Admin\AppData\Local\Temp\82d841869e912a772413bb37f30307b0.exe
    "C:\Users\Admin\AppData\Local\Temp\82d841869e912a772413bb37f30307b0.exe"
    NTFS ADS
    Suspicious use of WriteProcessMemory
    PID:512
    • C:\Users\Admin\AppData\Roaming\Scsi:bin
      C:\Users\Admin\AppData\Roaming\Scsi:bin -r
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2368
      • C:\Windows\system32\vssadmin.exe
        C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
        Interacts with shadow copies
        PID:2740
      • C:\Windows\SysWOW64\takeown.exe
        C:\Windows\system32\takeown.exe /F C:\Windows\system32\Scsi.exe
        Possible privilege escalation attempt
        Modifies file permissions
        PID:3596
      • C:\Windows\SysWOW64\icacls.exe
        C:\Windows\system32\icacls.exe C:\Windows\system32\Scsi.exe /reset
        Possible privilege escalation attempt
        Modifies file permissions
        PID:3984
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Scsi" & del "C:\Users\Admin\AppData\Roaming\Scsi"
        Suspicious use of WriteProcessMemory
        PID:3888
        • C:\Windows\SysWOW64\choice.exe
          choice /t 10 /d y
          PID:2276
        • C:\Windows\SysWOW64\attrib.exe
          attrib -h "C:\Users\Admin\AppData\Roaming\Scsi"
          Views/modifies file attributes
          PID:1820
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\82d841869e912a772413bb37f30307b0.exe" & del "C:\Users\Admin\AppData\Local\Temp\82d841869e912a772413bb37f30307b0.exe"
      Suspicious use of WriteProcessMemory
      PID:1200
      • C:\Windows\SysWOW64\choice.exe
        choice /t 10 /d y
        PID:2736
      • C:\Windows\SysWOW64\attrib.exe
        attrib -h "C:\Users\Admin\AppData\Local\Temp\82d841869e912a772413bb37f30307b0.exe"
        Views/modifies file attributes
        PID:1176
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:2916
  • C:\Windows\SysWOW64\Scsi.exe
    C:\Windows\SysWOW64\Scsi.exe -s
    Executes dropped EXE
    Modifies extensions of user files
    Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Scsi.exe" & del "C:\Windows\SysWOW64\Scsi.exe"
      Suspicious use of WriteProcessMemory
      PID:3696
      • C:\Windows\SysWOW64\choice.exe
        choice /t 10 /d y
        PID:580
      • C:\Windows\SysWOW64\attrib.exe
        attrib -h "C:\Windows\SysWOW64\Scsi.exe"
        Drops file in System32 directory
        Views/modifies file attributes
        PID:1808
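The process tree above is the part of this report that transfers best to a detection rule: the loader writes itself into the NTFS alternate data stream `Scsi:bin` and runs it with `-r`; that copy deletes all shadow copies with `vssadmin Delete Shadows /All /Quiet`, takes ownership of and resets the ACL on a file under `\Windows\` (the 32-bit process asks for `system32\Scsi.exe`, and WoW64 file-system redirection places it in `SysWOW64`, which is why the "Drops file in System32 directory" signature reports `C:\Windows\SysWOW64\Scsi.exe`), and every stage ends with a `cmd /c choice /t 10 /d y & attrib -h ... & del ...` chain that sleeps ten seconds and then removes the stage that spawned it (deleting the host file `Scsi` also removes its `:bin` stream). The "Suspicious use of WriteProcessMemory" rows are the parent-to-child edges of that tree. The following is an added example, not part of the sandbox output: it runs narrow command-line rules over constructed process-creation events copied from the tree (plus one invented benign control), joins the hits up each chain to its root process, and gives a verdict per chain rather than per process. The `(pid, ppid, image, command line)` layout, the rule names and the threshold in `verdict` are assumptions.

```python
"""Process-chain detection for the behaviours in this report.

Added example (not part of the sandbox output). Events are constructed from
the process tree above; field layout, rule names and thresholds are assumptions.
"""
import re
from collections import defaultdict

# Constructed process-creation events. Scsi.exe (PID 2292) has no parent in
# the report, so its ppid is recorded as 0; the last event is a benign control.
EVENTS = [
    (512, 0, r"C:\Users\Admin\AppData\Local\Temp\82d841869e912a772413bb37f30307b0.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\82d841869e912a772413bb37f30307b0.exe"'),
    (2368, 512, r"C:\Users\Admin\AppData\Roaming\Scsi:bin",
     r"C:\Users\Admin\AppData\Roaming\Scsi:bin -r"),
    (2740, 2368, r"C:\Windows\system32\vssadmin.exe",
     r"C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet"),
    (3596, 2368, r"C:\Windows\SysWOW64\takeown.exe",
     r"C:\Windows\system32\takeown.exe /F C:\Windows\system32\Scsi.exe"),
    (3984, 2368, r"C:\Windows\SysWOW64\icacls.exe",
     r"C:\Windows\system32\icacls.exe C:\Windows\system32\Scsi.exe /reset"),
    (3888, 2368, r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Scsi" & del "C:\Users\Admin\AppData\Roaming\Scsi"'),
    (1200, 512, r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\82d841869e912a772413bb37f30307b0.exe" & del "C:\Users\Admin\AppData\Local\Temp\82d841869e912a772413bb37f30307b0.exe"'),
    (2292, 0, r"C:\Windows\SysWOW64\Scsi.exe", r"C:\Windows\SysWOW64\Scsi.exe -s"),
    (3696, 2292, r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Scsi.exe" & del "C:\Windows\SysWOW64\Scsi.exe"'),
    (4000, 4100, r"C:\Windows\System32\icacls.exe",
     r"icacls C:\Users\Admin\Documents\report.docx /reset"),  # invented benign control
]

# Command-line rules. Each is narrow on purpose: vssadmin alone is noisy,
# "delete shadows /all" is not; icacls /reset on a user file is routine,
# on a file under \Windows\ it is not.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows\b.*\s/all\b", re.I),
    "takeown_windows_dir": re.compile(
        r"takeown(\.exe)?\s+/f\s+\S*\\windows\\", re.I),
    "icacls_reset_windows_dir": re.compile(
        r"icacls(\.exe)?\s+\S*\\windows\\\S*\s+/reset\b", re.I),
    # choice /t N /d y is a sleep; attrib -h followed by del is the self-delete.
    "delayed_self_delete": re.compile(
        r"choice\s+/t\s+\d+\s+/d\s+y\s*&.*\battrib\s+-h\b.*&\s*del\b", re.I),
}


def is_ads_path(image):
    """True when the image path names an NTFS alternate data stream (file:stream).
    The drive-letter colon is skipped by splitting on the first ':\\'."""
    _, sep, rest = image.partition(":\\")
    return bool(sep) and ":" in rest


def match_event(image, cmdline):
    """Return the sorted rule names a single process-creation event trips."""
    hits = [name for name, rx in RULES.items() if rx.search(cmdline)]
    if is_ads_path(image):
        hits.append("exec_from_ntfs_ads")
    return sorted(hits)


def root_of(pid, parents):
    """Walk ppid links up to the oldest ancestor present in the event set."""
    seen = set()
    while pid not in seen and parents.get(pid) in parents:
        seen.add(pid)
        pid = parents[pid]
    return pid


def score_chains(events):
    """Union each process's hits into the chain rooted at its top ancestor, so
    the verdict covers the whole tree (512 -> 2368 -> vssadmin/takeown/icacls)
    rather than one child process in isolation."""
    parents = {pid: ppid for pid, ppid, _, _ in events}
    chains = defaultdict(set)
    for pid, _, image, cmdline in events:
        chains[root_of(pid, parents)].update(match_event(image, cmdline))
    return {root: sorted(hits) for root, hits in chains.items()}


def verdict(hits, min_rules=3):
    """Ransomware-like when shadow copies were deleted and several other
    behaviours co-occur in the same chain (threshold is an assumption)."""
    return "shadow_copy_deletion" in hits and len(hits) >= min_rules


if __name__ == "__main__":
    for root, hits in score_chains(EVENTS).items():
        print(root, "RANSOMWARE-LIKE" if verdict(hits) else "-", hits)
```

Run against the constructed events, the chain rooted at PID 512 trips all five rules and is the only one that reaches the verdict; the `Scsi.exe` chain (PID 2292) shows only the self-delete pattern, because its parent is not recorded in the report, and the benign `icacls /reset` on a user document trips nothing. Note that the ADS check keys on the image path, not the command line, so an EDR field that only carries the command line would need the same split applied to its first token.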
Network
MITRE ATT&CK Matrix
Collection, Command and Control, Credential Access, Discovery, Execution, Exfiltration, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
The dropped files below carry the same MD5, SHA1 and SHA256 as the submitted sample (see General), so the Scsi:bin stream and SysWOW64\Scsi.exe are unmodified copies of the original executable.
  • C:\Users\Admin\AppData\Roaming\Scsi:bin
  • C:\Windows\SysWOW64\Scsi.exe

    MD5 82d841869e912a772413bb37f30307b0
    SHA1 b75ab0170c1206c345d2fb82506e816098328ee8
    SHA256 db665f26dbc4ca92d326f2cb98faafb9e84d404346b201cd88bec91ce4206bb2
    SHA512 48078796a9aa03e685bebd14539586c099f30c3a1e18639d4acb810dc3bbb0dc14b09066797e79c34dcd91a120b08537aadf228585e226101384ade3fe2252c6

  • memory/512-3-0x0000000000400000-0x0000000000411000-memory.dmp
  • memory/512-2-0x0000000000580000-0x0000000000590000-memory.dmp
  • memory/580-17-0x0000000000000000-mapping.dmp
  • memory/1176-24-0x0000000000000000-mapping.dmp
  • memory/1200-19-0x0000000000000000-mapping.dmp
  • memory/1808-22-0x0000000000000000-mapping.dmp
  • memory/1820-23-0x0000000000000000-mapping.dmp
  • memory/2276-20-0x0000000000000000-mapping.dmp
  • memory/2368-4-0x0000000000000000-mapping.dmp
  • memory/2736-21-0x0000000000000000-mapping.dmp
  • memory/2740-7-0x0000000000000000-mapping.dmp
  • memory/3596-10-0x0000000000000000-mapping.dmp
  • memory/3696-16-0x0000000000000000-mapping.dmp
  • memory/3888-18-0x0000000000000000-mapping.dmp
  • memory/3984-12-0x0000000000000000-mapping.dmp