Overview

overview

10

Static

static

locker.exe

windows10_x64

10

Resubmissions

05/06/2021, 10:47

210605-skygsg584e 10

05/06/2021, 00:09

210605-x97dqrb7je 10

Analysis

  • max time kernel
    148s
  • max time network
    135s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    05/06/2021, 10:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    locker.exe

  • Size

    448KB

  • MD5

    306c47fcb51611bee1ef804c95c7007f

  • SHA1

    9cb58078b3fe2119329e482561d0c7cb740e937c

  • SHA256

    877c612cf42d85b943010437599b828383ecdf02a17e2b017367db34637e5463

  • SHA512

    3ca64189450cf3c3e9867d79c66ee428a5b72b1f45c06243a4a6ab64a2dfd8970d19dc1fba6404468650afac5341a0affae61e05de501180ec6ead20c333f720

Score
10/10
evasionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\PROTECT_INFO.TXT

Ransom Note
############## YOUR FILES WERE ENCRYPTED ############## ########### AND MARKED BY EXTENSION .nermer ############ -- YOUR FILES ARE SAFE! ONLY MODIFIED :: ChaCha + AES WE STRONGLY RECOMMEND you NOT to use any Decryption Tools. These tools can damage your data, making recover IMPOSSIBLE. Also we recommend you not to contact data recovery companies. They will just contact us, buy the key and sell it to you at a higher price. If you want to decrypt your files, you have to get RSA private key. -- To get RSA private key you have to contact us via the link below, located in the TOR private network. Using this link you can get all the necessary support and make payment. You just have to download and install the TOR browser (google it) via official site >> http://dqybwoze7ow3xlamurpfppai4pd6lwybwix2nbhyhcnpsuj3yv32mnyd.onion/index.php << -- If you have any problems with TOR browser, email us: >><< and send us your id: >> {3C7F9CA2-6615-2C1C-12351A9CCDD18D74} << -- HOW to understand that we are NOT scammers? You can ask SUPPORT for the TEST-decryption for ONE file! -- After the successful payment and decrypting your files, we will give you FULL instructions HOW to IMPROVE your security system. We ready to answer all your questions! -- ################ LIST OF ENCRYPTED FILES ############### C:\Boot\BCD 0 C:\Boot\BCD.LOG 0 C:\Boot\BCD.LOG1 0 C:\Boot\BCD.LOG2 0 C:\Boot\bg-BG\bootmgr.exe.mui 77728 C:\Boot\da-DK\bootmgr.exe.mui 75672 C:\Boot\updaterevokesipolicy.p7b 4662 C:\bootmgr 395220 C:\Boot\da-DK\memtest.exe.mui 45472 C:\BOOTNXT 1 C:\Boot\en-GB\bootmgr.exe.mui 74144 C:\Boot\de-DE\bootmgr.exe.mui 79264 C:\Boot\cs-CZ\bootmgr.exe.mui 76704 C:\Boot\de-DE\memtest.exe.mui 45984 C:\Boot\el-GR\bootmgr.exe.mui 80288 C:\Boot\el-GR\memtest.exe.mui 46496 C:\Boot\cs-CZ\memtest.exe.mui 45472 C:\Boot\es-ES\bootmgr.exe.mui 77728 C:\Boot\es-MX\bootmgr.exe.mui 77720 C:\Boot\en-US\bootmgr.exe.mui 74144 C:\Boot\es-ES\memtest.exe.mui 45984 C:\Boot\fi-FI\bootmgr.exe.mui 76696 C:\Boot\et-EE\bootmgr.exe.mui 75160 C:\Boot\fr-CA\bootmgr.exe.mui 79264 C:\Boot\fi-FI\memtest.exe.mui 45472 C:\Boot\en-US\memtest.exe.mui 44960 C:\vcredist2010_x64.log-MSI_vc_red.msi.txt 389302 C:\Boot\hr-HR\bootmgr.exe.mui 76696 C:\Boot\fr-FR\bootmgr.exe.mui 79264 C:\Boot\fr-FR\memtest.exe.mui 45984 C:\Boot\hu-HU\bootmgr.exe.mui 78752 C:\Boot\it-IT\bootmgr.exe.mui 77208 C:\Boot\ja-JP\bootmgr.exe.mui 67488 C:\Boot\it-IT\memtest.exe.mui 45472 C:\Boot\hu-HU\memtest.exe.mui 45976 C:\Boot\ja-JP\memtest.exe.mui 42904 C:\vcredist2010_x64.log.html 88550 C:\Boot\lt-LT\bootmgr.exe.mui 75672 C:\Boot\lv-LV\bootmgr.exe.mui 75680 C:\Boot\Fonts\chs_boot.ttf 3695719 C:\Boot\ko-KR\bootmgr.exe.mui 66976 C:\Boot\ko-KR\memtest.exe.mui 42912 C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log 171538 C:\Boot\pl-PL\bootmgr.exe.mui 77728 C:\Boot\pl-PL\memtest.exe.mui 45984 C:\Boot\nl-NL\bootmgr.exe.mui 77728 C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log 199520 C:\Boot\nb-NO\bootmgr.exe.mui 75672 C:\Boot\nb-NO\memtest.exe.mui 45472 C:\Boot\pt-PT\bootmgr.exe.mui 76696 C:\Boot\nl-NL\memtest.exe.mui 45472 C:\Boot\pt-PT\memtest.exe.mui 45984 C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log 173922 C:\Boot\ru-RU\bootmgr.exe.mui 77208 C:\Boot\ro-RO\bootmgr.exe.mui 76184 C:\Boot\ru-RU\memtest.exe.mui 44960 C:\Boot\qps-ploc\bootmgr.exe.mui 83360 C:\Boot\pt-BR\bootmgr.exe.mui 76704 C:\Boot\pt-BR\memtest.exe.mui 45472 C:\Boot\qps-ploc\memtest.exe.mui 54176 C:\Boot\sl-SI\bootmgr.exe.mui 76704 C:\Boot\sk-SK\bootmgr.exe.mui 77216 C:\Boot\sr-Latn-RS\bootmgr.exe.mui 77216 C:\Boot\sv-SE\bootmgr.exe.mui 76192 C:\Boot\sv-SE\memtest.exe.mui 44952 C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log 195058 C:\Boot\uk-UA\bootmgr.exe.mui 77216 C:\Boot\tr-TR\bootmgr.exe.mui 75168 C:\Boot\zh-CN\bootmgr.exe.mui 63904 C:\Boot\tr-TR\memtest.exe.mui 45472 C:\Boot\zh-CN\memtest.exe.mui 42400 C:\Boot\zh-TW\bootmgr.exe.mui 63904 C:\vcredist2019_x64_000_vcRuntimeMinimum_x64.log 122728 C:\odt\config.xml 688 C:\Boot\zh-TW\memtest.exe.mui 42392 C:\Boot\Resources\en-US\bootres.dll.mui 12192 C:\vcredist2019_x64_001_vcRuntimeAdditional_x64.log 133606 C:\Boot\Fonts\cht_boot.ttf 3878410 C:\Boot\Fonts\jpn_boot.ttf 1985867 C:\Users\Admin\ntuser.dat.LOG1 0 C:\Users\Admin\ntuser.dat.LOG2 0 C:\Users\Admin\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf 0 C:\Users\Admin\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms 0 C:\Users\Admin\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms 0 C:\Users\Default\NTUSER.DAT.LOG1 40960 C:\Users\Default\NTUSER.DAT.LOG2 0 C:\Users\Default\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf 65536 C:\Users\Default\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms 524288 C:\Recovery\WindowsRE\boot.sdi 3170304 C:\Users\Default\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms 524288 C:\Recovery\WindowsRE\ReAgent.xml 1082 C:\Boot\Fonts\kor_boot.ttf 2373000 C:\Boot\Fonts\malgunn_boot.ttf 174959 C:\Boot\Fonts\malgun_boot.ttf 177414 C:\Boot\Fonts\meiryon_boot.ttf 143754 C:\Boot\Fonts\meiryo_boot.ttf 145419 C:\Boot\Fonts\msjhn_boot.ttf 162331 C:\Boot\Fonts\msjh_boot.ttf 164347 C:\Boot\Fonts\msyhn_boot.ttf 154427 C:\Boot\Fonts\msyh_boot.ttf 156245 C:\Boot\Fonts\segmono_boot.ttf 44859 C:\Boot\Fonts\segoen_slboot.ttf 85862 C:\Boot\Fonts\segoe_slboot.ttf 86178 C:\Boot\Fonts\wgl4_boot.ttf 49091 C:\Users\Admin\Desktop\BackupStep.3g2 678913 C:\Users\Admin\Desktop\CloseEnable.wmv 840011 C:\Users\Admin\Desktop\CompressReceive.mp2 540829 C:\Users\Admin\Desktop\ConvertMerge.m1v 770969 C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp 50 C:\Users\Admin\Desktop\ExpandRepair.csv 402745 C:\Users\Admin\Desktop\GrantConvertFrom.pot 379731 C:\Users\Admin\Desktop\ImportRemove.xps 494801 C:\Users\Admin\Desktop\InstallResolve.mpg 586857 C:\Users\Admin\Desktop\MeasureImport.asx 701927 C:\Users\Admin\Desktop\MoveEnable.TTS 609871 C:\Users\Admin\Desktop\MoveEnter.wmx 724941 C:\Users\Admin\Desktop\MoveResize.xps 655899 C:\Users\Admin\Desktop\OutMove.xlsm 425759 C:\Users\Admin\Desktop\PingUpdate.xml 747955 C:\Users\Admin\Desktop\ReadRequest.xml 471787 C:\Users\Admin\Desktop\RenameWatch.ADTS 632885 C:\Users\Admin\Desktop\ResizeProtect.docm 517815 C:\Users\Admin\Desktop\RevokeRestart.mp2v 356717 C:\Users\Admin\Desktop\SendUnblock.potx 816997 C:\Users\Admin\Desktop\ShowEdit.vst 448773 C:\Users\Admin\Desktop\SubmitClear.M2TS 1219752 C:\Users\Admin\Desktop\SwitchRename.mhtml 333703 C:\Users\Admin\Desktop\UnlockConfirm.html 886039 C:\Users\Admin\Desktop\UnregisterReceive.xml 563843 C:\Users\Admin\Desktop\UpdateMount.jpg 793983 C:\Users\Admin\Desktop\UpdateRead.jfif 310689 C:\Users\Admin\Desktop\UpdateShow.potm 863025 C:\Users\Admin\Documents\ApproveDebug.vstx 483834 C:\Users\Admin\Documents\Are.docx 11525 C:\Users\Admin\Documents\ClearMount.xlsb 967668 C:\Users\Admin\Documents\ConnectPop.doc 521052 C:\Users\Admin\Documents\ConvertFromFormat.xml 390789 C:\Users\Admin\Documents\ConvertToImport.xltx 558270 C:\Users\Admin\Documents\ConvertToMerge.ppsm 428007 C:\Users\Admin\Documents\CopyFind.wps 465225 C:\Users\Admin\Documents\CopyGet.pdf 334962 C:\Users\Admin\Documents\DisconnectUnpublish.xlsm 818796 C:\Users\Admin\Documents\EditRemove.docx 781578 C:\Users\Admin\Documents\EnterHide.pps 1321223 C:\Users\Admin\Documents\ExitConvert.vdw 595488 C:\Users\Admin\Documents\Files.docx 11551 C:\Users\Admin\Documents\FindUnprotect.txt 800187 C:\Users\Admin\Documents\GetExport.mhtml 614097 C:\Users\Admin\Documents\HideConvertFrom.vdx 856014 C:\Users\Admin\Documents\LimitRegister.xltm 576879 C:\Users\Admin\Documents\MergeLimit.potx 353571 C:\Users\Admin\Documents\MountClose.txt 632706 C:\Users\Admin\Documents\MoveReceive.vdw 893232 C:\Users\Admin\Documents\Opened.docx 11538 C:\Users\Admin\Documents\OptimizeSave.csv 446616 C:\Users\Admin\Downloads\BackupSplit.otf 1216512 C:\Users\Admin\Downloads\ClearUninstall.M2TS 884736 C:\Users\Admin\Documents\PopInvoke.ppt 651315 C:\Users\Admin\Documents\ProtectOpen.vsx 874623 C:\Users\Admin\Downloads\CloseSuspend.mpeg 1188864 C:\Users\Admin\Downloads\CloseTest.m4a 470016 C:\Users\Admin\Documents\PublishOpen.odp 762969 C:\Users\Admin\Documents\ReadSelect.csv 707142 C:\Users\Admin\Downloads\ConfirmComplete.doc 801792 C:\Users\Admin\Documents\Recently.docx 11533 C:\Users\Admin\Downloads\ConnectComplete.xsl 663552 C:\Users\Admin\Documents\RenamePush.vsd 911841 C:\Users\Admin\Downloads\DebugConvertTo.nfo 1271808 C:\Users\Admin\Documents\SearchGrant.ppsx 930450 C:\Users\Admin\Documents\SelectAssert.ppt 502443 C:\Users\Admin\Downloads\ExportSync.aiff 1105920 C:\Users\Admin\Documents\SetOut.odt 725751 C:\Users\Admin\Documents\ShowRemove.pot 409398 C:\Users\Admin\Downloads\FormatCompare.asf 1244160 C:\Users\Admin\Downloads\InvokeDeny.gif 857088 C:\Users\Admin\Downloads\InvokeMount.tiff 442368 C:\Users\Admin\Documents\ShowSave.pptm 837405 C:\Users\Admin\Documents\SubmitResolve.ppt 372180 C:\Users\Admin\Downloads\LimitSkip.pcx 497664 C:\Users\Admin\Documents\These.docx 11462 C:\Users\Admin\Downloads\LockApprove.emz 774144 C:\Users\Admin\Documents\UninstallDeny.xlt 949059 C:\Users\Admin\Documents\UninstallResize.docx 744360 C:\Users\Admin\Documents\UnlockBackup.csv 539661 C:\Users\Admin\Downloads\PingSkip.mpeg3 967680 C:\Users\Admin\Documents\UnpublishLimit.doc 688533 C:\Users\Admin\Downloads\ReadLimit.mpeg 1133568 C:\Users\Admin\Downloads\RegisterAdd.tmp 718848 C:\Users\Admin\Documents\UnpublishRepair.docx 669924 C:\Users\Admin\Downloads\ResetPush.m1v 746496 C:\Users\Admin\Downloads\ResizeSet.emf 580608 C:\Users\Admin\Downloads\ResolveMerge.gif 608256 C:\Users\Admin\Downloads\RevokeInstall.ppsx 1161216 C:\Users\Admin\Downloads\SkipBlock.xht 525312 C:\Users\Admin\Downloads\SplitRead.ogg 635904 C:\Users\Admin\Downloads\StepLimit.m4a 940032 C:\Users\Admin\Downloads\StopSet.TTS 1050624 C:\Users\Admin\Downloads\UnblockFormat.vsdm 995328 C:\Users\Admin\Downloads\UseConnect.M2V 691200 C:\Users\Admin\Downloads\UseSubmit.html 912384 C:\Users\Admin\Music\CompareRegister.tif 649950 C:\Users\Admin\Music\ConfirmSync.aif 467964 C:\Users\Admin\Favorites\Bing.url 208 C:\Users\Admin\Music\ConnectImport.wmf 337974 C:\Users\Admin\Music\ConnectRevoke.zip 779940 C:\Users\Admin\Music\CopyEnter.mpeg 805938 C:\Users\Admin\Music\DisableSend.html 623952 C:\Users\Admin\Music\ExportHide.jpg 389970 C:\Users\Admin\Music\ExportPing.jpeg 675948 C:\Users\Admin\Music\FormatSearch.3gpp 493962 C:\Users\Admin\Music\GetUnlock.mpeg3 597954 C:\Users\Admin\Music\GroupComplete.fon 571956 C:\Users\Admin\Music\InitializeSave.eprtx 441966 C:\Users\Admin\Music\ReadExit.wmf 701946 C:\Users\Admin\Music\SearchExit.mht 285978 C:\Users\Admin\Music\SendConnect.wdp 727944 C:\Users\Admin\Music\SplitCompare.m3u 415968 C:\Users\Admin\Music\UndoInstall.M2TS 363972 C:\Users\Admin\Music\UninstallMerge.pdf 1117794 C:\Users\Admin\Music\UnlockEnter.xht 545958 C:\Users\Admin\Music\UpdateAdd.midi 519960 C:\Users\Admin\Music\UseDisable.pptx 311976 C:\Users\Admin\Pictures\ApproveEdit.dxf 688870 C:\Users\Admin\Pictures\BlockInitialize.gif 519302 C:\Users\Admin\Pictures\CompleteSearch.cr2 731262 C:\Users\Admin\Pictures\CompleteSelect.png 328538 C:\Users\Admin\Pictures\ConfirmRestore.tif 837242 C:\Users\Admin\Pictures\ConvertFromPublish.svgz 879634 C:\Users\Admin\Pictures\ConvertToRevoke.bmp 498106 C:\Users\Admin\Pictures\EditRemove.bmp 476910 C:\Users\Admin\Pictures\FormatShow.tif 455714 C:\Users\Admin\Pictures\ImportUninstall.tiff 582890 C:\Users\Admin\Pictures\JoinRedo.eps 434518 C:\Users\Admin\Pictures\LockCompress.jpg 752458 C:\Users\Admin\Pictures\LockConfirm.pcx 625282 C:\Users\Admin\Pictures\MoveResolve.raw 794850 C:\Users\Admin\Pictures\PopUnregister.tif 773654 C:\Users\Admin\Pictures\ResumeRestore.cr2 710066 C:\Users\Admin\Pictures\RevokeInitialize.png 349734 C:\Users\Admin\Pictures\RevokeMerge.tif 307342 C:\Users\Admin\Pictures\RevokeTest.tif 392126 C:\Users\Admin\Pictures\StartUnregister.svgz 413322 C:\Users\Admin\Pictures\StopBackup.png 604086 C:\Users\Admin\Pictures\SubmitUndo.tif 540498 C:\Users\Admin\Pictures\TestProtect.pcx 1208128 C:\Users\Admin\Pictures\TraceOut.jpg 667674 C:\Users\Admin\Pictures\UnlockEdit.crw 561694 C:\Users\Admin\Pictures\UseLimit.tiff 646478 C:\Users\Admin\Pictures\UseUnblock.pcx 858438 C:\Users\Admin\Pictures\UseUndo.png 816046 C:\Users\Admin\Pictures\Wallpaper.jpg 24811 C:\Users\Admin\Searches\Everywhere.search-ms 248 C:\Users\Admin\Searches\Indexed Locations.search-ms 248 C:\Users\Admin\Searches\winrt--{S-1-5-21-1594587808-2047097707-2163810515-1000}-.searchconnector-ms 859 C:\Users\Public\Libraries\RecordedTV.library-ms 999 C:\Recovery\WindowsRE\Winre.wim 344829634 C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Compressed (zipped) Folder.ZFSendToTarget 3 C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop (create shortcut).DeskLink 7 C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Mail Recipient.MAPIMail 4 C:\Users\Default\AppData\Local\Microsoft\Windows\Shell\DefaultLayouts.xml 114227 C:\Users\Default\AppData\Local\Microsoft\Windows\Shell\LayoutModification.xml 768
URLs

http://dqybwoze7ow3xlamurpfppai4pd6lwybwix2nbhyhcnpsuj3yv32mnyd.onion/index.php

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes System State backups 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 28 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 42 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 13 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of FindShellTrayWindow 54 IoCs
  • Suspicious use of SendNotifyMessage 54 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\locker.exe
    "C:\Users\Admin\AppData\Local\Temp\locker.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:640
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
      2⤵
      • Interacts with shadow copies
      PID:2752
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
      2⤵
      • Interacts with shadow copies
      PID:2728
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:3168
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:3356
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1132
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:3868
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:2068
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:2668
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:2116
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:2752
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:2236
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:4060
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:1516
    • C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe /set {default} recoveryenabled No
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:3668
    • C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:1132
    • C:\Windows\SYSTEM32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP
      2⤵
      • Deletes System State backups
      • Drops file in Windows directory
      PID:1648
    • C:\Windows\System32\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2488
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\locker.exe >> NUL
      2⤵
        PID:1516
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3948
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\PROTECT_INFO.TXT
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:2556
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2668

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads