Analysis
- max time kernel: 32s
- max time network: 14s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 04-05-2021 23:44
Behavioral task: behavioral1
- Sample: ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe
- Resource: win10v20210410
General
- Target: ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe
- Size: 113KB
- MD5: 0332ce73221dc1b6d26b5f5fa0f06318
- SHA1: 872e61c0a08c9dea4388d5c897b3d7ed3e8c13b7
- SHA256: ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518
- SHA512: 71482a7798e70ab8176d88e3bfaec0c823118aa19c21b7afdb69f5fd031a91fef4e3d04a05c0ac0752df5904be32e6a9895448f62ee23b015f5e563c29385702
Malware Config
Signatures
- WastedLocker
  Ransomware family seen in the wild since May 2020.
  Processes (resource  yara_rule):
    C:\Users\Admin\AppData\Roaming\File:bin  cryptone
    C:\Users\Admin\AppData\Roaming\File:bin  cryptone
    C:\Windows\SysWOW64\File.exe  cryptone
    C:\Windows\SysWOW64\File.exe  cryptone
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (2 IoCs)
  Processes (pid  process):
    1796  File:bin
    2016  File.exe
- Modifies extensions of user files (24 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description  ioc  process):
    File created  C:\Users\Admin\Pictures\BackupTrace.tif.saverswasted_info  File.exe
    File opened for modification  C:\Users\Admin\Pictures\BackupTrace.tif.saverswasted  File.exe
    File created  C:\Users\Admin\Pictures\MergeApprove.tiff.saverswasted_info  File.exe
    File created  C:\Users\Admin\Pictures\UnprotectBackup.crw.saverswasted_info  File.exe
    File opened for modification  C:\Users\Admin\Pictures\UnprotectBackup.crw.saverswasted  File.exe
    File opened for modification  C:\Users\Admin\Pictures\RevokeEdit.crw.saverswasted  File.exe
    File opened for modification  C:\Users\Admin\Pictures\WatchPing.tiff.saverswasted  File.exe
    File opened for modification  C:\Users\Admin\Pictures\AddGroup.png.saverswasted  File.exe
    File renamed  C:\Users\Admin\Pictures\BackupTrace.tif => C:\Users\Admin\Pictures\BackupTrace.tif.saverswasted  File.exe
    File renamed  C:\Users\Admin\Pictures\ConfirmSet.tif => C:\Users\Admin\Pictures\ConfirmSet.tif.saverswasted  File.exe
    File opened for modification  C:\Users\Admin\Pictures\ConfirmSet.tif.saverswasted  File.exe
    File renamed  C:\Users\Admin\Pictures\MergeApprove.tiff => C:\Users\Admin\Pictures\MergeApprove.tiff.saverswasted  File.exe
    File renamed  C:\Users\Admin\Pictures\PopShow.crw => C:\Users\Admin\Pictures\PopShow.crw.saverswasted  File.exe
    File created  C:\Users\Admin\Pictures\RevokeEdit.crw.saverswasted_info  File.exe
    File created  C:\Users\Admin\Pictures\ConfirmSet.tif.saverswasted_info  File.exe
    File created  C:\Users\Admin\Pictures\PopShow.crw.saverswasted_info  File.exe
    File renamed  C:\Users\Admin\Pictures\UnprotectBackup.crw => C:\Users\Admin\Pictures\UnprotectBackup.crw.saverswasted  File.exe
    File created  C:\Users\Admin\Pictures\WatchPing.tiff.saverswasted_info  File.exe
    File created  C:\Users\Admin\Pictures\AddGroup.png.saverswasted_info  File.exe
    File renamed  C:\Users\Admin\Pictures\AddGroup.png => C:\Users\Admin\Pictures\AddGroup.png.saverswasted  File.exe
    File opened for modification  C:\Users\Admin\Pictures\MergeApprove.tiff.saverswasted  File.exe
    File opened for modification  C:\Users\Admin\Pictures\PopShow.crw.saverswasted  File.exe
    File renamed  C:\Users\Admin\Pictures\RevokeEdit.crw => C:\Users\Admin\Pictures\RevokeEdit.crw.saverswasted  File.exe
    File renamed  C:\Users\Admin\Pictures\WatchPing.tiff => C:\Users\Admin\Pictures\WatchPing.tiff.saverswasted  File.exe
- Possible privilege escalation attempt (2 IoCs)
  Processes (pid  process):
    428  takeown.exe
    916  icacls.exe
- Deletes itself (1 IoCs)
  Processes (pid  process):
    1468  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid  process):
    792  ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe
    792  ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe
- Modifies file permissions (1 TTPs, 2 IoCs)
  Processes (pid  process):
    428  takeown.exe
    916  icacls.exe
- Drops file in System32 directory (2 IoCs)
  The takeown and icacls command lines name C:\Windows\system32\File.exe, yet the file is written to, and later run from, C:\Windows\SysWOW64\File.exe. File:bin and every process it spawns are 32-bit (their images all load from SysWOW64), so WOW64 file-system redirection maps system32 to SysWOW64 for them; on a 64-bit host, look for the dropped copy under SysWOW64 rather than System32.
  Processes (description  ioc  process):
    File opened for modification  C:\Windows\SysWOW64\File.exe  File:bin
    File opened for modification  C:\Windows\SysWOW64\File.exe  attrib.exe
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid  process):
    1168  vssadmin.exe
- NTFS ADS (1 IoCs)
  The stage written into the alternate data stream File:bin has the same MD5/SHA1/SHA256/SHA512 as the submitted sample (see Downloads), so it is a straight copy of the original executable hidden behind the host file File, whose own hashes differ. Directory listings and most file scanners show only the host file; the stream has to be enumerated explicitly.
  Processes (description  ioc  process):
    File opened for modification  C:\Users\Admin\AppData\Roaming\File:bin  ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  vssvc.exe is the Volume Shadow Copy service, started by Windows to serve the vssadmin request; enabling SeBackupPrivilege and SeRestorePrivilege is the service's own normal behaviour, not an action of the sample.
  Processes (description  pid  process):
    Token: SeBackupPrivilege  1628  vssvc.exe
    Token: SeRestorePrivilege  1628  vssvc.exe
    Token: SeAuditPrivilege  1628  vssvc.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes (pid  process):
    948  notepad.exe
- Suspicious use of WriteProcessMemory (52 IoCs)
  Processes (pid  process  ->  target pid  target process; each pair was recorded 4 times):
    792  ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe  ->  1796  File:bin
    1796  File:bin  ->  1168  vssadmin.exe
    1796  File:bin  ->  428  takeown.exe
    1796  File:bin  ->  916  icacls.exe
    2016  File.exe  ->  1608  cmd.exe
    1796  File:bin  ->  1680  cmd.exe
    1608  cmd.exe  ->  1640  choice.exe
    792  ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe  ->  1468  cmd.exe
    1680  cmd.exe  ->  1328  choice.exe
    1468  cmd.exe  ->  2044  choice.exe
    1608  cmd.exe  ->  208  attrib.exe
    1680  cmd.exe  ->  228  attrib.exe
    1468  cmd.exe  ->  220  attrib.exe
- Views/modifies file attributes (1 TTPs, 3 IoCs)
  Processes (pid  process):
    220  attrib.exe
    228  attrib.exe
    208  attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe (PID 792)
  command line: "C:\Users\Admin\AppData\Local\Temp\ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe"
  signatures: Loads dropped DLL; NTFS ADS; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\File:bin (PID 1796)
    command line: C:\Users\Admin\AppData\Roaming\File:bin -r
    signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe (PID 1168)
      command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      signatures: Interacts with shadow copies
    - C:\Windows\SysWOW64\takeown.exe (PID 428)
      command line: C:\Windows\system32\takeown.exe /F C:\Windows\system32\File.exe
      signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\SysWOW64\icacls.exe (PID 916)
      command line: C:\Windows\system32\icacls.exe C:\Windows\system32\File.exe /reset
      signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\SysWOW64\cmd.exe (PID 1680)
      command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\File" & del "C:\Users\Admin\AppData\Roaming\File"
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\choice.exe (PID 1328)
        command line: choice /t 10 /d y
      - C:\Windows\SysWOW64\attrib.exe (PID 228)
        command line: attrib -h "C:\Users\Admin\AppData\Roaming\File"
        signatures: Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe (PID 1468)
    command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe" & del "C:\Users\Admin\AppData\Local\Temp\ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe"
    signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe (PID 2044)
      command line: choice /t 10 /d y
    - C:\Windows\SysWOW64\attrib.exe (PID 220)
      command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe"
      signatures: Views/modifies file attributes
- C:\Windows\system32\vssvc.exe (PID 1628)
  command line: C:\Windows\system32\vssvc.exe
  signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\File.exe (PID 2016)
  command line: C:\Windows\SysWOW64\File.exe -s
  signatures: Executes dropped EXE; Modifies extensions of user files; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1608)
    command line: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\File.exe" & del "C:\Windows\SysWOW64\File.exe"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe (PID 1640)
      command line: choice /t 10 /d y
    - C:\Windows\SysWOW64\attrib.exe (PID 208)
      command line: attrib -h "C:\Windows\SysWOW64\File.exe"
      signatures: Drops file in System32 directory; Views/modifies file attributes
- C:\Windows\system32\notepad.exe (PID 948)
  command line: "C:\Windows\system32\notepad.exe"
  signatures: Suspicious use of FindShellTrayWindow
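The Signatures section and the process tree above are the output of the sandbox's own rules. The block below is an added example, not part of this report and not the sandbox vendor's rule engine: it re-implements the logic behind four of those signatures (shadow copy deletion via vssadmin, execution from an NTFS alternate data stream, takeown/icacls aimed at a System32 or SysWOW64 path, and the delayed choice/attrib/del clean-up chain) in plain Python and runs it over process-creation events constructed from the PIDs, images and command lines shown in the tree. The Event schema (pid, ppid, image, cmdline) is this example's own assumption. It also generalises "Deletes itself" beyond what the report labels: any delayed-delete chain whose target is the parent's own image counts, including the case where the target is the host file of the ADS the parent is running from, since deleting the host file destroys the stream with it.

```python
"""Added example, not part of this report or of the sandbox's own rule engine:
plain-Python versions of several behaviours flagged in the Signatures section,
run over events constructed from the report's process tree.  The Event field
names are this example's own schema."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

SAMPLE = "ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe"
TEMP_SAMPLE = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
ADS_HOST = r"C:\Users\Admin\AppData\Roaming\File"


@dataclass(frozen=True)
class Event:
    pid: int
    ppid: int      # 0 = parent not shown in the report
    image: str     # full path of the executable image
    cmdline: str


# Constructed from the report's process tree (PIDs, images and command lines as shown there).
EVENTS = [
    Event(792, 0, TEMP_SAMPLE, f'"{TEMP_SAMPLE}"'),
    Event(1796, 792, ADS_HOST + ":bin", ADS_HOST + ":bin -r"),
    Event(1168, 1796, r"C:\Windows\system32\vssadmin.exe", r"C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet"),
    Event(428, 1796, r"C:\Windows\SysWOW64\takeown.exe", r"C:\Windows\system32\takeown.exe /F C:\Windows\system32\File.exe"),
    Event(916, 1796, r"C:\Windows\SysWOW64\icacls.exe", r"C:\Windows\system32\icacls.exe C:\Windows\system32\File.exe /reset"),
    Event(1680, 1796, r"C:\Windows\SysWOW64\cmd.exe", f'cmd /c choice /t 10 /d y & attrib -h "{ADS_HOST}" & del "{ADS_HOST}"'),
    Event(1468, 792, r"C:\Windows\SysWOW64\cmd.exe", f'cmd /c choice /t 10 /d y & attrib -h "{TEMP_SAMPLE}" & del "{TEMP_SAMPLE}"'),
    Event(2016, 0, r"C:\Windows\SysWOW64\File.exe", r"C:\Windows\SysWOW64\File.exe -s"),
    Event(1608, 2016, r"C:\Windows\SysWOW64\cmd.exe", r'cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\File.exe" & del "C:\Windows\SysWOW64\File.exe"'),
    Event(948, 0, r"C:\Windows\system32\notepad.exe", r'"C:\Windows\system32\notepad.exe"'),
]

_ADS_IMAGE = re.compile(r"^[a-z]:\\.*\\[^\\:]+:[^\\:]+$", re.IGNORECASE)   # ...\host:stream
_SYSDIR = re.compile(r"\\windows\\(system32|syswow64)\\", re.IGNORECASE)
_DELAYED_DEL = re.compile(r"\bchoice\s+/t\s+\d+\s+/d\s+y\b.*&\s*del\s+\"?([^\"&]+?)\"?\s*$", re.IGNORECASE)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def deletes_shadow_copies(ev: Event) -> bool:
    """vssadmin 'Delete Shadows', as in the report (listing shadows does not count)."""
    return _base(ev.image) == "vssadmin.exe" and re.search(r"\bdelete\s+shadows\b", ev.cmdline, re.I) is not None


def runs_from_ads(ev: Event) -> bool:
    """Image whose final path component is host:stream.  The drive-letter colon
    is excluded because the match is anchored on the last backslash."""
    return _ADS_IMAGE.match(ev.image) is not None


def tampers_system_dir_acl(ev: Event) -> bool:
    """takeown/icacls aimed at a file under System32 or SysWOW64."""
    return _base(ev.image) in ("takeown.exe", "icacls.exe") and _SYSDIR.search(ev.cmdline) is not None


def delayed_delete_target(ev: Event) -> str | None:
    """File removed by a 'cmd /c choice /t N /d y & ... & del <file>' chain, else None."""
    m = _DELAYED_DEL.search(ev.cmdline) if _base(ev.image) == "cmd.exe" else None
    return m.group(1) if m else None


def deletes_parent_image(ev: Event, events: list[Event]) -> bool:
    """True when the delayed delete targets the parent's own image.  Deleting the
    host file of an ADS (...\\File) also destroys the stream (...\\File:bin), so a
    target that is the host of the parent's stream counts as well."""
    target = delayed_delete_target(ev)
    parent = next((e for e in events if e.pid == ev.ppid), None)
    if target is None or parent is None:
        return False
    t, p = target.lower(), parent.image.lower()
    return p == t or p.startswith(t + ":")


def triage(events: list[Event]) -> dict[int, list[str]]:
    """Map each PID to the labels its event earns; PIDs with no hit are omitted."""
    hits: dict[int, list[str]] = {}
    for ev in events:
        labels = []
        if deletes_shadow_copies(ev):
            labels.append("deletes shadow copies")
        if runs_from_ads(ev):
            labels.append("runs from NTFS ADS")
        if tampers_system_dir_acl(ev):
            labels.append("modifies System32 file ACL")
        if delayed_delete_target(ev) is not None:
            labels.append("deletes parent image" if deletes_parent_image(ev, events) else "delayed delete")
        if labels:
            hits[ev.pid] = labels
    return hits


if __name__ == "__main__":
    for pid, labels in sorted(triage(EVENTS).items()):
        print(f"{pid:>5}  {', '.join(labels)}")
```

Run as a script it prints one line per flagged PID (1168, 1796, 428, 916 and the three cmd.exe instances); the original sample, File.exe and notepad.exe earn no label of their own, which matches the report, where the sample is tagged only for the ADS write and the WriteProcessMemory calls that spawn its children. The ADS rule anchors on the last backslash so that the drive-letter colon in C:\ never matches, and the self-delete rule needs the parent's image, which is why it takes the whole event list rather than a single event.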
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\File:bin
  MD5: 0332ce73221dc1b6d26b5f5fa0f06318
  SHA1: 872e61c0a08c9dea4388d5c897b3d7ed3e8c13b7
  SHA256: ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518
  SHA512: 71482a7798e70ab8176d88e3bfaec0c823118aa19c21b7afdb69f5fd031a91fef4e3d04a05c0ac0752df5904be32e6a9895448f62ee23b015f5e563c29385702
- C:\Users\Admin\Desktop\ConnectCompare.mov.saverswasted_info
  MD5: 7a40df8d00f8d78778a9536302385175
  SHA1: 14a913314356952d098f412c1bb6b506b0fb11bf
  SHA256: 2a44b60dbc6edd8ad9d21ae1a26d92dfe039c41654880d2d5aad04f7332df1c1
  SHA512: af8f2c95a8edfc6abcc26c7ed722737664edfac97a1db37b01e4c72272e622addf413c6a4736bf9fe8ad03d618fa63381c912429af8fa2475541ab747e41247a
- C:\Windows\SysWOW64\File.exe
  MD5: 0332ce73221dc1b6d26b5f5fa0f06318
  SHA1: 872e61c0a08c9dea4388d5c897b3d7ed3e8c13b7
  SHA256: ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518
  SHA512: 71482a7798e70ab8176d88e3bfaec0c823118aa19c21b7afdb69f5fd031a91fef4e3d04a05c0ac0752df5904be32e6a9895448f62ee23b015f5e563c29385702
- \Users\Admin\AppData\Roaming\File
  MD5: fd52c1321514bb28fb2781247dd61cd1
  SHA1: 53aaf7461928e9451d3fb327db2502112919883c
  SHA256: 103befe077c8708b2ea33902729b246208ceb8ec7e8db8c07f77ab906830effa
  SHA512: 19fa091a6f30581b962c2df111cc33cbae68c8ba5a14ce7c487589029d421aba43770cff7bda58d7ecc0e293bb00945ea6e4787cc50d83c365a2f90d666e4181
- memory/208-86-0x0000000000000000-mapping.dmp
- memory/220-88-0x0000000000000000-mapping.dmp
- memory/228-87-0x0000000000000000-mapping.dmp
- memory/428-72-0x0000000000000000-mapping.dmp
- memory/792-62-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/792-61-0x0000000000220000-0x0000000000232000-memory.dmp (Filesize: 72KB)
- memory/792-60-0x0000000075041000-0x0000000075043000-memory.dmp (Filesize: 8KB)
- memory/916-74-0x0000000000000000-mapping.dmp
- memory/948-85-0x000007FEFB561000-0x000007FEFB563000-memory.dmp (Filesize: 8KB)
- memory/1168-68-0x0000000000000000-mapping.dmp
- memory/1328-83-0x0000000000000000-mapping.dmp
- memory/1468-82-0x0000000000000000-mapping.dmp
- memory/1608-79-0x0000000000000000-mapping.dmp
- memory/1640-81-0x0000000000000000-mapping.dmp
- memory/1680-80-0x0000000000000000-mapping.dmp
- memory/1796-70-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/1796-65-0x0000000000000000-mapping.dmp
- memory/2016-78-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/2044-84-0x0000000000000000-mapping.dmp