Analysis
-
max time kernel
37s -
max time network
125s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
26-07-2021 12:42
Behavioral task
behavioral1
Sample
5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exe
Resource
win10v20210408
General
-
Target
5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exe
-
Size
1.0MB
-
MD5
572fea5f025df78f2d316216fbeee52e
-
SHA1
91b2bf44b1f9282c09f07f16631deaa3ad9d956d
-
SHA256
5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367
-
SHA512
eb238272227c5825477ff1e37dc4f7e467665049d4db5649fff59c39d7745e88b06234d6d1218c05c802e33e21577f9d4a533cb9e23ebe6fb09654f97759c187
Malware Config
Signatures
-
WastedLocker
Ransomware family seen in the wild since May 2020.
-
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\D80:bin cryptone C:\Users\Admin\AppData\Roaming\D80:bin cryptone C:\Windows\SysWOW64\D80.exe cryptone C:\Windows\SysWOW64\D80.exe cryptone -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
Processes:
D80:binD80.exepid process 4068 D80:bin 2276 D80.exe -
Modifies extensions of user files 30 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
D80.exedescription ioc process File renamed C:\Users\Admin\Pictures\ApproveOptimize.tif => C:\Users\Admin\Pictures\ApproveOptimize.tif.rlhwasted D80.exe File renamed C:\Users\Admin\Pictures\CompareRename.tif => C:\Users\Admin\Pictures\CompareRename.tif.rlhwasted D80.exe File opened for modification C:\Users\Admin\Pictures\CompareRename.tif.rlhwasted D80.exe File created C:\Users\Admin\Pictures\RestartUse.raw.rlhwasted_info D80.exe File renamed C:\Users\Admin\Pictures\ReadResize.crw => C:\Users\Admin\Pictures\ReadResize.crw.rlhwasted D80.exe File created C:\Users\Admin\Pictures\ReceiveUnpublish.tiff.rlhwasted_info D80.exe File opened for modification C:\Users\Admin\Pictures\ResetExport.raw.rlhwasted D80.exe File renamed C:\Users\Admin\Pictures\RestartUse.raw => C:\Users\Admin\Pictures\RestartUse.raw.rlhwasted D80.exe File renamed C:\Users\Admin\Pictures\PingInvoke.png => C:\Users\Admin\Pictures\PingInvoke.png.rlhwasted D80.exe File created C:\Users\Admin\Pictures\ResetExport.raw.rlhwasted_info D80.exe File created C:\Users\Admin\Pictures\ResetRepair.png.rlhwasted_info D80.exe File created C:\Users\Admin\Pictures\ApproveOptimize.tif.rlhwasted_info D80.exe File renamed C:\Users\Admin\Pictures\CloseResume.tif => C:\Users\Admin\Pictures\CloseResume.tif.rlhwasted D80.exe File created C:\Users\Admin\Pictures\PingInvoke.png.rlhwasted_info D80.exe File opened for modification C:\Users\Admin\Pictures\ReadResize.crw.rlhwasted D80.exe File renamed C:\Users\Admin\Pictures\ResetRepair.png => C:\Users\Admin\Pictures\ResetRepair.png.rlhwasted D80.exe File opened for modification C:\Users\Admin\Pictures\CloseResume.tif.rlhwasted D80.exe File opened for modification C:\Users\Admin\Pictures\ResetRepair.png.rlhwasted D80.exe File opened for modification C:\Users\Admin\Pictures\ResumeConvertFrom.tiff.rlhwasted D80.exe File opened for modification C:\Users\Admin\Pictures\ApproveOptimize.tif.rlhwasted D80.exe File opened for modification C:\Users\Admin\Pictures\PingInvoke.png.rlhwasted D80.exe File renamed C:\Users\Admin\Pictures\ReceiveUnpublish.tiff => C:\Users\Admin\Pictures\ReceiveUnpublish.tiff.rlhwasted D80.exe File created C:\Users\Admin\Pictures\CloseResume.tif.rlhwasted_info D80.exe File created C:\Users\Admin\Pictures\ReadResize.crw.rlhwasted_info D80.exe File opened for modification C:\Users\Admin\Pictures\ReceiveUnpublish.tiff.rlhwasted D80.exe File renamed C:\Users\Admin\Pictures\ResetExport.raw => C:\Users\Admin\Pictures\ResetExport.raw.rlhwasted D80.exe File created C:\Users\Admin\Pictures\ResumeConvertFrom.tiff.rlhwasted_info D80.exe File created C:\Users\Admin\Pictures\CompareRename.tif.rlhwasted_info D80.exe File opened for modification C:\Users\Admin\Pictures\RestartUse.raw.rlhwasted D80.exe File renamed C:\Users\Admin\Pictures\ResumeConvertFrom.tiff => C:\Users\Admin\Pictures\ResumeConvertFrom.tiff.rlhwasted D80.exe -
Possible privilege escalation attempt 2 IoCs
Processes:
takeown.exeicacls.exepid process 2784 takeown.exe 3052 icacls.exe -
Modifies file permissions 1 TTPs 2 IoCs
Processes:
takeown.exeicacls.exepid process 2784 takeown.exe 3052 icacls.exe -
Drops file in System32 directory 2 IoCs
Processes:
D80:binattrib.exedescription ioc process File opened for modification C:\Windows\SysWOW64\D80.exe D80:bin File opened for modification C:\Windows\SysWOW64\D80.exe attrib.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 3484 vssadmin.exe -
NTFS ADS 1 IoCs
Processes:
5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\D80:bin 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 4016 vssvc.exe Token: SeRestorePrivilege 4016 vssvc.exe Token: SeAuditPrivilege 4016 vssvc.exe -
Suspicious use of WriteProcessMemory 38 IoCs
Processes:
5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exeD80:binD80.execmd.execmd.execmd.exedescription pid process target process PID 656 wrote to memory of 4068 656 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exe D80:bin PID 656 wrote to memory of 4068 656 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exe D80:bin PID 656 wrote to memory of 4068 656 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exe D80:bin PID 4068 wrote to memory of 3484 4068 D80:bin vssadmin.exe PID 4068 wrote to memory of 3484 4068 D80:bin vssadmin.exe PID 4068 wrote to memory of 2784 4068 D80:bin takeown.exe PID 4068 wrote to memory of 2784 4068 D80:bin takeown.exe PID 4068 wrote to memory of 2784 4068 D80:bin takeown.exe PID 4068 wrote to memory of 3052 4068 D80:bin icacls.exe PID 4068 wrote to memory of 3052 4068 D80:bin icacls.exe PID 4068 wrote to memory of 3052 4068 D80:bin icacls.exe PID 2276 wrote to memory of 2100 2276 D80.exe cmd.exe PID 2276 wrote to memory of 2100 2276 D80.exe cmd.exe PID 2276 wrote to memory of 2100 2276 D80.exe cmd.exe PID 4068 wrote to memory of 2308 4068 D80:bin cmd.exe PID 4068 wrote to memory of 2308 4068 D80:bin cmd.exe PID 4068 wrote to memory of 2308 4068 D80:bin cmd.exe PID 656 wrote to memory of 2144 656 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exe cmd.exe PID 656 wrote to memory of 2144 656 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exe cmd.exe PID 656 wrote to memory of 2144 656 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exe cmd.exe PID 2100 wrote to memory of 904 2100 cmd.exe choice.exe PID 2100 wrote to memory of 904 2100 cmd.exe choice.exe PID 2100 wrote to memory of 904 2100 cmd.exe choice.exe PID 2308 wrote to memory of 3708 2308 cmd.exe choice.exe PID 2308 wrote to memory of 3708 2308 cmd.exe choice.exe PID 2308 wrote to memory of 3708 2308 cmd.exe choice.exe PID 2144 wrote to memory of 3496 2144 cmd.exe choice.exe PID 2144 wrote to memory of 3496 2144 cmd.exe choice.exe PID 2144 wrote to memory of 3496 2144 cmd.exe choice.exe PID 2100 wrote to memory of 3192 2100 cmd.exe attrib.exe PID 2100 wrote to memory of 3192 2100 cmd.exe attrib.exe PID 2100 wrote to memory of 3192 2100 cmd.exe attrib.exe PID 2308 wrote to memory of 3728 2308 cmd.exe attrib.exe PID 2308 wrote to memory of 3728 2308 cmd.exe attrib.exe PID 2308 wrote to memory of 3728 2308 cmd.exe attrib.exe PID 2144 wrote to memory of 264 2144 cmd.exe attrib.exe PID 2144 wrote to memory of 264 2144 cmd.exe attrib.exe PID 2144 wrote to memory of 264 2144 cmd.exe attrib.exe -
Views/modifies file attributes 1 TTPs 3 IoCs
Processes:
attrib.exeattrib.exeattrib.exepid process 3192 attrib.exe 3728 attrib.exe 264 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exe"C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exe"1⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\D80:binC:\Users\Admin\AppData\Roaming\D80:bin -r2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Windows\system32\D80.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Windows\system32\D80.exe /reset3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\D80" & del "C:\Users\Admin\AppData\Roaming\D80"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y4⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Users\Admin\AppData\Roaming\D80"4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exe" & del "C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.sample.exe"3⤵
- Views/modifies file attributes
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\D80.exeC:\Windows\SysWOW64\D80.exe -s1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\D80.exe" & del "C:\Windows\SysWOW64\D80.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Windows\SysWOW64\D80.exe"3⤵
- Drops file in System32 directory
- Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\D80:binMD5
572fea5f025df78f2d316216fbeee52e
SHA191b2bf44b1f9282c09f07f16631deaa3ad9d956d
SHA2565cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367
SHA512eb238272227c5825477ff1e37dc4f7e467665049d4db5649fff59c39d7745e88b06234d6d1218c05c802e33e21577f9d4a533cb9e23ebe6fb09654f97759c187
-
C:\Users\Admin\AppData\Roaming\D80:binMD5
572fea5f025df78f2d316216fbeee52e
SHA191b2bf44b1f9282c09f07f16631deaa3ad9d956d
SHA2565cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367
SHA512eb238272227c5825477ff1e37dc4f7e467665049d4db5649fff59c39d7745e88b06234d6d1218c05c802e33e21577f9d4a533cb9e23ebe6fb09654f97759c187
-
C:\Windows\SysWOW64\D80.exeMD5
572fea5f025df78f2d316216fbeee52e
SHA191b2bf44b1f9282c09f07f16631deaa3ad9d956d
SHA2565cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367
SHA512eb238272227c5825477ff1e37dc4f7e467665049d4db5649fff59c39d7745e88b06234d6d1218c05c802e33e21577f9d4a533cb9e23ebe6fb09654f97759c187
-
C:\Windows\SysWOW64\D80.exeMD5
572fea5f025df78f2d316216fbeee52e
SHA191b2bf44b1f9282c09f07f16631deaa3ad9d956d
SHA2565cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367
SHA512eb238272227c5825477ff1e37dc4f7e467665049d4db5649fff59c39d7745e88b06234d6d1218c05c802e33e21577f9d4a533cb9e23ebe6fb09654f97759c187
-
memory/264-135-0x0000000000000000-mapping.dmp
-
memory/656-114-0x0000000000560000-0x00000000006AA000-memory.dmpFilesize
1.3MB
-
memory/656-115-0x0000000000400000-0x0000000000507000-memory.dmpFilesize
1.0MB
-
memory/904-130-0x0000000000000000-mapping.dmp
-
memory/2100-127-0x0000000000000000-mapping.dmp
-
memory/2144-129-0x0000000000000000-mapping.dmp
-
memory/2276-125-0x00000000001E0000-0x00000000001F0000-memory.dmpFilesize
64KB
-
memory/2276-126-0x0000000000400000-0x0000000000507000-memory.dmpFilesize
1.0MB
-
memory/2308-128-0x0000000000000000-mapping.dmp
-
memory/2784-121-0x0000000000000000-mapping.dmp
-
memory/3052-123-0x0000000000000000-mapping.dmp
-
memory/3192-133-0x0000000000000000-mapping.dmp
-
memory/3484-119-0x0000000000000000-mapping.dmp
-
memory/3496-132-0x0000000000000000-mapping.dmp
-
memory/3708-131-0x0000000000000000-mapping.dmp
-
memory/3728-134-0x0000000000000000-mapping.dmp
-
memory/4068-120-0x0000000000400000-0x0000000000507000-memory.dmpFilesize
1.0MB
-
memory/4068-116-0x0000000000000000-mapping.dmp