Analysis
-
max time kernel
22s -
max time network
69s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
26-07-2021 12:42
Behavioral task
behavioral1
Sample
5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exe
Resource
win10v20210408
General
-
Target
5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exe
-
Size
1.0MB
-
MD5
572fea5f025df78f2d316216fbeee52e
-
SHA1
91b2bf44b1f9282c09f07f16631deaa3ad9d956d
-
SHA256
5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367
-
SHA512
eb238272227c5825477ff1e37dc4f7e467665049d4db5649fff59c39d7745e88b06234d6d1218c05c802e33e21577f9d4a533cb9e23ebe6fb09654f97759c187
Malware Config
Signatures
-
WastedLocker
Ransomware family seen in the wild since May 2020.
-
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\Session:bin cryptone C:\Users\Admin\AppData\Roaming\Session:bin cryptone C:\Windows\SysWOW64\Session.exe cryptone C:\Windows\SysWOW64\Session.exe cryptone -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
Processes:
Session:binSession.exepid process 1212 Session:bin 1208 Session.exe -
Modifies extensions of user files 21 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
Session.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\GrantUndo.raw.rlhwasted Session.exe File renamed C:\Users\Admin\Pictures\InvokeSearch.tiff => C:\Users\Admin\Pictures\InvokeSearch.tiff.rlhwasted Session.exe File opened for modification C:\Users\Admin\Pictures\InvokeSearch.tiff.rlhwasted Session.exe File renamed C:\Users\Admin\Pictures\RedoTrace.png => C:\Users\Admin\Pictures\RedoTrace.png.rlhwasted Session.exe File opened for modification C:\Users\Admin\Pictures\RedoTrace.png.rlhwasted Session.exe File renamed C:\Users\Admin\Pictures\BackupAdd.tiff => C:\Users\Admin\Pictures\BackupAdd.tiff.rlhwasted Session.exe File opened for modification C:\Users\Admin\Pictures\BackupAdd.tiff.rlhwasted Session.exe File renamed C:\Users\Admin\Pictures\DebugTrace.png => C:\Users\Admin\Pictures\DebugTrace.png.rlhwasted Session.exe File created C:\Users\Admin\Pictures\InvokeSearch.tiff.rlhwasted_info Session.exe File renamed C:\Users\Admin\Pictures\AssertOptimize.png => C:\Users\Admin\Pictures\AssertOptimize.png.rlhwasted Session.exe File opened for modification C:\Users\Admin\Pictures\AssertOptimize.png.rlhwasted Session.exe File created C:\Users\Admin\Pictures\DebugTrace.png.rlhwasted_info Session.exe File renamed C:\Users\Admin\Pictures\RestartDisable.tif => C:\Users\Admin\Pictures\RestartDisable.tif.rlhwasted Session.exe File created C:\Users\Admin\Pictures\GrantUndo.raw.rlhwasted_info Session.exe File renamed C:\Users\Admin\Pictures\GrantUndo.raw => C:\Users\Admin\Pictures\GrantUndo.raw.rlhwasted Session.exe File created C:\Users\Admin\Pictures\RestartDisable.tif.rlhwasted_info Session.exe File created C:\Users\Admin\Pictures\RedoTrace.png.rlhwasted_info Session.exe File opened for modification C:\Users\Admin\Pictures\RestartDisable.tif.rlhwasted Session.exe File created C:\Users\Admin\Pictures\AssertOptimize.png.rlhwasted_info Session.exe File created C:\Users\Admin\Pictures\BackupAdd.tiff.rlhwasted_info Session.exe File opened for modification C:\Users\Admin\Pictures\DebugTrace.png.rlhwasted Session.exe -
Possible privilege escalation attempt 2 IoCs
Processes:
takeown.exeicacls.exepid process 1644 takeown.exe 672 icacls.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 972 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exepid process 1672 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exe 1672 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exe -
Modifies file permissions 1 TTPs 2 IoCs
Processes:
takeown.exeicacls.exepid process 1644 takeown.exe 672 icacls.exe -
Drops file in System32 directory 2 IoCs
Processes:
Session:binattrib.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Session.exe Session:bin File opened for modification C:\Windows\SysWOW64\Session.exe attrib.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 1928 vssadmin.exe -
NTFS ADS 1 IoCs
Processes:
5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Session:bin 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 1788 vssvc.exe Token: SeRestorePrivilege 1788 vssvc.exe Token: SeAuditPrivilege 1788 vssvc.exe -
Suspicious use of WriteProcessMemory 52 IoCs
Processes:
5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exeSession:binSession.execmd.execmd.execmd.exedescription pid process target process PID 1672 wrote to memory of 1212 1672 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exe Session:bin PID 1672 wrote to memory of 1212 1672 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exe Session:bin PID 1672 wrote to memory of 1212 1672 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exe Session:bin PID 1672 wrote to memory of 1212 1672 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exe Session:bin PID 1212 wrote to memory of 1928 1212 Session:bin vssadmin.exe PID 1212 wrote to memory of 1928 1212 Session:bin vssadmin.exe PID 1212 wrote to memory of 1928 1212 Session:bin vssadmin.exe PID 1212 wrote to memory of 1928 1212 Session:bin vssadmin.exe PID 1212 wrote to memory of 1644 1212 Session:bin takeown.exe PID 1212 wrote to memory of 1644 1212 Session:bin takeown.exe PID 1212 wrote to memory of 1644 1212 Session:bin takeown.exe PID 1212 wrote to memory of 1644 1212 Session:bin takeown.exe PID 1212 wrote to memory of 672 1212 Session:bin icacls.exe PID 1212 wrote to memory of 672 1212 Session:bin icacls.exe PID 1212 wrote to memory of 672 1212 Session:bin icacls.exe PID 1212 wrote to memory of 672 1212 Session:bin icacls.exe PID 1208 wrote to memory of 748 1208 Session.exe cmd.exe PID 1208 wrote to memory of 748 1208 Session.exe cmd.exe PID 1208 wrote to memory of 748 1208 Session.exe cmd.exe PID 1208 wrote to memory of 748 1208 Session.exe cmd.exe PID 1212 wrote to memory of 1816 1212 Session:bin cmd.exe PID 1212 wrote to memory of 1816 1212 Session:bin cmd.exe PID 1212 wrote to memory of 1816 1212 Session:bin cmd.exe PID 1212 wrote to memory of 1816 1212 Session:bin cmd.exe PID 1672 wrote to memory of 972 1672 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exe cmd.exe PID 1672 wrote to memory of 972 1672 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exe cmd.exe PID 1672 wrote to memory of 972 1672 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exe cmd.exe PID 1672 wrote to memory of 972 1672 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exe cmd.exe PID 1816 wrote to memory of 1692 1816 cmd.exe choice.exe PID 1816 wrote to memory of 1692 1816 cmd.exe choice.exe PID 1816 wrote to memory of 1692 1816 cmd.exe choice.exe PID 1816 wrote to memory of 1692 1816 cmd.exe choice.exe PID 748 wrote to memory of 896 748 cmd.exe choice.exe PID 748 wrote to memory of 896 748 cmd.exe choice.exe PID 748 wrote to memory of 896 748 cmd.exe choice.exe PID 748 wrote to memory of 896 748 cmd.exe choice.exe PID 972 wrote to memory of 928 972 cmd.exe choice.exe PID 972 wrote to memory of 928 972 cmd.exe choice.exe PID 972 wrote to memory of 928 972 cmd.exe choice.exe PID 972 wrote to memory of 928 972 cmd.exe choice.exe PID 1816 wrote to memory of 1536 1816 cmd.exe attrib.exe PID 1816 wrote to memory of 1536 1816 cmd.exe attrib.exe PID 1816 wrote to memory of 1536 1816 cmd.exe attrib.exe PID 1816 wrote to memory of 1536 1816 cmd.exe attrib.exe PID 748 wrote to memory of 1620 748 cmd.exe attrib.exe PID 748 wrote to memory of 1620 748 cmd.exe attrib.exe PID 748 wrote to memory of 1620 748 cmd.exe attrib.exe PID 748 wrote to memory of 1620 748 cmd.exe attrib.exe PID 972 wrote to memory of 1724 972 cmd.exe attrib.exe PID 972 wrote to memory of 1724 972 cmd.exe attrib.exe PID 972 wrote to memory of 1724 972 cmd.exe attrib.exe PID 972 wrote to memory of 1724 972 cmd.exe attrib.exe -
Views/modifies file attributes 1 TTPs 3 IoCs
Processes:
attrib.exeattrib.exeattrib.exepid process 1620 attrib.exe 1536 attrib.exe 1724 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exe"C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exe"1⤵
- Loads dropped DLL
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Session:binC:\Users\Admin\AppData\Roaming\Session:bin -r2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Windows\system32\Session.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Windows\system32\Session.exe /reset3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Session" & del "C:\Users\Admin\AppData\Roaming\Session"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y4⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Users\Admin\AppData\Roaming\Session"4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exe" & del "C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exe"3⤵
- Views/modifies file attributes
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Session.exeC:\Windows\SysWOW64\Session.exe -s1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Session.exe" & del "C:\Windows\SysWOW64\Session.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Windows\SysWOW64\Session.exe"3⤵
- Drops file in System32 directory
- Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Session:binMD5
572fea5f025df78f2d316216fbeee52e
SHA191b2bf44b1f9282c09f07f16631deaa3ad9d956d
SHA2565cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367
SHA512eb238272227c5825477ff1e37dc4f7e467665049d4db5649fff59c39d7745e88b06234d6d1218c05c802e33e21577f9d4a533cb9e23ebe6fb09654f97759c187
-
C:\Users\Admin\AppData\Roaming\Session:binMD5
572fea5f025df78f2d316216fbeee52e
SHA191b2bf44b1f9282c09f07f16631deaa3ad9d956d
SHA2565cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367
SHA512eb238272227c5825477ff1e37dc4f7e467665049d4db5649fff59c39d7745e88b06234d6d1218c05c802e33e21577f9d4a533cb9e23ebe6fb09654f97759c187
-
C:\Windows\SysWOW64\Session.exeMD5
572fea5f025df78f2d316216fbeee52e
SHA191b2bf44b1f9282c09f07f16631deaa3ad9d956d
SHA2565cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367
SHA512eb238272227c5825477ff1e37dc4f7e467665049d4db5649fff59c39d7745e88b06234d6d1218c05c802e33e21577f9d4a533cb9e23ebe6fb09654f97759c187
-
C:\Windows\SysWOW64\Session.exeMD5
572fea5f025df78f2d316216fbeee52e
SHA191b2bf44b1f9282c09f07f16631deaa3ad9d956d
SHA2565cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367
SHA512eb238272227c5825477ff1e37dc4f7e467665049d4db5649fff59c39d7745e88b06234d6d1218c05c802e33e21577f9d4a533cb9e23ebe6fb09654f97759c187
-
\Users\Admin\AppData\Roaming\SessionMD5
5fd9f4da2a693eff494b2ad2f2b46f74
SHA11fb1217ea249931b3af8bb7a721a4b47c1045c9d
SHA2562fe0c34b05264f9c0eb09948a058f89e404682150dbbba1613015bfd08391307
SHA512ed07f24e00e0d2afab5b4dd7f0c6ae13bb7c509c00bcc16ae40ec74e1b34517ac3013929837e2bba8c8848b73cb4fdf49eb0ec42831258e0f9393338c0d22307
-
\Users\Admin\AppData\Roaming\SessionMD5
5fd9f4da2a693eff494b2ad2f2b46f74
SHA11fb1217ea249931b3af8bb7a721a4b47c1045c9d
SHA2562fe0c34b05264f9c0eb09948a058f89e404682150dbbba1613015bfd08391307
SHA512ed07f24e00e0d2afab5b4dd7f0c6ae13bb7c509c00bcc16ae40ec74e1b34517ac3013929837e2bba8c8848b73cb4fdf49eb0ec42831258e0f9393338c0d22307
-
memory/672-72-0x0000000000000000-mapping.dmp
-
memory/748-76-0x0000000000000000-mapping.dmp
-
memory/896-80-0x0000000000000000-mapping.dmp
-
memory/928-81-0x0000000000000000-mapping.dmp
-
memory/972-78-0x0000000000000000-mapping.dmp
-
memory/1208-75-0x0000000000400000-0x0000000000507000-memory.dmpFilesize
1.0MB
-
memory/1212-63-0x0000000000000000-mapping.dmp
-
memory/1536-82-0x0000000000000000-mapping.dmp
-
memory/1620-83-0x0000000000000000-mapping.dmp
-
memory/1644-70-0x0000000000000000-mapping.dmp
-
memory/1672-67-0x0000000000220000-0x0000000000230000-memory.dmpFilesize
64KB
-
memory/1672-68-0x0000000000400000-0x0000000000507000-memory.dmpFilesize
1.0MB
-
memory/1672-60-0x00000000767B1000-0x00000000767B3000-memory.dmpFilesize
8KB
-
memory/1692-79-0x0000000000000000-mapping.dmp
-
memory/1724-84-0x0000000000000000-mapping.dmp
-
memory/1816-77-0x0000000000000000-mapping.dmp
-
memory/1928-66-0x0000000000000000-mapping.dmp