lockbit | 71d0c896720e01be1b6b095fc8917bcac38f8bc8ed3caba8bf9c2a4fcdde1747

General

Target

tmp.exe
Size

484KB
MD5

8b062fa952cc294d7db09794e2d44ce0
SHA1

ce13e42217f7d0e950dd8ae5ee5ec8d5be6af177
SHA256

71d0c896720e01be1b6b095fc8917bcac38f8bc8ed3caba8bf9c2a4fcdde1747
SHA512

a6643699544db21955c927e9a7cdfd1c056c7078e27d9c68ff68865c240ff3dfd0f8aecd7f4926b9746eaa989b3cbef681e5ffd19c643cd02a7faba2534ed26d

Score

10^/10

lockbit evasion persistence ransomware suricata trojan

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note

!!!All of your files are encrypted!!! To decrypt them send e-mail to this address: DecryptionCenter@gmail.com In case of no answer in 24h, send e-mail to this address: DecryptionCenter@outlook.com All your files will be lost on Saturday, May 28, 2022 10:10:24 PM. Your SYSTEM ID : 9C7AFFE0 !!!Deleting "Cpriv.Loki" causes permanent data loss.

Emails

DecryptionCenter@gmail.com

DecryptionCenter@outlook.com

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\info.hta

Ransom Note

All your files have been encrypted by Loki locker! All your files have been encrypted due to a security problem with your PC. If you want to restore them, please send an email DecryptionCenter@gmail.com You have to pay for decryption in Bitcoin. The price depends on how fast you contact us. After payment we will send you the decryption tool. You have to 48 hours(2 Days) To contact or paying us After that, you have to Pay Double . In case of no answer in 24 hours (1 Day) write to this email DecryptionCenter@outlook.com Your unique ID is : 9C7AFFE0 You only have LIMITED time to get back your files! If timer runs out and you dont pay us , all of files will be DELETED and you hard disk will be seriously DAMAGED. You will lose some of your data on day 2 in the timer. You can buy more time for pay. Just email us. THIS IS NOT A JOKE! you can wait for the timer to run out ,and watch deletion of your files :) What is our decryption guarantee? Before paying you can send us up to for free decryption. The total size of files must be less than 2Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) Attention! DO NOT pay any money before decrypting the test files. DO NOT trust any intermediary. they wont help you and you may be victim of scam. just email us , we help you in any steps. DO NOT reply to other emails. ONLY this two emails can help you. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

DecryptionCenter@gmail.com

DecryptionCenter@outlook.com

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
suricata: ET MALWARE Loki Locker Ransomware CnC Activity
suricata: ET MALWARE Loki Locker Ransomware CnC Activity
suricata
suricata: ET MALWARE Loki Locker Ransomware CnC Domain in DNS Lookup
suricata: ET MALWARE Loki Locker Ransomware CnC Domain in DNS Lookup
suricata
suricata: ET MALWARE Loki Locker Ransomware User-Agent
suricata: ET MALWARE Loki Locker Ransomware User-Agent
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1420 bcdedit.exe
968 bcdedit.exe
Deletes System State backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

3068 wbadmin.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1388 wbadmin.exe
Disables Task Manager via registry modification
evasion
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

tmp.exe

description ioc process

File opened for modification C:\Users\Admin\Pictures\ConvertToRequest.tiff tmp.exe

pid	process
1420	bcdedit.exe
968	bcdedit.exe

pid	process
3068	wbadmin.exe

pid	process
1388	wbadmin.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ConvertToRequest.tiff	tmp.exe

Drops startup file 3 IoCs

Processes:

tmp.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe	tmp.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wvtymcow.bat	tmp.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe	tmp.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\ProgramData\\winlogon.exe"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\Windows\\winlogon.exe"	tmp.exe

Drops desktop.ini file(s) 38 IoCs

Processes:

tmp.exe

description	ioc	process
File opened for modification	C:\Users\Public\Desktop\desktop.ini	tmp.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	tmp.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	tmp.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	tmp.exe
File opened for modification	C:\Users\Public\desktop.ini	tmp.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	tmp.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	tmp.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	tmp.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	tmp.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	tmp.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	tmp.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	tmp.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	tmp.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	tmp.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	tmp.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	tmp.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	tmp.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	tmp.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	tmp.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	tmp.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	tmp.exe
File opened for modification	C:\Program Files\desktop.ini	tmp.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	tmp.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	tmp.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	tmp.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	tmp.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gz544dmx.Loki"	tmp.exe

Drops file in Program Files directory 64 IoCs

Processes:

tmp.exe

description	ioc	process
File opened for modification	C:\Program Files\DVD Maker\rtstreamsource.ax	tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme_0.9.300.v20140424-2042.jar	tmp.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\gadget.xml	tmp.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\slideShow.html	tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0240175.WMF	tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGNAVBAR.DPV	tmp.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\RADIAL.ELM	tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099191.JPG	tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18184_.WMF	tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15060_.GIF	tmp.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_down.png	tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nome	tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8PDT	tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif	tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Default.dotx	tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management-agent.jar	tmp.exe
File opened for modification	C:\Program Files\SwitchInstall.mpa	tmp.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\28.png	tmp.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Restore-My-Files.txt	tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\XLINTL32.REST.IDX_DLL	tmp.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\localizedStrings.js	tmp.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml	tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+2	tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_zh_4.4.0.v20140623020002.jar	tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-explorer.xml	tmp.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\PST8	tmp.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\NETWORK.ELM	tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_OliveGreen.gif	tmp.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\Restore-My-Files.txt	tmp.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Manila	tmp.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\32.png	tmp.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui	tmp.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Memories_buttonClear.png	tmp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\vlc.mo	tmp.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\Restore-My-Files.txt	tmp.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\Restore-My-Files.txt	tmp.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml	tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.filesystem_1.4.100.v20140514-1614.jar	tmp.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\AUTHZAX.DLL	tmp.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_down.png	tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105506.WMF	tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00641_.WMF	tmp.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\hi.pak	tmp.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\Restore-My-Files.txt	tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\VISSHE.DLL	tmp.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\flyout.css	tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-views_zh_CN.jar	tmp.exe
File created	C:\Program Files\Java\jre7\lib\management\Restore-My-Files.txt	tmp.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\d3d11\Restore-My-Files.txt	tmp.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\SONORA.ELM	tmp.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\bg_sidebar.png	tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-execution.xml	tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sa.jar	tmp.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Moscow	tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\VVIEWRES.DLL	tmp.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP\Restore-My-Files.txt	tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml	tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0280468.WMF	tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00390_.WMF	tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18238_.WMF	tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutlineToolIconImagesMask.bmp	tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Sts2.css	tmp.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui	tmp.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\20.png	tmp.exe

Drops file in Windows directory 5 IoCs

Processes:

tmp.exewbadmin.exe

description	ioc	process
File created	C:\Windows\winlogon.exe	tmp.exe
File opened for modification	C:\Windows\winlogon.exe	tmp.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2804 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3012 vssadmin.exe

pid	process
2804	schtasks.exe

pid	process
3012	vssadmin.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

tmp.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\Desktop\WallpaperStyle = "2"	tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\Desktop\TileWallpaper = "0"	tmp.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exemshta.exemshta.exemshta.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies registry class 7 IoCs

Processes:

tmp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open\command\ = "C:\\ProgramData\\sl5ykzhl.exe \"%l\" "	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Loki	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Loki\ = "Loki"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open\command	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Loki	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell	tmp.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

tmp.exe

pid	process
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

tmp.exeWMIC.exevssvc.exewbengine.exe

description	pid	process
Token: SeDebugPrivilege	1468	tmp.exe
Token: SeIncreaseQuotaPrivilege	3044	WMIC.exe
Token: SeSecurityPrivilege	3044	WMIC.exe
Token: SeTakeOwnershipPrivilege	3044	WMIC.exe
Token: SeLoadDriverPrivilege	3044	WMIC.exe
Token: SeSystemProfilePrivilege	3044	WMIC.exe
Token: SeSystemtimePrivilege	3044	WMIC.exe
Token: SeProfSingleProcessPrivilege	3044	WMIC.exe
Token: SeIncBasePriorityPrivilege	3044	WMIC.exe
Token: SeCreatePagefilePrivilege	3044	WMIC.exe
Token: SeBackupPrivilege	3044	WMIC.exe
Token: SeRestorePrivilege	3044	WMIC.exe
Token: SeShutdownPrivilege	3044	WMIC.exe
Token: SeDebugPrivilege	3044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3044	WMIC.exe
Token: SeRemoteShutdownPrivilege	3044	WMIC.exe
Token: SeUndockPrivilege	3044	WMIC.exe
Token: SeManageVolumePrivilege	3044	WMIC.exe
Token: 33	3044	WMIC.exe
Token: 34	3044	WMIC.exe
Token: 35	3044	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3044	WMIC.exe
Token: SeSecurityPrivilege	3044	WMIC.exe
Token: SeTakeOwnershipPrivilege	3044	WMIC.exe
Token: SeLoadDriverPrivilege	3044	WMIC.exe
Token: SeSystemProfilePrivilege	3044	WMIC.exe
Token: SeSystemtimePrivilege	3044	WMIC.exe
Token: SeProfSingleProcessPrivilege	3044	WMIC.exe
Token: SeIncBasePriorityPrivilege	3044	WMIC.exe
Token: SeCreatePagefilePrivilege	3044	WMIC.exe
Token: SeBackupPrivilege	3044	WMIC.exe
Token: SeRestorePrivilege	3044	WMIC.exe
Token: SeShutdownPrivilege	3044	WMIC.exe
Token: SeDebugPrivilege	3044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3044	WMIC.exe
Token: SeRemoteShutdownPrivilege	3044	WMIC.exe
Token: SeUndockPrivilege	3044	WMIC.exe
Token: SeManageVolumePrivilege	3044	WMIC.exe
Token: 33	3044	WMIC.exe
Token: 34	3044	WMIC.exe
Token: 35	3044	WMIC.exe
Token: SeBackupPrivilege	636	vssvc.exe
Token: SeRestorePrivilege	636	vssvc.exe
Token: SeAuditPrivilege	636	vssvc.exe
Token: SeBackupPrivilege	1636	wbengine.exe
Token: SeRestorePrivilege	1636	wbengine.exe
Token: SeSecurityPrivilege	1636	wbengine.exe
Token: SeDebugPrivilege	1468	tmp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.execmd.execsc.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1468 wrote to memory of 2776	1468	tmp.exe	cmd.exe
PID 1468 wrote to memory of 2776	1468	tmp.exe	cmd.exe
PID 1468 wrote to memory of 2776	1468	tmp.exe	cmd.exe
PID 2776 wrote to memory of 2804	2776	cmd.exe	schtasks.exe
PID 2776 wrote to memory of 2804	2776	cmd.exe	schtasks.exe
PID 2776 wrote to memory of 2804	2776	cmd.exe	schtasks.exe
PID 1468 wrote to memory of 2816	1468	tmp.exe	csc.exe
PID 1468 wrote to memory of 2816	1468	tmp.exe	csc.exe
PID 1468 wrote to memory of 2816	1468	tmp.exe	csc.exe
PID 2816 wrote to memory of 2864	2816	csc.exe	cvtres.exe
PID 2816 wrote to memory of 2864	2816	csc.exe	cvtres.exe
PID 2816 wrote to memory of 2864	2816	csc.exe	cvtres.exe
PID 1468 wrote to memory of 2904	1468	tmp.exe	cmd.exe
PID 1468 wrote to memory of 2904	1468	tmp.exe	cmd.exe
PID 1468 wrote to memory of 2904	1468	tmp.exe	cmd.exe
PID 1468 wrote to memory of 2924	1468	tmp.exe	cmd.exe
PID 1468 wrote to memory of 2924	1468	tmp.exe	cmd.exe
PID 1468 wrote to memory of 2924	1468	tmp.exe	cmd.exe
PID 1468 wrote to memory of 2948	1468	tmp.exe	cmd.exe
PID 1468 wrote to memory of 2948	1468	tmp.exe	cmd.exe
PID 1468 wrote to memory of 2948	1468	tmp.exe	cmd.exe
PID 1468 wrote to memory of 2972	1468	tmp.exe	cmd.exe
PID 1468 wrote to memory of 2972	1468	tmp.exe	cmd.exe
PID 1468 wrote to memory of 2972	1468	tmp.exe	cmd.exe
PID 1468 wrote to memory of 2992	1468	tmp.exe	cmd.exe
PID 1468 wrote to memory of 2992	1468	tmp.exe	cmd.exe
PID 1468 wrote to memory of 2992	1468	tmp.exe	cmd.exe
PID 2904 wrote to memory of 3012	2904	cmd.exe	vssadmin.exe
PID 2904 wrote to memory of 3012	2904	cmd.exe	vssadmin.exe
PID 2904 wrote to memory of 3012	2904	cmd.exe	vssadmin.exe
PID 2948 wrote to memory of 3044	2948	cmd.exe	WMIC.exe
PID 2948 wrote to memory of 3044	2948	cmd.exe	WMIC.exe
PID 2948 wrote to memory of 3044	2948	cmd.exe	WMIC.exe
PID 1468 wrote to memory of 3060	1468	tmp.exe	cmd.exe
PID 1468 wrote to memory of 3060	1468	tmp.exe	cmd.exe
PID 1468 wrote to memory of 3060	1468	tmp.exe	cmd.exe
PID 2924 wrote to memory of 3068	2924	cmd.exe	wbadmin.exe
PID 2924 wrote to memory of 3068	2924	cmd.exe	wbadmin.exe
PID 2924 wrote to memory of 3068	2924	cmd.exe	wbadmin.exe
PID 1468 wrote to memory of 2520	1468	tmp.exe	cmd.exe
PID 1468 wrote to memory of 2520	1468	tmp.exe	cmd.exe
PID 1468 wrote to memory of 2520	1468	tmp.exe	cmd.exe
PID 2972 wrote to memory of 1388	2972	cmd.exe	wbadmin.exe
PID 2972 wrote to memory of 1388	2972	cmd.exe	wbadmin.exe
PID 2972 wrote to memory of 1388	2972	cmd.exe	wbadmin.exe
PID 1468 wrote to memory of 1604	1468	tmp.exe	cmd.exe
PID 1468 wrote to memory of 1604	1468	tmp.exe	cmd.exe
PID 1468 wrote to memory of 1604	1468	tmp.exe	cmd.exe
PID 2992 wrote to memory of 968	2992	cmd.exe	bcdedit.exe
PID 2992 wrote to memory of 968	2992	cmd.exe	bcdedit.exe
PID 2992 wrote to memory of 968	2992	cmd.exe	bcdedit.exe
PID 3060 wrote to memory of 1420	3060	cmd.exe	bcdedit.exe
PID 3060 wrote to memory of 1420	3060	cmd.exe	bcdedit.exe
PID 3060 wrote to memory of 1420	3060	cmd.exe	bcdedit.exe
PID 2520 wrote to memory of 856	2520	cmd.exe	netsh.exe
PID 2520 wrote to memory of 856	2520	cmd.exe	netsh.exe
PID 2520 wrote to memory of 856	2520	cmd.exe	netsh.exe
PID 1604 wrote to memory of 2040	1604	cmd.exe	netsh.exe
PID 1604 wrote to memory of 2040	1604	cmd.exe	netsh.exe
PID 1604 wrote to memory of 2040	1604	cmd.exe	netsh.exe
PID 1468 wrote to memory of 2420	1468	tmp.exe	mshta.exe
PID 1468 wrote to memory of 2420	1468	tmp.exe	mshta.exe
PID 1468 wrote to memory of 2420	1468	tmp.exe	mshta.exe
PID 1468 wrote to memory of 2420	1468	tmp.exe	mshta.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Encrypted by Loki locker"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your files have been encrypted due to a security problem with your computer\r\nIf you want to restore them, write us to the e-mail: DecryptionCenter@gmail.com\r\nWrite this ID in the title of your message: 9C7AFFE0\r\nIn case of no answer in 24 hours write us to this e-mail: DecryptionCenter@outlook.com"	tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1468

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:2804

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3xbjvmc2\3xbjvmc2.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES651A.tmp" "c:\ProgramData\CSC5577170FC6A344339CDEE72C3326CF4.TMP"
3⤵
PID:2864

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:2904

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:3012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin DELETE SYSTEMSTATEBACKUP
2⤵
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
3⤵
- Deletes System State backups
- Drops file in Windows directory
PID:3068

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
2⤵
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:1388

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:2992

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:968

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
2⤵
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:1420

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off
2⤵
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
PID:856

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C netsh firewall set opmode mode=disable
2⤵
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
3⤵
PID:2040

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta"
2⤵
- Modifies Internet Explorer settings
PID:2420

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta"
2⤵
- Modifies Internet Explorer settings
PID:2436

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta"
2⤵
- Modifies Internet Explorer settings
PID:2452

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta"
2⤵
- Modifies Internet Explorer settings
PID:2468

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta"
2⤵
- Modifies Internet Explorer settings
PID:2484

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1476

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

2

T1059

Scheduled Task

1

T1053

Persistence

Modify Existing Service

2

T1031

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

5

T1112

Disabling Security Tools

1

T1089

File Deletion

4

T1107

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

5

T1490

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\sl5ykzhl.exe
Filesize
32KB

MD5
7c24b021f15185741cf57cdf406fe610

SHA1
bd1a3c35dc912596d715f122a2bd2700c2fbe520

SHA256
8940bafca4dcbf28916b8668e701e9bd73e3eed231183d251e633bbd37a6673f

SHA512
c973d08a24b30ef3a9118a0aa1da83fedc1d19de50983d4eb8bdb10a3a032bb75fc87a0880ba6911a443e864eed9984ec6d919fdd1295852f0083b2ceca072e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES651A.tmp
Filesize
29KB

MD5
e51da7488389e66c4bec0d91aca4a345

SHA1
e484fa7749924fc56f87f4fb218c1b6ad4418539

SHA256
0e7e27ab4dbd45480deb849d6960b5f617d3e00ee51f44363b29f54f206a9d0a

SHA512
8e682ea6456cdcc776f99d21a103bef4adfce85ec8606da04466613567ae697452c4ef178c196fef7150f9ce569a2541bafd8e92b98369c448fc913ef1dea4f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\info.hta
Filesize
3KB

MD5
8db85f72f4e7f9f86ee783c9b73e0567

SHA1
ea9e4671753bdf5f7c0a2bead094ed9b77a40191

SHA256
fa852383ca0b8d9ca64778983d84f8f63fc5fef374419816a3f69c15f9cbcb16

SHA512
4db87476cc174ac1027ae4befcb2c437f63cbeb001fa753244df2650d0ee78381d8f010540170036546a9165372c7710829543377a01c5c4ef3b1b16a56b6955

Download Submit
\??\c:\ProgramData\CSC5577170FC6A344339CDEE72C3326CF4.TMP
Filesize
28KB

MD5
27510a4bdadd67fc61441ae058763755

SHA1
5b009df5ab4991e4d46b03e9e536ede9a06955b7

SHA256
d65f7513fc187799e56b1071f09b026e89538b46f9f111f00b9c875909f9717b

SHA512
33746625e4575db261a845471ad4a3397dda3c9323967b0eabfc89afea06add8784f3cf3960e45692c371c5b324cecfa5ee36a3df9dc89abad94836836c9ecf5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3xbjvmc2\3xbjvmc2.0.cs
Filesize
1KB

MD5
e892b0f91f4f9a2f06efac003741105a

SHA1
66bb3e368ccbbd37ada5f8b59cda5a3c49a09e38

SHA256
a7a6d0539520447df19b5a45f4749e4d42824fcf6355cb4de962acb081b9d898

SHA512
d5fde86d1b610e34ce97391f515540b66d3871e5b3e5f129f7d8246bfa36df31e588c0e79eb117ff3b9296607f47c5e77fa963b0a68f5ce88d470c081e95f59b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3xbjvmc2\3xbjvmc2.cmdline
Filesize
236B

MD5
06ca748c7b8adfd8cabfd379404966d4

SHA1
00b9c855fbfa5505d9c0aa107bdb06ee7ea16d5f

SHA256
6786683f1d55921f9f0cf101fc05b3acb0d38850b12b203f0488a9daa316defa

SHA512
170ad42b7cbb4e66a5f39dfd8d9f6fd2410fb0f637b713084e2dc76bb21e795afaacf5e0095258f032dae0a1dfc7c10c8ef8e87ddb7784e35542421a8ef3f02a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qhwlrdvx.ico
Filesize
27KB

MD5
dbc49b5f7714255217080c2e81f05a99

SHA1
4de2ef415d66d2bb8b389ba140a468b125388e19

SHA256
6d2f1f6164cbd331b9dc43b37948372e21b2ee45407aa99e199693835cded09c

SHA512
29a65eb7403bfc220fd057c2e6ea11b29bff545dfce2d3370ad462c66b03ae7f648efd480305423a49440de199a2a94c41214877b226a42dc2d1650683d149bb

Download Submit
memory/856-82-0x0000000000000000-mapping.dmp

Download
memory/968-79-0x0000000000000000-mapping.dmp

Download
memory/1388-76-0x0000000000000000-mapping.dmp

Download
memory/1420-81-0x0000000000000000-mapping.dmp

Download
memory/1468-54-0x000000013FEA0000-0x000000013FF22000-memory.dmp

Filesize
520KB

Download
memory/1468-55-0x000000001BAA7000-0x000000001BAC6000-memory.dmp

Filesize
124KB

Download
memory/1604-77-0x0000000000000000-mapping.dmp

Download
memory/2040-83-0x0000000000000000-mapping.dmp

Download
memory/2420-86-0x0000000000000000-mapping.dmp

Download
memory/2436-87-0x0000000000000000-mapping.dmp

Download
memory/2452-88-0x0000000000000000-mapping.dmp

Download
memory/2452-91-0x0000000075371000-0x0000000075373000-memory.dmp

Filesize
8KB

Download
memory/2468-89-0x0000000000000000-mapping.dmp

Download
memory/2484-90-0x0000000000000000-mapping.dmp

Download
memory/2520-75-0x0000000000000000-mapping.dmp

Download
memory/2776-56-0x0000000000000000-mapping.dmp

Download
memory/2804-57-0x0000000000000000-mapping.dmp

Download
memory/2816-58-0x0000000000000000-mapping.dmp

Download
memory/2864-62-0x0000000000000000-mapping.dmp

Download
memory/2904-66-0x0000000000000000-mapping.dmp

Download
memory/2924-67-0x0000000000000000-mapping.dmp

Download
memory/2948-68-0x0000000000000000-mapping.dmp

Download
memory/2972-69-0x0000000000000000-mapping.dmp

Download
memory/2992-70-0x0000000000000000-mapping.dmp

Download
memory/3012-71-0x0000000000000000-mapping.dmp

Download
memory/3044-72-0x0000000000000000-mapping.dmp

Download
memory/3060-73-0x0000000000000000-mapping.dmp

Download
memory/3068-78-0x000007FEFB551000-0x000007FEFB553000-memory.dmp

Filesize
8KB

Download
memory/3068-74-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads