MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


WastedLocker


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821
SHA3-384 hash: 244f3fa4f052335a16e689ce2b7b2a55b72d1bca5364bed5e50e14805a54746ed7323a5ab08f266b0eead849ac75bf46
SHA1 hash: c40c8848808da12ef78c68de1e6477b862161a43
MD5 hash: d01fc079881dc0d33a88e4f8df1ae7ce
humanhash: grey-bluebird-alanine-island
File name:lock.exe
Download: download sample
Signature WastedLocker
Create hunting rule
File size:115'088 bytes
First seen:2020-08-01 09:49:37 UTC
Last seen:2020-08-04 11:36:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9c327049e4d21fa04a589d4faa342332 (1 x WastedLocker)
ssdeep 1536:bx+5/P/P/WoP/lA8AUpU7/lDyJ4S/P/P/XklEbXgKAxJnQ/P/0x9hAUJ4G9:4PVA8RpicvklEOXx9KUJ48
Threatray 225 similar samples on MalwareBazaar
TLSH C2B327C16F63DC8DDE73A63D10797AA90730629F5B3E869EA28858C13FF25D20B11B51
Reporter vm001cn
Tags:Ransomware signed WastedLocker

Code Signing Certificate

Organisation:QEXAYFGTEHMURVBTPT
Issuer:QEXAYFGTEHMURVBTPT
Algorithm:sha1WithRSA
Valid from:Jun 28 18:53:28 2020 GMT
Valid to:Dec 31 23:59:59 2039 GMT
Serial number: -2B0A7EF8BE27E966BEA9179619B1F55A
Thumbprint Algorithm:SHA256
Thumbprint: 09BC593B59BA4A31939F32F65072F209FEB97DC92CEA5F1364F7CDFBE1D8CAD9
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
1'939
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/36878/
Detection(s):
PUA.Win.Adware.Browsefox-6628766-0
Create hunting rule

PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

Result
Threat name:
WastedLocker
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/406568
Signature
Creates files in alternative data streams (ADS)
Deletes shadow drive data (may be related to ransomware)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
May disable shadow drive data (uses vssadmin)
Yara detected WastedLocker
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 255515 Sample: lock.exe Startdate: 01/08/2020 Architecture: WINDOWS Score: 84 40 Yara detected WastedLocker 2->40 42 May disable shadow drive data (uses vssadmin) 2->42 44 Machine Learning detection for sample 2->44 46 2 other signatures 2->46 8 lock.exe 3 2->8         started        process3 file4 28 C:\Users\user\AppData\Roaming\Power:bin, PE32 8->28 dropped 30 C:\Users\user\AppData\Roaming\Power, PE32 8->30 dropped 48 Detected unpacking (changes PE section rights) 8->48 50 Detected unpacking (overwrites its own PE header) 8->50 52 Creates files in alternative data streams (ADS) 8->52 12 Power:bin 501 8->12         started        signatures5 process6 file7 32 C:\Windows\SysWOW64\Power.exe, PE32 12->32 dropped 34 C:\...\CiST0000.000.tcwwasted_info, DOS 12->34 dropped 36 98__Cellular_PerSi...vxml.tcwwasted_info, COM 12->36 dropped 38 8 other files (none is malicious) 12->38 dropped 54 Detected unpacking (changes PE section rights) 12->54 56 Detected unpacking (overwrites its own PE header) 12->56 58 May disable shadow drive data (uses vssadmin) 12->58 60 Deletes shadow drive data (may be related to ransomware) 12->60 16 vssadmin.exe 1 12->16         started        18 takeown.exe 1 12->18         started        20 icacls.exe 1 12->20         started        signatures8 process9 process10 22 conhost.exe 16->22         started        24 conhost.exe 18->24         started        26 conhost.exe 20->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821/
Threat name:
Win32.Ransomware.Wasted
Create hunting rule
Status:
Malicious
First seen:
2020-07-06 17:40:19 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
41 of 48 (85.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bydbevnrflpf3qipjlm25su6xzkjnuuo2ji2zm3wyzwb3h2alaqq._file
Verdict:
suspicious
Similar samples:
1d452b5f3e5d2b6623d0ca35793dfc051e1bf8b237e360906ed055e819235604
WastedLocker
5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367
WastedLocker
887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d
WastedLocker
8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80
WastedLocker
905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a
WastedLocker
aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772
WastedLocker
bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8
WastedLocker
e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb
WastedLocker
ecb26efe8b9a41b26bd920e537c83517dcc62072ba9675f35511c5fbb7bed6b7
WastedLocker
ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3
WastedLocker
+ 215 additional samples on MalwareBazaar
Result
Malware family:
wastedlocker
Create hunting rule
Score:
  10/10
Tags:
persistence exploit ransomware family:wastedlocker discovery
Link:
https://tria.ge/reports/200801-ynqmk34srj/
Behaviour
Views/modifies file attributes
Interacts with shadow copies
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
NTFS ADS
Modifies service
Drops file in System32 directory
Modifies file permissions
Loads dropped DLL
Deletes itself
Possible privilege escalation attempt
Modifies extensions of user files
Executes dropped EXE
Deletes shadow copies
WastedLocker
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/36878/

Comments