Analysis
- max time kernel: 27s
- max time network: 80s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 26-07-2021 12:42
Behavioral tasks
- behavioral1: sample 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a.sample.exe, resource win7v20210410
- behavioral2: sample 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a.sample.exe, resource win10v20210408
General
- Target: 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a.sample.exe
- Size: 1.2MB
- MD5: 2cc4534b0dd0e1c8d5b89644274a10c1
- SHA1: 735ee2c15c0b7172f65d39f0fd33b9186ee69653
- SHA256: 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a
- SHA512: a842b2d171aa6efa1b391d5d0f84663e78021b485555e2bf10a5e589d8652057f5abbd88e1a5ec628b714692ec5d63c3172894aa7846d5897e87d99dad67e2b8
Malware Config
Signatures
- WastedLocker
  Ransomware family seen in the wild since May 2020.
  Processes (resource: yara_rule):
    C:\Users\Admin\AppData\Roaming\Drivers:bin: cryptone
    C:\Users\Admin\AppData\Roaming\Drivers:bin: cryptone
    C:\Windows\SysWOW64\Drivers.exe: cryptone
    C:\Windows\SysWOW64\Drivers.exe: cryptone
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (2 IoCs)
  Processes (pid: process):
    3252: Drivers:bin
    2664: Drivers.exe
- Modifies extensions of user files (33 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description: ioc; all by process Drivers.exe):
    File renamed: C:\Users\Admin\Pictures\SendConvertFrom.png => C:\Users\Admin\Pictures\SendConvertFrom.png.garminwasted
    File renamed: C:\Users\Admin\Pictures\SetUnlock.tiff => C:\Users\Admin\Pictures\SetUnlock.tiff.garminwasted
    File renamed: C:\Users\Admin\Pictures\AddUnlock.tif => C:\Users\Admin\Pictures\AddUnlock.tif.garminwasted
    File renamed: C:\Users\Admin\Pictures\DenyUnlock.tiff => C:\Users\Admin\Pictures\DenyUnlock.tiff.garminwasted
    File renamed: C:\Users\Admin\Pictures\ReadAdd.raw => C:\Users\Admin\Pictures\ReadAdd.raw.garminwasted
    File created: C:\Users\Admin\Pictures\AddUnlock.tif.garminwasted_info
    File renamed: C:\Users\Admin\Pictures\MoveExport.tif => C:\Users\Admin\Pictures\MoveExport.tif.garminwasted
    File opened for modification: C:\Users\Admin\Pictures\UnprotectApprove.tif.garminwasted
    File renamed: C:\Users\Admin\Pictures\MountStart.png => C:\Users\Admin\Pictures\MountStart.png.garminwasted
    File opened for modification: C:\Users\Admin\Pictures\PushExit.tiff.garminwasted
    File renamed: C:\Users\Admin\Pictures\SetStep.tiff => C:\Users\Admin\Pictures\SetStep.tiff.garminwasted
    File opened for modification: C:\Users\Admin\Pictures\SendConvertFrom.png.garminwasted
    File renamed: C:\Users\Admin\Pictures\UnprotectApprove.tif => C:\Users\Admin\Pictures\UnprotectApprove.tif.garminwasted
    File created: C:\Users\Admin\Pictures\MoveExport.tif.garminwasted_info
    File created: C:\Users\Admin\Pictures\PushExit.tiff.garminwasted_info
    File created: C:\Users\Admin\Pictures\SendConvertFrom.png.garminwasted_info
    File opened for modification: C:\Users\Admin\Pictures\SetStep.tiff.garminwasted
    File opened for modification: C:\Users\Admin\Pictures\StepUnpublish.raw.garminwasted
    File opened for modification: C:\Users\Admin\Pictures\DenyUnlock.tiff.garminwasted
    File opened for modification: C:\Users\Admin\Pictures\MoveExport.tif.garminwasted
    File created: C:\Users\Admin\Pictures\ReadAdd.raw.garminwasted_info
    File created: C:\Users\Admin\Pictures\SetStep.tiff.garminwasted_info
    File opened for modification: C:\Users\Admin\Pictures\AddUnlock.tif.garminwasted
    File created: C:\Users\Admin\Pictures\MountStart.png.garminwasted_info
    File opened for modification: C:\Users\Admin\Pictures\MountStart.png.garminwasted
    File created: C:\Users\Admin\Pictures\DenyUnlock.tiff.garminwasted_info
    File opened for modification: C:\Users\Admin\Pictures\SetUnlock.tiff.garminwasted
    File created: C:\Users\Admin\Pictures\StepUnpublish.raw.garminwasted_info
    File renamed: C:\Users\Admin\Pictures\StepUnpublish.raw => C:\Users\Admin\Pictures\StepUnpublish.raw.garminwasted
    File created: C:\Users\Admin\Pictures\UnprotectApprove.tif.garminwasted_info
    File renamed: C:\Users\Admin\Pictures\PushExit.tiff => C:\Users\Admin\Pictures\PushExit.tiff.garminwasted
    File opened for modification: C:\Users\Admin\Pictures\ReadAdd.raw.garminwasted
    File created: C:\Users\Admin\Pictures\SetUnlock.tiff.garminwasted_info
- Possible privilege escalation attempt (2 IoCs)
  Processes (pid: process):
    2924: takeown.exe
    3888: icacls.exe
- Modifies file permissions (1 TTPs, 2 IoCs)
  Processes (pid: process):
    2924: takeown.exe
    3888: icacls.exe
- Drops file in System32 directory (2 IoCs)
  Processes (description: ioc, process):
    File opened for modification: C:\Windows\SysWOW64\Drivers.exe, Drivers:bin
    File opened for modification: C:\Windows\SysWOW64\Drivers.exe, attrib.exe
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid: process):
    3064: vssadmin.exe
- NTFS ADS (1 IoCs)
  Processes (description: ioc, process):
    File opened for modification: C:\Users\Admin\AppData\Roaming\Drivers:bin, 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a.sample.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid: process):
    Token: SeBackupPrivilege, 2884: vssvc.exe
    Token: SeRestorePrivilege, 2884: vssvc.exe
    Token: SeAuditPrivilege, 2884: vssvc.exe
- Suspicious use of WriteProcessMemory (38 IoCs)
  Processes (source pid, process -> target pid, process; repeated entries counted in parentheses):
    808 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a.sample.exe -> 3252 Drivers:bin (x3)
    3252 Drivers:bin -> 3064 vssadmin.exe (x2)
    3252 Drivers:bin -> 2924 takeown.exe (x3)
    3252 Drivers:bin -> 3888 icacls.exe (x3)
    2664 Drivers.exe -> 3832 cmd.exe (x3)
    3832 cmd.exe -> 3992 choice.exe (x3)
    3252 Drivers:bin -> 4060 cmd.exe (x3)
    808 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a.sample.exe -> 3032 cmd.exe (x3)
    4060 cmd.exe -> 3108 choice.exe (x3)
    3032 cmd.exe -> 4088 choice.exe (x3)
    3832 cmd.exe -> 264 attrib.exe (x3)
    4060 cmd.exe -> 280 attrib.exe (x3)
    3032 cmd.exe -> 2716 attrib.exe (x3)
- Views/modifies file attributes (1 TTPs, 3 IoCs)
  Processes (pid: process):
    264: attrib.exe
    280: attrib.exe
    2716: attrib.exe
Processes (process tree; depth in brackets, image path followed by command line, then matched signatures)
- [1] C:\Users\Admin\AppData\Local\Temp\905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a.sample.exe
      "C:\Users\Admin\AppData\Local\Temp\905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a.sample.exe"
      Signatures: NTFS ADS; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\Drivers:bin
        C:\Users\Admin\AppData\Roaming\Drivers:bin -r
        Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\vssadmin.exe
          C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
          Signatures: Interacts with shadow copies
    - [3] C:\Windows\SysWOW64\takeown.exe
          C:\Windows\system32\takeown.exe /F C:\Windows\system32\Drivers.exe
          Signatures: Possible privilege escalation attempt; Modifies file permissions
    - [3] C:\Windows\SysWOW64\icacls.exe
          C:\Windows\system32\icacls.exe C:\Windows\system32\Drivers.exe /reset
          Signatures: Possible privilege escalation attempt; Modifies file permissions
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Drivers" & del "C:\Users\Admin\AppData\Roaming\Drivers"
          Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\choice.exe
            choice /t 10 /d y
      - [4] C:\Windows\SysWOW64\attrib.exe
            attrib -h "C:\Users\Admin\AppData\Roaming\Drivers"
            Signatures: Views/modifies file attributes
  - [2] C:\Windows\SysWOW64\cmd.exe
        cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a.sample.exe" & del "C:\Users\Admin\AppData\Local\Temp\905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a.sample.exe"
        Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\choice.exe
          choice /t 10 /d y
    - [3] C:\Windows\SysWOW64\attrib.exe
          attrib -h "C:\Users\Admin\AppData\Local\Temp\905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a.sample.exe"
          Signatures: Views/modifies file attributes
- [1] C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      Signatures: Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\SysWOW64\Drivers.exe
      C:\Windows\SysWOW64\Drivers.exe -s
      Signatures: Executes dropped EXE; Modifies extensions of user files; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
        cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Drivers.exe" & del "C:\Windows\SysWOW64\Drivers.exe"
        Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\choice.exe
          choice /t 10 /d y
    - [3] C:\Windows\SysWOW64\attrib.exe
          attrib -h "C:\Windows\SysWOW64\Drivers.exe"
          Signatures: Drops file in System32 directory; Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Drivers:bin (listed twice)
- C:\Windows\SysWOW64\Drivers.exe (listed twice)
  All four entries carry the same hashes, identical to the submitted sample:
    MD5: 2cc4534b0dd0e1c8d5b89644274a10c1
    SHA1: 735ee2c15c0b7172f65d39f0fd33b9186ee69653
    SHA256: 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a
    SHA512: a842b2d171aa6efa1b391d5d0f84663e78021b485555e2bf10a5e589d8652057f5abbd88e1a5ec628b714692ec5d63c3172894aa7846d5897e87d99dad67e2b8