wastedlocker | df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa

General

Target

df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa.exe
Size

2.3MB
MD5

93d20353d7135a1086eac5855edafabf
SHA1

7dc81975c33c142aba3f1351c7bc066181a2a8c6
SHA256

df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa
SHA512

f2e8d4132b7d8fb5bce50468ef787e8708570373202c3a0cb626b192e0e0f7262718a9691453cacc49351a5e166677e3681dd387ef72c9dcb72e09257473726f

Score

10^/10

wastedlocker discovery evasion exploit ransomware themida trojan

Malware Config

Signatures

WastedLocker
Ransomware family seen in the wild since May 2020.
ransomware wastedlocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 2 IoCs

Processes:

Device:binDevice.exe

pid process

1004 Device:bin
960 Device.exe

pid	process
1004	Device:bin
960	Device.exe

Modifies extensions of user files 15 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

Device.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\CompressCheckpoint.tif.tcwwasted	Device.exe
File renamed	C:\Users\Admin\Pictures\RequestRead.raw => C:\Users\Admin\Pictures\RequestRead.raw.tcwwasted	Device.exe
File renamed	C:\Users\Admin\Pictures\RestoreRequest.png => C:\Users\Admin\Pictures\RestoreRequest.png.tcwwasted	Device.exe
File renamed	C:\Users\Admin\Pictures\CompressCheckpoint.tif => C:\Users\Admin\Pictures\CompressCheckpoint.tif.tcwwasted	Device.exe
File opened for modification	C:\Users\Admin\Pictures\JoinSet.png.tcwwasted	Device.exe
File created	C:\Users\Admin\Pictures\RegisterSend.png.tcwwasted_info	Device.exe
File created	C:\Users\Admin\Pictures\RequestRead.raw.tcwwasted_info	Device.exe
File opened for modification	C:\Users\Admin\Pictures\RequestRead.raw.tcwwasted	Device.exe
File created	C:\Users\Admin\Pictures\CompressCheckpoint.tif.tcwwasted_info	Device.exe
File renamed	C:\Users\Admin\Pictures\RegisterSend.png => C:\Users\Admin\Pictures\RegisterSend.png.tcwwasted	Device.exe
File opened for modification	C:\Users\Admin\Pictures\RegisterSend.png.tcwwasted	Device.exe
File created	C:\Users\Admin\Pictures\JoinSet.png.tcwwasted_info	Device.exe
File renamed	C:\Users\Admin\Pictures\JoinSet.png => C:\Users\Admin\Pictures\JoinSet.png.tcwwasted	Device.exe
File created	C:\Users\Admin\Pictures\RestoreRequest.png.tcwwasted_info	Device.exe
File opened for modification	C:\Users\Admin\Pictures\RestoreRequest.png.tcwwasted	Device.exe

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1064 takeown.exe
1872 icacls.exe

pid	process
1064	takeown.exe
1872	icacls.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Device:binDevice.exedf35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Device:bin
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Device.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Device.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Device:bin

Loads dropped DLL 2 IoCs

Processes:

df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa.exe

pid	process
1464	df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa.exe
1464	df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1064 takeown.exe
1872 icacls.exe

pid	process
1064	takeown.exe
1872	icacls.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1464-56-0x0000000000400000-0x0000000000A09000-memory.dmp	themida
behavioral1/memory/1464-57-0x00000000774C0000-0x0000000077640000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Device:bin	themida
C:\Users\Admin\AppData\Roaming\Device:bin	themida
behavioral1/memory/1004-67-0x0000000000400000-0x0000000000A09000-memory.dmp	themida
C:\Windows\SysWOW64\Device.exe	themida
C:\Windows\SysWOW64\Device.exe	themida
behavioral1/memory/960-77-0x0000000000400000-0x0000000000A09000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa.exeDevice:binDevice.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Device:bin
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Device.exe

Drops file in System32 directory 1 IoCs

Processes:

Device:bin

description ioc process

File opened for modification C:\Windows\SysWOW64\Device.exe Device:bin
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa.exeDevice:binDevice.exe

pid process

1464 df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa.exe
1004 Device:bin
960 Device.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

316 vssadmin.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Device.exe	Device:bin

pid	process
316	vssadmin.exe

NTFS ADS 1 IoCs

Processes:

df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Device:bin	df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1496 vssvc.exe
Token: SeRestorePrivilege 1496 vssvc.exe
Token: SeAuditPrivilege 1496 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	1496	vssvc.exe
Token: SeRestorePrivilege	1496	vssvc.exe
Token: SeAuditPrivilege	1496	vssvc.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa.exeDevice:bin

description	pid	process	target process
PID 1464 wrote to memory of 1004	1464	df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa.exe	Device:bin
PID 1464 wrote to memory of 1004	1464	df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa.exe	Device:bin
PID 1464 wrote to memory of 1004	1464	df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa.exe	Device:bin
PID 1464 wrote to memory of 1004	1464	df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa.exe	Device:bin
PID 1004 wrote to memory of 316	1004	Device:bin	vssadmin.exe
PID 1004 wrote to memory of 316	1004	Device:bin	vssadmin.exe
PID 1004 wrote to memory of 316	1004	Device:bin	vssadmin.exe
PID 1004 wrote to memory of 316	1004	Device:bin	vssadmin.exe
PID 1004 wrote to memory of 1064	1004	Device:bin	takeown.exe
PID 1004 wrote to memory of 1064	1004	Device:bin	takeown.exe
PID 1004 wrote to memory of 1064	1004	Device:bin	takeown.exe
PID 1004 wrote to memory of 1064	1004	Device:bin	takeown.exe
PID 1004 wrote to memory of 1872	1004	Device:bin	icacls.exe
PID 1004 wrote to memory of 1872	1004	Device:bin	icacls.exe
PID 1004 wrote to memory of 1872	1004	Device:bin	icacls.exe
PID 1004 wrote to memory of 1872	1004	Device:bin	icacls.exe

C:\Users\Admin\AppData\Local\Temp\df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa.exe
"C:\Users\Admin\AppData\Local\Temp\df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa.exe"
1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1464

C:\Users\Admin\AppData\Roaming\Device:bin
C:\Users\Admin\AppData\Roaming\Device:bin -r
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:316

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Windows\system32\Device.exe
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1064

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Windows\system32\Device.exe /reset
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1872

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\SysWOW64\Device.exe
C:\Windows\SysWOW64\Device.exe -s
1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:960

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Virtualization/Sandbox Evasion

1

T1497

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Device:bin
Filesize
2.3MB

MD5
93d20353d7135a1086eac5855edafabf

SHA1
7dc81975c33c142aba3f1351c7bc066181a2a8c6

SHA256
df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa

SHA512
f2e8d4132b7d8fb5bce50468ef787e8708570373202c3a0cb626b192e0e0f7262718a9691453cacc49351a5e166677e3681dd387ef72c9dcb72e09257473726f

Download Submit
C:\Users\Admin\AppData\Roaming\Device:bin
Filesize
2.3MB

MD5
93d20353d7135a1086eac5855edafabf

SHA1
7dc81975c33c142aba3f1351c7bc066181a2a8c6

SHA256
df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa

SHA512
f2e8d4132b7d8fb5bce50468ef787e8708570373202c3a0cb626b192e0e0f7262718a9691453cacc49351a5e166677e3681dd387ef72c9dcb72e09257473726f

Download Submit
C:\Windows\SysWOW64\Device.exe
Filesize
2.3MB

MD5
93d20353d7135a1086eac5855edafabf

SHA1
7dc81975c33c142aba3f1351c7bc066181a2a8c6

SHA256
df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa

SHA512
f2e8d4132b7d8fb5bce50468ef787e8708570373202c3a0cb626b192e0e0f7262718a9691453cacc49351a5e166677e3681dd387ef72c9dcb72e09257473726f

Download Submit
C:\Windows\SysWOW64\Device.exe
Filesize
2.3MB

MD5
93d20353d7135a1086eac5855edafabf

SHA1
7dc81975c33c142aba3f1351c7bc066181a2a8c6

SHA256
df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa

SHA512
f2e8d4132b7d8fb5bce50468ef787e8708570373202c3a0cb626b192e0e0f7262718a9691453cacc49351a5e166677e3681dd387ef72c9dcb72e09257473726f

Download Submit
\Users\Admin\AppData\Roaming\Device
Filesize
45KB

MD5
c9a6121252634aa4d4618981de929bbb

SHA1
170b041a5729c4be4281573e1442c6a07e528708

SHA256
ff7b6e0a02b6e1182ce7be8813b57d0d472bda307086bd40a237b76aee0f54ca

SHA512
7510673c3af69a0df48105f75975583d4a2f97bdfa8c72123b0801af6ea304d6a85dd121630c735b6b83a3077fb16e14f7183c4f7679d996f002b02859db7b69

Download Submit
\Users\Admin\AppData\Roaming\Device
Filesize
45KB

MD5
c9a6121252634aa4d4618981de929bbb

SHA1
170b041a5729c4be4281573e1442c6a07e528708

SHA256
ff7b6e0a02b6e1182ce7be8813b57d0d472bda307086bd40a237b76aee0f54ca

SHA512
7510673c3af69a0df48105f75975583d4a2f97bdfa8c72123b0801af6ea304d6a85dd121630c735b6b83a3077fb16e14f7183c4f7679d996f002b02859db7b69

Download Submit
memory/316-68-0x0000000000000000-mapping.dmp

Download
memory/960-77-0x0000000000400000-0x0000000000A09000-memory.dmp

Filesize
6.0MB

Download
memory/960-78-0x00000000774C0000-0x0000000077640000-memory.dmp

Filesize
1.5MB

Download
memory/960-79-0x0000000000400000-0x0000000000A09000-memory.dmp

Filesize
6.0MB

Download
memory/1004-70-0x0000000000400000-0x0000000000A09000-memory.dmp

Filesize
6.0MB

Download
memory/1004-62-0x0000000000000000-mapping.dmp

Download
memory/1004-67-0x0000000000400000-0x0000000000A09000-memory.dmp

Filesize
6.0MB

Download
memory/1004-69-0x00000000774C0000-0x0000000077640000-memory.dmp

Filesize
1.5MB

Download
memory/1064-71-0x0000000000000000-mapping.dmp

Download
memory/1464-54-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/1464-59-0x0000000000400000-0x0000000000A09000-memory.dmp

Filesize
6.0MB

Download
memory/1464-58-0x0000000000300000-0x0000000000312000-memory.dmp

Filesize
72KB

Download
memory/1464-57-0x00000000774C0000-0x0000000077640000-memory.dmp

Filesize
1.5MB

Download
memory/1464-56-0x0000000000400000-0x0000000000A09000-memory.dmp

Filesize
6.0MB

Download
memory/1464-55-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/1872-73-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads