Analysis
- max time kernel: 16s
- max time network: 136s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 26-07-2021 13:00
Static task: static1
Behavioral task: behavioral1
  Sample: ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.sample.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.sample.exe
  Resource: win10v20210410
General
- Target: ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.sample.exe
- Size: 58KB
- MD5: 33b80a574c6441baf5409a292aafb1cf
- SHA1: 8048aba11ea6209d1f49fa4e12741050350557df
- SHA256: ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56
- SHA512: 52843695c364814c0d0d375f68f9c7202a26e492f59c01eaf23dd366da443ae6a02c2a7ff1748a033658808e900a61e097deb95c98de3744f2767faa040ddc00
Malware Config
Signatures

- WastedLocker
  Ransomware family seen in the wild since May 2020.

- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

- Executes dropped EXE (2 IoCs)
  Processes:
    PID   | Process
    2812  | Early:bin
    1292  | Early.exe

- Modifies extensions of user files (6 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes:
    Description | IoC | Process
    File renamed | C:\Users\Admin\Pictures\FormatRemove.png => C:\Users\Admin\Pictures\FormatRemove.png.garminwasted | Early.exe
    File opened for modification | C:\Users\Admin\Pictures\FormatRemove.png.garminwasted | Early.exe
    File created | C:\Users\Admin\Pictures\ConvertConnect.tiff.garminwasted_info | Early.exe
    File renamed | C:\Users\Admin\Pictures\ConvertConnect.tiff => C:\Users\Admin\Pictures\ConvertConnect.tiff.garminwasted | Early.exe
    File opened for modification | C:\Users\Admin\Pictures\ConvertConnect.tiff.garminwasted | Early.exe
    File created | C:\Users\Admin\Pictures\FormatRemove.png.garminwasted_info | Early.exe

- Possible privilege escalation attempt (2 IoCs)
  Processes:
    PID   | Process
    3080  | icacls.exe
    3264  | takeown.exe

- Modifies file permissions (1 TTPs, 2 IoCs)
  Processes:
    PID   | Process
    3264  | takeown.exe
    3080  | icacls.exe

- Drops file in System32 directory (2 IoCs)
  Processes:
    Description | IoC | Process
    File opened for modification | C:\Windows\SysWOW64\Early.exe | Early:bin
    File opened for modification | C:\Windows\SysWOW64\Early.exe | attrib.exe

- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    PID   | Process
    3036  | vssadmin.exe

- NTFS ADS (1 IoCs)
  Processes:
    Description | IoC | Process
    File opened for modification | C:\Users\Admin\AppData\Roaming\Early:bin | ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.sample.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    Description | PID | Process
    Token: SeBackupPrivilege | 508 | vssvc.exe
    Token: SeRestorePrivilege | 508 | vssvc.exe
    Token: SeAuditPrivilege | 508 | vssvc.exe

- Suspicious use of WriteProcessMemory (38 IoCs)
  Processes (identical rows collapsed; the Entries column gives how many times each row appears in the report):
    Description | PID | Process | Target process | Entries
    PID 744 wrote to memory of 2812 | 744 | ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.sample.exe | Early:bin | 3
    PID 2812 wrote to memory of 3036 | 2812 | Early:bin | vssadmin.exe | 2
    PID 2812 wrote to memory of 3264 | 2812 | Early:bin | takeown.exe | 3
    PID 2812 wrote to memory of 3080 | 2812 | Early:bin | icacls.exe | 3
    PID 1292 wrote to memory of 3852 | 1292 | Early.exe | cmd.exe | 3
    PID 3852 wrote to memory of 740 | 3852 | cmd.exe | choice.exe | 3
    PID 2812 wrote to memory of 1056 | 2812 | Early:bin | cmd.exe | 3
    PID 744 wrote to memory of 3860 | 744 | ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.sample.exe | cmd.exe | 3
    PID 1056 wrote to memory of 2496 | 1056 | cmd.exe | choice.exe | 3
    PID 3860 wrote to memory of 2728 | 3860 | cmd.exe | choice.exe | 3
    PID 3852 wrote to memory of 8 | 3852 | cmd.exe | attrib.exe | 3
    PID 3860 wrote to memory of 3744 | 3860 | cmd.exe | attrib.exe | 3
    PID 1056 wrote to memory of 2040 | 1056 | cmd.exe | attrib.exe | 3

- Views/modifies file attributes (1 TTPs, 3 IoCs)
  Processes:
    PID   | Process
    8     | attrib.exe
    3744  | attrib.exe
    2040  | attrib.exe
Processes (process tree; indentation and the depth number give the parent/child relationship, as in the original report)

Depth 1: C:\Users\Admin\AppData\Local\Temp\ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.sample.exe"
  - NTFS ADS
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Roaming\Early:bin
    Command line: C:\Users\Admin\AppData\Roaming\Early:bin -r
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies

    Depth 3: C:\Windows\SysWOW64\takeown.exe
      Command line: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Early.exe
      - Possible privilege escalation attempt
      - Modifies file permissions

    Depth 3: C:\Windows\SysWOW64\icacls.exe
      Command line: C:\Windows\system32\icacls.exe C:\Windows\system32\Early.exe /reset
      - Possible privilege escalation attempt
      - Modifies file permissions

    Depth 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Early" & del "C:\Users\Admin\AppData\Roaming\Early"
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Windows\SysWOW64\choice.exe
        Command line: choice /t 10 /d y

      Depth 4: C:\Windows\SysWOW64\attrib.exe
        Command line: attrib -h "C:\Users\Admin\AppData\Roaming\Early"
        - Views/modifies file attributes

  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.sample.exe" & del "C:\Users\Admin\AppData\Local\Temp\ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.sample.exe"
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\choice.exe
      Command line: choice /t 10 /d y

    Depth 3: C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56.sample.exe"
      - Views/modifies file attributes

Depth 1: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

Depth 1: C:\Windows\SysWOW64\Early.exe
  Command line: C:\Windows\SysWOW64\Early.exe -s
  - Executes dropped EXE
  - Modifies extensions of user files
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Early.exe" & del "C:\Windows\SysWOW64\Early.exe"
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\choice.exe
      Command line: choice /t 10 /d y

    Depth 3: C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Windows\SysWOW64\Early.exe"
      - Drops file in System32 directory
      - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Early:bin
  MD5: 33b80a574c6441baf5409a292aafb1cf
  SHA1: 8048aba11ea6209d1f49fa4e12741050350557df
  SHA256: ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56
  SHA512: 52843695c364814c0d0d375f68f9c7202a26e492f59c01eaf23dd366da443ae6a02c2a7ff1748a033658808e900a61e097deb95c98de3744f2767faa040ddc00
- C:\Windows\SysWOW64\Early.exe
  MD5: 33b80a574c6441baf5409a292aafb1cf
  SHA1: 8048aba11ea6209d1f49fa4e12741050350557df
  SHA256: ab007094afec534a2aa64436f214866014a664e7399aeaf361790ede5eec6b56
  SHA512: 52843695c364814c0d0d375f68f9c7202a26e492f59c01eaf23dd366da443ae6a02c2a7ff1748a033658808e900a61e097deb95c98de3744f2767faa040ddc00
- memory/8-128-0x0000000000000000-mapping.dmp
- memory/740-123-0x0000000000000000-mapping.dmp
- memory/1056-124-0x0000000000000000-mapping.dmp
- memory/2040-130-0x0000000000000000-mapping.dmp
- memory/2496-126-0x0000000000000000-mapping.dmp
- memory/2728-127-0x0000000000000000-mapping.dmp
- memory/2812-114-0x0000000000000000-mapping.dmp
- memory/3036-117-0x0000000000000000-mapping.dmp
- memory/3080-120-0x0000000000000000-mapping.dmp
- memory/3264-118-0x0000000000000000-mapping.dmp
- memory/3744-129-0x0000000000000000-mapping.dmp
- memory/3852-122-0x0000000000000000-mapping.dmp
- memory/3860-125-0x0000000000000000-mapping.dmp