Analysis
- max time kernel: 130s
- max time network: 132s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 04-05-2021 23:44
Behavioral task: behavioral1
- Sample: ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe
- Resource: win10v20210410
General
- Target: ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe
- Size: 113KB
- MD5: 0332ce73221dc1b6d26b5f5fa0f06318
- SHA1: 872e61c0a08c9dea4388d5c897b3d7ed3e8c13b7
- SHA256: ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518
- SHA512: 71482a7798e70ab8176d88e3bfaec0c823118aa19c21b7afdb69f5fd031a91fef4e3d04a05c0ac0752df5904be32e6a9895448f62ee23b015f5e563c29385702
Malware Config
Signatures
- WastedLocker
  Ransomware family seen in the wild since May 2020.
  Processes (resource, yara_rule):
    C:\Users\Admin\AppData\Roaming\Remote:bin  cryptone
    C:\Users\Admin\AppData\Roaming\Remote:bin  cryptone
    C:\Windows\SysWOW64\Remote.exe  cryptone
    C:\Windows\SysWOW64\Remote.exe  cryptone
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    2448  Remote:bin
    3292  Remote.exe
- Modifies extensions of user files (21 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description, ioc, process):
    File renamed  C:\Users\Admin\Pictures\RenameJoin.tif => C:\Users\Admin\Pictures\RenameJoin.tif.saverswasted  Remote.exe
    File renamed  C:\Users\Admin\Pictures\SyncClear.tif => C:\Users\Admin\Pictures\SyncClear.tif.saverswasted  Remote.exe
    File opened for modification  C:\Users\Admin\Pictures\InitializeExit.crw.saverswasted  Remote.exe
    File opened for modification  C:\Users\Admin\Pictures\OutStep.png.saverswasted  Remote.exe
    File opened for modification  C:\Users\Admin\Pictures\RenameJoin.tif.saverswasted  Remote.exe
    File created  C:\Users\Admin\Pictures\SyncClear.tif.saverswasted_info  Remote.exe
    File opened for modification  C:\Users\Admin\Pictures\SubmitUnpublish.tiff.saverswasted  Remote.exe
    File opened for modification  C:\Users\Admin\Pictures\SyncClear.tif.saverswasted  Remote.exe
    File renamed  C:\Users\Admin\Pictures\EnableHide.tiff => C:\Users\Admin\Pictures\EnableHide.tiff.saverswasted  Remote.exe
    File opened for modification  C:\Users\Admin\Pictures\EnableHide.tiff.saverswasted  Remote.exe
    File created  C:\Users\Admin\Pictures\InitializeExit.crw.saverswasted_info  Remote.exe
    File created  C:\Users\Admin\Pictures\OutStep.png.saverswasted_info  Remote.exe
    File renamed  C:\Users\Admin\Pictures\OutStep.png => C:\Users\Admin\Pictures\OutStep.png.saverswasted  Remote.exe
    File created  C:\Users\Admin\Pictures\SetUse.tiff.saverswasted_info  Remote.exe
    File renamed  C:\Users\Admin\Pictures\SetUse.tiff => C:\Users\Admin\Pictures\SetUse.tiff.saverswasted  Remote.exe
    File opened for modification  C:\Users\Admin\Pictures\SetUse.tiff.saverswasted  Remote.exe
    File created  C:\Users\Admin\Pictures\EnableHide.tiff.saverswasted_info  Remote.exe
    File renamed  C:\Users\Admin\Pictures\SubmitUnpublish.tiff => C:\Users\Admin\Pictures\SubmitUnpublish.tiff.saverswasted  Remote.exe
    File created  C:\Users\Admin\Pictures\RenameJoin.tif.saverswasted_info  Remote.exe
    File created  C:\Users\Admin\Pictures\SubmitUnpublish.tiff.saverswasted_info  Remote.exe
    File renamed  C:\Users\Admin\Pictures\InitializeExit.crw => C:\Users\Admin\Pictures\InitializeExit.crw.saverswasted  Remote.exe
- Possible privilege escalation attempt (2 IoCs)
  Processes (pid, process):
    1332  takeown.exe
    2184  icacls.exe
- Modifies file permissions (1 TTPs, 2 IoCs)
  Processes (pid, process):
    1332  takeown.exe
    2184  icacls.exe
- Drops file in System32 directory (2 IoCs)
  Processes (description, ioc, process):
    File opened for modification  C:\Windows\SysWOW64\Remote.exe  Remote:bin
    File opened for modification  C:\Windows\SysWOW64\Remote.exe  attrib.exe
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid, process):
    2728  vssadmin.exe
- NTFS ADS (1 IoCs)
  Processes (description, ioc, process):
    File opened for modification  C:\Users\Admin\AppData\Roaming\Remote:bin  ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
    Token: SeBackupPrivilege   1940  vssvc.exe
    Token: SeRestorePrivilege  1940  vssvc.exe
    Token: SeAuditPrivilege    1940  vssvc.exe
- Suspicious use of WriteProcessMemory (38 IoCs)
  Processes (description, pid, process, target process):
    PID 3180 wrote to memory of 2448  3180  ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe  Remote:bin
    PID 3180 wrote to memory of 2448  3180  ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe  Remote:bin
    PID 3180 wrote to memory of 2448  3180  ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe  Remote:bin
    PID 2448 wrote to memory of 2728  2448  Remote:bin  vssadmin.exe
    PID 2448 wrote to memory of 2728  2448  Remote:bin  vssadmin.exe
    PID 2448 wrote to memory of 1332  2448  Remote:bin  takeown.exe
    PID 2448 wrote to memory of 1332  2448  Remote:bin  takeown.exe
    PID 2448 wrote to memory of 1332  2448  Remote:bin  takeown.exe
    PID 2448 wrote to memory of 2184  2448  Remote:bin  icacls.exe
    PID 2448 wrote to memory of 2184  2448  Remote:bin  icacls.exe
    PID 2448 wrote to memory of 2184  2448  Remote:bin  icacls.exe
    PID 3292 wrote to memory of 4080  3292  Remote.exe  cmd.exe
    PID 3292 wrote to memory of 4080  3292  Remote.exe  cmd.exe
    PID 3292 wrote to memory of 4080  3292  Remote.exe  cmd.exe
    PID 4080 wrote to memory of 268   4080  cmd.exe  choice.exe
    PID 4080 wrote to memory of 268   4080  cmd.exe  choice.exe
    PID 4080 wrote to memory of 268   4080  cmd.exe  choice.exe
    PID 2448 wrote to memory of 3528  2448  Remote:bin  cmd.exe
    PID 2448 wrote to memory of 3528  2448  Remote:bin  cmd.exe
    PID 2448 wrote to memory of 3528  2448  Remote:bin  cmd.exe
    PID 3180 wrote to memory of 2708  3180  ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe  cmd.exe
    PID 3180 wrote to memory of 2708  3180  ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe  cmd.exe
    PID 3180 wrote to memory of 2708  3180  ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe  cmd.exe
    PID 3528 wrote to memory of 2180  3528  cmd.exe  choice.exe
    PID 3528 wrote to memory of 2180  3528  cmd.exe  choice.exe
    PID 3528 wrote to memory of 2180  3528  cmd.exe  choice.exe
    PID 2708 wrote to memory of 3048  2708  cmd.exe  choice.exe
    PID 2708 wrote to memory of 3048  2708  cmd.exe  choice.exe
    PID 2708 wrote to memory of 3048  2708  cmd.exe  choice.exe
    PID 4080 wrote to memory of 1376  4080  cmd.exe  attrib.exe
    PID 4080 wrote to memory of 1376  4080  cmd.exe  attrib.exe
    PID 4080 wrote to memory of 1376  4080  cmd.exe  attrib.exe
    PID 3528 wrote to memory of 1916  3528  cmd.exe  attrib.exe
    PID 3528 wrote to memory of 1916  3528  cmd.exe  attrib.exe
    PID 3528 wrote to memory of 1916  3528  cmd.exe  attrib.exe
    PID 2708 wrote to memory of 3852  2708  cmd.exe  attrib.exe
    PID 2708 wrote to memory of 3852  2708  cmd.exe  attrib.exe
    PID 2708 wrote to memory of 3852  2708  cmd.exe  attrib.exe
- Views/modifies file attributes (1 TTPs, 3 IoCs)
  Processes (pid, process):
    1376  attrib.exe
    1916  attrib.exe
    3852  attrib.exe
Processes (process tree; nesting shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe"
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Remote:bin
    Command line: C:\Users\Admin\AppData\Roaming\Remote:bin -r
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
    - C:\Windows\SysWOW64\takeown.exe
      Command line: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Remote.exe
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\SysWOW64\icacls.exe
      Command line: C:\Windows\system32\icacls.exe C:\Windows\system32\Remote.exe /reset
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Remote" & del "C:\Users\Admin\AppData\Roaming\Remote"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\choice.exe
        Command line: choice /t 10 /d y
      - C:\Windows\SysWOW64\attrib.exe
        Command line: attrib -h "C:\Users\Admin\AppData\Roaming\Remote"
        - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe" & del "C:\Users\Admin\AppData\Local\Temp\ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe
      Command line: choice /t 10 /d y
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518.exe"
      - Views/modifies file attributes
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\Remote.exe
  Command line: C:\Windows\SysWOW64\Remote.exe -s
  - Executes dropped EXE
  - Modifies extensions of user files
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Remote.exe" & del "C:\Windows\SysWOW64\Remote.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe
      Command line: choice /t 10 /d y
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Windows\SysWOW64\Remote.exe"
      - Drops file in System32 directory
      - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Remote:bin
  MD5: 0332ce73221dc1b6d26b5f5fa0f06318
  SHA1: 872e61c0a08c9dea4388d5c897b3d7ed3e8c13b7
  SHA256: ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518
  SHA512: 71482a7798e70ab8176d88e3bfaec0c823118aa19c21b7afdb69f5fd031a91fef4e3d04a05c0ac0752df5904be32e6a9895448f62ee23b015f5e563c29385702
- C:\Users\Admin\AppData\Roaming\Remote:bin
  MD5: 0332ce73221dc1b6d26b5f5fa0f06318
  SHA1: 872e61c0a08c9dea4388d5c897b3d7ed3e8c13b7
  SHA256: ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518
  SHA512: 71482a7798e70ab8176d88e3bfaec0c823118aa19c21b7afdb69f5fd031a91fef4e3d04a05c0ac0752df5904be32e6a9895448f62ee23b015f5e563c29385702
- C:\Windows\SysWOW64\Remote.exe
  MD5: 0332ce73221dc1b6d26b5f5fa0f06318
  SHA1: 872e61c0a08c9dea4388d5c897b3d7ed3e8c13b7
  SHA256: ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518
  SHA512: 71482a7798e70ab8176d88e3bfaec0c823118aa19c21b7afdb69f5fd031a91fef4e3d04a05c0ac0752df5904be32e6a9895448f62ee23b015f5e563c29385702
- C:\Windows\SysWOW64\Remote.exe
  MD5: 0332ce73221dc1b6d26b5f5fa0f06318
  SHA1: 872e61c0a08c9dea4388d5c897b3d7ed3e8c13b7
  SHA256: ef6b588a8b3d3ca409eb2ac15b38bfedcaf9f6bcede91e38b15ae6ba2ef9e518
  SHA512: 71482a7798e70ab8176d88e3bfaec0c823118aa19c21b7afdb69f5fd031a91fef4e3d04a05c0ac0752df5904be32e6a9895448f62ee23b015f5e563c29385702
- memory/268-129-0x0000000000000000-mapping.dmp
- memory/1332-120-0x0000000000000000-mapping.dmp
- memory/1376-134-0x0000000000000000-mapping.dmp
- memory/1916-135-0x0000000000000000-mapping.dmp
- memory/2180-132-0x0000000000000000-mapping.dmp
- memory/2184-122-0x0000000000000000-mapping.dmp
- memory/2448-116-0x0000000000000000-mapping.dmp
- memory/2448-125-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/2448-124-0x0000000002020000-0x0000000002032000-memory.dmp (Filesize: 72KB)
- memory/2708-131-0x0000000000000000-mapping.dmp
- memory/2728-119-0x0000000000000000-mapping.dmp
- memory/3048-133-0x0000000000000000-mapping.dmp
- memory/3180-114-0x0000000000420000-0x00000000004CE000-memory.dmp (Filesize: 696KB)
- memory/3180-115-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/3292-127-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/3528-130-0x0000000000000000-mapping.dmp
- memory/3852-136-0x0000000000000000-mapping.dmp
- memory/4080-128-0x0000000000000000-mapping.dmp