Analysis
- max time kernel: 152s
- max time network: 53s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 28-04-2022 20:09
Static task: static1
Behavioral task: behavioral1 (Sample: tmp.exe, Resource: win7-20220414-en)
Behavioral task: behavioral2 (Sample: tmp.exe, Resource: win10v2004-20220414-en)
General
- Target: tmp.exe
- Size: 484KB
- MD5: 8b062fa952cc294d7db09794e2d44ce0
- SHA1: ce13e42217f7d0e950dd8ae5ee5ec8d5be6af177
- SHA256: 71d0c896720e01be1b6b095fc8917bcac38f8bc8ed3caba8bf9c2a4fcdde1747
- SHA512: a6643699544db21955c927e9a7cdfd1c056c7078e27d9c68ff68865c240ff3dfd0f8aecd7f4926b9746eaa989b3cbef681e5ffd19c643cd02a7faba2534ed26d
Malware Config
Extracted from C:\Restore-My-Files.txt:
- DecryptionCenter@gmail.com
- DecryptionCenter@outlook.com
Extracted from C:\Users\Admin\AppData\Local\Temp\info.hta:
- DecryptionCenter@gmail.com
- DecryptionCenter@outlook.com
Signatures
- Lockbit: Ransomware family with multiple variants released since late 2019.
- suricata: ET MALWARE Loki Locker Ransomware CnC Activity
- suricata: ET MALWARE Loki Locker Ransomware CnC Domain in DNS Lookup
- suricata: ET MALWARE Loki Locker Ransomware User-Agent
-
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
Processes: bcdedit.exe (PID 1420), bcdedit.exe (PID 968)
Deletes System State backups (see process tree: wbadmin DELETE SYSTEMSTATEBACKUP)
Processes: wbadmin.exe (PID 3068)
Deletes backup catalog (see process tree: wbadmin delete catalog -quiet)
Processes: wbadmin.exe (PID 1388)
Disables Task Manager via registry modification
Modifies Windows Firewall (1 TTPs)
Modifies extensions of user files (1 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: tmp.exe
- File opened for modification C:\Users\Admin\Pictures\ConvertToRequest.tiff
Drops startup file (3 IoCs)
Processes: tmp.exe
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wvtymcow.bat
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: tmp.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\ProgramData\\winlogon.exe"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\Windows\\winlogon.exe"
Drops desktop.ini file(s) (38 IoCs)
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes: tmp.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gz544dmx.Loki"
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (5 IoCs)
Processes: tmp.exe, wbadmin.exe
- File created C:\Windows\winlogon.exe (tmp.exe)
- File opened for modification C:\Windows\winlogon.exe (tmp.exe)
- File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl (wbadmin.exe)
- File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl (wbadmin.exe)
- File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl (wbadmin.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe (PID 3012)
Modifies Control Panel (2 IoCs)
Processes: tmp.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\Desktop\WallpaperStyle = "2"
- Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\Desktop\TileWallpaper = "0"
Modifies Internet Explorer settings (see process tree: mshta.exe)
Processes: mshta.exe (5 instances)
- Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main (once per mshta.exe instance)
Modifies registry class (7 IoCs)
Processes: tmp.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Loki
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Loki\ = "Loki"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Loki
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open\command\ = "C:\\ProgramData\\sl5ykzhl.exe \"%l\" "
Suspicious behavior: EnumeratesProcesses (60 IoCs)
Processes: tmp.exe (PID 1468), 60 occurrences
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes: tmp.exe, WMIC.exe, vssvc.exe, wbengine.exe
- tmp.exe (PID 1468): SeDebugPrivilege (2 occurrences)
- WMIC.exe (PID 3044), full set adjusted twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- vssvc.exe (PID 636): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- wbengine.exe (PID 1636): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: tmp.exe, cmd.exe, csc.exe (each write below was recorded three times, the mshta.exe write four times)
- tmp.exe (PID 1468) wrote to memory of: cmd.exe (PID 2776), csc.exe (PID 2816), cmd.exe (PIDs 2904, 2924, 2948, 2972, 2992, 3060, 2520, 1604), mshta.exe (PID 2420)
- cmd.exe (PID 2776) wrote to memory of schtasks.exe (PID 2804)
- csc.exe (PID 2816) wrote to memory of cvtres.exe (PID 2864)
- cmd.exe (PID 2904) wrote to memory of vssadmin.exe (PID 3012)
- cmd.exe (PID 2948) wrote to memory of WMIC.exe (PID 3044)
- cmd.exe (PID 2924) wrote to memory of wbadmin.exe (PID 3068)
- cmd.exe (PID 2972) wrote to memory of wbadmin.exe (PID 1388)
- cmd.exe (PID 2992) wrote to memory of bcdedit.exe (PID 968)
- cmd.exe (PID 3060) wrote to memory of bcdedit.exe (PID 1420)
- cmd.exe (PID 2520) wrote to memory of netsh.exe (PID 856)
- cmd.exe (PID 1604) wrote to memory of netsh.exe (PID 2040)
System policy modification (1 TTPs, 2 IoCs)
Processes: tmp.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Encrypted by Loki locker"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your files have been encrypted due to a security problem with your computer\r\nIf you want to restore them, write us to the e-mail: DecryptionCenter@gmail.com\r\nWrite this ID in the title of your message: 9C7AFFE0\r\nIn case of no answer in 24 hours write us to this e-mail: DecryptionCenter@outlook.com"
Processes (nested by parent; the original marks nesting depth with 1⤵, 2⤵, 3⤵)
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  Signatures: Modifies extensions of user files; Drops startup file; Adds Run key to start application; Drops desktop.ini file(s); Sets desktop wallpaper using registry; Drops file in Program Files directory; Drops file in Windows directory; Modifies Control Panel; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe
      Command line: schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
      Signatures: Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3xbjvmc2\3xbjvmc2.cmdline"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES651A.tmp" "c:\ProgramData\CSC5577170FC6A344339CDEE72C3326CF4.TMP"
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      Signatures: Interacts with shadow copies
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C wbadmin DELETE SYSTEMSTATEBACKUP
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\wbadmin.exe
      Command line: wbadmin DELETE SYSTEMSTATEBACKUP
      Signatures: Deletes System State backups; Drops file in Windows directory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\wbadmin.exe
      Command line: wbadmin delete catalog -quiet
      Signatures: Deletes backup catalog
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      Signatures: Modifies boot configuration data using bcdedit
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} recoveryenabled no
      Signatures: Modifies boot configuration data using bcdedit
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\netsh.exe
      Command line: netsh advfirewall set currentprofile state off
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C netsh firewall set opmode mode=disable
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\netsh.exe
      Command line: netsh firewall set opmode mode=disable
  - C:\Windows\SysWOW64\mshta.exe (5 instances, identical command line)
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta"
    Signatures: Modifies Internet Explorer settings
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\sl5ykzhl.exe (Filesize: 32KB)
- C:\Users\Admin\AppData\Local\Temp\RES651A.tmp (Filesize: 29KB)
- C:\Users\Admin\AppData\Local\Temp\info.hta (Filesize: 3KB)
- \??\c:\ProgramData\CSC5577170FC6A344339CDEE72C3326CF4.TMP (Filesize: 28KB)
- \??\c:\Users\Admin\AppData\Local\Temp\3xbjvmc2\3xbjvmc2.0.cs (Filesize: 1KB)
- \??\c:\Users\Admin\AppData\Local\Temp\3xbjvmc2\3xbjvmc2.cmdline (Filesize: 236B)
- \??\c:\Users\Admin\AppData\Local\Temp\qhwlrdvx.ico (Filesize: 27KB)