MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara Comments

SHA256 hash: 0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821
SHA3-384 hash: 244f3fa4f052335a16e689ce2b7b2a55b72d1bca5364bed5e50e14805a54746ed7323a5ab08f266b0eead849ac75bf46
SHA1 hash: c40c8848808da12ef78c68de1e6477b862161a43
MD5 hash: d01fc079881dc0d33a88e4f8df1ae7ce
humanhash: grey-bluebird-alanine-island
File name:lock.exe
Download: download sample
Signature WastedLocker
File size:115'088 bytes
First seen:2020-08-01 09:49:37 UTC
Last seen:2020-08-01 10:28:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9c327049e4d21fa04a589d4faa342332
ssdeep 1536:bx+5/P/P/WoP/lA8AUpU7/lDyJ4S/P/P/XklEbXgKAxJnQ/P/0x9hAUJ4G9:4PVA8RpicvklEOXx9KUJ48
TLSH C2B327C16F63DC8DDE73A63D10797AA90730629F5B3E869EA28858C13FF25D20B11B51
Reporter @maliciousc0de
Tags:Ransomware signed WastedLocker

Intelligence


File Origin
# of uploads :
2
# of downloads :
56
Origin country :
US US
Mail intelligence
No data
Vendor Threat Intelligence
Result
Threat name:
WastedLocker
Detection:
malicious
Classification:
rans.evad
Score:
84 / 100
Signature
Creates files in alternative data streams (ADS)
Deletes shadow drive data (may be related to ransomware)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
May disable shadow drive data (uses vssadmin)
Yara detected WastedLocker
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 255515 Sample: lock.exe Startdate: 01/08/2020 Architecture: WINDOWS Score: 84 40 Yara detected WastedLocker 2->40 42 May disable shadow drive data (uses vssadmin) 2->42 44 Machine Learning detection for sample 2->44 46 2 other signatures 2->46 8 lock.exe 3 2->8         started        process3 file4 28 C:\Users\user\AppData\Roaming\Power:bin, PE32 8->28 dropped 30 C:\Users\user\AppData\Roaming\Power, PE32 8->30 dropped 48 Detected unpacking (changes PE section rights) 8->48 50 Detected unpacking (overwrites its own PE header) 8->50 52 Creates files in alternative data streams (ADS) 8->52 12 Power:bin 501 8->12         started        signatures5 process6 file7 32 C:\Windows\SysWOW64\Power.exe, PE32 12->32 dropped 34 C:\...\CiST0000.000.tcwwasted_info, DOS 12->34 dropped 36 98__Cellular_PerSi...vxml.tcwwasted_info, COM 12->36 dropped 38 8 other files (none is malicious) 12->38 dropped 54 Detected unpacking (changes PE section rights) 12->54 56 Detected unpacking (overwrites its own PE header) 12->56 58 May disable shadow drive data (uses vssadmin) 12->58 60 Deletes shadow drive data (may be related to ransomware) 12->60 16 vssadmin.exe 1 12->16         started        18 takeown.exe 1 12->18         started        20 icacls.exe 1 12->20         started        signatures8 process9 process10 22 conhost.exe 16->22         started        24 conhost.exe 18->24         started        26 conhost.exe 20->26         started       
Threat name:
Win32.Ransomware.WastedLocker
Status:
Malicious
First seen:
2020-07-06 17:40:19 UTC
AV detection:
26 of 31 (83.87%)
Threat level
  5/5
Result
Malware family:
wastedlocker
Score:
  10/10
Tags:
persistence exploit ransomware family:wastedlocker discovery
Behaviour
Views/modifies file attributes
Interacts with shadow copies
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
NTFS ADS
Modifies service
Drops file in System32 directory
Modifies file permissions
Loads dropped DLL
Deletes itself
Possible privilege escalation attempt
Modifies extensions of user files
Executes dropped EXE
Deletes shadow copies
WastedLocker

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments