lockbit | 630e24cc1c4c95321965ad967e77e1888c48c4b1f653d800c7df08e879814787

General

Target

d4rkw4ve@tutanota.com.exe
Size

489KB
MD5

ad81961ccc571e985d35e6f30d396859
SHA1

39dc8ac32563d88a11dee49137a0353b46f3eb38
SHA256

630e24cc1c4c95321965ad967e77e1888c48c4b1f653d800c7df08e879814787
SHA512

2d08c947b382b8633c1e055a8bbc57ae7b83f9a3a3ea1ac38080c52acc3fb928a2e199588b8cb0160494be03e6d42d4ae414d292e9e3838a6850cde1369aa8d8

Score

10^/10

lockbit evasion persistence ransomware trojan

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note

!!!All of your files are encrypted!!! To decrypt them send e-mail to this address: d4rkw4ve@tutanota.com In case of no answer in 24h, send e-mail to this address: dark4wave@yandex.com All your files will be lost on Wednesday, February 2, 2022 4:33:45 AM. Your SYSTEM ID : 1607E57B

Emails

d4rkw4ve@tutanota.com

dark4wave@yandex.com

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\info.hta

Ransom Note

All your files have been encrypted by Loki locker! All your files have been encrypted due to a security problem with your PC. If you want to restore them, please send an email d4rkw4ve@tutanota.com You have to pay for decryption in Bitcoin. The price depends on how fast you contact us. After payment we will send you the decryption tool. You have to 48 hours(2 Days) To contact or paying us After that, you have to Pay Double . In case of no answer in 24 hours (1 Day) write to this email dark4wave@yandex.com Your unique ID is : 1607E57B You only have LIMITED time to get back your files! If timer runs out and you dont pay us , all of files will be DELETED and you hard disk will be seriously DAMAGED. You will lose some of your data on day 2 in the timer. You can buy more time for pay. Just email us. THIS IS NOT A JOKE! you can wait for the timer to run out ,and watch deletion of your files :) What is our decryption guarantee? Before paying you can send us up to for free decryption. The total size of files must be less than 2Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) Attention! DO NOT pay any money before decrypting the test files. DO NOT trust any intermediary. they wont help you and you may be victim of scam. just email us , we help you in any steps. DO NOT reply to other emails. ONLY this two emails can help you. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

d4rkw4ve@tutanota.com

dark4wave@yandex.com

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Disables Task Manager via registry modification
evasion
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

d4rkw4ve@tutanota.com.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\WaitExport.tiff	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Users\Admin\Pictures\RedoMeasure.tiff	d4rkw4ve@tutanota.com.exe

Drops startup file 3 IoCs

Processes:

d4rkw4ve@tutanota.com.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe	d4rkw4ve@tutanota.com.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wvtymcow.bat	d4rkw4ve@tutanota.com.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d4rkw4ve@tutanota.com.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\ProgramData\\winlogon.exe"	d4rkw4ve@tutanota.com.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\Windows\\winlogon.exe"	d4rkw4ve@tutanota.com.exe

Drops desktop.ini file(s) 29 IoCs

Processes:

d4rkw4ve@tutanota.com.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\desktop.ini	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Users\Public\desktop.ini	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	d4rkw4ve@tutanota.com.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

d4rkw4ve@tutanota.com.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\50zcyzhb.Loki"	d4rkw4ve@tutanota.com.exe

Drops file in Program Files directory 64 IoCs

Processes:

d4rkw4ve@tutanota.com.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.VideoTk\PassthroughPS_UV.cso	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailWideTile.scale-150.png	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\BackgroundAudio.winmd	d4rkw4ve@tutanota.com.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\Restore-My-Files.txt	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ppd.xrm-ms	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\openssl64.dlla.manifest	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ja-jp\ui-strings.js	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pt-br\ui-strings.js	d4rkw4ve@tutanota.com.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Calculator\Restore-My-Files.txt	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-16_contrast-black.png	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-60_altform-unplated.png	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\main.css	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-200.png	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-16_altform-unplated.png	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\LargeTile.scale-100.png	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ppd.xrm-ms	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ppd.xrm-ms	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\MedTile.scale-125.png	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\LargeLogo.scale-150.png	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\weblink.api	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\share_icons2x.png	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_olv.css	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Assets\Square150x150Logo.scale-200.png	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailSmallTile.scale-150.png	d4rkw4ve@tutanota.com.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\es-ES\Restore-My-Files.txt	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\THMBNAIL.PNG	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\as80.xsl	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.contrast-white_scale-200.png	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\fingerscrossed.png	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\StoreLogo.contrast-white_scale-100.png	d4rkw4ve@tutanota.com.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\Restore-My-Files.txt	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\uk-ua\ui-strings.js	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ru-ru\ui-strings.js	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-256_contrast-white.png	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.scale-125.png	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\angel.png	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\msdaorar.dll.mui	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sa.jar	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\pl-pl\ui-strings.js	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	d4rkw4ve@tutanota.com.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pt-br\Restore-My-Files.txt	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\resources.jar	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\sandbox.luac	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ads_casualgames_728x90.png	d4rkw4ve@tutanota.com.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\ja-jp\Restore-My-Files.txt	d4rkw4ve@tutanota.com.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\Simple\Restore-My-Files.txt	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TAG.XSL	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeMediumTile.scale-125.png	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-white\LargeLogo.scale-150_contrast-white.png	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\TEE\es-ES.PhoneNumber.SMS.model	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\3899_24x24x32.png	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\8794_20x20x32.png	d4rkw4ve@tutanota.com.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\tr-tr\Restore-My-Files.txt	d4rkw4ve@tutanota.com.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ro-ro\Restore-My-Files.txt	d4rkw4ve@tutanota.com.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\Restore-My-Files.txt	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\THANKS.txt	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96_altform-unplated_contrast-black.png	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ui-strings.js	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\THMBNAIL.PNG	d4rkw4ve@tutanota.com.exe

Drops file in Windows directory 2 IoCs

Processes:

d4rkw4ve@tutanota.com.exe

description	ioc	process
File created	C:\Windows\winlogon.exe	d4rkw4ve@tutanota.com.exe
File opened for modification	C:\Windows\winlogon.exe	d4rkw4ve@tutanota.com.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4480 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2492 vssadmin.exe

pid	process
4480	schtasks.exe

pid	process
2492	vssadmin.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

d4rkw4ve@tutanota.com.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\Desktop\TileWallpaper = "0"	d4rkw4ve@tutanota.com.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\Desktop\WallpaperStyle = "2"	d4rkw4ve@tutanota.com.exe

Modifies registry class 8 IoCs

Processes:

d4rkw4ve@tutanota.com.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell	d4rkw4ve@tutanota.com.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open	d4rkw4ve@tutanota.com.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open\command\ = "C:\\ProgramData\\452zjcpi.exe \"%l\" "	d4rkw4ve@tutanota.com.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	d4rkw4ve@tutanota.com.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Loki	d4rkw4ve@tutanota.com.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Loki\ = "Loki"	d4rkw4ve@tutanota.com.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open\command	d4rkw4ve@tutanota.com.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Loki	d4rkw4ve@tutanota.com.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d4rkw4ve@tutanota.com.exe

pid	process
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe
3476	d4rkw4ve@tutanota.com.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

d4rkw4ve@tutanota.com.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	3476	d4rkw4ve@tutanota.com.exe
Token: SeIncreaseQuotaPrivilege	3416	WMIC.exe
Token: SeSecurityPrivilege	3416	WMIC.exe
Token: SeTakeOwnershipPrivilege	3416	WMIC.exe
Token: SeLoadDriverPrivilege	3416	WMIC.exe
Token: SeSystemProfilePrivilege	3416	WMIC.exe
Token: SeSystemtimePrivilege	3416	WMIC.exe
Token: SeProfSingleProcessPrivilege	3416	WMIC.exe
Token: SeIncBasePriorityPrivilege	3416	WMIC.exe
Token: SeCreatePagefilePrivilege	3416	WMIC.exe
Token: SeBackupPrivilege	3416	WMIC.exe
Token: SeRestorePrivilege	3416	WMIC.exe
Token: SeShutdownPrivilege	3416	WMIC.exe
Token: SeDebugPrivilege	3416	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3416	WMIC.exe
Token: SeRemoteShutdownPrivilege	3416	WMIC.exe
Token: SeUndockPrivilege	3416	WMIC.exe
Token: SeManageVolumePrivilege	3416	WMIC.exe
Token: 33	3416	WMIC.exe
Token: 34	3416	WMIC.exe
Token: 35	3416	WMIC.exe
Token: 36	3416	WMIC.exe
Token: SeBackupPrivilege	3152	vssvc.exe
Token: SeRestorePrivilege	3152	vssvc.exe
Token: SeAuditPrivilege	3152	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3416	WMIC.exe
Token: SeSecurityPrivilege	3416	WMIC.exe
Token: SeTakeOwnershipPrivilege	3416	WMIC.exe
Token: SeLoadDriverPrivilege	3416	WMIC.exe
Token: SeSystemProfilePrivilege	3416	WMIC.exe
Token: SeSystemtimePrivilege	3416	WMIC.exe
Token: SeProfSingleProcessPrivilege	3416	WMIC.exe
Token: SeIncBasePriorityPrivilege	3416	WMIC.exe
Token: SeCreatePagefilePrivilege	3416	WMIC.exe
Token: SeBackupPrivilege	3416	WMIC.exe
Token: SeRestorePrivilege	3416	WMIC.exe
Token: SeShutdownPrivilege	3416	WMIC.exe
Token: SeDebugPrivilege	3416	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3416	WMIC.exe
Token: SeRemoteShutdownPrivilege	3416	WMIC.exe
Token: SeUndockPrivilege	3416	WMIC.exe
Token: SeManageVolumePrivilege	3416	WMIC.exe
Token: 33	3416	WMIC.exe
Token: 34	3416	WMIC.exe
Token: 35	3416	WMIC.exe
Token: 36	3416	WMIC.exe
Token: SeDebugPrivilege	3476	d4rkw4ve@tutanota.com.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

d4rkw4ve@tutanota.com.execmd.execsc.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3476 wrote to memory of 4436	3476	d4rkw4ve@tutanota.com.exe	cmd.exe
PID 3476 wrote to memory of 4436	3476	d4rkw4ve@tutanota.com.exe	cmd.exe
PID 3476 wrote to memory of 4436	3476	d4rkw4ve@tutanota.com.exe	cmd.exe
PID 4436 wrote to memory of 4480	4436	cmd.exe	schtasks.exe
PID 4436 wrote to memory of 4480	4436	cmd.exe	schtasks.exe
PID 4436 wrote to memory of 4480	4436	cmd.exe	schtasks.exe
PID 3476 wrote to memory of 4500	3476	d4rkw4ve@tutanota.com.exe	csc.exe
PID 3476 wrote to memory of 4500	3476	d4rkw4ve@tutanota.com.exe	csc.exe
PID 3476 wrote to memory of 4500	3476	d4rkw4ve@tutanota.com.exe	csc.exe
PID 4500 wrote to memory of 4568	4500	csc.exe	cvtres.exe
PID 4500 wrote to memory of 4568	4500	csc.exe	cvtres.exe
PID 4500 wrote to memory of 4568	4500	csc.exe	cvtres.exe
PID 3476 wrote to memory of 4760	3476	d4rkw4ve@tutanota.com.exe	cmd.exe
PID 3476 wrote to memory of 4760	3476	d4rkw4ve@tutanota.com.exe	cmd.exe
PID 3476 wrote to memory of 4760	3476	d4rkw4ve@tutanota.com.exe	cmd.exe
PID 3476 wrote to memory of 4780	3476	d4rkw4ve@tutanota.com.exe	cmd.exe
PID 3476 wrote to memory of 4780	3476	d4rkw4ve@tutanota.com.exe	cmd.exe
PID 3476 wrote to memory of 4780	3476	d4rkw4ve@tutanota.com.exe	cmd.exe
PID 3476 wrote to memory of 4804	3476	d4rkw4ve@tutanota.com.exe	cmd.exe
PID 3476 wrote to memory of 4804	3476	d4rkw4ve@tutanota.com.exe	cmd.exe
PID 3476 wrote to memory of 4804	3476	d4rkw4ve@tutanota.com.exe	cmd.exe
PID 3476 wrote to memory of 4828	3476	d4rkw4ve@tutanota.com.exe	cmd.exe
PID 3476 wrote to memory of 4828	3476	d4rkw4ve@tutanota.com.exe	cmd.exe
PID 3476 wrote to memory of 4828	3476	d4rkw4ve@tutanota.com.exe	cmd.exe
PID 3476 wrote to memory of 4860	3476	d4rkw4ve@tutanota.com.exe	cmd.exe
PID 3476 wrote to memory of 4860	3476	d4rkw4ve@tutanota.com.exe	cmd.exe
PID 3476 wrote to memory of 4860	3476	d4rkw4ve@tutanota.com.exe	cmd.exe
PID 3476 wrote to memory of 4896	3476	d4rkw4ve@tutanota.com.exe	cmd.exe
PID 3476 wrote to memory of 4896	3476	d4rkw4ve@tutanota.com.exe	cmd.exe
PID 3476 wrote to memory of 4896	3476	d4rkw4ve@tutanota.com.exe	cmd.exe
PID 3476 wrote to memory of 4964	3476	d4rkw4ve@tutanota.com.exe	cmd.exe
PID 3476 wrote to memory of 4964	3476	d4rkw4ve@tutanota.com.exe	cmd.exe
PID 3476 wrote to memory of 4964	3476	d4rkw4ve@tutanota.com.exe	cmd.exe
PID 3476 wrote to memory of 5024	3476	d4rkw4ve@tutanota.com.exe	cmd.exe
PID 3476 wrote to memory of 5024	3476	d4rkw4ve@tutanota.com.exe	cmd.exe
PID 3476 wrote to memory of 5024	3476	d4rkw4ve@tutanota.com.exe	cmd.exe
PID 4760 wrote to memory of 2492	4760	cmd.exe	vssadmin.exe
PID 4760 wrote to memory of 2492	4760	cmd.exe	vssadmin.exe
PID 4760 wrote to memory of 2492	4760	cmd.exe	vssadmin.exe
PID 5024 wrote to memory of 4260	5024	cmd.exe	netsh.exe
PID 5024 wrote to memory of 4260	5024	cmd.exe	netsh.exe
PID 5024 wrote to memory of 4260	5024	cmd.exe	netsh.exe
PID 4964 wrote to memory of 3824	4964	cmd.exe	netsh.exe
PID 4964 wrote to memory of 3824	4964	cmd.exe	netsh.exe
PID 4964 wrote to memory of 3824	4964	cmd.exe	netsh.exe
PID 4804 wrote to memory of 3416	4804	cmd.exe	WMIC.exe
PID 4804 wrote to memory of 3416	4804	cmd.exe	WMIC.exe
PID 4804 wrote to memory of 3416	4804	cmd.exe	WMIC.exe
PID 3476 wrote to memory of 2324	3476	d4rkw4ve@tutanota.com.exe	mshta.exe
PID 3476 wrote to memory of 2324	3476	d4rkw4ve@tutanota.com.exe	mshta.exe
PID 3476 wrote to memory of 2324	3476	d4rkw4ve@tutanota.com.exe	mshta.exe
PID 3476 wrote to memory of 2288	3476	d4rkw4ve@tutanota.com.exe	mshta.exe
PID 3476 wrote to memory of 2288	3476	d4rkw4ve@tutanota.com.exe	mshta.exe
PID 3476 wrote to memory of 2288	3476	d4rkw4ve@tutanota.com.exe	mshta.exe
PID 3476 wrote to memory of 1256	3476	d4rkw4ve@tutanota.com.exe	mshta.exe
PID 3476 wrote to memory of 1256	3476	d4rkw4ve@tutanota.com.exe	mshta.exe
PID 3476 wrote to memory of 1256	3476	d4rkw4ve@tutanota.com.exe	mshta.exe
PID 3476 wrote to memory of 3648	3476	d4rkw4ve@tutanota.com.exe	mshta.exe
PID 3476 wrote to memory of 3648	3476	d4rkw4ve@tutanota.com.exe	mshta.exe
PID 3476 wrote to memory of 3648	3476	d4rkw4ve@tutanota.com.exe	mshta.exe
PID 3476 wrote to memory of 2336	3476	d4rkw4ve@tutanota.com.exe	mshta.exe
PID 3476 wrote to memory of 2336	3476	d4rkw4ve@tutanota.com.exe	mshta.exe
PID 3476 wrote to memory of 2336	3476	d4rkw4ve@tutanota.com.exe	mshta.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

d4rkw4ve@tutanota.com.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your files have been encrypted due to a security problem with your computer\r\nIf you want to restore them, write us to the e-mail: d4rkw4ve@tutanota.com\r\nWrite this ID in the title of your message: 1607E57B\r\nIn case of no answer in 24 hours write us to this e-mail: dark4wave@yandex.com"	d4rkw4ve@tutanota.com.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Encrypted by Loki locker"	d4rkw4ve@tutanota.com.exe

C:\Users\Admin\AppData\Local\Temp\d4rkw4ve@tutanota.com.exe
"C:\Users\Admin\AppData\Local\Temp\d4rkw4ve@tutanota.com.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3476

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:4480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uvt5v2ad\uvt5v2ad.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA738.tmp" "c:\ProgramData\CSCD7D9D7DD0D34F968BC25FA8464381EE.TMP"
3⤵
PID:4568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2492

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin DELETE SYSTEMSTATEBACKUP
2⤵
PID:4780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
2⤵
PID:4828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:4860

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
2⤵
PID:4896

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off
2⤵
- Suspicious use of WriteProcessMemory
PID:4964

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
PID:3824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C netsh firewall set opmode mode=disable
2⤵
- Suspicious use of WriteProcessMemory
PID:5024

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
3⤵
PID:4260

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
2⤵
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3416

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:2324

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:2288

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:1256

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:3648

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:2336

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3152

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

2

T1031

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

4

T1112

Disabling Security Tools

1

T1089

File Deletion

2

T1107

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\452zjcpi.exe
MD5
6456f1b47ac39df354a59db0c443f59a

SHA1
b40af78de5e5be12df5c36c7785b2015102494ff

SHA256
a99a166762c3f9b4e678828edbfd49e6acb32058fee7ea6f8b1abf89a73e6eb3

SHA512
f226bce3d9df69f2de7c5cc52b9c86818d192ecfe33e6426bf0e83ff7e86550ade0c46698feba8fb617facacf0899f3f2e98bcb3a3453a186c3e06f3ed313ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA738.tmp
MD5
7a70a289f304044ef16b1306999dadec

SHA1
48690b8b0274940796dc1aa6e0b18e17c502ad37

SHA256
29feaec6359970a80021d56227faa7981a06b436c3302681fe65076a15587d27

SHA512
bdd85680faec149c395080c09eb2b82442ff213ce412ece6b535e2bfbb29093fb33e2255ed9e090faed77161b03d5eb93ec85c90e2f44315e868d51619b94a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\info.hta
MD5
b522d3b331849a376373afe80ba5d01d

SHA1
d91732c6739dffe7abe5baf92278d8e90ec7f2ba

SHA256
a444c957d451a810e3b18578e0dc23ddf479f02b233984cbb728316c9407e8bb

SHA512
265d3bd0a41cfe7f40a903d1247b4d6ab6614bf4cbfb8d1e9e0c7afa9d4fdf3b59c83d9db4c80976e2123ef7ceba1919da9c2ec7f1e0b26935c8d018097cde2a

Download Submit
\??\c:\ProgramData\CSCD7D9D7DD0D34F968BC25FA8464381EE.TMP
MD5
8abbdc6d926579b927ea394808f2c44f

SHA1
3144a2a1c3c9982a3a606a070983f98cea1a9f8e

SHA256
2ae57feafcc8edafdf71de27cd5b21620a4fd8f35d642122cfd572606dfb3568

SHA512
46b870c1de81d7694be07303017bf4b78dd03d12d82424caafdc431cae9ac39351c09f736a268d5e93ef8b8177878ccad64927e27699276fff86fee5958fbd73

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ug5eoeim.ico
MD5
dbc49b5f7714255217080c2e81f05a99

SHA1
4de2ef415d66d2bb8b389ba140a468b125388e19

SHA256
6d2f1f6164cbd331b9dc43b37948372e21b2ee45407aa99e199693835cded09c

SHA512
29a65eb7403bfc220fd057c2e6ea11b29bff545dfce2d3370ad462c66b03ae7f648efd480305423a49440de199a2a94c41214877b226a42dc2d1650683d149bb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uvt5v2ad\uvt5v2ad.0.cs
MD5
69ffa9cc03972f30e15f26cd9eb7dbb2

SHA1
03f489b2ec66958fea4b20ba75494298a72439fa

SHA256
a5cdc42c009f51f7ba43c4ca635a801958baad7523847e3ca0e34135e3eb93c1

SHA512
0eceed327c153917cad590a37754348808cb13d1cc5785e743deb97d00ccfeee62ba2e126108a6491380a03201b23e801feba3a2875b9a2f31e5376114fdf6de

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uvt5v2ad\uvt5v2ad.cmdline
MD5
62e73cf5bbdc9bea434d4a0827542765

SHA1
b81732c223be653f2a717d7a31c0977f18988467

SHA256
4bb572e47c368089993926ca332669cdc1fcdb886bb2b59b062e475791ab85f2

SHA512
c4cc4000b25c1c694fbf481bebe9485809f2341215c7d2641830faa6fc4ef4aa44ae678693cfa1089173cbd2c3c0ffcbe444c9813cb3de6bc0f6f6d49a59f967

Download Submit
memory/1256-145-0x0000000000000000-mapping.dmp

Download
memory/2288-144-0x0000000000000000-mapping.dmp

Download
memory/2324-143-0x0000000000000000-mapping.dmp

Download
memory/2336-147-0x0000000000000000-mapping.dmp

Download
memory/2492-139-0x0000000000000000-mapping.dmp

Download
memory/3416-142-0x0000000000000000-mapping.dmp

Download
memory/3476-119-0x0000000004F70000-0x0000000004F92000-memory.dmp

Filesize
136KB

Download
memory/3476-118-0x0000000005240000-0x00000000052B6000-memory.dmp

Filesize
472KB

Download
memory/3476-117-0x0000000005000000-0x0000000005066000-memory.dmp

Filesize
408KB

Download
memory/3476-116-0x00000000050A0000-0x0000000005132000-memory.dmp

Filesize
584KB

Download
memory/3476-115-0x0000000000740000-0x00000000007C4000-memory.dmp

Filesize
528KB

Download
memory/3476-120-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/3648-146-0x0000000000000000-mapping.dmp

Download
memory/3824-141-0x0000000000000000-mapping.dmp

Download
memory/4260-140-0x0000000000000000-mapping.dmp

Download
memory/4436-121-0x0000000000000000-mapping.dmp

Download
memory/4480-122-0x0000000000000000-mapping.dmp

Download
memory/4500-123-0x0000000000000000-mapping.dmp

Download
memory/4568-127-0x0000000000000000-mapping.dmp

Download
memory/4760-131-0x0000000000000000-mapping.dmp

Download
memory/4780-132-0x0000000000000000-mapping.dmp

Download
memory/4804-133-0x0000000000000000-mapping.dmp

Download
memory/4828-134-0x0000000000000000-mapping.dmp

Download
memory/4860-135-0x0000000000000000-mapping.dmp

Download
memory/4896-136-0x0000000000000000-mapping.dmp

Download
memory/4964-137-0x0000000000000000-mapping.dmp

Download
memory/5024-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads