Analysis
-
max time kernel
29s -
max time network
136s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
26-07-2021 13:00
Behavioral task
behavioral1
Sample
0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.sample.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.sample.exe
Resource
win10v20210408
General
-
Target
0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.sample.exe
-
Size
112KB
-
MD5
d01fc079881dc0d33a88e4f8df1ae7ce
-
SHA1
c40c8848808da12ef78c68de1e6477b862161a43
-
SHA256
0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821
-
SHA512
83bca79d1f0ac14c6d79685fd192964e7117e8c9c734036abddfdbb068c801ff38027a0812a2499e1d9e528a47af07150cafee27384b5a78b8fc32c23bd21130
Malware Config
Signatures
-
WastedLocker
Ransomware family seen in the wild since May 2020.
-
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\Product:bin cryptone C:\Users\Admin\AppData\Roaming\Product:bin cryptone C:\Windows\SysWOW64\Product.exe cryptone C:\Windows\SysWOW64\Product.exe cryptone -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
Processes:
Product:binProduct.exepid process 2708 Product:bin 2200 Product.exe -
Modifies extensions of user files 42 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
Product.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\FormatShow.tif.tcwwasted Product.exe File renamed C:\Users\Admin\Pictures\MoveResolve.raw => C:\Users\Admin\Pictures\MoveResolve.raw.tcwwasted Product.exe File created C:\Users\Admin\Pictures\RevokeInitialize.png.tcwwasted_info Product.exe File opened for modification C:\Users\Admin\Pictures\RevokeInitialize.png.tcwwasted Product.exe File opened for modification C:\Users\Admin\Pictures\RevokeMerge.tif.tcwwasted Product.exe File opened for modification C:\Users\Admin\Pictures\RevokeTest.tif.tcwwasted Product.exe File renamed C:\Users\Admin\Pictures\SubmitUndo.tif => C:\Users\Admin\Pictures\SubmitUndo.tif.tcwwasted Product.exe File created C:\Users\Admin\Pictures\CompleteSelect.png.tcwwasted_info Product.exe File opened for modification C:\Users\Admin\Pictures\UnlockEdit.crw.tcwwasted Product.exe File renamed C:\Users\Admin\Pictures\UseLimit.tiff => C:\Users\Admin\Pictures\UseLimit.tiff.tcwwasted Product.exe File opened for modification C:\Users\Admin\Pictures\UseLimit.tiff.tcwwasted Product.exe File created C:\Users\Admin\Pictures\UseUndo.png.tcwwasted_info Product.exe File renamed C:\Users\Admin\Pictures\StopBackup.png => C:\Users\Admin\Pictures\StopBackup.png.tcwwasted Product.exe File created C:\Users\Admin\Pictures\FormatShow.tif.tcwwasted_info Product.exe File created C:\Users\Admin\Pictures\ImportUninstall.tiff.tcwwasted_info Product.exe File opened for modification C:\Users\Admin\Pictures\SubmitUndo.tif.tcwwasted Product.exe File created C:\Users\Admin\Pictures\UnlockEdit.crw.tcwwasted_info Product.exe File opened for modification C:\Users\Admin\Pictures\ConfirmRestore.tif.tcwwasted Product.exe File created C:\Users\Admin\Pictures\StopBackup.png.tcwwasted_info Product.exe File created C:\Users\Admin\Pictures\SubmitUndo.tif.tcwwasted_info Product.exe File renamed C:\Users\Admin\Pictures\UnlockEdit.crw => C:\Users\Admin\Pictures\UnlockEdit.crw.tcwwasted Product.exe File renamed C:\Users\Admin\Pictures\UseUndo.png => C:\Users\Admin\Pictures\UseUndo.png.tcwwasted Product.exe File opened for modification C:\Users\Admin\Pictures\ImportUninstall.tiff.tcwwasted Product.exe File opened for modification C:\Users\Admin\Pictures\CompleteSelect.png.tcwwasted Product.exe File renamed C:\Users\Admin\Pictures\ImportUninstall.tiff => C:\Users\Admin\Pictures\ImportUninstall.tiff.tcwwasted Product.exe File created C:\Users\Admin\Pictures\RevokeMerge.tif.tcwwasted_info Product.exe File opened for modification C:\Users\Admin\Pictures\StopBackup.png.tcwwasted Product.exe File renamed C:\Users\Admin\Pictures\CompleteSelect.png => C:\Users\Admin\Pictures\CompleteSelect.png.tcwwasted Product.exe File renamed C:\Users\Admin\Pictures\PopUnregister.tif => C:\Users\Admin\Pictures\PopUnregister.tif.tcwwasted Product.exe File created C:\Users\Admin\Pictures\RevokeTest.tif.tcwwasted_info Product.exe File opened for modification C:\Users\Admin\Pictures\UseUndo.png.tcwwasted Product.exe File opened for modification C:\Users\Admin\Pictures\MoveResolve.raw.tcwwasted Product.exe File renamed C:\Users\Admin\Pictures\FormatShow.tif => C:\Users\Admin\Pictures\FormatShow.tif.tcwwasted Product.exe File opened for modification C:\Users\Admin\Pictures\PopUnregister.tif.tcwwasted Product.exe File renamed C:\Users\Admin\Pictures\RevokeMerge.tif => C:\Users\Admin\Pictures\RevokeMerge.tif.tcwwasted Product.exe File renamed C:\Users\Admin\Pictures\ConfirmRestore.tif => C:\Users\Admin\Pictures\ConfirmRestore.tif.tcwwasted Product.exe File created C:\Users\Admin\Pictures\PopUnregister.tif.tcwwasted_info Product.exe File created C:\Users\Admin\Pictures\MoveResolve.raw.tcwwasted_info Product.exe File renamed C:\Users\Admin\Pictures\RevokeInitialize.png => C:\Users\Admin\Pictures\RevokeInitialize.png.tcwwasted Product.exe File renamed C:\Users\Admin\Pictures\RevokeTest.tif => C:\Users\Admin\Pictures\RevokeTest.tif.tcwwasted Product.exe File created C:\Users\Admin\Pictures\UseLimit.tiff.tcwwasted_info Product.exe File created C:\Users\Admin\Pictures\ConfirmRestore.tif.tcwwasted_info Product.exe -
Possible privilege escalation attempt 2 IoCs
Processes:
takeown.exeicacls.exepid process 4092 takeown.exe 2140 icacls.exe -
Modifies file permissions 1 TTPs 2 IoCs
Processes:
takeown.exeicacls.exepid process 4092 takeown.exe 2140 icacls.exe -
Drops file in System32 directory 2 IoCs
Processes:
Product:binattrib.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Product.exe Product:bin File opened for modification C:\Windows\SysWOW64\Product.exe attrib.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 192 vssadmin.exe -
NTFS ADS 1 IoCs
Processes:
0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.sample.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Product:bin 0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.sample.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 1940 vssvc.exe Token: SeRestorePrivilege 1940 vssvc.exe Token: SeAuditPrivilege 1940 vssvc.exe -
Suspicious use of WriteProcessMemory 38 IoCs
Processes:
0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.sample.exeProduct:binProduct.execmd.execmd.execmd.exedescription pid process target process PID 580 wrote to memory of 2708 580 0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.sample.exe Product:bin PID 580 wrote to memory of 2708 580 0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.sample.exe Product:bin PID 580 wrote to memory of 2708 580 0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.sample.exe Product:bin PID 2708 wrote to memory of 192 2708 Product:bin vssadmin.exe PID 2708 wrote to memory of 192 2708 Product:bin vssadmin.exe PID 2708 wrote to memory of 4092 2708 Product:bin takeown.exe PID 2708 wrote to memory of 4092 2708 Product:bin takeown.exe PID 2708 wrote to memory of 4092 2708 Product:bin takeown.exe PID 2708 wrote to memory of 2140 2708 Product:bin icacls.exe PID 2708 wrote to memory of 2140 2708 Product:bin icacls.exe PID 2708 wrote to memory of 2140 2708 Product:bin icacls.exe PID 2708 wrote to memory of 3504 2708 Product:bin cmd.exe PID 2708 wrote to memory of 3504 2708 Product:bin cmd.exe PID 2708 wrote to memory of 3504 2708 Product:bin cmd.exe PID 2200 wrote to memory of 3780 2200 Product.exe cmd.exe PID 2200 wrote to memory of 3780 2200 Product.exe cmd.exe PID 2200 wrote to memory of 3780 2200 Product.exe cmd.exe PID 580 wrote to memory of 3948 580 0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.sample.exe cmd.exe PID 580 wrote to memory of 3948 580 0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.sample.exe cmd.exe PID 580 wrote to memory of 3948 580 0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.sample.exe cmd.exe PID 3780 wrote to memory of 200 3780 cmd.exe choice.exe PID 3504 wrote to memory of 3560 3504 cmd.exe choice.exe PID 3780 wrote to memory of 200 3780 cmd.exe choice.exe PID 3504 wrote to memory of 3560 3504 cmd.exe choice.exe PID 3780 wrote to memory of 200 3780 cmd.exe choice.exe PID 3504 wrote to memory of 3560 3504 cmd.exe choice.exe PID 3948 wrote to memory of 960 3948 cmd.exe choice.exe PID 3948 wrote to memory of 960 3948 cmd.exe choice.exe PID 3948 wrote to memory of 960 3948 cmd.exe choice.exe PID 3948 wrote to memory of 192 3948 cmd.exe attrib.exe PID 3948 wrote to memory of 192 3948 cmd.exe attrib.exe PID 3948 wrote to memory of 192 3948 cmd.exe attrib.exe PID 3780 wrote to memory of 2764 3780 cmd.exe attrib.exe PID 3780 wrote to memory of 2764 3780 cmd.exe attrib.exe PID 3780 wrote to memory of 2764 3780 cmd.exe attrib.exe PID 3504 wrote to memory of 196 3504 cmd.exe attrib.exe PID 3504 wrote to memory of 196 3504 cmd.exe attrib.exe PID 3504 wrote to memory of 196 3504 cmd.exe attrib.exe -
Views/modifies file attributes 1 TTPs 3 IoCs
Processes:
attrib.exeattrib.exeattrib.exepid process 196 attrib.exe 192 attrib.exe 2764 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.sample.exe"C:\Users\Admin\AppData\Local\Temp\0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.sample.exe"1⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Product:binC:\Users\Admin\AppData\Roaming\Product:bin -r2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Windows\system32\Product.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Windows\system32\Product.exe /reset3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Product" & del "C:\Users\Admin\AppData\Roaming\Product"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y4⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Users\Admin\AppData\Roaming\Product"4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.sample.exe" & del "C:\Users\Admin\AppData\Local\Temp\0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.sample.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Users\Admin\AppData\Local\Temp\0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.sample.exe"3⤵
- Views/modifies file attributes
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Product.exeC:\Windows\SysWOW64\Product.exe -s1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Product.exe" & del "C:\Windows\SysWOW64\Product.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Windows\SysWOW64\Product.exe"3⤵
- Drops file in System32 directory
- Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Product:binMD5
d01fc079881dc0d33a88e4f8df1ae7ce
SHA1c40c8848808da12ef78c68de1e6477b862161a43
SHA2560e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821
SHA51283bca79d1f0ac14c6d79685fd192964e7117e8c9c734036abddfdbb068c801ff38027a0812a2499e1d9e528a47af07150cafee27384b5a78b8fc32c23bd21130
-
C:\Users\Admin\AppData\Roaming\Product:binMD5
d01fc079881dc0d33a88e4f8df1ae7ce
SHA1c40c8848808da12ef78c68de1e6477b862161a43
SHA2560e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821
SHA51283bca79d1f0ac14c6d79685fd192964e7117e8c9c734036abddfdbb068c801ff38027a0812a2499e1d9e528a47af07150cafee27384b5a78b8fc32c23bd21130
-
C:\Windows\SysWOW64\Product.exeMD5
d01fc079881dc0d33a88e4f8df1ae7ce
SHA1c40c8848808da12ef78c68de1e6477b862161a43
SHA2560e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821
SHA51283bca79d1f0ac14c6d79685fd192964e7117e8c9c734036abddfdbb068c801ff38027a0812a2499e1d9e528a47af07150cafee27384b5a78b8fc32c23bd21130
-
C:\Windows\SysWOW64\Product.exeMD5
d01fc079881dc0d33a88e4f8df1ae7ce
SHA1c40c8848808da12ef78c68de1e6477b862161a43
SHA2560e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821
SHA51283bca79d1f0ac14c6d79685fd192964e7117e8c9c734036abddfdbb068c801ff38027a0812a2499e1d9e528a47af07150cafee27384b5a78b8fc32c23bd21130
-
memory/192-119-0x0000000000000000-mapping.dmp
-
memory/192-134-0x0000000000000000-mapping.dmp
-
memory/196-136-0x0000000000000000-mapping.dmp
-
memory/200-131-0x0000000000000000-mapping.dmp
-
memory/580-115-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/580-114-0x0000000000580000-0x0000000000592000-memory.dmpFilesize
72KB
-
memory/960-133-0x0000000000000000-mapping.dmp
-
memory/2140-124-0x0000000000000000-mapping.dmp
-
memory/2200-126-0x0000000000420000-0x00000000004CE000-memory.dmpFilesize
696KB
-
memory/2200-127-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/2708-120-0x0000000000420000-0x000000000056A000-memory.dmpFilesize
1.3MB
-
memory/2708-121-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/2708-116-0x0000000000000000-mapping.dmp
-
memory/2764-135-0x0000000000000000-mapping.dmp
-
memory/3504-128-0x0000000000000000-mapping.dmp
-
memory/3560-132-0x0000000000000000-mapping.dmp
-
memory/3780-129-0x0000000000000000-mapping.dmp
-
memory/3948-130-0x0000000000000000-mapping.dmp
-
memory/4092-122-0x0000000000000000-mapping.dmp