General

  • Target

    ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe

  • Size

    113KB

  • Sample

    210504-pcbjbfxd4n

  • MD5

    0332ce73221dc1b6d26b5f5fa0f06318

  • SHA1

    872e61c0a08c9dea4388d5c897b3d7ed3e8c13b7

  • SHA256

    ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518

  • SHA512

    71482a7798e70ab8176d88e3bfaec0c823118aa19c21b7afdb69f5fd031a91fef4e3d04a05c0ac0752df5904be32e6a9895448f62ee23b015f5e563c29385702

Malware Config

Targets

    • WastedLocker

      Ransomware family seen in the wild since May 2020.

    • CryptOne packer

      Detects the CryptOne packer as defined in the NCC blog post.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Possible privilege escalation attempt

    • Deletes itself

    • Loads dropped DLL

    • Modifies file permissions

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Hidden Files and Directories

    T1158 (1)

Defense Evasion

  • File Deletion

    T1107 (2)

  • File Permissions Modification

    T1222 (1)

  • Hidden Files and Directories

    T1158 (1)

Impact

  • Inhibit System Recovery

    T1490 (2)

Tasks