Resubmissions

05-06-2021 10:47

210605-skygsg584e 10

05-06-2021 00:09

210605-x97dqrb7je 10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    05-06-2021 00:09

General

  • Target

    locker.exe

  • Size

    448KB

  • MD5

    306c47fcb51611bee1ef804c95c7007f

  • SHA1

    9cb58078b3fe2119329e482561d0c7cb740e937c

  • SHA256

    877c612cf42d85b943010437599b828383ecdf02a17e2b017367db34637e5463

  • SHA512

    3ca64189450cf3c3e9867d79c66ee428a5b72b1f45c06243a4a6ab64a2dfd8970d19dc1fba6404468650afac5341a0affae61e05de501180ec6ead20c333f720

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\PROTECT_INFO.TXT

Ransom Note
############## YOUR FILES WERE ENCRYPTED ##############
########### AND MARKED BY EXTENSION .nermer ############
-- YOUR FILES ARE SAFE! ONLY MODIFIED :: ChaCha + AES
WE STRONGLY RECOMMEND you NOT to use any Decryption Tools. These tools can damage your data, making recover IMPOSSIBLE. Also we recommend you not to contact data recovery companies. They will just contact us, buy the key and sell it to you at a higher price. If you want to decrypt your files, you have to get RSA private key.
-- To get RSA private key you have to contact us via the link below, located in the TOR private network. Using this link you can get all the necessary support and make payment. You just have to download and install the TOR browser (google it) via official site >> http://dqybwoze7ow3xlamurpfppai4pd6lwybwix2nbhyhcnpsuj3yv32mnyd.onion/index.php <<
-- If you have any problems with TOR browser, email us: >><< and send us your id: >> {DBA855CF-0F6E-69E5-32CBAF58DA4269A7} <<
-- HOW to understand that we are NOT scammers? You can ask SUPPORT for the TEST-decryption for ONE file!
-- After the successful payment and decrypting your files, we will give you FULL instructions HOW to IMPROVE your security system. We ready to answer all your questions!
-- ################ LIST OF ENCRYPTED FILES ###############
URLs

http://dqybwoze7ow3xlamurpfppai4pd6lwybwix2nbhyhcnpsuj3yv32mnyd.onion/index.php

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes System State backups 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Modifies extensions of user files 12 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 42 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 13 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\locker.exe
    "C:\Users\Admin\AppData\Local\Temp\locker.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:788
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
      2⤵
      • Interacts with shadow copies
      PID:1236
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
      2⤵
      • Interacts with shadow copies
      PID:768
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1544
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1632
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1524
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1016
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1968
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1700
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1456
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1468
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1060
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1732
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:1740
    • C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {default} recoveryenabled No
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:1944
    • C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:1812
    • C:\Windows\system32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP
      2⤵
      • Deletes System State backups
      • Drops file in Windows directory
      PID:1016
    • C:\Windows\System32\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1896
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\locker.exe >> NUL
      2⤵
      • Deletes itself
      PID:1448
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1260
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:212
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\PROTECT_INFO.TXT
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:1576

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Command-Line Interface (T1059) 1
  • Defense Evasion
    File Deletion (T1107) 3
    Modify Registry (T1112) 1
  • Credential Access
    Credentials in Files (T1081) 1
  • Discovery
    Query Registry (T1012) 1
    Peripheral Device Discovery (T1120) 1
    System Information Discovery (T1082) 2
  • Collection
    Data from Local System (T1005) 1
  • Impact
    Inhibit System Recovery (T1490) 4


Downloads

    • C:\Users\Admin\Desktop\PROTECT_INFO.TXT
      MD5

      264097a1bae07723d1b9ab2e57343972

      SHA1

      7cd046826c0e59e3f10580210e4e544aec773c67

      SHA256

      7d8ef53f095f2852bca36863c6707c97599125ba170eee156b85a33c984a5bdf

      SHA512

      e88dd27e92934c3125269e93e015f3b27b236f791ee1d94545037e57f83f6afbc7c6ade74bd99a7344b1751e043fd25302e6c00c33a1b8990fecc6e278683162

    • memory/768-62-0x0000000000000000-mapping.dmp
    • memory/788-60-0x000007FEFB891000-0x000007FEFB893000-memory.dmp
      Filesize

      8KB

    • memory/1016-66-0x0000000000000000-mapping.dmp
    • memory/1016-76-0x0000000000000000-mapping.dmp
    • memory/1060-71-0x0000000000000000-mapping.dmp
    • memory/1236-61-0x0000000000000000-mapping.dmp
    • memory/1448-82-0x0000000000000000-mapping.dmp
    • memory/1456-69-0x0000000000000000-mapping.dmp
    • memory/1468-70-0x0000000000000000-mapping.dmp
    • memory/1524-65-0x0000000000000000-mapping.dmp
    • memory/1544-63-0x0000000000000000-mapping.dmp
    • memory/1632-64-0x0000000000000000-mapping.dmp
    • memory/1700-68-0x0000000000000000-mapping.dmp
    • memory/1732-72-0x0000000000000000-mapping.dmp
    • memory/1740-73-0x0000000000000000-mapping.dmp
    • memory/1812-75-0x0000000000000000-mapping.dmp
    • memory/1896-78-0x0000000000000000-mapping.dmp
    • memory/1944-74-0x0000000000000000-mapping.dmp
    • memory/1968-67-0x0000000000000000-mapping.dmp