Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 26-07-2021 13:00
Static task: static1
Behavioral task: behavioral1
- Sample: ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.sample.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.sample.exe
- Resource: win10v20210410
General
- Target: ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.sample.exe
- Size: 58KB
- MD5: 33b80a574c6441baf5409a292aafb1cf
- SHA1: 8048aba11ea6209d1f49fa4e12741050350557df
- SHA256: ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56
- SHA512: 52843695c364814c0d0d375f68f9c7202a26e492f59c01eaf23dd366da443ae6a02c2a7ff1748a033658808e900a61e097deb95c98de3744f2767faa040ddc00
Malware Config
Signatures
- WastedLocker
  Ransomware family seen in the wild since May 2020.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    1284  Index:bin
    1632  Index.exe
- Modifies extensions of user files (36 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description, ioc; all 36 events by process Index.exe):
    File renamed: C:\Users\Admin\Pictures\GrantFind.png => C:\Users\Admin\Pictures\GrantFind.png.garminwasted
    File opened for modification: C:\Users\Admin\Pictures\OutInitialize.crw.garminwasted
    File renamed: C:\Users\Admin\Pictures\ReadRegister.tiff => C:\Users\Admin\Pictures\ReadRegister.tiff.garminwasted
    File renamed: C:\Users\Admin\Pictures\RenameTest.raw => C:\Users\Admin\Pictures\RenameTest.raw.garminwasted
    File renamed: C:\Users\Admin\Pictures\RepairSearch.crw => C:\Users\Admin\Pictures\RepairSearch.crw.garminwasted
    File created: C:\Users\Admin\Pictures\GrantFind.png.garminwasted_info
    File created: C:\Users\Admin\Pictures\TraceStop.raw.garminwasted_info
    File created: C:\Users\Admin\Pictures\SyncOpen.png.garminwasted_info
    File opened for modification: C:\Users\Admin\Pictures\GrantFind.png.garminwasted
    File opened for modification: C:\Users\Admin\Pictures\RenameTest.raw.garminwasted
    File created: C:\Users\Admin\Pictures\ResumeSync.crw.garminwasted_info
    File opened for modification: C:\Users\Admin\Pictures\SyncOpen.png.garminwasted
    File renamed: C:\Users\Admin\Pictures\TraceStop.raw => C:\Users\Admin\Pictures\TraceStop.raw.garminwasted
    File opened for modification: C:\Users\Admin\Pictures\GetFind.png.garminwasted
    File created: C:\Users\Admin\Pictures\OutInitialize.crw.garminwasted_info
    File opened for modification: C:\Users\Admin\Pictures\RepairSearch.crw.garminwasted
    File renamed: C:\Users\Admin\Pictures\ResumeSync.crw => C:\Users\Admin\Pictures\ResumeSync.crw.garminwasted
    File opened for modification: C:\Users\Admin\Pictures\ResumeSync.crw.garminwasted
    File opened for modification: C:\Users\Admin\Pictures\SwitchRestart.tif.garminwasted
    File opened for modification: C:\Users\Admin\Pictures\TraceStop.raw.garminwasted
    File created: C:\Users\Admin\Pictures\GetFind.png.garminwasted_info
    File opened for modification: C:\Users\Admin\Pictures\ReadRegister.tiff.garminwasted
    File created: C:\Users\Admin\Pictures\SwitchRestart.tif.garminwasted_info
    File opened for modification: C:\Users\Admin\Pictures\InitializeConvert.tiff.garminwasted
    File renamed: C:\Users\Admin\Pictures\SwitchRestart.tif => C:\Users\Admin\Pictures\SwitchRestart.tif.garminwasted
    File created: C:\Users\Admin\Pictures\WatchHide.tif.garminwasted_info
    File renamed: C:\Users\Admin\Pictures\WatchHide.tif => C:\Users\Admin\Pictures\WatchHide.tif.garminwasted
    File created: C:\Users\Admin\Pictures\RepairSearch.crw.garminwasted_info
    File created: C:\Users\Admin\Pictures\RenameTest.raw.garminwasted_info
    File renamed: C:\Users\Admin\Pictures\InitializeConvert.tiff => C:\Users\Admin\Pictures\InitializeConvert.tiff.garminwasted
    File created: C:\Users\Admin\Pictures\InitializeConvert.tiff.garminwasted_info
    File renamed: C:\Users\Admin\Pictures\OutInitialize.crw => C:\Users\Admin\Pictures\OutInitialize.crw.garminwasted
    File created: C:\Users\Admin\Pictures\ReadRegister.tiff.garminwasted_info
    File renamed: C:\Users\Admin\Pictures\SyncOpen.png => C:\Users\Admin\Pictures\SyncOpen.png.garminwasted
    File opened for modification: C:\Users\Admin\Pictures\WatchHide.tif.garminwasted
    File renamed: C:\Users\Admin\Pictures\GetFind.png => C:\Users\Admin\Pictures\GetFind.png.garminwasted
- Possible privilege escalation attempt (2 IoCs)
  Processes (pid, process):
    1760  takeown.exe
    1616  icacls.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
    920  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1948  ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.sample.exe
    1948  ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.sample.exe
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes (pid, process):
    1760  takeown.exe
    1616  icacls.exe
- Drops file in System32 directory (2 IoCs)
  Processes (description, ioc, process):
    File opened for modification: C:\Windows\SysWOW64\Index.exe  (Index:bin)
    File opened for modification: C:\Windows\SysWOW64\Index.exe  (attrib.exe)
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid, process):
    848  vssadmin.exe
- NTFS ADS (1 IoC)
  Processes (description, ioc, process):
    File opened for modification: C:\Users\Admin\AppData\Roaming\Index:bin  (ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.sample.exe)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
    Token: SeBackupPrivilege   1980  vssvc.exe
    Token: SeRestorePrivilege  1980  vssvc.exe
    Token: SeAuditPrivilege    1980  vssvc.exe
- Suspicious use of WriteProcessMemory (52 IoCs)
  Processes (pid, process -> target pid, target process; each of the 13 parent/child pairs below is recorded four times in the report):
    1948  ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.sample.exe -> 1284  Index:bin
    1284  Index:bin -> 848  vssadmin.exe
    1284  Index:bin -> 1760  takeown.exe
    1284  Index:bin -> 1616  icacls.exe
    1632  Index.exe -> 380  cmd.exe
    380  cmd.exe -> 1652  choice.exe
    1284  Index:bin -> 1120  cmd.exe
    1948  ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.sample.exe -> 920  cmd.exe
    1120  cmd.exe -> 1296  choice.exe
    920  cmd.exe -> 1376  choice.exe
    380  cmd.exe -> 1780  attrib.exe
    1120  cmd.exe -> 1704  attrib.exe
    920  cmd.exe -> 1724  attrib.exe
- Views/modifies file attributes (1 TTP, 3 IoCs)
  Processes (pid, process):
    1780  attrib.exe
    1704  attrib.exe
    1724  attrib.exe
Processes (indented by tree depth; image path and pid, then command line, then matched signatures)
C:\Users\Admin\AppData\Local\Temp\ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.sample.exe (pid 1948)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.sample.exe"
  - Loads dropped DLL
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Index:bin (pid 1284)
    Command line: C:\Users\Admin\AppData\Roaming\Index:bin -r
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\vssadmin.exe (pid 848)
      Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
    C:\Windows\SysWOW64\takeown.exe (pid 1760)
      Command line: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Index.exe
      - Possible privilege escalation attempt
      - Modifies file permissions
    C:\Windows\SysWOW64\icacls.exe (pid 1616)
      Command line: C:\Windows\system32\icacls.exe C:\Windows\system32\Index.exe /reset
      - Possible privilege escalation attempt
      - Modifies file permissions
    C:\Windows\SysWOW64\cmd.exe (pid 1120)
      Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Index" & del "C:\Users\Admin\AppData\Roaming\Index"
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\choice.exe (pid 1296)
        Command line: choice /t 10 /d y
      C:\Windows\SysWOW64\attrib.exe (pid 1704)
        Command line: attrib -h "C:\Users\Admin\AppData\Roaming\Index"
        - Views/modifies file attributes
  C:\Windows\SysWOW64\cmd.exe (pid 920)
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.sample.exe" & del "C:\Users\Admin\AppData\Local\Temp\ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.sample.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\choice.exe (pid 1376)
      Command line: choice /t 10 /d y
    C:\Windows\SysWOW64\attrib.exe (pid 1724)
      Command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.sample.exe"
      - Views/modifies file attributes
C:\Windows\system32\vssvc.exe (pid 1980)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\Index.exe (pid 1632)
  Command line: C:\Windows\SysWOW64\Index.exe -s
  - Executes dropped EXE
  - Modifies extensions of user files
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (pid 380)
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Index.exe" & del "C:\Windows\SysWOW64\Index.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\choice.exe (pid 1652)
      Command line: choice /t 10 /d y
    C:\Windows\SysWOW64\attrib.exe (pid 1780)
      Command line: attrib -h "C:\Windows\SysWOW64\Index.exe"
      - Drops file in System32 directory
      - Views/modifies file attributes
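Detection logic for the behaviours the process tree above records, as an added example that is not part of the sandbox report and not the sandbox vendor's code. It flags vssadmin shadow-copy deletion, execution from an NTFS alternate data stream (Index:bin), takeown/icacls aimed at a file under a Windows system directory, and the delayed self-deletion pattern (cmd /c choice /t 10 /d y & attrib -h & del), correlating each deleting cmd.exe with its parent; it also pairs .garminwasted renames with their .garminwasted_info companions. The process and file records are constructed from the report's tree and IoCs; the field names (pid, ppid, image, cmdline) are an assumption, not any particular log schema. Two details from the tree drive the design: the children are 32-bit processes, so a command line naming C:\Windows\system32 is redirected by WoW64 to C:\Windows\SysWOW64 (the image paths show this, and the dropped copy lands in SysWOW64), so both directories must be matched; and the ten-second choice delay means the deleting cmd.exe outlives its parent, so the parent must be recovered from ppid rather than from a live process list.

```python
"""Detections for the behaviours in this WastedLocker report, run over
constructed process-creation and file-event records.
Added example, not part of the sandbox report. The record layout (pid, ppid,
image, cmdline) is an assumption; the values come from the report's tree."""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.sample.exe")
ADS_HOST = r"C:\Users\Admin\AppData\Roaming\Index"
DROPPED = r"C:\Windows\SysWOW64\Index.exe"

def self_delete_cmd(path):
    # Exact shape used by every cmd.exe in the report's process tree.
    return f'cmd /c choice /t 10 /d y & attrib -h "{path}" & del "{path}"'

# Constructed from the report's process tree (same PIDs, images and command lines).
PROCS = [
    {"pid": 1948, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1284, "ppid": 1948, "image": ADS_HOST + ":bin", "cmdline": ADS_HOST + ":bin -r"},
    {"pid": 848, "ppid": 1284, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": r"C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 1760, "ppid": 1284, "image": r"C:\Windows\SysWOW64\takeown.exe",
     "cmdline": r"C:\Windows\system32\takeown.exe /F C:\Windows\system32\Index.exe"},
    {"pid": 1616, "ppid": 1284, "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmdline": r"C:\Windows\system32\icacls.exe C:\Windows\system32\Index.exe /reset"},
    {"pid": 1120, "ppid": 1284, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": self_delete_cmd(ADS_HOST)},
    {"pid": 920, "ppid": 1948, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": self_delete_cmd(SAMPLE)},
    {"pid": 1632, "ppid": 0, "image": DROPPED, "cmdline": DROPPED + " -s"},
    {"pid": 380, "ppid": 1632, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": self_delete_cmd(DROPPED)},
]

# Last path component carries a stream name: <file>:<stream>
ADS_IMAGE = re.compile(r"^[A-Za-z]:\\(?:[^\\:]+\\)*[^\\:]+:[^\\:]+$")
# WoW64 redirects a 32-bit process's "system32" to SysWOW64, so match both.
SYSTEM_DIR = re.compile(r"\\Windows\\(?:system32|syswow64)\\", re.I)
# choice /t N /d y is used as a sleep before attrib/del; capture the del target.
DELAYED_DEL = re.compile(r'choice\s+/t\s+\d+\s+/d\s+y\b.*\bdel\s+"?([^"&]+?)"?\s*$', re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def args_of(cmdline):
    """Command line with its leading (possibly quoted) program token removed."""
    return re.sub(r'^(?:"[^"]*"|\S+)\s*', "", cmdline)

def deletes_shadow_copies(p):
    return basename(p["image"]) == "vssadmin.exe" and bool(
        re.search(r"\bdelete\s+shadows\b", p["cmdline"], re.I))

def runs_from_ads(p):
    return ADS_IMAGE.match(p["image"]) is not None

def tampers_system_acl(p):
    """takeown/icacls whose arguments name a file under a Windows system directory."""
    return basename(p["image"]) in {"takeown.exe", "icacls.exe"} and bool(
        SYSTEM_DIR.search(args_of(p["cmdline"])))

def delayed_delete_target(p):
    """Path a 'choice /t N /d y & ... & del <path>' cmd.exe will remove, else None."""
    if basename(p["image"]) != "cmd.exe":
        return None
    m = DELAYED_DEL.search(p["cmdline"])
    return m.group(1) if m else None

def self_delete_chains(procs):
    """(parent pid, cmd pid, path) where the delayed delete hits the parent's own
    image, or the host file of the ADS the parent runs from (Index for Index:bin)."""
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for p in procs:
        target, parent = delayed_delete_target(p), by_pid.get(p["ppid"])
        if target is None or parent is None:
            continue
        pimg, t = parent["image"].lower(), target.lower()
        if pimg == t or pimg.startswith(t + ":"):
            hits.append((parent["pid"], p["pid"], target))
    return hits

def triage(procs):
    return {
        "shadow_copy_deletion": [p["pid"] for p in procs if deletes_shadow_copies(p)],
        "ads_execution": [p["pid"] for p in procs if runs_from_ads(p)],
        "system_acl_tamper": [p["pid"] for p in procs if tampers_system_acl(p)],
        "delayed_self_delete": [parent for parent, _, _ in self_delete_chains(procs)],
    }

EXT, INFO = ".garminwasted", ".garminwasted_info"
# Constructed subset of the report's "Modifies extensions of user files" IoCs.
FILE_EVENTS = [
    ("renamed", r"C:\Users\Admin\Pictures\GrantFind.png", r"C:\Users\Admin\Pictures\GrantFind.png.garminwasted"),
    ("created", r"C:\Users\Admin\Pictures\GrantFind.png.garminwasted_info", None),
    ("renamed", r"C:\Users\Admin\Pictures\TraceStop.raw", r"C:\Users\Admin\Pictures\TraceStop.raw.garminwasted"),
    ("created", r"C:\Users\Admin\Pictures\OutInitialize.crw.garminwasted_info", None),
]

def encrypted_files(events):
    """Originals renamed to <name>.garminwasted AND given a .garminwasted_info
    companion, plus those only renamed (partial evidence, still worth a look)."""
    renamed, infos = set(), set()
    for kind, path, new in events:
        if kind == "renamed" and new == path + EXT:
            renamed.add(path)
        elif kind == "created" and path.endswith(INFO):
            infos.add(path[:-len(INFO)])
    return sorted(renamed & infos), sorted(renamed - infos)

if __name__ == "__main__":
    for name, pids in triage(PROCS).items():
        print(f"{name}: {pids}")
    print("encrypted:", encrypted_files(FILE_EVENTS))
```

Run as-is it reports the three self-deleting parents (the sample, Index:bin and the SysWOW64 copy), the shadow-copy deletion by pid 848, the ADS execution by pid 1284 and the ACL tampering by pids 1760 and 1616; GrantFind.png is listed as fully encrypted while TraceStop.raw, whose _info file is absent from the constructed subset, is listed as rename-only. The self-delete correlation is the part worth keeping in production: the parent has already exited by the time `del` runs, so an EDR rule keyed on the live process list misses it, whereas the ppid recorded at process creation does not.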
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\Index:bin (same hashes as the submitted sample)
  MD5: 33b80a574c6441baf5409a292aafb1cf
  SHA1: 8048aba11ea6209d1f49fa4e12741050350557df
  SHA256: ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56
  SHA512: 52843695c364814c0d0d375f68f9c7202a26e492f59c01eaf23dd366da443ae6a02c2a7ff1748a033658808e900a61e097deb95c98de3744f2767faa040ddc00
- C:\Windows\SysWOW64\Index.exe (same hashes as the submitted sample)
  MD5: 33b80a574c6441baf5409a292aafb1cf
  SHA1: 8048aba11ea6209d1f49fa4e12741050350557df
  SHA256: ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56
  SHA512: 52843695c364814c0d0d375f68f9c7202a26e492f59c01eaf23dd366da443ae6a02c2a7ff1748a033658808e900a61e097deb95c98de3744f2767faa040ddc00
- \Users\Admin\AppData\Roaming\Index
  MD5: 4c1549d5165f74abc24df7bfb981df05
  SHA1: 69d17824012e206c64ccecc40825b378efd29cc4
  SHA256: 5c954bf24b3b958d430336aa5d30fbda54601caee6572b330ee28d54c16852d0
  SHA512: 66711d9e1aedfbca7fdb5d91efde9de64509dfa01b99974a9246c13591c22789552f99b766748262c593d68f109f4d49405a1693ce1f2518776986e191a45b00
- memory/380-73-0x0000000000000000-mapping.dmp
- memory/848-66-0x0000000000000000-mapping.dmp
- memory/920-76-0x0000000000000000-mapping.dmp
- memory/1120-75-0x0000000000000000-mapping.dmp
- memory/1284-63-0x0000000000000000-mapping.dmp
- memory/1296-77-0x0000000000000000-mapping.dmp
- memory/1376-78-0x0000000000000000-mapping.dmp
- memory/1616-70-0x0000000000000000-mapping.dmp
- memory/1652-74-0x0000000000000000-mapping.dmp
- memory/1704-80-0x0000000000000000-mapping.dmp
- memory/1724-81-0x0000000000000000-mapping.dmp
- memory/1760-68-0x0000000000000000-mapping.dmp
- memory/1780-79-0x0000000000000000-mapping.dmp
- memory/1948-60-0x0000000075511000-0x0000000075513000-memory.dmp
  Filesize: 8KB