Analysis
- max time kernel: 118s
- max time network: 120s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 26-07-2021 12:42
Behavioral task: behavioral1
- Sample: 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a.sample.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a.sample.exe
- Resource: win10v20210408
General
- Target: 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a.sample.exe
- Size: 1.2MB
- MD5: 2cc4534b0dd0e1c8d5b89644274a10c1
- SHA1: 735ee2c15c0b7172f65d39f0fd33b9186ee69653
- SHA256: 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a
- SHA512: a842b2d171aa6efa1b391d5d0f84663e78021b485555e2bf10a5e589d8652057f5abbd88e1a5ec628b714692ec5d63c3172894aa7846d5897e87d99dad67e2b8
Malware Config
Signatures
- WastedLocker
  Ransomware family seen in the wild since May 2020.
  Processes (resource / yara_rule):
    C:\Users\Admin\AppData\Roaming\Options:bin / cryptone
    C:\Users\Admin\AppData\Roaming\Options:bin / cryptone
    C:\Windows\SysWOW64\Options.exe / cryptone
    C:\Windows\SysWOW64\Options.exe / cryptone
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
    1272 / Options:bin
    752 / Options.exe
- Modifies extensions of user files (12 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description / ioc / process):
    File opened for modification / C:\Users\Admin\Pictures\BackupClear.crw.garminwasted / Options.exe
    File created / C:\Users\Admin\Pictures\RedoTest.tif.garminwasted_info / Options.exe
    File opened for modification / C:\Users\Admin\Pictures\RedoTest.tif.garminwasted / Options.exe
    File created / C:\Users\Admin\Pictures\SelectOpen.crw.garminwasted_info / Options.exe
    File renamed / C:\Users\Admin\Pictures\SelectOpen.crw => C:\Users\Admin\Pictures\SelectOpen.crw.garminwasted / Options.exe
    File opened for modification / C:\Users\Admin\Pictures\SelectOpen.crw.garminwasted / Options.exe
    File created / C:\Users\Admin\Pictures\BackupClear.crw.garminwasted_info / Options.exe
    File renamed / C:\Users\Admin\Pictures\BackupClear.crw => C:\Users\Admin\Pictures\BackupClear.crw.garminwasted / Options.exe
    File renamed / C:\Users\Admin\Pictures\RedoTest.tif => C:\Users\Admin\Pictures\RedoTest.tif.garminwasted / Options.exe
    File created / C:\Users\Admin\Pictures\SendMove.tif.garminwasted_info / Options.exe
    File renamed / C:\Users\Admin\Pictures\SendMove.tif => C:\Users\Admin\Pictures\SendMove.tif.garminwasted / Options.exe
    File opened for modification / C:\Users\Admin\Pictures\SendMove.tif.garminwasted / Options.exe
- Possible privilege escalation attempt (2 IoCs)
  Processes (pid / process):
    1660 / takeown.exe
    1700 / icacls.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
    1324 / cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    1044 / 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a.sample.exe
    1044 / 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a.sample.exe
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes (pid / process):
    1660 / takeown.exe
    1700 / icacls.exe
- Drops file in System32 directory (2 IoCs)
  Processes (description / ioc / process):
    File opened for modification / C:\Windows\SysWOW64\Options.exe / Options:bin
    File opened for modification / C:\Windows\SysWOW64\Options.exe / attrib.exe
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid / process):
    1424 / vssadmin.exe
- NTFS ADS (1 IoC)
  Processes (description / ioc / process):
    File opened for modification / C:\Users\Admin\AppData\Roaming\Options:bin / 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a.sample.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / pid / process):
    Token: SeBackupPrivilege / 1788 / vssvc.exe
    Token: SeRestorePrivilege / 1788 / vssvc.exe
    Token: SeAuditPrivilege / 1788 / vssvc.exe
- Suspicious use of WriteProcessMemory (52 IoCs)
  Processes (description / pid / process / target process); each row below is recorded four times in the raw report, giving the 52 IoCs:
    PID 1044 wrote to memory of 1272 / 1044 / 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a.sample.exe / Options:bin
    PID 1272 wrote to memory of 1424 / 1272 / Options:bin / vssadmin.exe
    PID 1272 wrote to memory of 1660 / 1272 / Options:bin / takeown.exe
    PID 1272 wrote to memory of 1700 / 1272 / Options:bin / icacls.exe
    PID 752 wrote to memory of 1048 / 752 / Options.exe / cmd.exe
    PID 1048 wrote to memory of 932 / 1048 / cmd.exe / choice.exe
    PID 1272 wrote to memory of 1820 / 1272 / Options:bin / cmd.exe
    PID 1044 wrote to memory of 1324 / 1044 / 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a.sample.exe / cmd.exe
    PID 1820 wrote to memory of 844 / 1820 / cmd.exe / choice.exe
    PID 1324 wrote to memory of 1712 / 1324 / cmd.exe / choice.exe
    PID 1048 wrote to memory of 1348 / 1048 / cmd.exe / attrib.exe
    PID 1820 wrote to memory of 1692 / 1820 / cmd.exe / attrib.exe
    PID 1324 wrote to memory of 208 / 1324 / cmd.exe / attrib.exe
- Views/modifies file attributes (1 TTP, 3 IoCs)
  Processes (pid / process):
    1348 / attrib.exe
    208 / attrib.exe
    1692 / attrib.exe
Processes (indented by depth in the process tree)
- Image: C:\Users\Admin\AppData\Local\Temp\905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a.sample.exe"
  - Loads dropped DLL
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  - Image: C:\Users\Admin\AppData\Roaming\Options:bin
    Command line: C:\Users\Admin\AppData\Roaming\Options:bin -r
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - Image: C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
    - Image: C:\Windows\SysWOW64\takeown.exe
      Command line: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Options.exe
      - Possible privilege escalation attempt
      - Modifies file permissions
    - Image: C:\Windows\SysWOW64\icacls.exe
      Command line: C:\Windows\system32\icacls.exe C:\Windows\system32\Options.exe /reset
      - Possible privilege escalation attempt
      - Modifies file permissions
    - Image: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Options" & del "C:\Users\Admin\AppData\Roaming\Options"
      - Suspicious use of WriteProcessMemory
      - Image: C:\Windows\SysWOW64\choice.exe
        Command line: choice /t 10 /d y
      - Image: C:\Windows\SysWOW64\attrib.exe
        Command line: attrib -h "C:\Users\Admin\AppData\Roaming\Options"
        - Views/modifies file attributes
  - Image: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a.sample.exe" & del "C:\Users\Admin\AppData\Local\Temp\905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a.sample.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - Image: C:\Windows\SysWOW64\choice.exe
      Command line: choice /t 10 /d y
    - Image: C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a.sample.exe"
      - Views/modifies file attributes
- Image: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- Image: C:\Windows\SysWOW64\Options.exe
  Command line: C:\Windows\SysWOW64\Options.exe -s
  - Executes dropped EXE
  - Modifies extensions of user files
  - Suspicious use of WriteProcessMemory
  - Image: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Options.exe" & del "C:\Windows\SysWOW64\Options.exe"
    - Suspicious use of WriteProcessMemory
    - Image: C:\Windows\SysWOW64\choice.exe
      Command line: choice /t 10 /d y
    - Image: C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Windows\SysWOW64\Options.exe"
      - Drops file in System32 directory
      - Views/modifies file attributes
Downloads
- C:\Users\Admin\AppData\Roaming\Options:bin
  MD5: 2cc4534b0dd0e1c8d5b89644274a10c1
  SHA1: 735ee2c15c0b7172f65d39f0fd33b9186ee69653
  SHA256: 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a
  SHA512: a842b2d171aa6efa1b391d5d0f84663e78021b485555e2bf10a5e589d8652057f5abbd88e1a5ec628b714692ec5d63c3172894aa7846d5897e87d99dad67e2b8
- C:\Windows\SysWOW64\Options.exe
  MD5: 2cc4534b0dd0e1c8d5b89644274a10c1
  SHA1: 735ee2c15c0b7172f65d39f0fd33b9186ee69653
  SHA256: 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a
  SHA512: a842b2d171aa6efa1b391d5d0f84663e78021b485555e2bf10a5e589d8652057f5abbd88e1a5ec628b714692ec5d63c3172894aa7846d5897e87d99dad67e2b8
- \Users\Admin\AppData\Roaming\Options
  MD5: cfc97f07904067a1e5fae195d534da3a
  SHA1: 2ae4ea1e2f2248a86f0dd25a1cbf828b5496fa79
  SHA256: eb4d2d127312eb09e2acca3276779e80f90faf77322684babf72b8ec6e1f906c
  SHA512: 5703f93c4a6b14a2319110edb09f4792b9c8677231835df30f239703fd106d351c82de148b8d862a6e3d8363c4a89fae04630007a14b10cf59b72eee5f80e147