Analysis
max time kernel: 150s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 28-04-2022 20:09

Static task: static1
Behavioral task: behavioral1
  Sample: tmp.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: tmp.exe
  Resource: win10v2004-20220414-en
General
Target: tmp.exe
Size: 484KB
MD5: 8b062fa952cc294d7db09794e2d44ce0
SHA1: ce13e42217f7d0e950dd8ae5ee5ec8d5be6af177
SHA256: 71d0c896720e01be1b6b095fc8917bcac38f8bc8ed3caba8bf9c2a4fcdde1747
SHA512: a6643699544db21955c927e9a7cdfd1c056c7078e27d9c68ff68865c240ff3dfd0f8aecd7f4926b9746eaa989b3cbef681e5ffd19c643cd02a7faba2534ed26d
Malware Config
Extracted from C:\Restore-My-Files.txt:
  DecryptionCenter@gmail.com
  DecryptionCenter@outlook.com
Extracted from C:\Users\Admin\AppData\Local\Temp\info.hta:
  DecryptionCenter@gmail.com
  DecryptionCenter@outlook.com
Signatures
Lockbit
  Ransomware family with multiple variants released since late 2019.
suricata: ET MALWARE Loki Locker Ransomware CnC Activity
suricata: ET MALWARE Loki Locker Ransomware CnC Domain in DNS Lookup
suricata: ET MALWARE Loki Locker Ransomware User-Agent
Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  Processes (bcdedit.exe):
  - pid 4628 bcdedit.exe
  - pid 216 bcdedit.exe
Deletes System State backups (signature name taken from the process tree entry for pid 2084)
  Processes (wbadmin.exe):
  - pid 2084 wbadmin.exe
Deletes backup catalog (signature name taken from the process tree entry for pid 1408)
  Processes (wbadmin.exe):
  - pid 1408 wbadmin.exe
Disables Task Manager via registry modification
Modifies Windows Firewall (1 TTPs)
Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (tmp.exe):
  - Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (tmp.exe)
Drops startup file (3 IoCs)
  Processes (tmp.exe):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe (tmp.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe (tmp.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wvtymcow.bat (tmp.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (tmp.exe):
  - Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\ProgramData\\winlogon.exe" (tmp.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\Windows\\winlogon.exe" (tmp.exe)
Drops desktop.ini file(s) (28 IoCs)
  Processes (tmp.exe); every entry is "File opened for modification" by tmp.exe:
  - C:\Users\Public\AccountPictures\desktop.ini
  - C:\Users\Public\Downloads\desktop.ini
  - C:\Users\Admin\Contacts\desktop.ini
  - C:\Users\Admin\Favorites\desktop.ini
  - C:\Program Files\desktop.ini
  - C:\Users\Public\Desktop\desktop.ini
  - C:\Users\Public\Libraries\desktop.ini
  - C:\Users\Admin\Downloads\desktop.ini
  - C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
  - C:\Users\Public\Documents\desktop.ini
  - C:\Users\Public\desktop.ini
  - C:\Users\Admin\Links\desktop.ini
  - C:\Users\Admin\OneDrive\desktop.ini
  - C:\Users\Admin\Videos\desktop.ini
  - C:\Users\Public\Music\desktop.ini
  - C:\Users\Admin\3D Objects\desktop.ini
  - C:\Users\Admin\Desktop\desktop.ini
  - C:\Users\Admin\Favorites\Links\desktop.ini
  - C:\Users\Admin\Pictures\Camera Roll\desktop.ini
  - C:\Users\Admin\Pictures\desktop.ini
  - C:\Users\Admin\Saved Games\desktop.ini
  - C:\Users\Public\Videos\desktop.ini
  - C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
  - C:\Program Files (x86)\desktop.ini
  - C:\Users\Admin\Documents\desktop.ini
  - C:\Users\Admin\Music\desktop.ini
  - C:\Users\Admin\Searches\desktop.ini
  - C:\Users\Public\Pictures\desktop.ini
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes (tmp.exe):
  - Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tjunlxjw.Loki" (tmp.exe)
Drops file in Program Files directory (64 IoCs)
  Processes (tmp.exe); all entries by tmp.exe:
  - File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-48.png
  - File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InkObj.dll.mui
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ul-oob.xrm-ms
  - File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\FBIBLIO.DLL
  - File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\URLREDIR.DLL
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-125_contrast-white.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-30_altform-lightunplated.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreLogo.png
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\illustrations.png
  - File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp2.scale-125.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalMedTile.scale-200_contrast-white.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupWideTile.scale-125.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-200_contrast-black.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\WorldClockLargeTile.contrast-black_scale-200.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\StoreRatingPromotion.winmd
  - File created: C:\Program Files\Common Files\microsoft shared\VC\Restore-My-Files.txt
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-api-caching_ja.jar
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ppd.xrm-ms
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-64_altform-lightunplated.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Tongue.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\WideTile.scale-100.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\AppxManifest.xml
  - File opened for modification: C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msadcor.dll.mui
  - File created: C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\Restore-My-Files.txt
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageSplashScreen.scale-100.png
  - File created: C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Config\Restore-My-Files.txt
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\styles\wefgallerywinrt.css
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-16_altform-lightunplated.png
  - File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyCalendarSearch.scale-200.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupSmallTile.scale-100.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageSmallTile.scale-100.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\node_modules\reactxp-experimental-navigation\NavigationExperimental\assets\back-icon.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_2019.716.2313.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_blu.css
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ul-oob.xrm-ms
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-pl.xrm-ms
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookWideTile.scale-125.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_altform-unplated_contrast-white.png
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-il\ui-strings.js
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\az_get.svg
  - File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailLargeTile.scale-200.png
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ja-jp\AppStore_icon.svg
  - File opened for modification: C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-phn.xrm-ms
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-phn.xrm-ms
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ul-oob.xrm-ms
  - File opened for modification: C:\Program Files\Microsoft Office\root\rsod\wordmui.msi.16.en-us.boot.tree.dat
  - File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\Restore-My-Files.txt
  - File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\show_third_party_software_licenses.bat
  - File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreWideTile.scale-100.png
  - File created: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\LayersControl\Restore-My-Files.txt
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_retina.png
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-Bold.otf
  - File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_contrast-black.png
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\ui-strings.js
  - File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeBadge.scale-200.png
  - File created: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Restore-My-Files.txt
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.ja_5.5.0.165303.jar
  - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\msipc.dll.mui
  - File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\Restore-My-Files.txt
  - File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\SmallTile.scale-125.png
Drops file in Windows directory (5 IoCs)
  Processes (tmp.exe, wbadmin.exe):
  - File created: C:\Windows\winlogon.exe (tmp.exe)
  - File opened for modification: C:\Windows\winlogon.exe (tmp.exe)
  - File opened for modification: C:\Windows\Logs\WindowsBackup\WBEngine.3.etl (wbadmin.exe)
  - File opened for modification: C:\Windows\Logs\WindowsBackup\WBEngine.2.etl (wbadmin.exe)
  - File opened for modification: C:\Windows\Logs\WindowsBackup\WBEngine.1.etl (wbadmin.exe)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (vds.exe):
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 (vds.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (vds.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 (vds.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName (vds.exe)
Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (vssadmin.exe):
  - pid 3808 vssadmin.exe
Modifies Control Panel (2 IoCs)
  Processes (tmp.exe):
  - Set value (int): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Desktop\WallpaperStyle = "2" (tmp.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Desktop\TileWallpaper = "0" (tmp.exe)
Modifies registry class (8 IoCs)
  Processes (tmp.exe):
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Loki (tmp.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell (tmp.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open (tmp.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open\command\ = "C:\\ProgramData\\z5zwlrde.exe \"%l\" " (tmp.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings (tmp.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.Loki (tmp.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.Loki\ = "Loki" (tmp.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open\command (tmp.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (tmp.exe):
  - pid 1372 tmp.exe (the same entry is recorded 64 times)
Suspicious use of AdjustPrivilegeToken (50 IoCs)
  Processes (tmp.exe, vssvc.exe, WMIC.exe, wbengine.exe):
  - Token: SeDebugPrivilege, pid 1372 tmp.exe
  - Token: SeBackupPrivilege, pid 208 vssvc.exe
  - Token: SeRestorePrivilege, pid 208 vssvc.exe
  - Token: SeAuditPrivilege, pid 208 vssvc.exe
  - Token: SeIncreaseQuotaPrivilege, pid 328 WMIC.exe
  - Token: SeSecurityPrivilege, pid 328 WMIC.exe
  - Token: SeTakeOwnershipPrivilege, pid 328 WMIC.exe
  - Token: SeLoadDriverPrivilege, pid 328 WMIC.exe
  - Token: SeSystemProfilePrivilege, pid 328 WMIC.exe
  - Token: SeSystemtimePrivilege, pid 328 WMIC.exe
  - Token: SeProfSingleProcessPrivilege, pid 328 WMIC.exe
  - Token: SeIncBasePriorityPrivilege, pid 328 WMIC.exe
  - Token: SeCreatePagefilePrivilege, pid 328 WMIC.exe
  - Token: SeBackupPrivilege, pid 328 WMIC.exe
  - Token: SeRestorePrivilege, pid 328 WMIC.exe
  - Token: SeShutdownPrivilege, pid 328 WMIC.exe
  - Token: SeDebugPrivilege, pid 328 WMIC.exe
  - Token: SeSystemEnvironmentPrivilege, pid 328 WMIC.exe
  - Token: SeRemoteShutdownPrivilege, pid 328 WMIC.exe
  - Token: SeUndockPrivilege, pid 328 WMIC.exe
  - Token: SeManageVolumePrivilege, pid 328 WMIC.exe
  - Token: 33, pid 328 WMIC.exe
  - Token: 34, pid 328 WMIC.exe
  - Token: 35, pid 328 WMIC.exe
  - Token: 36, pid 328 WMIC.exe
  - Token: SeBackupPrivilege, pid 1356 wbengine.exe
  - Token: SeRestorePrivilege, pid 1356 wbengine.exe
  - Token: SeSecurityPrivilege, pid 1356 wbengine.exe
  - (the 21 WMIC.exe pid 328 token entries above are recorded a second time, in the same order)
  - Token: SeDebugPrivilege, pid 1372 tmp.exe
Suspicious use of WriteProcessMemory (55 IoCs)
  Processes (tmp.exe, cmd.exe, csc.exe); columns are description, pid, process, target process; the count in brackets is how many times the entry is recorded:
  - PID 1372 wrote to memory of 876, 1372 tmp.exe -> cmd.exe [2]
  - PID 1372 wrote to memory of 1292, 1372 tmp.exe -> csc.exe [2]
  - PID 876 wrote to memory of 4044, 876 cmd.exe -> schtasks.exe [2]
  - PID 1292 wrote to memory of 4392, 1292 csc.exe -> cvtres.exe [2]
  - PID 1372 wrote to memory of 2792, 1372 tmp.exe -> cmd.exe [2]
  - PID 1372 wrote to memory of 3304, 1372 tmp.exe -> cmd.exe [2]
  - PID 1372 wrote to memory of 4060, 1372 tmp.exe -> cmd.exe [2]
  - PID 1372 wrote to memory of 4760, 1372 tmp.exe -> cmd.exe [2]
  - PID 1372 wrote to memory of 3880, 1372 tmp.exe -> cmd.exe [2]
  - PID 1372 wrote to memory of 4764, 1372 tmp.exe -> cmd.exe [2]
  - PID 1372 wrote to memory of 3372, 1372 tmp.exe -> cmd.exe [2]
  - PID 1372 wrote to memory of 2340, 1372 tmp.exe -> cmd.exe [2]
  - PID 2792 wrote to memory of 3808, 2792 cmd.exe -> vssadmin.exe [2]
  - PID 3304 wrote to memory of 2084, 3304 cmd.exe -> wbadmin.exe [2]
  - PID 4764 wrote to memory of 4628, 4764 cmd.exe -> bcdedit.exe [2]
  - PID 4060 wrote to memory of 328, 4060 cmd.exe -> WMIC.exe [2]
  - PID 3880 wrote to memory of 216, 3880 cmd.exe -> bcdedit.exe [2]
  - PID 4760 wrote to memory of 1408, 4760 cmd.exe -> wbadmin.exe [2]
  - PID 3372 wrote to memory of 4052, 3372 cmd.exe -> netsh.exe [2]
  - PID 2340 wrote to memory of 4772, 2340 cmd.exe -> netsh.exe [2]
  - PID 1372 wrote to memory of 5028, 1372 tmp.exe -> mshta.exe [3]
  - PID 1372 wrote to memory of 3808, 1372 tmp.exe -> mshta.exe [3]
  - PID 1372 wrote to memory of 328, 1372 tmp.exe -> mshta.exe [3]
  - PID 1372 wrote to memory of 3292, 1372 tmp.exe -> mshta.exe [3]
  - PID 1372 wrote to memory of 3096, 1372 tmp.exe -> mshta.exe [3]
System policy modification (1 TTPs, 2 IoCs)
  Processes (tmp.exe):
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Encrypted by Loki locker" (tmp.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your files have been encrypted due to a security problem with your computer\r\nIf you want to restore them, write us to the e-mail: DecryptionCenter@gmail.com\r\nWrite this ID in the title of your message: 80B7D473\r\nIn case of no answer in 24 hours write us to this e-mail: DecryptionCenter@outlook.com" (tmp.exe)
Processes
The bracketed number is the depth in the process tree as reported ([1] = top level, [2] = child, [3] = grandchild); each entry gives the image path, the command line, and the signatures attributed to that process.

[1] C:\Users\Admin\AppData\Local\Temp\tmp.exe
    command: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

  [2] C:\Windows\System32\cmd.exe
      command: "C:\Windows\System32\cmd.exe" /C schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\schtasks.exe
        command: schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
        - Creates scheduled task(s)

  [2] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z3clf3pj\z3clf3pj.cmdline"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES19B2.tmp" "c:\ProgramData\CSCC4B5ECF2E09B44A7BB84836E8E6D7B94.TMP"

  [2] C:\Windows\System32\cmd.exe
      command: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\vssadmin.exe
        command: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies

  [2] C:\Windows\System32\cmd.exe
      command: "C:\Windows\System32\cmd.exe" /C wbadmin DELETE SYSTEMSTATEBACKUP
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\wbadmin.exe
        command: wbadmin DELETE SYSTEMSTATEBACKUP
        - Deletes System State backups
        - Drops file in Windows directory

  [2] C:\Windows\System32\cmd.exe
      command: "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\Wbem\WMIC.exe
        command: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\cmd.exe
      command: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\wbadmin.exe
        command: wbadmin delete catalog -quiet
        - Deletes backup catalog

  [2] C:\Windows\System32\cmd.exe
      command: "C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\netsh.exe
        command: netsh advfirewall set currentprofile state off

  [2] C:\Windows\System32\cmd.exe
      command: "C:\Windows\System32\cmd.exe" /C netsh firewall set opmode mode=disable
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\netsh.exe
        command: netsh firewall set opmode mode=disable

  [2] C:\Windows\System32\cmd.exe
      command: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\bcdedit.exe
        command: bcdedit /set {default} recoveryenabled no
        - Modifies boot configuration data using bcdedit

  [2] C:\Windows\System32\cmd.exe
      command: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\bcdedit.exe
        command: bcdedit /set {default} bootstatuspolicy ignoreallfailures
        - Modifies boot configuration data using bcdedit

  [2] C:\Windows\SysWOW64\mshta.exe (five separate instances, each launched with the same command line)
      command: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

[1] C:\Windows\system32\vssvc.exe
    command: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\wbengine.exe
    command: "C:\Windows\system32\wbengine.exe"
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\vdsldr.exe
    command: C:\Windows\System32\vdsldr.exe -Embedding

[1] C:\Windows\System32\vds.exe
    command: C:\Windows\System32\vds.exe
    - Checks SCSI registry key(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\ProgramData\z5zwlrde.exe
  Filesize: 32KB
  MD5: 1c5051c9e064f3dfb0088a3d852281a0
  SHA1: e7bcf4b0ec8bb459cffaf8c691ca36a18b403da8
  SHA256: a6d1a4fb561ebd5bfc0eac7b22978bb0b0f2004a42fb52a11364e6b1ae25d1a2
  SHA512: 67dc59d6cb157d507cb01fe3a746994cc597bdab134950da9c020af71d204c3235b8fb899437c00a2dad58ad4acc9428f2915faab697e9a829df5450a8b8dd74

C:\Users\Admin\AppData\Local\Temp\RES19B2.tmp
  Filesize: 29KB
  MD5: 56e8a9728a42943903552b125f94dc95
  SHA1: 764c0ddf259e8a514941edb00c645aaea150a99f
  SHA256: ab97366ea67260f1d07a54520d40fb161c4dac1aea625d0c2c345b893172e7cb
  SHA512: f16fdaf4f371c069394fcdf0bd2a0e2dc4252ffbdbefab038f3f8ae26d9003be5aca950ad237a5f46fbf731c79eb65d293e2e253b1240f36b4503f29297696a2

C:\Users\Admin\AppData\Local\Temp\info.hta
  Filesize: 3KB
  MD5: f31024709650ffcc3e0576849d068b1c
  SHA1: 894a3226eba49173fdf7adfe9d0a41ac9879c392
  SHA256: 3e358980a2ea52465feaaaa7668befa90ca26b520a51d1ce28541c534a4615c3
  SHA512: 2c5e33b52ade0899fb7467ee733eb3d8add0e7b4d077bca9942cee37164f37b82f23f820e367a3993db21b91317d42aae8e63cceff6b16dbdcea7831dd8d44ce

\??\c:\ProgramData\CSCC4B5ECF2E09B44A7BB84836E8E6D7B94.TMP
  Filesize: 28KB
  MD5: d8780092762a525157b7bd01d55adeec
  SHA1: f78ff65954c9e8090bd31aeb222d0c0010df7178
  SHA256: 7f215eb4e5694aed3bff7d9855d2718281dec8ac3d80d6db6773d66f45f64e4e
  SHA512: 388e1b85f06f7f87675b68df76a50639fcf3b677d7207ec134f420f5af36729bd05472636ebfdfce3920048aa88a8c7366b279549323481587e45cfeffa63acf

\??\c:\Users\Admin\AppData\Local\Temp\0ia4orha.ico
  Filesize: 27KB
  MD5: dbc49b5f7714255217080c2e81f05a99
  SHA1: 4de2ef415d66d2bb8b389ba140a468b125388e19
  SHA256: 6d2f1f6164cbd331b9dc43b37948372e21b2ee45407aa99e199693835cded09c
  SHA512: 29a65eb7403bfc220fd057c2e6ea11b29bff545dfce2d3370ad462c66b03ae7f648efd480305423a49440de199a2a94c41214877b226a42dc2d1650683d149bb

\??\c:\Users\Admin\AppData\Local\Temp\z3clf3pj\z3clf3pj.0.cs
  Filesize: 1KB
  MD5: 8f062ded0c36d22e73ce2fb77df8304a
  SHA1: ae89a5daf9ee054c2f3e2add2d00446ae894b478
  SHA256: b3e950f1dd0336ad0de7fc4650245dd7eff1b172663442393a8876baa86b03ab
  SHA512: 6eac41dfaad2622b7d6aba41da2e32df8f4af39414f6859b11a98f963e33613fb526d095405f18f053e0500264d2c97f76c3022d4764570ed9d6b7a2eb2db9a1

\??\c:\Users\Admin\AppData\Local\Temp\z3clf3pj\z3clf3pj.cmdline
  Filesize: 236B
  MD5: 2065791ac23528d813061be1cd2eb55d
  SHA1: 15e7c5bef2c287abec9edd0c08efb7d64078fbc7
  SHA256: 7d2a5b7d17ae9b684b9a6c135dc9a8ccb0fcdb4a3455494123f1ac445bd9f233
  SHA512: 91873c61910a2c77044a27a2e5717cfd5d44ca0d92990ad127617c024b04f7179c4c4bb5944eb9db50cf4e49ee407097972b09dfbcd934d4426c1690e54d65d8
Memory dumps
memory/216-155-0x0000000000000000-mapping.dmp
memory/328-161-0x0000000000000000-mapping.dmp
memory/328-154-0x0000000000000000-mapping.dmp
memory/876-133-0x0000000000000000-mapping.dmp
memory/1292-134-0x0000000000000000-mapping.dmp
memory/1372-132-0x00007FFD52380000-0x00007FFD52E41000-memory.dmp (Filesize: 10.8MB)
memory/1372-131-0x000000001CF00000-0x000000001CF76000-memory.dmp (Filesize: 472KB)
memory/1372-130-0x0000000000900000-0x0000000000982000-memory.dmp (Filesize: 520KB)
memory/1408-156-0x0000000000000000-mapping.dmp
memory/2084-152-0x0000000000000000-mapping.dmp
memory/2340-150-0x0000000000000000-mapping.dmp
memory/2792-143-0x0000000000000000-mapping.dmp
memory/3096-163-0x0000000000000000-mapping.dmp
memory/3292-162-0x0000000000000000-mapping.dmp
memory/3304-144-0x0000000000000000-mapping.dmp
memory/3372-149-0x0000000000000000-mapping.dmp
memory/3808-151-0x0000000000000000-mapping.dmp
memory/3808-160-0x0000000000000000-mapping.dmp
memory/3880-147-0x0000000000000000-mapping.dmp
memory/4044-135-0x0000000000000000-mapping.dmp
memory/4052-157-0x0000000000000000-mapping.dmp
memory/4060-145-0x0000000000000000-mapping.dmp
memory/4392-139-0x0000000000000000-mapping.dmp
memory/4628-153-0x0000000000000000-mapping.dmp
memory/4760-146-0x0000000000000000-mapping.dmp
memory/4764-148-0x0000000000000000-mapping.dmp
memory/4772-158-0x0000000000000000-mapping.dmp
memory/5028-159-0x0000000000000000-mapping.dmp