Resubmissions

05-06-2021 10:47

210605-skygsg584e 10

05-06-2021 00:09

210605-x97dqrb7je 10

General

  • Target

    locker.exe

  • Size

    448KB

  • Sample

    210605-x97dqrb7je

  • MD5

    306c47fcb51611bee1ef804c95c7007f

  • SHA1

    9cb58078b3fe2119329e482561d0c7cb740e937c

  • SHA256

    877c612cf42d85b943010437599b828383ecdf02a17e2b017367db34637e5463

  • SHA512

    3ca64189450cf3c3e9867d79c66ee428a5b72b1f45c06243a4a6ab64a2dfd8970d19dc1fba6404468650afac5341a0affae61e05de501180ec6ead20c333f720

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\PROTECT_INFO.TXT

Ransom Note
############## YOUR FILES WERE ENCRYPTED ##############
########### AND MARKED BY EXTENSION .nermer ############
--
YOUR FILES ARE SAFE! ONLY MODIFIED :: ChaCha + AES
WE STRONGLY RECOMMEND you NOT to use any Decryption Tools. These tools can damage your data, making recover IMPOSSIBLE. Also we recommend you not to contact data recovery companies. They will just contact us, buy the key and sell it to you at a higher price.
If you want to decrypt your files, you have to get RSA private key.
--
To get RSA private key you have to contact us via the link below, located in the TOR private network. Using this link you can get all the necessary support and make payment. You just have to download and install the TOR browser (google it) via official site
>> http://dqybwoze7ow3xlamurpfppai4pd6lwybwix2nbhyhcnpsuj3yv32mnyd.onion/index.php <<
--
If you have any problems with TOR browser, email us: >><< and send us your id:
>> {DBA855CF-0F6E-69E5-32CBAF58DA4269A7} <<
--
HOW to understand that we are NOT scammers? You can ask SUPPORT for the TEST-decryption for ONE file!
--
After the successful payment and decrypting your files, we will give you FULL instructions HOW to IMPROVE your security system. We ready to answer all your questions!
-- ################ LIST OF ENCRYPTED FILES ###############
URLs

http://dqybwoze7ow3xlamurpfppai4pd6lwybwix2nbhyhcnpsuj3yv32mnyd.onion/index.php

Extracted

Path

C:\Users\Admin\Desktop\PROTECT_INFO.TXT

Ransom Note
############## YOUR FILES WERE ENCRYPTED ##############
########### AND MARKED BY EXTENSION .nermer ############
--
YOUR FILES ARE SAFE! ONLY MODIFIED :: ChaCha + AES
WE STRONGLY RECOMMEND you NOT to use any Decryption Tools. These tools can damage your data, making recover IMPOSSIBLE. Also we recommend you not to contact data recovery companies. They will just contact us, buy the key and sell it to you at a higher price.
If you want to decrypt your files, you have to get RSA private key.
--
To get RSA private key you have to contact us via the link below, located in the TOR private network. Using this link you can get all the necessary support and make payment. You just have to download and install the TOR browser (google it) via official site
>> http://dqybwoze7ow3xlamurpfppai4pd6lwybwix2nbhyhcnpsuj3yv32mnyd.onion/index.php <<
--
If you have any problems with TOR browser, email us: >><< and send us your id:
>> {13E20776-DF4D-99C4-1333850A2129120C} <<
--
HOW to understand that we are NOT scammers? You can ask SUPPORT for the TEST-decryption for ONE file!
--
After the successful payment and decrypting your files, we will give you FULL instructions HOW to IMPROVE your security system. We ready to answer all your questions!
-- ################ LIST OF ENCRYPTED FILES ###############
URLs

http://dqybwoze7ow3xlamurpfppai4pd6lwybwix2nbhyhcnpsuj3yv32mnyd.onion/index.php

Targets

    • Target

      locker.exe

    • Size

      448KB

    • MD5

      306c47fcb51611bee1ef804c95c7007f

    • SHA1

      9cb58078b3fe2119329e482561d0c7cb740e937c

    • SHA256

      877c612cf42d85b943010437599b828383ecdf02a17e2b017367db34637e5463

    • SHA512

      3ca64189450cf3c3e9867d79c66ee428a5b72b1f45c06243a4a6ab64a2dfd8970d19dc1fba6404468650afac5341a0affae61e05de501180ec6ead20c333f720

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes System State backups

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix ATT&CK v6

Tactic             Technique                     ID     Count
Execution          Command-Line Interface        T1059  1
Defense Evasion    File Deletion                 T1107  3
Defense Evasion    Modify Registry               T1112  1
Credential Access  Credentials in Files          T1081  1
Discovery          Query Registry                T1012  1
Discovery          Peripheral Device Discovery   T1120  1
Discovery          System Information Discovery  T1082  2
Collection         Data from Local System        T1005  1
Impact             Inhibit System Recovery       T1490  4