Analysis
-
max time kernel
21s -
max time network
110s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
14-03-2021 08:54
Behavioral task
behavioral1
Sample
82d841869e912a772413bb37f30307b0.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
82d841869e912a772413bb37f30307b0.exe
Resource
win10v20201028
General
-
Target
82d841869e912a772413bb37f30307b0.exe
-
Size
1.2MB
-
MD5
82d841869e912a772413bb37f30307b0
-
SHA1
b75ab0170c1206c345d2fb82506e816098328ee8
-
SHA256
db665f26dbc4ca92d326f2cb98faafb9e84d404346b201cd88bec91ce4206bb2
-
SHA512
48078796a9aa03e685bebd14539586c099f30c3a1e18639d4acb810dc3bbb0dc14b09066797e79c34dcd91a120b08537aadf228585e226101384ade3fe2252c6
Malware Config
Signatures
-
WastedLocker
Ransomware family seen in the wild since May 2020.
-
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\Scsi:bin cryptone C:\Users\Admin\AppData\Roaming\Scsi:bin cryptone C:\Windows\SysWOW64\Scsi.exe cryptone C:\Windows\SysWOW64\Scsi.exe cryptone -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
Processes:
Scsi:binScsi.exepid process 2368 Scsi:bin 2292 Scsi.exe -
Modifies extensions of user files 12 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
Scsi.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\CompressSave.png.seccrypt Scsi.exe File opened for modification C:\Users\Admin\Pictures\DisableMeasure.tif.seccrypt Scsi.exe File created C:\Users\Admin\Pictures\SearchReceive.crw.howto_seccrypt Scsi.exe File opened for modification C:\Users\Admin\Pictures\SearchReceive.crw.seccrypt Scsi.exe File opened for modification C:\Users\Admin\Pictures\SendRestore.tiff.seccrypt Scsi.exe File created C:\Users\Admin\Pictures\CompressSave.png.howto_seccrypt Scsi.exe File renamed C:\Users\Admin\Pictures\CompressSave.png => C:\Users\Admin\Pictures\CompressSave.png.seccrypt Scsi.exe File created C:\Users\Admin\Pictures\DisableMeasure.tif.howto_seccrypt Scsi.exe File renamed C:\Users\Admin\Pictures\DisableMeasure.tif => C:\Users\Admin\Pictures\DisableMeasure.tif.seccrypt Scsi.exe File renamed C:\Users\Admin\Pictures\SearchReceive.crw => C:\Users\Admin\Pictures\SearchReceive.crw.seccrypt Scsi.exe File created C:\Users\Admin\Pictures\SendRestore.tiff.howto_seccrypt Scsi.exe File renamed C:\Users\Admin\Pictures\SendRestore.tiff => C:\Users\Admin\Pictures\SendRestore.tiff.seccrypt Scsi.exe -
Possible privilege escalation attempt 2 IoCs
Processes:
takeown.exeicacls.exepid process 3596 takeown.exe 3984 icacls.exe -
Modifies file permissions 1 TTPs 2 IoCs
Processes:
takeown.exeicacls.exepid process 3596 takeown.exe 3984 icacls.exe -
Drops file in System32 directory 2 IoCs
Processes:
Scsi:binattrib.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Scsi.exe Scsi:bin File opened for modification C:\Windows\SysWOW64\Scsi.exe attrib.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 2740 vssadmin.exe -
NTFS ADS 1 IoCs
Processes:
82d841869e912a772413bb37f30307b0.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Scsi:bin 82d841869e912a772413bb37f30307b0.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 2916 vssvc.exe Token: SeRestorePrivilege 2916 vssvc.exe Token: SeAuditPrivilege 2916 vssvc.exe -
Suspicious use of WriteProcessMemory 38 IoCs
Processes:
82d841869e912a772413bb37f30307b0.exeScsi:binScsi.execmd.execmd.execmd.exedescription pid process target process PID 512 wrote to memory of 2368 512 82d841869e912a772413bb37f30307b0.exe Scsi:bin PID 512 wrote to memory of 2368 512 82d841869e912a772413bb37f30307b0.exe Scsi:bin PID 512 wrote to memory of 2368 512 82d841869e912a772413bb37f30307b0.exe Scsi:bin PID 2368 wrote to memory of 2740 2368 Scsi:bin vssadmin.exe PID 2368 wrote to memory of 2740 2368 Scsi:bin vssadmin.exe PID 2368 wrote to memory of 3596 2368 Scsi:bin takeown.exe PID 2368 wrote to memory of 3596 2368 Scsi:bin takeown.exe PID 2368 wrote to memory of 3596 2368 Scsi:bin takeown.exe PID 2368 wrote to memory of 3984 2368 Scsi:bin icacls.exe PID 2368 wrote to memory of 3984 2368 Scsi:bin icacls.exe PID 2368 wrote to memory of 3984 2368 Scsi:bin icacls.exe PID 2292 wrote to memory of 3696 2292 Scsi.exe cmd.exe PID 2292 wrote to memory of 3696 2292 Scsi.exe cmd.exe PID 2292 wrote to memory of 3696 2292 Scsi.exe cmd.exe PID 3696 wrote to memory of 580 3696 cmd.exe choice.exe PID 3696 wrote to memory of 580 3696 cmd.exe choice.exe PID 3696 wrote to memory of 580 3696 cmd.exe choice.exe PID 2368 wrote to memory of 3888 2368 Scsi:bin cmd.exe PID 2368 wrote to memory of 3888 2368 Scsi:bin cmd.exe PID 2368 wrote to memory of 3888 2368 Scsi:bin cmd.exe PID 512 wrote to memory of 1200 512 82d841869e912a772413bb37f30307b0.exe cmd.exe PID 512 wrote to memory of 1200 512 82d841869e912a772413bb37f30307b0.exe cmd.exe PID 512 wrote to memory of 1200 512 82d841869e912a772413bb37f30307b0.exe cmd.exe PID 3888 wrote to memory of 2276 3888 cmd.exe choice.exe PID 3888 wrote to memory of 2276 3888 cmd.exe choice.exe PID 3888 wrote to memory of 2276 3888 cmd.exe choice.exe PID 1200 wrote to memory of 2736 1200 cmd.exe choice.exe PID 1200 wrote to memory of 2736 1200 cmd.exe choice.exe PID 1200 wrote to memory of 2736 1200 cmd.exe choice.exe PID 3696 wrote to memory of 1808 3696 cmd.exe attrib.exe PID 3696 wrote to memory of 1808 3696 cmd.exe attrib.exe PID 3696 wrote to memory of 1808 3696 cmd.exe attrib.exe PID 3888 wrote to memory of 1820 3888 cmd.exe attrib.exe PID 3888 wrote to memory of 1820 3888 cmd.exe attrib.exe PID 3888 wrote to memory of 1820 3888 cmd.exe attrib.exe PID 1200 wrote to memory of 1176 1200 cmd.exe attrib.exe PID 1200 wrote to memory of 1176 1200 cmd.exe attrib.exe PID 1200 wrote to memory of 1176 1200 cmd.exe attrib.exe -
Views/modifies file attributes 1 TTPs 3 IoCs
Processes:
attrib.exeattrib.exeattrib.exepid process 1808 attrib.exe 1820 attrib.exe 1176 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\82d841869e912a772413bb37f30307b0.exe"C:\Users\Admin\AppData\Local\Temp\82d841869e912a772413bb37f30307b0.exe"1⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Scsi:binC:\Users\Admin\AppData\Roaming\Scsi:bin -r2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Windows\system32\Scsi.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Windows\system32\Scsi.exe /reset3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Scsi" & del "C:\Users\Admin\AppData\Roaming\Scsi"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y4⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Users\Admin\AppData\Roaming\Scsi"4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\82d841869e912a772413bb37f30307b0.exe" & del "C:\Users\Admin\AppData\Local\Temp\82d841869e912a772413bb37f30307b0.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Users\Admin\AppData\Local\Temp\82d841869e912a772413bb37f30307b0.exe"3⤵
- Views/modifies file attributes
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Scsi.exeC:\Windows\SysWOW64\Scsi.exe -s1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Scsi.exe" & del "C:\Windows\SysWOW64\Scsi.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Windows\SysWOW64\Scsi.exe"3⤵
- Drops file in System32 directory
- Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Scsi:binMD5
82d841869e912a772413bb37f30307b0
SHA1b75ab0170c1206c345d2fb82506e816098328ee8
SHA256db665f26dbc4ca92d326f2cb98faafb9e84d404346b201cd88bec91ce4206bb2
SHA51248078796a9aa03e685bebd14539586c099f30c3a1e18639d4acb810dc3bbb0dc14b09066797e79c34dcd91a120b08537aadf228585e226101384ade3fe2252c6
-
C:\Users\Admin\AppData\Roaming\Scsi:binMD5
82d841869e912a772413bb37f30307b0
SHA1b75ab0170c1206c345d2fb82506e816098328ee8
SHA256db665f26dbc4ca92d326f2cb98faafb9e84d404346b201cd88bec91ce4206bb2
SHA51248078796a9aa03e685bebd14539586c099f30c3a1e18639d4acb810dc3bbb0dc14b09066797e79c34dcd91a120b08537aadf228585e226101384ade3fe2252c6
-
C:\Windows\SysWOW64\Scsi.exeMD5
82d841869e912a772413bb37f30307b0
SHA1b75ab0170c1206c345d2fb82506e816098328ee8
SHA256db665f26dbc4ca92d326f2cb98faafb9e84d404346b201cd88bec91ce4206bb2
SHA51248078796a9aa03e685bebd14539586c099f30c3a1e18639d4acb810dc3bbb0dc14b09066797e79c34dcd91a120b08537aadf228585e226101384ade3fe2252c6
-
C:\Windows\SysWOW64\Scsi.exeMD5
82d841869e912a772413bb37f30307b0
SHA1b75ab0170c1206c345d2fb82506e816098328ee8
SHA256db665f26dbc4ca92d326f2cb98faafb9e84d404346b201cd88bec91ce4206bb2
SHA51248078796a9aa03e685bebd14539586c099f30c3a1e18639d4acb810dc3bbb0dc14b09066797e79c34dcd91a120b08537aadf228585e226101384ade3fe2252c6
-
memory/512-2-0x0000000000580000-0x0000000000590000-memory.dmpFilesize
64KB
-
memory/512-3-0x0000000000400000-0x0000000000411000-memory.dmpFilesize
68KB
-
memory/580-17-0x0000000000000000-mapping.dmp
-
memory/1176-24-0x0000000000000000-mapping.dmp
-
memory/1200-19-0x0000000000000000-mapping.dmp
-
memory/1808-22-0x0000000000000000-mapping.dmp
-
memory/1820-23-0x0000000000000000-mapping.dmp
-
memory/2276-20-0x0000000000000000-mapping.dmp
-
memory/2368-4-0x0000000000000000-mapping.dmp
-
memory/2736-21-0x0000000000000000-mapping.dmp
-
memory/2740-7-0x0000000000000000-mapping.dmp
-
memory/3596-10-0x0000000000000000-mapping.dmp
-
memory/3696-16-0x0000000000000000-mapping.dmp
-
memory/3888-18-0x0000000000000000-mapping.dmp
-
memory/3984-12-0x0000000000000000-mapping.dmp