wastedlocker | df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa

General

Target

df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa.exe
Size

2.3MB
MD5

93d20353d7135a1086eac5855edafabf
SHA1

7dc81975c33c142aba3f1351c7bc066181a2a8c6
SHA256

df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa
SHA512

f2e8d4132b7d8fb5bce50468ef787e8708570373202c3a0cb626b192e0e0f7262718a9691453cacc49351a5e166677e3681dd387ef72c9dcb72e09257473726f

Score

10^/10

wastedlocker discovery evasion exploit ransomware themida trojan

Malware Config

Signatures

WastedLocker
Ransomware family seen in the wild since May 2020.
ransomware wastedlocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Executes dropped EXE 2 IoCs

pid	Process
1004	Device:bin
960	Device.exe

Modifies extensions of user files 15 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\CompressCheckpoint.tif.tcwwasted	Device.exe
File renamed	C:\Users\Admin\Pictures\RequestRead.raw => C:\Users\Admin\Pictures\RequestRead.raw.tcwwasted	Device.exe
File renamed	C:\Users\Admin\Pictures\RestoreRequest.png => C:\Users\Admin\Pictures\RestoreRequest.png.tcwwasted	Device.exe
File renamed	C:\Users\Admin\Pictures\CompressCheckpoint.tif => C:\Users\Admin\Pictures\CompressCheckpoint.tif.tcwwasted	Device.exe
File opened for modification	C:\Users\Admin\Pictures\JoinSet.png.tcwwasted	Device.exe
File created	C:\Users\Admin\Pictures\RegisterSend.png.tcwwasted_info	Device.exe
File created	C:\Users\Admin\Pictures\RequestRead.raw.tcwwasted_info	Device.exe
File opened for modification	C:\Users\Admin\Pictures\RequestRead.raw.tcwwasted	Device.exe
File created	C:\Users\Admin\Pictures\CompressCheckpoint.tif.tcwwasted_info	Device.exe
File renamed	C:\Users\Admin\Pictures\RegisterSend.png => C:\Users\Admin\Pictures\RegisterSend.png.tcwwasted	Device.exe
File opened for modification	C:\Users\Admin\Pictures\RegisterSend.png.tcwwasted	Device.exe
File created	C:\Users\Admin\Pictures\JoinSet.png.tcwwasted_info	Device.exe
File renamed	C:\Users\Admin\Pictures\JoinSet.png => C:\Users\Admin\Pictures\JoinSet.png.tcwwasted	Device.exe
File created	C:\Users\Admin\Pictures\RestoreRequest.png.tcwwasted_info	Device.exe
File opened for modification	C:\Users\Admin\Pictures\RestoreRequest.png.tcwwasted	Device.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
1064	takeown.exe
1872	icacls.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Device:bin
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Device.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Device.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Device:bin

Loads dropped DLL 2 IoCs

pid	Process
1464	df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa.exe
1464	df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1064	takeown.exe
1872	icacls.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1464-56-0x0000000000400000-0x0000000000A09000-memory.dmp	themida
behavioral1/memory/1464-57-0x00000000774C0000-0x0000000077640000-memory.dmp	themida
behavioral1/files/0x000a00000001231b-63.dat	themida
behavioral1/files/0x000a00000001231b-65.dat	themida
behavioral1/memory/1004-67-0x0000000000400000-0x0000000000A09000-memory.dmp	themida
behavioral1/files/0x00060000000055d7-72.dat	themida
behavioral1/files/0x00060000000055d7-74.dat	themida
behavioral1/memory/960-77-0x0000000000400000-0x0000000000A09000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Device:bin
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Device.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Device.exe	Device:bin

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
1464	df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa.exe
1004	Device:bin
960	Device.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
316	vssadmin.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Device:bin	df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	1496	vssvc.exe
Token: SeRestorePrivilege	1496	vssvc.exe
Token: SeAuditPrivilege	1496	vssvc.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 1004	1464	df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa.exe	28
PID 1464 wrote to memory of 1004	1464	df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa.exe	28
PID 1464 wrote to memory of 1004	1464	df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa.exe	28
PID 1464 wrote to memory of 1004	1464	df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa.exe	28
PID 1004 wrote to memory of 316	1004	Device:bin	29
PID 1004 wrote to memory of 316	1004	Device:bin	29
PID 1004 wrote to memory of 316	1004	Device:bin	29
PID 1004 wrote to memory of 316	1004	Device:bin	29
PID 1004 wrote to memory of 1064	1004	Device:bin	33
PID 1004 wrote to memory of 1064	1004	Device:bin	33
PID 1004 wrote to memory of 1064	1004	Device:bin	33
PID 1004 wrote to memory of 1064	1004	Device:bin	33
PID 1004 wrote to memory of 1872	1004	Device:bin	35
PID 1004 wrote to memory of 1872	1004	Device:bin	35
PID 1004 wrote to memory of 1872	1004	Device:bin	35
PID 1004 wrote to memory of 1872	1004	Device:bin	35

C:\Users\Admin\AppData\Local\Temp\df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa.exe
"C:\Users\Admin\AppData\Local\Temp\df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa.exe"
1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Users\Admin\AppData\Roaming\Device:bin
  C:\Users\Admin\AppData\Roaming\Device:bin -r
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Windows\system32\vssadmin.exe
    C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:316
- - C:\Windows\SysWOW64\takeown.exe
    C:\Windows\system32\takeown.exe /F C:\Windows\system32\Device.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1064
- - C:\Windows\SysWOW64\icacls.exe
    C:\Windows\system32\icacls.exe C:\Windows\system32\Device.exe /reset
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1872

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\SysWOW64\Device.exe
C:\Windows\SysWOW64\Device.exe -s
1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

File and Directory Permissions Modification

1

T1222

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Device:bin

Filesize
2.3MB

MD5
93d20353d7135a1086eac5855edafabf

SHA1
7dc81975c33c142aba3f1351c7bc066181a2a8c6

SHA256
df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa

SHA512
f2e8d4132b7d8fb5bce50468ef787e8708570373202c3a0cb626b192e0e0f7262718a9691453cacc49351a5e166677e3681dd387ef72c9dcb72e09257473726f

Download Submit
C:\Users\Admin\AppData\Roaming\Device:bin

Filesize
2.3MB

MD5
93d20353d7135a1086eac5855edafabf

SHA1
7dc81975c33c142aba3f1351c7bc066181a2a8c6

SHA256
df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa

SHA512
f2e8d4132b7d8fb5bce50468ef787e8708570373202c3a0cb626b192e0e0f7262718a9691453cacc49351a5e166677e3681dd387ef72c9dcb72e09257473726f

Download Submit
C:\Windows\SysWOW64\Device.exe

Filesize
2.3MB

MD5
93d20353d7135a1086eac5855edafabf

SHA1
7dc81975c33c142aba3f1351c7bc066181a2a8c6

SHA256
df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa

SHA512
f2e8d4132b7d8fb5bce50468ef787e8708570373202c3a0cb626b192e0e0f7262718a9691453cacc49351a5e166677e3681dd387ef72c9dcb72e09257473726f

Download Submit
C:\Windows\SysWOW64\Device.exe

Filesize
2.3MB

MD5
93d20353d7135a1086eac5855edafabf

SHA1
7dc81975c33c142aba3f1351c7bc066181a2a8c6

SHA256
df35c3aa4105063cb41f093ba12a22d3cb1258f6c2fedd9c8a68f033170ae9fa

SHA512
f2e8d4132b7d8fb5bce50468ef787e8708570373202c3a0cb626b192e0e0f7262718a9691453cacc49351a5e166677e3681dd387ef72c9dcb72e09257473726f

Download Submit
\Users\Admin\AppData\Roaming\Device

Filesize
45KB

MD5
c9a6121252634aa4d4618981de929bbb

SHA1
170b041a5729c4be4281573e1442c6a07e528708

SHA256
ff7b6e0a02b6e1182ce7be8813b57d0d472bda307086bd40a237b76aee0f54ca

SHA512
7510673c3af69a0df48105f75975583d4a2f97bdfa8c72123b0801af6ea304d6a85dd121630c735b6b83a3077fb16e14f7183c4f7679d996f002b02859db7b69

Download Submit
\Users\Admin\AppData\Roaming\Device

Filesize
45KB

MD5
c9a6121252634aa4d4618981de929bbb

SHA1
170b041a5729c4be4281573e1442c6a07e528708

SHA256
ff7b6e0a02b6e1182ce7be8813b57d0d472bda307086bd40a237b76aee0f54ca

SHA512
7510673c3af69a0df48105f75975583d4a2f97bdfa8c72123b0801af6ea304d6a85dd121630c735b6b83a3077fb16e14f7183c4f7679d996f002b02859db7b69

Download Submit
memory/960-77-0x0000000000400000-0x0000000000A09000-memory.dmp

Filesize
6.0MB

Download
memory/960-78-0x00000000774C0000-0x0000000077640000-memory.dmp

Filesize
1.5MB

Download
memory/960-79-0x0000000000400000-0x0000000000A09000-memory.dmp

Filesize
6.0MB

Download
memory/1004-70-0x0000000000400000-0x0000000000A09000-memory.dmp

Filesize
6.0MB

Download
memory/1004-67-0x0000000000400000-0x0000000000A09000-memory.dmp

Filesize
6.0MB

Download
memory/1004-69-0x00000000774C0000-0x0000000077640000-memory.dmp

Filesize
1.5MB

Download
memory/1464-54-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/1464-59-0x0000000000400000-0x0000000000A09000-memory.dmp

Filesize
6.0MB

Download
memory/1464-58-0x0000000000300000-0x0000000000312000-memory.dmp

Filesize
72KB

Download
memory/1464-57-0x00000000774C0000-0x0000000077640000-memory.dmp

Filesize
1.5MB

Download
memory/1464-56-0x0000000000400000-0x0000000000A09000-memory.dmp

Filesize
6.0MB

Download
memory/1464-55-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads