Analysis
-
max time kernel
32s -
max time network
14s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
04-05-2021 23:44
General
-
Target
ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe
-
Size
113KB
-
MD5
0332ce73221dc1b6d26b5f5fa0f06318
-
SHA1
872e61c0a08c9dea4388d5c897b3d7ed3e8c13b7
-
SHA256
ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518
-
SHA512
71482a7798e70ab8176d88e3bfaec0c823118aa19c21b7afdb69f5fd031a91fef4e3d04a05c0ac0752df5904be32e6a9895448f62ee23b015f5e563c29385702
Malware Config
Signatures
-
WastedLocker
Ransomware family seen in the wild since May 2020.
-
CryptOne packer 4 IoCs
Detects CryptOne packer defined in NCC blogpost.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
-
Modifies extensions of user files 24 IoCs
Ransomware generally changes the extension on encrypted files.
-
Possible privilege escalation attempt 2 IoCs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Modifies file permissions 1 TTPs 2 IoCs
-
Drops file in System32 directory 2 IoCs
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
NTFS ADS 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 52 IoCs
-
Views/modifies file attributes 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe"C:\Users\Admin\AppData\Local\Temp\ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe"1⤵
- Loads dropped DLL
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\File:binC:\Users\Admin\AppData\Roaming\File:bin -r2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Windows\system32\File.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Windows\system32\File.exe /reset3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\File" & del "C:\Users\Admin\AppData\Roaming\File"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y4⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Users\Admin\AppData\Roaming\File"4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe" & del "C:\Users\Admin\AppData\Local\Temp\ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Users\Admin\AppData\Local\Temp\ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe"3⤵
- Views/modifies file attributes
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\File.exeC:\Windows\SysWOW64\File.exe -s1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\File.exe" & del "C:\Windows\SysWOW64\File.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Windows\SysWOW64\File.exe"3⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\system32\notepad.exe"C:\Windows\system32\notepad.exe"1⤵
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\File:binMD5
0332ce73221dc1b6d26b5f5fa0f06318
SHA1872e61c0a08c9dea4388d5c897b3d7ed3e8c13b7
SHA256ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518
SHA51271482a7798e70ab8176d88e3bfaec0c823118aa19c21b7afdb69f5fd031a91fef4e3d04a05c0ac0752df5904be32e6a9895448f62ee23b015f5e563c29385702
-
C:\Users\Admin\AppData\Roaming\File:binMD5
0332ce73221dc1b6d26b5f5fa0f06318
SHA1872e61c0a08c9dea4388d5c897b3d7ed3e8c13b7
SHA256ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518
SHA51271482a7798e70ab8176d88e3bfaec0c823118aa19c21b7afdb69f5fd031a91fef4e3d04a05c0ac0752df5904be32e6a9895448f62ee23b015f5e563c29385702
-
C:\Users\Admin\Desktop\ConnectCompare.mov.saverswasted_infoMD5
7a40df8d00f8d78778a9536302385175
SHA114a913314356952d098f412c1bb6b506b0fb11bf
SHA2562a44b60dbc6edd8ad9d21ae1a26d92dfe039c41654880d2d5aad04f7332df1c1
SHA512af8f2c95a8edfc6abcc26c7ed722737664edfac97a1db37b01e4c72272e622addf413c6a4736bf9fe8ad03d618fa63381c912429af8fa2475541ab747e41247a
-
C:\Windows\SysWOW64\File.exeMD5
0332ce73221dc1b6d26b5f5fa0f06318
SHA1872e61c0a08c9dea4388d5c897b3d7ed3e8c13b7
SHA256ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518
SHA51271482a7798e70ab8176d88e3bfaec0c823118aa19c21b7afdb69f5fd031a91fef4e3d04a05c0ac0752df5904be32e6a9895448f62ee23b015f5e563c29385702
-
C:\Windows\SysWOW64\File.exeMD5
0332ce73221dc1b6d26b5f5fa0f06318
SHA1872e61c0a08c9dea4388d5c897b3d7ed3e8c13b7
SHA256ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518
SHA51271482a7798e70ab8176d88e3bfaec0c823118aa19c21b7afdb69f5fd031a91fef4e3d04a05c0ac0752df5904be32e6a9895448f62ee23b015f5e563c29385702
-
\Users\Admin\AppData\Roaming\FileMD5
fd52c1321514bb28fb2781247dd61cd1
SHA153aaf7461928e9451d3fb327db2502112919883c
SHA256103befe077c8708b2ea33902729b246208ceb8ec7e8db8c07f77ab906830effa
SHA51219fa091a6f30581b962c2df111cc33cbae68c8ba5a14ce7c487589029d421aba43770cff7bda58d7ecc0e293bb00945ea6e4787cc50d83c365a2f90d666e4181
-
\Users\Admin\AppData\Roaming\FileMD5
fd52c1321514bb28fb2781247dd61cd1
SHA153aaf7461928e9451d3fb327db2502112919883c
SHA256103befe077c8708b2ea33902729b246208ceb8ec7e8db8c07f77ab906830effa
SHA51219fa091a6f30581b962c2df111cc33cbae68c8ba5a14ce7c487589029d421aba43770cff7bda58d7ecc0e293bb00945ea6e4787cc50d83c365a2f90d666e4181
-
memory/208-86-0x0000000000000000-mapping.dmp
-
memory/220-88-0x0000000000000000-mapping.dmp
-
memory/228-87-0x0000000000000000-mapping.dmp
-
memory/428-72-0x0000000000000000-mapping.dmp
-
memory/792-62-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/792-61-0x0000000000220000-0x0000000000232000-memory.dmpFilesize
72KB
-
memory/792-60-0x0000000075041000-0x0000000075043000-memory.dmpFilesize
8KB
-
memory/916-74-0x0000000000000000-mapping.dmp
-
memory/948-85-0x000007FEFB561000-0x000007FEFB563000-memory.dmpFilesize
8KB
-
memory/1168-68-0x0000000000000000-mapping.dmp
-
memory/1328-83-0x0000000000000000-mapping.dmp
-
memory/1468-82-0x0000000000000000-mapping.dmp
-
memory/1608-79-0x0000000000000000-mapping.dmp
-
memory/1640-81-0x0000000000000000-mapping.dmp
-
memory/1680-80-0x0000000000000000-mapping.dmp
-
memory/1796-70-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/1796-65-0x0000000000000000-mapping.dmp
-
memory/2016-78-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/2044-84-0x0000000000000000-mapping.dmp