Analysis
-
max time kernel
600s -
max time network
361s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
03-01-2022 04:32
Static task
static1
Behavioral task
behavioral1
Sample
d4rkw4ve@tutanota.com.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
d4rkw4ve@tutanota.com.exe
Resource
win10-en-20211208
General
-
Target
d4rkw4ve@tutanota.com.exe
-
Size
489KB
-
MD5
ad81961ccc571e985d35e6f30d396859
-
SHA1
39dc8ac32563d88a11dee49137a0353b46f3eb38
-
SHA256
630e24cc1c4c95321965ad967e77e1888c48c4b1f653d800c7df08e879814787
-
SHA512
2d08c947b382b8633c1e055a8bbc57ae7b83f9a3a3ea1ac38080c52acc3fb928a2e199588b8cb0160494be03e6d42d4ae414d292e9e3838a6850cde1369aa8d8
Malware Config
Extracted
C:\Restore-My-Files.txt
d4rkw4ve@tutanota.com
dark4wave@yandex.com
Extracted
C:\Users\Admin\AppData\Local\Temp\info.hta
d4rkw4ve@tutanota.com
dark4wave@yandex.com
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Disables Task Manager via registry modification
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
d4rkw4ve@tutanota.com.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\WaitExport.tiff d4rkw4ve@tutanota.com.exe File opened for modification C:\Users\Admin\Pictures\RedoMeasure.tiff d4rkw4ve@tutanota.com.exe -
Drops startup file 3 IoCs
Processes:
d4rkw4ve@tutanota.com.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe d4rkw4ve@tutanota.com.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe d4rkw4ve@tutanota.com.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wvtymcow.bat d4rkw4ve@tutanota.com.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
d4rkw4ve@tutanota.com.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\ProgramData\\winlogon.exe" d4rkw4ve@tutanota.com.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\Windows\\winlogon.exe" d4rkw4ve@tutanota.com.exe -
Drops desktop.ini file(s) 29 IoCs
Processes:
d4rkw4ve@tutanota.com.exedescription ioc process File opened for modification C:\Users\Admin\Desktop\desktop.ini d4rkw4ve@tutanota.com.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini d4rkw4ve@tutanota.com.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini d4rkw4ve@tutanota.com.exe File opened for modification C:\Users\Public\Desktop\desktop.ini d4rkw4ve@tutanota.com.exe File opened for modification C:\Users\Public\Libraries\desktop.ini d4rkw4ve@tutanota.com.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini d4rkw4ve@tutanota.com.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini d4rkw4ve@tutanota.com.exe File opened for modification C:\Users\Public\Documents\desktop.ini d4rkw4ve@tutanota.com.exe File opened for modification C:\Users\Public\Music\desktop.ini d4rkw4ve@tutanota.com.exe File opened for modification C:\Users\Public\Videos\desktop.ini d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI d4rkw4ve@tutanota.com.exe File opened for modification C:\Users\Admin\Videos\desktop.ini d4rkw4ve@tutanota.com.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini d4rkw4ve@tutanota.com.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\desktop.ini d4rkw4ve@tutanota.com.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini d4rkw4ve@tutanota.com.exe File opened for modification C:\Users\Admin\Links\desktop.ini d4rkw4ve@tutanota.com.exe File opened for modification C:\Users\Admin\Searches\desktop.ini d4rkw4ve@tutanota.com.exe File opened for modification C:\Users\Public\Downloads\desktop.ini d4rkw4ve@tutanota.com.exe File opened for modification C:\Users\Public\desktop.ini d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files (x86)\desktop.ini d4rkw4ve@tutanota.com.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini d4rkw4ve@tutanota.com.exe File opened for modification C:\Users\Admin\Music\desktop.ini d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini d4rkw4ve@tutanota.com.exe File opened for modification C:\Users\Admin\Documents\desktop.ini d4rkw4ve@tutanota.com.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini d4rkw4ve@tutanota.com.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini d4rkw4ve@tutanota.com.exe File opened for modification C:\Users\Public\Pictures\desktop.ini d4rkw4ve@tutanota.com.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
d4rkw4ve@tutanota.com.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\50zcyzhb.Loki" d4rkw4ve@tutanota.com.exe -
Drops file in Program Files directory 64 IoCs
Processes:
d4rkw4ve@tutanota.com.exedescription ioc process File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.VideoTk\PassthroughPS_UV.cso d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailWideTile.scale-150.png d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\BackgroundAudio.winmd d4rkw4ve@tutanota.com.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\Restore-My-Files.txt d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ppd.xrm-ms d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\openssl64.dlla.manifest d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ja-jp\ui-strings.js d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pt-br\ui-strings.js d4rkw4ve@tutanota.com.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Calculator\Restore-My-Files.txt d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-16_contrast-black.png d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-60_altform-unplated.png d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\main.css d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-200.png d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-16_altform-unplated.png d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\LargeTile.scale-100.png d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ppd.xrm-ms d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ppd.xrm-ms d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\MedTile.scale-125.png d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\LargeLogo.scale-150.png d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\weblink.api d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\share_icons2x.png d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_olv.css d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Assets\Square150x150Logo.scale-200.png d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailSmallTile.scale-150.png d4rkw4ve@tutanota.com.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\es-ES\Restore-My-Files.txt d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\THMBNAIL.PNG d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\as80.xsl d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.contrast-white_scale-200.png d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\fingerscrossed.png d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\StoreLogo.contrast-white_scale-100.png d4rkw4ve@tutanota.com.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\Restore-My-Files.txt d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\uk-ua\ui-strings.js d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ru-ru\ui-strings.js d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-256_contrast-white.png d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.scale-125.png d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\angel.png d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\msdaorar.dll.mui d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sa.jar d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\pl-pl\ui-strings.js d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml d4rkw4ve@tutanota.com.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pt-br\Restore-My-Files.txt d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\resources.jar d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\modules\sandbox.luac d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ads_casualgames_728x90.png d4rkw4ve@tutanota.com.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\ja-jp\Restore-My-Files.txt d4rkw4ve@tutanota.com.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\Simple\Restore-My-Files.txt d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TAG.XSL d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeMediumTile.scale-125.png d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-white\LargeLogo.scale-150_contrast-white.png d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\TEE\es-ES.PhoneNumber.SMS.model d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\3899_24x24x32.png d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\8794_20x20x32.png d4rkw4ve@tutanota.com.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\tr-tr\Restore-My-Files.txt d4rkw4ve@tutanota.com.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ro-ro\Restore-My-Files.txt d4rkw4ve@tutanota.com.exe File created C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\Restore-My-Files.txt d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\VideoLAN\VLC\THANKS.txt d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96_altform-unplated_contrast-black.png d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ui-strings.js d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui d4rkw4ve@tutanota.com.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\THMBNAIL.PNG d4rkw4ve@tutanota.com.exe -
Drops file in Windows directory 2 IoCs
Processes:
d4rkw4ve@tutanota.com.exedescription ioc process File created C:\Windows\winlogon.exe d4rkw4ve@tutanota.com.exe File opened for modification C:\Windows\winlogon.exe d4rkw4ve@tutanota.com.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 2492 vssadmin.exe -
Modifies Control Panel 2 IoCs
Processes:
d4rkw4ve@tutanota.com.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\Desktop\TileWallpaper = "0" d4rkw4ve@tutanota.com.exe Set value (int) \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\Desktop\WallpaperStyle = "2" d4rkw4ve@tutanota.com.exe -
Modifies registry class 8 IoCs
Processes:
d4rkw4ve@tutanota.com.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell d4rkw4ve@tutanota.com.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open d4rkw4ve@tutanota.com.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open\command\ = "C:\\ProgramData\\452zjcpi.exe \"%l\" " d4rkw4ve@tutanota.com.exe Key created \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings d4rkw4ve@tutanota.com.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Loki d4rkw4ve@tutanota.com.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Loki\ = "Loki" d4rkw4ve@tutanota.com.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open\command d4rkw4ve@tutanota.com.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Loki d4rkw4ve@tutanota.com.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
d4rkw4ve@tutanota.com.exepid process 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe 3476 d4rkw4ve@tutanota.com.exe -
Suspicious use of AdjustPrivilegeToken 47 IoCs
Processes:
d4rkw4ve@tutanota.com.exeWMIC.exevssvc.exedescription pid process Token: SeDebugPrivilege 3476 d4rkw4ve@tutanota.com.exe Token: SeIncreaseQuotaPrivilege 3416 WMIC.exe Token: SeSecurityPrivilege 3416 WMIC.exe Token: SeTakeOwnershipPrivilege 3416 WMIC.exe Token: SeLoadDriverPrivilege 3416 WMIC.exe Token: SeSystemProfilePrivilege 3416 WMIC.exe Token: SeSystemtimePrivilege 3416 WMIC.exe Token: SeProfSingleProcessPrivilege 3416 WMIC.exe Token: SeIncBasePriorityPrivilege 3416 WMIC.exe Token: SeCreatePagefilePrivilege 3416 WMIC.exe Token: SeBackupPrivilege 3416 WMIC.exe Token: SeRestorePrivilege 3416 WMIC.exe Token: SeShutdownPrivilege 3416 WMIC.exe Token: SeDebugPrivilege 3416 WMIC.exe Token: SeSystemEnvironmentPrivilege 3416 WMIC.exe Token: SeRemoteShutdownPrivilege 3416 WMIC.exe Token: SeUndockPrivilege 3416 WMIC.exe Token: SeManageVolumePrivilege 3416 WMIC.exe Token: 33 3416 WMIC.exe Token: 34 3416 WMIC.exe Token: 35 3416 WMIC.exe Token: 36 3416 WMIC.exe Token: SeBackupPrivilege 3152 vssvc.exe Token: SeRestorePrivilege 3152 vssvc.exe Token: SeAuditPrivilege 3152 vssvc.exe Token: SeIncreaseQuotaPrivilege 3416 WMIC.exe Token: SeSecurityPrivilege 3416 WMIC.exe Token: SeTakeOwnershipPrivilege 3416 WMIC.exe Token: SeLoadDriverPrivilege 3416 WMIC.exe Token: SeSystemProfilePrivilege 3416 WMIC.exe Token: SeSystemtimePrivilege 3416 WMIC.exe Token: SeProfSingleProcessPrivilege 3416 WMIC.exe Token: SeIncBasePriorityPrivilege 3416 WMIC.exe Token: SeCreatePagefilePrivilege 3416 WMIC.exe Token: SeBackupPrivilege 3416 WMIC.exe Token: SeRestorePrivilege 3416 WMIC.exe Token: SeShutdownPrivilege 3416 WMIC.exe Token: SeDebugPrivilege 3416 WMIC.exe Token: SeSystemEnvironmentPrivilege 3416 WMIC.exe Token: SeRemoteShutdownPrivilege 3416 WMIC.exe Token: SeUndockPrivilege 3416 WMIC.exe Token: SeManageVolumePrivilege 3416 WMIC.exe Token: 33 3416 WMIC.exe Token: 34 3416 WMIC.exe Token: 35 3416 WMIC.exe Token: 36 3416 WMIC.exe Token: SeDebugPrivilege 3476 d4rkw4ve@tutanota.com.exe -
Suspicious use of WriteProcessMemory 63 IoCs
Processes:
d4rkw4ve@tutanota.com.execmd.execsc.execmd.execmd.execmd.execmd.exedescription pid process target process PID 3476 wrote to memory of 4436 3476 d4rkw4ve@tutanota.com.exe cmd.exe PID 3476 wrote to memory of 4436 3476 d4rkw4ve@tutanota.com.exe cmd.exe PID 3476 wrote to memory of 4436 3476 d4rkw4ve@tutanota.com.exe cmd.exe PID 4436 wrote to memory of 4480 4436 cmd.exe schtasks.exe PID 4436 wrote to memory of 4480 4436 cmd.exe schtasks.exe PID 4436 wrote to memory of 4480 4436 cmd.exe schtasks.exe PID 3476 wrote to memory of 4500 3476 d4rkw4ve@tutanota.com.exe csc.exe PID 3476 wrote to memory of 4500 3476 d4rkw4ve@tutanota.com.exe csc.exe PID 3476 wrote to memory of 4500 3476 d4rkw4ve@tutanota.com.exe csc.exe PID 4500 wrote to memory of 4568 4500 csc.exe cvtres.exe PID 4500 wrote to memory of 4568 4500 csc.exe cvtres.exe PID 4500 wrote to memory of 4568 4500 csc.exe cvtres.exe PID 3476 wrote to memory of 4760 3476 d4rkw4ve@tutanota.com.exe cmd.exe PID 3476 wrote to memory of 4760 3476 d4rkw4ve@tutanota.com.exe cmd.exe PID 3476 wrote to memory of 4760 3476 d4rkw4ve@tutanota.com.exe cmd.exe PID 3476 wrote to memory of 4780 3476 d4rkw4ve@tutanota.com.exe cmd.exe PID 3476 wrote to memory of 4780 3476 d4rkw4ve@tutanota.com.exe cmd.exe PID 3476 wrote to memory of 4780 3476 d4rkw4ve@tutanota.com.exe cmd.exe PID 3476 wrote to memory of 4804 3476 d4rkw4ve@tutanota.com.exe cmd.exe PID 3476 wrote to memory of 4804 3476 d4rkw4ve@tutanota.com.exe cmd.exe PID 3476 wrote to memory of 4804 3476 d4rkw4ve@tutanota.com.exe cmd.exe PID 3476 wrote to memory of 4828 3476 d4rkw4ve@tutanota.com.exe cmd.exe PID 3476 wrote to memory of 4828 3476 d4rkw4ve@tutanota.com.exe cmd.exe PID 3476 wrote to memory of 4828 3476 d4rkw4ve@tutanota.com.exe cmd.exe PID 3476 wrote to memory of 4860 3476 d4rkw4ve@tutanota.com.exe cmd.exe PID 3476 wrote to memory of 4860 3476 d4rkw4ve@tutanota.com.exe cmd.exe PID 3476 wrote to memory of 4860 3476 d4rkw4ve@tutanota.com.exe cmd.exe PID 3476 wrote to memory of 4896 3476 d4rkw4ve@tutanota.com.exe cmd.exe PID 3476 wrote to memory of 4896 3476 d4rkw4ve@tutanota.com.exe cmd.exe PID 3476 wrote to memory of 4896 3476 d4rkw4ve@tutanota.com.exe cmd.exe PID 3476 wrote to memory of 4964 3476 d4rkw4ve@tutanota.com.exe cmd.exe PID 3476 wrote to memory of 4964 3476 d4rkw4ve@tutanota.com.exe cmd.exe PID 3476 wrote to memory of 4964 3476 d4rkw4ve@tutanota.com.exe cmd.exe PID 3476 wrote to memory of 5024 3476 d4rkw4ve@tutanota.com.exe cmd.exe PID 3476 wrote to memory of 5024 3476 d4rkw4ve@tutanota.com.exe cmd.exe PID 3476 wrote to memory of 5024 3476 d4rkw4ve@tutanota.com.exe cmd.exe PID 4760 wrote to memory of 2492 4760 cmd.exe vssadmin.exe PID 4760 wrote to memory of 2492 4760 cmd.exe vssadmin.exe PID 4760 wrote to memory of 2492 4760 cmd.exe vssadmin.exe PID 5024 wrote to memory of 4260 5024 cmd.exe netsh.exe PID 5024 wrote to memory of 4260 5024 cmd.exe netsh.exe PID 5024 wrote to memory of 4260 5024 cmd.exe netsh.exe PID 4964 wrote to memory of 3824 4964 cmd.exe netsh.exe PID 4964 wrote to memory of 3824 4964 cmd.exe netsh.exe PID 4964 wrote to memory of 3824 4964 cmd.exe netsh.exe PID 4804 wrote to memory of 3416 4804 cmd.exe WMIC.exe PID 4804 wrote to memory of 3416 4804 cmd.exe WMIC.exe PID 4804 wrote to memory of 3416 4804 cmd.exe WMIC.exe PID 3476 wrote to memory of 2324 3476 d4rkw4ve@tutanota.com.exe mshta.exe PID 3476 wrote to memory of 2324 3476 d4rkw4ve@tutanota.com.exe mshta.exe PID 3476 wrote to memory of 2324 3476 d4rkw4ve@tutanota.com.exe mshta.exe PID 3476 wrote to memory of 2288 3476 d4rkw4ve@tutanota.com.exe mshta.exe PID 3476 wrote to memory of 2288 3476 d4rkw4ve@tutanota.com.exe mshta.exe PID 3476 wrote to memory of 2288 3476 d4rkw4ve@tutanota.com.exe mshta.exe PID 3476 wrote to memory of 1256 3476 d4rkw4ve@tutanota.com.exe mshta.exe PID 3476 wrote to memory of 1256 3476 d4rkw4ve@tutanota.com.exe mshta.exe PID 3476 wrote to memory of 1256 3476 d4rkw4ve@tutanota.com.exe mshta.exe PID 3476 wrote to memory of 3648 3476 d4rkw4ve@tutanota.com.exe mshta.exe PID 3476 wrote to memory of 3648 3476 d4rkw4ve@tutanota.com.exe mshta.exe PID 3476 wrote to memory of 3648 3476 d4rkw4ve@tutanota.com.exe mshta.exe PID 3476 wrote to memory of 2336 3476 d4rkw4ve@tutanota.com.exe mshta.exe PID 3476 wrote to memory of 2336 3476 d4rkw4ve@tutanota.com.exe mshta.exe PID 3476 wrote to memory of 2336 3476 d4rkw4ve@tutanota.com.exe mshta.exe -
System policy modification 1 TTPs 2 IoCs
Processes:
d4rkw4ve@tutanota.com.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your files have been encrypted due to a security problem with your computer\r\nIf you want to restore them, write us to the e-mail: d4rkw4ve@tutanota.com\r\nWrite this ID in the title of your message: 1607E57B\r\nIn case of no answer in 24 hours write us to this e-mail: dark4wave@yandex.com" d4rkw4ve@tutanota.com.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Encrypted by Loki locker" d4rkw4ve@tutanota.com.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d4rkw4ve@tutanota.com.exe"C:\Users\Admin\AppData\Local\Temp\d4rkw4ve@tutanota.com.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F3⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uvt5v2ad\uvt5v2ad.cmdline"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA738.tmp" "c:\ProgramData\CSCD7D9D7DD0D34F968BC25FA8464381EE.TMP"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin DELETE SYSTEMSTATEBACKUP2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled no2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C netsh firewall set opmode mode=disable2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\452zjcpi.exeMD5
6456f1b47ac39df354a59db0c443f59a
SHA1b40af78de5e5be12df5c36c7785b2015102494ff
SHA256a99a166762c3f9b4e678828edbfd49e6acb32058fee7ea6f8b1abf89a73e6eb3
SHA512f226bce3d9df69f2de7c5cc52b9c86818d192ecfe33e6426bf0e83ff7e86550ade0c46698feba8fb617facacf0899f3f2e98bcb3a3453a186c3e06f3ed313ee9
-
C:\Users\Admin\AppData\Local\Temp\RESA738.tmpMD5
7a70a289f304044ef16b1306999dadec
SHA148690b8b0274940796dc1aa6e0b18e17c502ad37
SHA25629feaec6359970a80021d56227faa7981a06b436c3302681fe65076a15587d27
SHA512bdd85680faec149c395080c09eb2b82442ff213ce412ece6b535e2bfbb29093fb33e2255ed9e090faed77161b03d5eb93ec85c90e2f44315e868d51619b94a53
-
C:\Users\Admin\AppData\Local\Temp\info.htaMD5
b522d3b331849a376373afe80ba5d01d
SHA1d91732c6739dffe7abe5baf92278d8e90ec7f2ba
SHA256a444c957d451a810e3b18578e0dc23ddf479f02b233984cbb728316c9407e8bb
SHA512265d3bd0a41cfe7f40a903d1247b4d6ab6614bf4cbfb8d1e9e0c7afa9d4fdf3b59c83d9db4c80976e2123ef7ceba1919da9c2ec7f1e0b26935c8d018097cde2a
-
\??\c:\ProgramData\CSCD7D9D7DD0D34F968BC25FA8464381EE.TMPMD5
8abbdc6d926579b927ea394808f2c44f
SHA13144a2a1c3c9982a3a606a070983f98cea1a9f8e
SHA2562ae57feafcc8edafdf71de27cd5b21620a4fd8f35d642122cfd572606dfb3568
SHA51246b870c1de81d7694be07303017bf4b78dd03d12d82424caafdc431cae9ac39351c09f736a268d5e93ef8b8177878ccad64927e27699276fff86fee5958fbd73
-
\??\c:\Users\Admin\AppData\Local\Temp\ug5eoeim.icoMD5
dbc49b5f7714255217080c2e81f05a99
SHA14de2ef415d66d2bb8b389ba140a468b125388e19
SHA2566d2f1f6164cbd331b9dc43b37948372e21b2ee45407aa99e199693835cded09c
SHA51229a65eb7403bfc220fd057c2e6ea11b29bff545dfce2d3370ad462c66b03ae7f648efd480305423a49440de199a2a94c41214877b226a42dc2d1650683d149bb
-
\??\c:\Users\Admin\AppData\Local\Temp\uvt5v2ad\uvt5v2ad.0.csMD5
69ffa9cc03972f30e15f26cd9eb7dbb2
SHA103f489b2ec66958fea4b20ba75494298a72439fa
SHA256a5cdc42c009f51f7ba43c4ca635a801958baad7523847e3ca0e34135e3eb93c1
SHA5120eceed327c153917cad590a37754348808cb13d1cc5785e743deb97d00ccfeee62ba2e126108a6491380a03201b23e801feba3a2875b9a2f31e5376114fdf6de
-
\??\c:\Users\Admin\AppData\Local\Temp\uvt5v2ad\uvt5v2ad.cmdlineMD5
62e73cf5bbdc9bea434d4a0827542765
SHA1b81732c223be653f2a717d7a31c0977f18988467
SHA2564bb572e47c368089993926ca332669cdc1fcdb886bb2b59b062e475791ab85f2
SHA512c4cc4000b25c1c694fbf481bebe9485809f2341215c7d2641830faa6fc4ef4aa44ae678693cfa1089173cbd2c3c0ffcbe444c9813cb3de6bc0f6f6d49a59f967
-
memory/1256-145-0x0000000000000000-mapping.dmp
-
memory/2288-144-0x0000000000000000-mapping.dmp
-
memory/2324-143-0x0000000000000000-mapping.dmp
-
memory/2336-147-0x0000000000000000-mapping.dmp
-
memory/2492-139-0x0000000000000000-mapping.dmp
-
memory/3416-142-0x0000000000000000-mapping.dmp
-
memory/3476-119-0x0000000004F70000-0x0000000004F92000-memory.dmpFilesize
136KB
-
memory/3476-118-0x0000000005240000-0x00000000052B6000-memory.dmpFilesize
472KB
-
memory/3476-117-0x0000000005000000-0x0000000005066000-memory.dmpFilesize
408KB
-
memory/3476-116-0x00000000050A0000-0x0000000005132000-memory.dmpFilesize
584KB
-
memory/3476-115-0x0000000000740000-0x00000000007C4000-memory.dmpFilesize
528KB
-
memory/3476-120-0x0000000005330000-0x0000000005331000-memory.dmpFilesize
4KB
-
memory/3648-146-0x0000000000000000-mapping.dmp
-
memory/3824-141-0x0000000000000000-mapping.dmp
-
memory/4260-140-0x0000000000000000-mapping.dmp
-
memory/4436-121-0x0000000000000000-mapping.dmp
-
memory/4480-122-0x0000000000000000-mapping.dmp
-
memory/4500-123-0x0000000000000000-mapping.dmp
-
memory/4568-127-0x0000000000000000-mapping.dmp
-
memory/4760-131-0x0000000000000000-mapping.dmp
-
memory/4780-132-0x0000000000000000-mapping.dmp
-
memory/4804-133-0x0000000000000000-mapping.dmp
-
memory/4828-134-0x0000000000000000-mapping.dmp
-
memory/4860-135-0x0000000000000000-mapping.dmp
-
memory/4896-136-0x0000000000000000-mapping.dmp
-
memory/4964-137-0x0000000000000000-mapping.dmp
-
memory/5024-138-0x0000000000000000-mapping.dmp