wastedlocker | ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518

Analysis

max time kernel
32s
max time network
14s
platform
windows7_x64
resource
win7v20210408
submitted
04/05/2021, 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe
Size

113KB
MD5

0332ce73221dc1b6d26b5f5fa0f06318
SHA1

872e61c0a08c9dea4388d5c897b3d7ed3e8c13b7
SHA256

ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518
SHA512

71482a7798e70ab8176d88e3bfaec0c823118aa19c21b7afdb69f5fd031a91fef4e3d04a05c0ac0752df5904be32e6a9895448f62ee23b015f5e563c29385702

Score

10^/10

wastedlocker cryptone discovery exploit packer ransomware

Malware Config

Signatures

WastedLocker
Ransomware family seen in the wild since May 2020.
ransomware wastedlocker

CryptOne packer 4 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

resource	yara_rule
behavioral1/files/0x00040000000130df-66.dat	cryptone
behavioral1/files/0x00040000000130df-71.dat	cryptone
behavioral1/files/0x0005000000005668-73.dat	cryptone
behavioral1/files/0x0005000000005668-75.dat	cryptone

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

pid	Process
1796	File:bin
2016	File.exe

Modifies extensions of user files 24 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\BackupTrace.tif.saverswasted_info	File.exe
File opened for modification	C:\Users\Admin\Pictures\BackupTrace.tif.saverswasted	File.exe
File created	C:\Users\Admin\Pictures\MergeApprove.tiff.saverswasted_info	File.exe
File created	C:\Users\Admin\Pictures\UnprotectBackup.crw.saverswasted_info	File.exe
File opened for modification	C:\Users\Admin\Pictures\UnprotectBackup.crw.saverswasted	File.exe
File opened for modification	C:\Users\Admin\Pictures\RevokeEdit.crw.saverswasted	File.exe
File opened for modification	C:\Users\Admin\Pictures\WatchPing.tiff.saverswasted	File.exe
File opened for modification	C:\Users\Admin\Pictures\AddGroup.png.saverswasted	File.exe
File renamed	C:\Users\Admin\Pictures\BackupTrace.tif => C:\Users\Admin\Pictures\BackupTrace.tif.saverswasted	File.exe
File renamed	C:\Users\Admin\Pictures\ConfirmSet.tif => C:\Users\Admin\Pictures\ConfirmSet.tif.saverswasted	File.exe
File opened for modification	C:\Users\Admin\Pictures\ConfirmSet.tif.saverswasted	File.exe
File renamed	C:\Users\Admin\Pictures\MergeApprove.tiff => C:\Users\Admin\Pictures\MergeApprove.tiff.saverswasted	File.exe
File renamed	C:\Users\Admin\Pictures\PopShow.crw => C:\Users\Admin\Pictures\PopShow.crw.saverswasted	File.exe
File created	C:\Users\Admin\Pictures\RevokeEdit.crw.saverswasted_info	File.exe
File created	C:\Users\Admin\Pictures\ConfirmSet.tif.saverswasted_info	File.exe
File created	C:\Users\Admin\Pictures\PopShow.crw.saverswasted_info	File.exe
File renamed	C:\Users\Admin\Pictures\UnprotectBackup.crw => C:\Users\Admin\Pictures\UnprotectBackup.crw.saverswasted	File.exe
File created	C:\Users\Admin\Pictures\WatchPing.tiff.saverswasted_info	File.exe
File created	C:\Users\Admin\Pictures\AddGroup.png.saverswasted_info	File.exe
File renamed	C:\Users\Admin\Pictures\AddGroup.png => C:\Users\Admin\Pictures\AddGroup.png.saverswasted	File.exe
File opened for modification	C:\Users\Admin\Pictures\MergeApprove.tiff.saverswasted	File.exe
File opened for modification	C:\Users\Admin\Pictures\PopShow.crw.saverswasted	File.exe
File renamed	C:\Users\Admin\Pictures\RevokeEdit.crw => C:\Users\Admin\Pictures\RevokeEdit.crw.saverswasted	File.exe
File renamed	C:\Users\Admin\Pictures\WatchPing.tiff => C:\Users\Admin\Pictures\WatchPing.tiff.saverswasted	File.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
428	takeown.exe
916	icacls.exe

Deletes itself 1 IoCs

pid	Process
1468	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
792	ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe
792	ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
428	takeown.exe
916	icacls.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\File.exe	File:bin
File opened for modification	C:\Windows\SysWOW64\File.exe	attrib.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1168	vssadmin.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\File:bin	ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	1628	vssvc.exe
Token: SeRestorePrivilege	1628	vssvc.exe
Token: SeAuditPrivilege	1628	vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
948	notepad.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 792 wrote to memory of 1796	792	ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe	25
PID 792 wrote to memory of 1796	792	ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe	25
PID 792 wrote to memory of 1796	792	ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe	25
PID 792 wrote to memory of 1796	792	ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe	25
PID 1796 wrote to memory of 1168	1796	File:bin	26
PID 1796 wrote to memory of 1168	1796	File:bin	26
PID 1796 wrote to memory of 1168	1796	File:bin	26
PID 1796 wrote to memory of 1168	1796	File:bin	26
PID 1796 wrote to memory of 428	1796	File:bin	34
PID 1796 wrote to memory of 428	1796	File:bin	34
PID 1796 wrote to memory of 428	1796	File:bin	34
PID 1796 wrote to memory of 428	1796	File:bin	34
PID 1796 wrote to memory of 916	1796	File:bin	36
PID 1796 wrote to memory of 916	1796	File:bin	36
PID 1796 wrote to memory of 916	1796	File:bin	36
PID 1796 wrote to memory of 916	1796	File:bin	36
PID 2016 wrote to memory of 1608	2016	File.exe	40
PID 2016 wrote to memory of 1608	2016	File.exe	40
PID 2016 wrote to memory of 1608	2016	File.exe	40
PID 2016 wrote to memory of 1608	2016	File.exe	40
PID 1796 wrote to memory of 1680	1796	File:bin	42
PID 1796 wrote to memory of 1680	1796	File:bin	42
PID 1796 wrote to memory of 1680	1796	File:bin	42
PID 1796 wrote to memory of 1680	1796	File:bin	42
PID 1608 wrote to memory of 1640	1608	cmd.exe	43
PID 1608 wrote to memory of 1640	1608	cmd.exe	43
PID 1608 wrote to memory of 1640	1608	cmd.exe	43
PID 1608 wrote to memory of 1640	1608	cmd.exe	43
PID 792 wrote to memory of 1468	792	ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe	45
PID 792 wrote to memory of 1468	792	ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe	45
PID 792 wrote to memory of 1468	792	ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe	45
PID 792 wrote to memory of 1468	792	ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe	45
PID 1680 wrote to memory of 1328	1680	cmd.exe	47
PID 1680 wrote to memory of 1328	1680	cmd.exe	47
PID 1680 wrote to memory of 1328	1680	cmd.exe	47
PID 1680 wrote to memory of 1328	1680	cmd.exe	47
PID 1468 wrote to memory of 2044	1468	cmd.exe	48
PID 1468 wrote to memory of 2044	1468	cmd.exe	48
PID 1468 wrote to memory of 2044	1468	cmd.exe	48
PID 1468 wrote to memory of 2044	1468	cmd.exe	48
PID 1608 wrote to memory of 208	1608	cmd.exe	50
PID 1608 wrote to memory of 208	1608	cmd.exe	50
PID 1608 wrote to memory of 208	1608	cmd.exe	50
PID 1608 wrote to memory of 208	1608	cmd.exe	50
PID 1680 wrote to memory of 228	1680	cmd.exe	52
PID 1680 wrote to memory of 228	1680	cmd.exe	52
PID 1680 wrote to memory of 228	1680	cmd.exe	52
PID 1680 wrote to memory of 228	1680	cmd.exe	52
PID 1468 wrote to memory of 220	1468	cmd.exe	51
PID 1468 wrote to memory of 220	1468	cmd.exe	51
PID 1468 wrote to memory of 220	1468	cmd.exe	51
PID 1468 wrote to memory of 220	1468	cmd.exe	51

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
220	attrib.exe
228	attrib.exe
208	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe
"C:\Users\Admin\AppData\Local\Temp\ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe"
1⤵
- Loads dropped DLL
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:792
- C:\Users\Admin\AppData\Roaming\File:bin
  C:\Users\Admin\AppData\Roaming\File:bin -r
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\system32\vssadmin.exe
    C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1168
- - C:\Windows\SysWOW64\takeown.exe
    C:\Windows\system32\takeown.exe /F C:\Windows\system32\File.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:428
- - C:\Windows\SysWOW64\icacls.exe
    C:\Windows\system32\icacls.exe C:\Windows\system32\File.exe /reset
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:916
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\File" & del "C:\Users\Admin\AppData\Roaming\File"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Windows\SysWOW64\choice.exe
      choice /t 10 /d y
      4⤵
      PID:1328
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -h "C:\Users\Admin\AppData\Roaming\File"
      4⤵
      Views/modifies file attributes
      PID:228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe" & del "C:\Users\Admin\AppData\Local\Temp\ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\SysWOW64\choice.exe
    choice /t 10 /d y
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h "C:\Users\Admin\AppData\Local\Temp\ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe"
    3⤵
    - Views/modifies file attributes
    PID:220

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\SysWOW64\File.exe
C:\Windows\SysWOW64\File.exe -s
1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\File.exe" & del "C:\Windows\SysWOW64\File.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Windows\SysWOW64\choice.exe
    choice /t 10 /d y
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h "C:\Windows\SysWOW64\File.exe"
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:208

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/792-62-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/792-61-0x0000000000220000-0x0000000000232000-memory.dmp

Filesize
72KB

Download
memory/792-60-0x0000000075041000-0x0000000075043000-memory.dmp

Filesize
8KB

Download
memory/948-85-0x000007FEFB561000-0x000007FEFB563000-memory.dmp

Filesize
8KB

Download
memory/1796-70-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2016-78-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads