Analysis
- max time kernel: 23s
- max time network: 135s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 26-07-2021 12:42
Behavioral task: behavioral1
- Sample: ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3.sample.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3.sample.exe
- Resource: win10v20210408
General
- Target: ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3.sample.exe
- Size: 951KB
- MD5: edbf07eaca4fff5f2d3f045567a9dc6f
- SHA1: 9292fa66c917bfa47e8012d302a69bec48e9b98c
- SHA256: ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3
- SHA512: 731214358d4fcecdafe0d386a305a130185727b20704e6251e37ac5feb35eff8f3f31d8c740954feb57c699cc5975c3bb50fac5c5202c5933c4fe0dfd06bc8e6
Malware Config
Signatures
- WastedLocker
  Ransomware family seen in the wild since May 2020.
  Processes (resource | yara_rule):
  - C:\Users\Admin\AppData\Roaming\Init:bin | cryptone
  - C:\Users\Admin\AppData\Roaming\Init:bin | cryptone
  - C:\Windows\SysWOW64\Init.exe | cryptone
  - C:\Windows\SysWOW64\Init.exe | cryptone
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
  - 3116 | Init:bin
  - 2124 | Init.exe
- Modifies extensions of user files (27 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description | ioc | process):
  - File created | C:\Users\Admin\Pictures\CopyReset.raw.d2lwasted_info | Init.exe
  - File renamed | C:\Users\Admin\Pictures\JoinOut.tif => C:\Users\Admin\Pictures\JoinOut.tif.d2lwasted | Init.exe
  - File renamed | C:\Users\Admin\Pictures\MergeUnregister.tiff => C:\Users\Admin\Pictures\MergeUnregister.tiff.d2lwasted | Init.exe
  - File created | C:\Users\Admin\Pictures\RestartEdit.raw.d2lwasted_info | Init.exe
  - File opened for modification | C:\Users\Admin\Pictures\SplitRedo.png.d2lwasted | Init.exe
  - File opened for modification | C:\Users\Admin\Pictures\BlockConvert.png.d2lwasted | Init.exe
  - File created | C:\Users\Admin\Pictures\CompleteDisconnect.tiff.d2lwasted_info | Init.exe
  - File opened for modification | C:\Users\Admin\Pictures\CopyReset.raw.d2lwasted | Init.exe
  - File created | C:\Users\Admin\Pictures\JoinOut.tif.d2lwasted_info | Init.exe
  - File created | C:\Users\Admin\Pictures\ResolveRegister.tif.d2lwasted_info | Init.exe
  - File opened for modification | C:\Users\Admin\Pictures\ResolveRegister.tif.d2lwasted | Init.exe
  - File renamed | C:\Users\Admin\Pictures\BlockConvert.png => C:\Users\Admin\Pictures\BlockConvert.png.d2lwasted | Init.exe
  - File opened for modification | C:\Users\Admin\Pictures\CompleteDisconnect.tiff.d2lwasted | Init.exe
  - File created | C:\Users\Admin\Pictures\MergeUnregister.tiff.d2lwasted_info | Init.exe
  - File opened for modification | C:\Users\Admin\Pictures\RestartEdit.raw.d2lwasted | Init.exe
  - File renamed | C:\Users\Admin\Pictures\CompleteDisconnect.tiff => C:\Users\Admin\Pictures\CompleteDisconnect.tiff.d2lwasted | Init.exe
  - File opened for modification | C:\Users\Admin\Pictures\JoinOut.tif.d2lwasted | Init.exe
  - File opened for modification | C:\Users\Admin\Pictures\MergeUnregister.tiff.d2lwasted | Init.exe
  - File created | C:\Users\Admin\Pictures\StopEdit.raw.d2lwasted_info | Init.exe
  - File created | C:\Users\Admin\Pictures\BlockConvert.png.d2lwasted_info | Init.exe
  - File renamed | C:\Users\Admin\Pictures\CopyReset.raw => C:\Users\Admin\Pictures\CopyReset.raw.d2lwasted | Init.exe
  - File renamed | C:\Users\Admin\Pictures\ResolveRegister.tif => C:\Users\Admin\Pictures\ResolveRegister.tif.d2lwasted | Init.exe
  - File renamed | C:\Users\Admin\Pictures\RestartEdit.raw => C:\Users\Admin\Pictures\RestartEdit.raw.d2lwasted | Init.exe
  - File renamed | C:\Users\Admin\Pictures\SplitRedo.png => C:\Users\Admin\Pictures\SplitRedo.png.d2lwasted | Init.exe
  - File renamed | C:\Users\Admin\Pictures\StopEdit.raw => C:\Users\Admin\Pictures\StopEdit.raw.d2lwasted | Init.exe
  - File opened for modification | C:\Users\Admin\Pictures\StopEdit.raw.d2lwasted | Init.exe
  - File created | C:\Users\Admin\Pictures\SplitRedo.png.d2lwasted_info | Init.exe
- Possible privilege escalation attempt (2 IoCs)
  Processes (pid | process):
  - 2816 | icacls.exe
  - 2220 | takeown.exe
- Modifies file permissions (1 TTPs, 2 IoCs)
  Processes (pid | process):
  - 2220 | takeown.exe
  - 2816 | icacls.exe
- Drops file in System32 directory (2 IoCs)
  Processes (description | ioc | process):
  - File opened for modification | C:\Windows\SysWOW64\Init.exe | Init:bin
  - File opened for modification | C:\Windows\SysWOW64\Init.exe | attrib.exe
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid | process):
  - 1020 | vssadmin.exe
- NTFS ADS (1 IoCs)
  Processes (description | ioc | process):
  - File opened for modification | C:\Users\Admin\AppData\Roaming\Init:bin | ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3.sample.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | process):
  - Token: SeBackupPrivilege | 2624 | vssvc.exe
  - Token: SeRestorePrivilege | 2624 | vssvc.exe
  - Token: SeAuditPrivilege | 2624 | vssvc.exe
- Suspicious use of WriteProcessMemory (38 IoCs)
  Processes (description | pid | process | target process):
  - PID 808 wrote to memory of 3116 | 808 | ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3.sample.exe | Init:bin
  - PID 808 wrote to memory of 3116 | 808 | ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3.sample.exe | Init:bin
  - PID 808 wrote to memory of 3116 | 808 | ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3.sample.exe | Init:bin
  - PID 3116 wrote to memory of 1020 | 3116 | Init:bin | vssadmin.exe
  - PID 3116 wrote to memory of 1020 | 3116 | Init:bin | vssadmin.exe
  - PID 3116 wrote to memory of 2220 | 3116 | Init:bin | takeown.exe
  - PID 3116 wrote to memory of 2220 | 3116 | Init:bin | takeown.exe
  - PID 3116 wrote to memory of 2220 | 3116 | Init:bin | takeown.exe
  - PID 3116 wrote to memory of 2816 | 3116 | Init:bin | icacls.exe
  - PID 3116 wrote to memory of 2816 | 3116 | Init:bin | icacls.exe
  - PID 3116 wrote to memory of 2816 | 3116 | Init:bin | icacls.exe
  - PID 2124 wrote to memory of 3288 | 2124 | Init.exe | cmd.exe
  - PID 2124 wrote to memory of 3288 | 2124 | Init.exe | cmd.exe
  - PID 2124 wrote to memory of 3288 | 2124 | Init.exe | cmd.exe
  - PID 3288 wrote to memory of 3248 | 3288 | cmd.exe | choice.exe
  - PID 3288 wrote to memory of 3248 | 3288 | cmd.exe | choice.exe
  - PID 3288 wrote to memory of 3248 | 3288 | cmd.exe | choice.exe
  - PID 3116 wrote to memory of 3304 | 3116 | Init:bin | cmd.exe
  - PID 3116 wrote to memory of 3304 | 3116 | Init:bin | cmd.exe
  - PID 3116 wrote to memory of 3304 | 3116 | Init:bin | cmd.exe
  - PID 808 wrote to memory of 2304 | 808 | ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3.sample.exe | cmd.exe
  - PID 808 wrote to memory of 2304 | 808 | ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3.sample.exe | cmd.exe
  - PID 808 wrote to memory of 2304 | 808 | ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3.sample.exe | cmd.exe
  - PID 3304 wrote to memory of 2848 | 3304 | cmd.exe | choice.exe
  - PID 3304 wrote to memory of 2848 | 3304 | cmd.exe | choice.exe
  - PID 3304 wrote to memory of 2848 | 3304 | cmd.exe | choice.exe
  - PID 2304 wrote to memory of 1020 | 2304 | cmd.exe | choice.exe
  - PID 2304 wrote to memory of 1020 | 2304 | cmd.exe | choice.exe
  - PID 2304 wrote to memory of 1020 | 2304 | cmd.exe | choice.exe
  - PID 3288 wrote to memory of 920 | 3288 | cmd.exe | attrib.exe
  - PID 3288 wrote to memory of 920 | 3288 | cmd.exe | attrib.exe
  - PID 3288 wrote to memory of 920 | 3288 | cmd.exe | attrib.exe
  - PID 3304 wrote to memory of 3592 | 3304 | cmd.exe | attrib.exe
  - PID 3304 wrote to memory of 3592 | 3304 | cmd.exe | attrib.exe
  - PID 3304 wrote to memory of 3592 | 3304 | cmd.exe | attrib.exe
  - PID 2304 wrote to memory of 2292 | 2304 | cmd.exe | attrib.exe
  - PID 2304 wrote to memory of 2292 | 2304 | cmd.exe | attrib.exe
  - PID 2304 wrote to memory of 2292 | 2304 | cmd.exe | attrib.exe
- Views/modifies file attributes (1 TTPs, 3 IoCs)
  Processes (pid | process):
  - 920 | attrib.exe
  - 3592 | attrib.exe
  - 2292 | attrib.exe
Processes (image path, then command line; nested entries are child processes, signatures listed under each)
- C:\Users\Admin\AppData\Local\Temp\ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3.sample.exe"
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Init:bin
    Command line: C:\Users\Admin\AppData\Roaming\Init:bin -r
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
    - C:\Windows\SysWOW64\takeown.exe
      Command line: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Init.exe
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\SysWOW64\icacls.exe
      Command line: C:\Windows\system32\icacls.exe C:\Windows\system32\Init.exe /reset
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Init" & del "C:\Users\Admin\AppData\Roaming\Init"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\choice.exe
        Command line: choice /t 10 /d y
      - C:\Windows\SysWOW64\attrib.exe
        Command line: attrib -h "C:\Users\Admin\AppData\Roaming\Init"
        - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3.sample.exe" & del "C:\Users\Admin\AppData\Local\Temp\ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3.sample.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe
      Command line: choice /t 10 /d y
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3.sample.exe"
      - Views/modifies file attributes
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\Init.exe
  Command line: C:\Windows\SysWOW64\Init.exe -s
  - Executes dropped EXE
  - Modifies extensions of user files
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Init.exe" & del "C:\Windows\SysWOW64\Init.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe
      Command line: choice /t 10 /d y
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Windows\SysWOW64\Init.exe"
      - Drops file in System32 directory
      - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Init:bin
  MD5: edbf07eaca4fff5f2d3f045567a9dc6f
  SHA1: 9292fa66c917bfa47e8012d302a69bec48e9b98c
  SHA256: ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3
  SHA512: 731214358d4fcecdafe0d386a305a130185727b20704e6251e37ac5feb35eff8f3f31d8c740954feb57c699cc5975c3bb50fac5c5202c5933c4fe0dfd06bc8e6
- C:\Windows\SysWOW64\Init.exe
  MD5: edbf07eaca4fff5f2d3f045567a9dc6f
  SHA1: 9292fa66c917bfa47e8012d302a69bec48e9b98c
  SHA256: ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3
  SHA512: 731214358d4fcecdafe0d386a305a130185727b20704e6251e37ac5feb35eff8f3f31d8c740954feb57c699cc5975c3bb50fac5c5202c5933c4fe0dfd06bc8e6
- memory/808-117-0x00000000005D0000-0x00000000005E0000-memory.dmp (Filesize: 64KB)
- memory/808-118-0x0000000000400000-0x00000000004EF000-memory.dmp (Filesize: 956KB)
- memory/920-133-0x0000000000000000-mapping.dmp
- memory/1020-119-0x0000000000000000-mapping.dmp
- memory/1020-132-0x0000000000000000-mapping.dmp
- memory/2124-126-0x0000000000400000-0x00000000004EF000-memory.dmp (Filesize: 956KB)
- memory/2124-125-0x00000000005E0000-0x000000000072A000-memory.dmp (Filesize: 1.3MB)
- memory/2220-120-0x0000000000000000-mapping.dmp
- memory/2292-135-0x0000000000000000-mapping.dmp
- memory/2304-130-0x0000000000000000-mapping.dmp
- memory/2816-122-0x0000000000000000-mapping.dmp
- memory/2848-131-0x0000000000000000-mapping.dmp
- memory/3116-124-0x0000000000400000-0x00000000004EF000-memory.dmp (Filesize: 956KB)
- memory/3116-114-0x0000000000000000-mapping.dmp
- memory/3248-128-0x0000000000000000-mapping.dmp
- memory/3288-127-0x0000000000000000-mapping.dmp
- memory/3304-129-0x0000000000000000-mapping.dmp
- memory/3592-134-0x0000000000000000-mapping.dmp