Resubmissions

05-06-2021 10:47

210605-skygsg584e 10

05-06-2021 00:09

210605-x97dqrb7je 10

General

  • Target

    locker.exe

  • Size

    448KB

  • Sample

    210605-skygsg584e

  • MD5

    306c47fcb51611bee1ef804c95c7007f

  • SHA1

    9cb58078b3fe2119329e482561d0c7cb740e937c

  • SHA256

    877c612cf42d85b943010437599b828383ecdf02a17e2b017367db34637e5463

  • SHA512

    3ca64189450cf3c3e9867d79c66ee428a5b72b1f45c06243a4a6ab64a2dfd8970d19dc1fba6404468650afac5341a0affae61e05de501180ec6ead20c333f720

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\PROTECT_INFO.TXT

Ransom Note
############## YOUR FILES WERE ENCRYPTED ##############
########### AND MARKED BY EXTENSION .nermer ############
--
YOUR FILES ARE SAFE! ONLY MODIFIED :: ChaCha + AES
WE STRONGLY RECOMMEND you NOT to use any Decryption Tools. These tools can damage your data, making recover IMPOSSIBLE.
Also we recommend you not to contact data recovery companies. They will just contact us, buy the key and sell it to you at a higher price.
If you want to decrypt your files, you have to get RSA private key.
--
To get RSA private key you have to contact us via the link below, located in the TOR private network. Using this link you can get all the necessary support and make payment.
You just have to download and install the TOR browser (google it) via official site
>> http://dqybwoze7ow3xlamurpfppai4pd6lwybwix2nbhyhcnpsuj3yv32mnyd.onion/index.php <<
--
If you have any problems with TOR browser, email us: >><< and send us your id: >> {3C7F9CA2-6615-2C1C-12351A9CCDD18D74} <<
--
HOW to understand that we are NOT scammers? You can ask SUPPORT for the TEST-decryption for ONE file!
--
After the successful payment and decrypting your files, we will give you FULL instructions HOW to IMPROVE your security system. We ready to answer all your questions!
--
################ LIST OF ENCRYPTED FILES ###############

URLs

http://dqybwoze7ow3xlamurpfppai4pd6lwybwix2nbhyhcnpsuj3yv32mnyd.onion/index.php

Targets

    • Target

      locker.exe

    • Size

      448KB

    • MD5

      306c47fcb51611bee1ef804c95c7007f

    • SHA1

      9cb58078b3fe2119329e482561d0c7cb740e937c

    • SHA256

      877c612cf42d85b943010437599b828383ecdf02a17e2b017367db34637e5463

    • SHA512

      3ca64189450cf3c3e9867d79c66ee428a5b72b1f45c06243a4a6ab64a2dfd8970d19dc1fba6404468650afac5341a0affae61e05de501180ec6ead20c333f720

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes System State backups

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix ATT&CK v6

Tactic             Technique                      Count  ID
Execution          Command-Line Interface         1      T1059
Defense Evasion    File Deletion                  3      T1107
Defense Evasion    Modify Registry                1      T1112
Credential Access  Credentials in Files           1      T1081
Discovery          Query Registry                 3      T1012
Discovery          Peripheral Device Discovery    2      T1120
Discovery          System Information Discovery   4      T1082
Collection         Data from Local System         1      T1005
Impact             Inhibit System Recovery        4      T1490

Tasks