Analysis
- max time kernel: 23s
- max time network: 114s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 26-07-2021 12:42

Behavioral task behavioral1
- Sample: ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3.sample.exe
- Resource: win7v20210410

Behavioral task behavioral2
- Sample: ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3.sample.exe
- Resource: win10v20210408

General
- Target: ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3.sample.exe
- Size: 951KB
- MD5: edbf07eaca4fff5f2d3f045567a9dc6f
- SHA1: 9292fa66c917bfa47e8012d302a69bec48e9b98c
- SHA256: ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3
- SHA512: 731214358d4fcecdafe0d386a305a130185727b20704e6251e37ac5feb35eff8f3f31d8c740954feb57c699cc5975c3bb50fac5c5202c5933c4fe0dfd06bc8e6
Malware Config
Signatures
- WastedLocker
  Ransomware family seen in the wild since May 2020.
  Processes (yara_rule, resource):
    cryptone  C:\Users\Admin\AppData\Roaming\Secure:bin
    cryptone  C:\Users\Admin\AppData\Roaming\Secure:bin
    cryptone  C:\Windows\SysWOW64\Secure.exe
    cryptone  C:\Windows\SysWOW64\Secure.exe

- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    1988  Secure:bin
    1640  Secure.exe

- Modifies extensions of user files (9 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description, ioc, process):
    File opened for modification  C:\Users\Admin\Pictures\UndoRead.tiff.d2lwasted  Secure.exe
    File created                  C:\Users\Admin\Pictures\MeasureUpdate.tiff.d2lwasted_info  Secure.exe
    File renamed                  C:\Users\Admin\Pictures\MeasureUpdate.tiff => C:\Users\Admin\Pictures\MeasureUpdate.tiff.d2lwasted  Secure.exe
    File opened for modification  C:\Users\Admin\Pictures\ExportReceive.tiff.d2lwasted  Secure.exe
    File opened for modification  C:\Users\Admin\Pictures\MeasureUpdate.tiff.d2lwasted  Secure.exe
    File created                  C:\Users\Admin\Pictures\UndoRead.tiff.d2lwasted_info  Secure.exe
    File renamed                  C:\Users\Admin\Pictures\UndoRead.tiff => C:\Users\Admin\Pictures\UndoRead.tiff.d2lwasted  Secure.exe
    File created                  C:\Users\Admin\Pictures\ExportReceive.tiff.d2lwasted_info  Secure.exe
    File renamed                  C:\Users\Admin\Pictures\ExportReceive.tiff => C:\Users\Admin\Pictures\ExportReceive.tiff.d2lwasted  Secure.exe

- Possible privilege escalation attempt (2 IoCs)
  Processes (pid, process):
    1300  takeown.exe
    1144  icacls.exe

- Deletes itself (1 IoC)
  Processes (pid, process):
    516  cmd.exe

- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    308  ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3.sample.exe
    308  ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3.sample.exe

- Modifies file permissions (1 TTP, 2 IoCs)
  Processes (pid, process):
    1300  takeown.exe
    1144  icacls.exe

- Drops file in System32 directory (2 IoCs)
  Processes (description, ioc, process):
    File opened for modification  C:\Windows\SysWOW64\Secure.exe  Secure:bin
    File opened for modification  C:\Windows\SysWOW64\Secure.exe  attrib.exe

- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid, process):
    1192  vssadmin.exe

- NTFS ADS (1 IoC)
  Processes (description, ioc, process):
    File opened for modification  C:\Users\Admin\AppData\Roaming\Secure:bin  ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3.sample.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
    Token: SeBackupPrivilege   1980  vssvc.exe
    Token: SeRestorePrivilege  1980  vssvc.exe
    Token: SeAuditPrivilege    1980  vssvc.exe

- Suspicious use of WriteProcessMemory (52 IoCs)
  Processes (pid wrote to memory of target pid; process -> target process; each edge recorded as 4 writes):
    308 -> 1988   ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3.sample.exe -> Secure:bin
    1988 -> 1192  Secure:bin -> vssadmin.exe
    1988 -> 1300  Secure:bin -> takeown.exe
    1988 -> 1144  Secure:bin -> icacls.exe
    1640 -> 1840  Secure.exe -> cmd.exe
    1840 -> 1124  cmd.exe -> choice.exe
    1988 -> 928   Secure:bin -> cmd.exe
    308 -> 516    ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3.sample.exe -> cmd.exe
    928 -> 672    cmd.exe -> choice.exe
    516 -> 1552   cmd.exe -> choice.exe
    1840 -> 1760  cmd.exe -> attrib.exe
    928 -> 1804   cmd.exe -> attrib.exe
    516 -> 1732   cmd.exe -> attrib.exe

- Views/modifies file attributes (1 TTP, 3 IoCs)
  Processes (pid, process):
    1760  attrib.exe
    1804  attrib.exe
    1732  attrib.exe
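The WriteProcessMemory list above is the raw material from which a sandbox derives its process tree: each parent-to-child relationship shows up as a run of writes from the creating process into the new one (in this report, four per edge). The Python below is an added example, not code from the report or from the sandbox vendor. It parses an excerpt constructed from the entries above (only the first two edges keep their repeats) into de-duplicated parent/child edges and renders the resulting tree. Processes that nothing writes into become roots, which is why the submitted sample and Secure.exe -s come out as separate roots here, as they do in the report's own Processes section; vssvc.exe does not appear in the WriteProcessMemory list at all and so is absent from the excerpt.

```python
import re
from collections import defaultdict

SAMPLE = "ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3.sample.exe"

# Excerpt constructed from the report's WriteProcessMemory list. Every edge in the
# report appears four times; only the first two edges keep their repeats here so
# the de-duplication is visible.
WPM_EXCERPT = f"""
PID 308 wrote to memory of 1988 308 {SAMPLE} Secure:bin
PID 308 wrote to memory of 1988 308 {SAMPLE} Secure:bin
PID 308 wrote to memory of 1988 308 {SAMPLE} Secure:bin
PID 308 wrote to memory of 1988 308 {SAMPLE} Secure:bin
PID 1988 wrote to memory of 1192 1988 Secure:bin vssadmin.exe
PID 1988 wrote to memory of 1192 1988 Secure:bin vssadmin.exe
PID 1988 wrote to memory of 1300 1988 Secure:bin takeown.exe
PID 1988 wrote to memory of 1144 1988 Secure:bin icacls.exe
PID 1640 wrote to memory of 1840 1640 Secure.exe cmd.exe
PID 1840 wrote to memory of 1124 1840 cmd.exe choice.exe
PID 1988 wrote to memory of 928 1988 Secure:bin cmd.exe
PID 308 wrote to memory of 516 308 {SAMPLE} cmd.exe
PID 928 wrote to memory of 672 928 cmd.exe choice.exe
PID 516 wrote to memory of 1552 516 cmd.exe choice.exe
PID 1840 wrote to memory of 1760 1840 cmd.exe attrib.exe
PID 928 wrote to memory of 1804 928 cmd.exe attrib.exe
PID 516 wrote to memory of 1732 516 cmd.exe attrib.exe
"""

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"; \1 pins the repeated source pid.
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")


def parse_wpm(text):
    """Return (parent_pid, child_pid, parent_image, child_image) edges, first occurrence only."""
    edges, seen = [], set()
    for line in text.splitlines():
        m = WPM_RE.search(line)
        if m and (int(m[1]), int(m[2])) not in seen:
            seen.add((int(m[1]), int(m[2])))
            edges.append((int(m[1]), int(m[2]), m[3], m[4]))
    return edges


def build_tree(edges):
    """children: parent pid -> child pids; images: pid -> image name; roots: pids nobody wrote into."""
    children, images = defaultdict(list), {}
    for ppid, pid, pimg, img in edges:
        children[ppid].append(pid)
        images.setdefault(ppid, pimg)
        images[pid] = img
    written_to = {pid for _, pid, _, _ in edges}
    roots = [pid for pid in images if pid not in written_to]
    return children, images, roots


def render(children, images, roots):
    """Indent two spaces per depth, keeping the order in which the edges were recorded."""
    lines = []

    def walk(pid, depth):
        lines.append(f"{'  ' * depth}{images[pid]} (pid {pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(*build_tree(parse_wpm(WPM_EXCERPT))))
```

Running it prints two trees, rooted at pid 308 (the dropper and its self-delete chain) and pid 1640 (the installed Secure.exe copy and its own cleanup chain), which matches the structure of the Processes section that follows.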
Processes
C:\Users\Admin\AppData\Local\Temp\ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3.sample.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3.sample.exe"
  - Loads dropped DLL
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Secure:bin
      command line: C:\Users\Admin\AppData\Roaming\Secure:bin -r
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\vssadmin.exe
          command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
          - Interacts with shadow copies
        C:\Windows\SysWOW64\takeown.exe
          command line: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Secure.exe
          - Possible privilege escalation attempt
          - Modifies file permissions
        C:\Windows\SysWOW64\icacls.exe
          command line: C:\Windows\system32\icacls.exe C:\Windows\system32\Secure.exe /reset
          - Possible privilege escalation attempt
          - Modifies file permissions
        C:\Windows\SysWOW64\cmd.exe
          command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Secure" & del "C:\Users\Admin\AppData\Roaming\Secure"
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\choice.exe
              command line: choice /t 10 /d y
            C:\Windows\SysWOW64\attrib.exe
              command line: attrib -h "C:\Users\Admin\AppData\Roaming\Secure"
              - Views/modifies file attributes
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3.sample.exe" & del "C:\Users\Admin\AppData\Local\Temp\ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3.sample.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\choice.exe
          command line: choice /t 10 /d y
        C:\Windows\SysWOW64\attrib.exe
          command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3.sample.exe"
          - Views/modifies file attributes

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\Secure.exe
  command line: C:\Windows\SysWOW64\Secure.exe -s
  - Executes dropped EXE
  - Modifies extensions of user files
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Secure.exe" & del "C:\Windows\SysWOW64\Secure.exe"
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\choice.exe
          command line: choice /t 10 /d y
        C:\Windows\SysWOW64\attrib.exe
          command line: attrib -h "C:\Windows\SysWOW64\Secure.exe"
          - Drops file in System32 directory
          - Views/modifies file attributes
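Read together, the command lines above give the WastedLocker sequence this sample follows: the dropper writes itself into an NTFS alternate data stream and runs it (Secure:bin -r), that stage deletes shadow copies with vssadmin, takes ownership of and resets the ACL on a Secure.exe path in the system directory before installing its copy there, and then removes the dropper with a delayed cmd chain (choice /t 10 /d y as a ten-second sleep, attrib -h, del); the installed copy (Secure.exe -s) appends .d2lwasted to user files and creates a matching _info note beside each. One caveat a responder should keep in mind: takeown.exe and icacls.exe are invoked as C:\Windows\system32\... but their images run from C:\Windows\SysWOW64. Every process in this tree runs from SysWOW64, i.e. the sample is 32-bit, and WoW64 file-system redirection sends its "system32" accesses to SysWOW64, which is where Secure.exe actually lands (see "Drops file in System32 directory"). The Python below is an added example, not code from the report or from the sandbox vendor: it turns those behaviours into detection rules and runs them over process and file records constructed from this report. The rule names and the record layouts (PROCS, FILE_EVENTS) are my own.

```python
import re

# Records constructed from this sandbox report: (pid, image path, command line).
SAMPLE = "ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3.sample.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ROAM = r"C:\Users\Admin\AppData\Roaming"
SYS32 = r"C:\Windows\system32"
WOW64 = r"C:\Windows\SysWOW64"
PICS = r"C:\Users\Admin\Pictures"

PROCS = [
    (308,  f"{TEMP}\\{SAMPLE}", f'"{TEMP}\\{SAMPLE}"'),
    (1988, f"{ROAM}\\Secure:bin", f"{ROAM}\\Secure:bin -r"),
    (1192, f"{SYS32}\\vssadmin.exe", f"{SYS32}\\vssadmin.exe Delete Shadows /All /Quiet"),
    # The 32-bit parent asks for system32; WoW64 redirection makes the image (and the file) SysWOW64.
    (1300, f"{WOW64}\\takeown.exe", f"{SYS32}\\takeown.exe /F {SYS32}\\Secure.exe"),
    (1144, f"{WOW64}\\icacls.exe", f"{SYS32}\\icacls.exe {SYS32}\\Secure.exe /reset"),
    (928,  f"{WOW64}\\cmd.exe", f'cmd /c choice /t 10 /d y & attrib -h "{ROAM}\\Secure" & del "{ROAM}\\Secure"'),
    (516,  f"{WOW64}\\cmd.exe", f'cmd /c choice /t 10 /d y & attrib -h "{TEMP}\\{SAMPLE}" & del "{TEMP}\\{SAMPLE}"'),
    (1640, f"{WOW64}\\Secure.exe", f"{WOW64}\\Secure.exe -s"),
    (1840, f"{WOW64}\\cmd.exe", f'cmd /c choice /t 10 /d y & attrib -h "{WOW64}\\Secure.exe" & del "{WOW64}\\Secure.exe"'),
]

# (kind, path[, new_path]) taken from the "Modifies extensions of user files" signature.
FILE_EVENTS = [
    ("renamed", f"{PICS}\\MeasureUpdate.tiff", f"{PICS}\\MeasureUpdate.tiff.d2lwasted"),
    ("created", f"{PICS}\\MeasureUpdate.tiff.d2lwasted_info"),
    ("renamed", f"{PICS}\\UndoRead.tiff", f"{PICS}\\UndoRead.tiff.d2lwasted"),
    ("created", f"{PICS}\\UndoRead.tiff.d2lwasted_info"),
    ("renamed", f"{PICS}\\ExportReceive.tiff", f"{PICS}\\ExportReceive.tiff.d2lwasted"),
    ("created", f"{PICS}\\ExportReceive.tiff.d2lwasted_info"),
]

SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)
# sleep via choice, unhide, delete: the cleanup chain used three times in this report
TIMED_DELETE = re.compile(r"choice\s+/t\s+\d+.*&\s*attrib\s+-h\b.*&\s*del\s", re.I)


def is_ads_path(path):
    """True when a drive-letter path names an alternate data stream (a colon past the drive)."""
    return ":" in path[2:]


def detect_process(image, cmdline):
    """Return the (hypothetical) rule names triggered by one process record."""
    hits = []
    img = image.rsplit("\\", 1)[-1].lower()
    tokens = cmdline.split()
    args = [t for t in tokens[1:] if not t.startswith("/")]  # positional arguments only
    if is_ads_path(image):
        hits.append("exec_from_ntfs_ads")
    if img == "vssadmin.exe" and {"delete", "shadows"} <= {t.lower() for t in tokens}:
        hits.append("shadow_copy_deletion")
    if img in ("takeown.exe", "icacls.exe") and any(SYSTEM_DIR.match(a) for a in args):
        hits.append("system_dir_acl_tamper")
    if img == "cmd.exe" and TIMED_DELETE.search(cmdline):
        hits.append("timed_attrib_del_chain")
    return hits


def detect_ransom_renames(file_events):
    """Pair each rename that appends an extension with a note created as <new name>_info."""
    created = {ev[1].lower() for ev in file_events if ev[0] == "created"}
    found = []
    for ev in file_events:
        if ev[0] != "renamed":
            continue
        src, dst = ev[1], ev[2]
        if dst.lower().startswith(src.lower() + "."):
            ext = dst[len(src):]  # e.g. ".d2lwasted"
            found.append((src, ext, (dst + "_info").lower() in created))
    return found


def triage(procs, file_events):
    """rule -> pids that triggered it, plus the appended extensions and whether each file got a note."""
    summary = {}
    for pid, image, cmdline in procs:
        for rule in detect_process(image, cmdline):
            summary.setdefault(rule, []).append(pid)
    renames = detect_ransom_renames(file_events)
    if renames:
        summary["ransomware_rename"] = sorted({ext for _, ext, _ in renames})
        summary["ransom_note_per_file"] = all(note for _, _, note in renames)
    return summary


if __name__ == "__main__":
    for rule, value in triage(PROCS, FILE_EVENTS).items():
        print(f"{rule:24} {value}")
```

The ACL rule deliberately matches on the positional argument rather than the image path, so takeown /F or icacls /reset against a system-directory file is flagged whether the process itself runs from system32 or, as here, from SysWOW64; the ADS check is only valid for drive-letter paths, since the colon at index 1 is the drive separator.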
Network
Downloads
- C:\Users\Admin\AppData\Roaming\Secure:bin
  MD5: edbf07eaca4fff5f2d3f045567a9dc6f
  SHA1: 9292fa66c917bfa47e8012d302a69bec48e9b98c
  SHA256: ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3
  SHA512: 731214358d4fcecdafe0d386a305a130185727b20704e6251e37ac5feb35eff8f3f31d8c740954feb57c699cc5975c3bb50fac5c5202c5933c4fe0dfd06bc8e6
- C:\Windows\SysWOW64\Secure.exe
  MD5: edbf07eaca4fff5f2d3f045567a9dc6f
  SHA1: 9292fa66c917bfa47e8012d302a69bec48e9b98c
  SHA256: ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3
  SHA512: 731214358d4fcecdafe0d386a305a130185727b20704e6251e37ac5feb35eff8f3f31d8c740954feb57c699cc5975c3bb50fac5c5202c5933c4fe0dfd06bc8e6
- \Users\Admin\AppData\Roaming\Secure
  MD5: f748f53fe09d21d8ecbb6421e6792024
  SHA1: 161bd68c875ad4f0c3085f35f40883bfbd11e4b9
  SHA256: 38f737673f8b089b2540ce7015a4df7081754f7cc83bff85199b70555af32ed0
  SHA512: 3ace48f2b176857bf02b127e33829d3765c0711f9f446c4b32975f44b1d30f8546dfc44a7ecdf4d9b5b62d9e5d09da72636a921b59190ec889b13ae110697aa0

The ADS payload Secure:bin and the copy installed as C:\Windows\SysWOW64\Secure.exe carry exactly the hashes of the submitted sample, so both dropped files are byte-for-byte copies of the original; only the host file \Users\Admin\AppData\Roaming\Secure that carries the stream has different content.
-
- memory/308-61-0x0000000000220000-0x0000000000230000-memory.dmp (64KB)
- memory/308-62-0x0000000000400000-0x00000000004EF000-memory.dmp (956KB)
- memory/308-60-0x0000000075A31000-0x0000000075A33000-memory.dmp (8KB)
- memory/516-79-0x0000000000000000-mapping.dmp
- memory/672-80-0x0000000000000000-mapping.dmp
- memory/928-78-0x0000000000000000-mapping.dmp
- memory/1124-77-0x0000000000000000-mapping.dmp
- memory/1144-72-0x0000000000000000-mapping.dmp
- memory/1192-68-0x0000000000000000-mapping.dmp
- memory/1300-70-0x0000000000000000-mapping.dmp
- memory/1552-81-0x0000000000000000-mapping.dmp
- memory/1640-75-0x0000000000400000-0x00000000004EF000-memory.dmp (956KB)
- memory/1732-84-0x0000000000000000-mapping.dmp
- memory/1760-82-0x0000000000000000-mapping.dmp
- memory/1804-83-0x0000000000000000-mapping.dmp
- memory/1840-76-0x0000000000000000-mapping.dmp
- memory/1988-65-0x0000000000000000-mapping.dmp