Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 05-05-2022 18:58
Static task: static1
Behavioral task: behavioral1
- Sample: tmp.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: tmp.exe
- Resource: win10v2004-20220414-en
General
- Target: tmp.exe
- Size: 484KB
- MD5: 8b062fa952cc294d7db09794e2d44ce0
- SHA1: ce13e42217f7d0e950dd8ae5ee5ec8d5be6af177
- SHA256: 71d0c896720e01be1b6b095fc8917bcac38f8bc8ed3caba8bf9c2a4fcdde1747
- SHA512: a6643699544db21955c927e9a7cdfd1c056c7078e27d9c68ff68865c240ff3dfd0f8aecd7f4926b9746eaa989b3cbef681e5ffd19c643cd02a7faba2534ed26d
Malware Config
Extracted from C:\Restore-My-Files.txt:
- DecryptionCenter@gmail.com
- DecryptionCenter@outlook.com
Extracted from C:\Users\Admin\AppData\Local\Temp\info.hta:
- DecryptionCenter@gmail.com
- DecryptionCenter@outlook.com
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
suricata: ET MALWARE Loki Locker Ransomware CnC Activity
-
suricata: ET MALWARE Loki Locker Ransomware CnC Domain in DNS Lookup
-
suricata: ET MALWARE Loki Locker Ransomware User-Agent
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
- pid 5636 bcdedit.exe
- pid 5588 bcdedit.exe
-
Processes:
- pid 5600 wbadmin.exe
-
Processes:
- pid 3592 wbadmin.exe
-
Disables Task Manager via registry modification
-
Modifies Windows Firewall 1 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation (tmp.exe)
-
Drops startup file 3 IoCs
Processes:
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe (tmp.exe)
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wvtymcow.bat (tmp.exe)
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe (tmp.exe)
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\Windows\\winlogon.exe" (tmp.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\ProgramData\\winlogon.exe" (tmp.exe)
-
Drops desktop.ini file(s) 28 IoCs
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4j311ty1.Loki" (tmp.exe)
-
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
Processes:
- File created C:\Windows\winlogon.exe (tmp.exe)
- File opened for modification C:\Windows\winlogon.exe (tmp.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 (vds.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (vds.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 (vds.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName (vds.exe)
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- pid 3688 vssadmin.exe
-
Modifies Control Panel 2 IoCs
Processes:
- Set value (int) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\Desktop\WallpaperStyle = "2" (tmp.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\Desktop\TileWallpaper = "0" (tmp.exe)
-
Modifies registry class 8 IoCs
Processes:
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Loki (tmp.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Loki\ = "Loki" (tmp.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open\command (tmp.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Loki (tmp.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell (tmp.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open (tmp.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open\command\ = "C:\\ProgramData\\kwiwnuqg.exe \"%l\" " (tmp.exe)
- Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings (tmp.exe)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- pid 4668 tmp.exe (64 identical entries)
-
Suspicious use of AdjustPrivilegeToken 50 IoCs
Processes:
Token privileges, grouped by process (the original list records the WMIC.exe sequence twice and the tmp.exe entry twice, at the start and end):
- tmp.exe (pid 4668): Token: SeDebugPrivilege (recorded twice)
- WMIC.exe (pid 2244), sequence recorded twice: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- vssvc.exe (pid 5632): Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- wbengine.exe (pid 4656): Token: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
-
Suspicious use of WriteProcessMemory 55 IoCs
Processes:
Parent-to-child writes (each pair is recorded twice in the original list, the mshta.exe children three times), listed once per pair in order of first appearance:
- 4668 tmp.exe -> 5720 cmd.exe
- 4668 tmp.exe -> 5696 csc.exe
- 5720 cmd.exe -> 5940 schtasks.exe
- 5696 csc.exe -> 6024 cvtres.exe
- 4668 tmp.exe -> 532 cmd.exe
- 4668 tmp.exe -> 1944 cmd.exe
- 4668 tmp.exe -> 5216 cmd.exe
- 4668 tmp.exe -> 6112 cmd.exe
- 4668 tmp.exe -> 5040 cmd.exe
- 4668 tmp.exe -> 3944 cmd.exe
- 4668 tmp.exe -> 5348 cmd.exe
- 4668 tmp.exe -> 2472 cmd.exe
- 532 cmd.exe -> 3688 vssadmin.exe
- 6112 cmd.exe -> 3592 wbadmin.exe
- 3944 cmd.exe -> 5636 bcdedit.exe
- 5216 cmd.exe -> 2244 WMIC.exe
- 1944 cmd.exe -> 5600 wbadmin.exe
- 5348 cmd.exe -> 3656 netsh.exe
- 5040 cmd.exe -> 5588 bcdedit.exe
- 2472 cmd.exe -> 4684 netsh.exe
- 4668 tmp.exe -> 5712 mshta.exe
- 4668 tmp.exe -> 6016 mshta.exe
- 4668 tmp.exe -> 6048 mshta.exe
- 4668 tmp.exe -> 5892 mshta.exe
- 4668 tmp.exe -> 6100 mshta.exe
-
System policy modification 1 TTPs 2 IoCs
Processes:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Encrypted by Loki locker" (tmp.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your files have been encrypted due to a security problem with your computer\r\nIf you want to restore them, write us to the e-mail: DecryptionCenter@gmail.com\r\nWrite this ID in the title of your message: 1095E964\r\nIn case of no answer in 24 hours write us to this e-mail: DecryptionCenter@outlook.com" (tmp.exe)
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\cmd.exe (depth 2)
  command line: "C:\Windows\System32\cmd.exe" /C schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe (depth 3)
  command line: schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (depth 2)
  command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\duug14l2\duug14l2.cmdline"
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (depth 3)
  command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E79.tmp" "c:\ProgramData\CSCC35B4BAE327346C49246E3A5B5D8F9B8.TMP"
-
C:\Windows\System32\cmd.exe (depth 2)
  command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exe (depth 3)
  command line: vssadmin delete shadows /all /quiet
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe (depth 2)
  command line: "C:\Windows\System32\cmd.exe" /C wbadmin DELETE SYSTEMSTATEBACKUP
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbadmin.exe (depth 3)
  command line: wbadmin DELETE SYSTEMSTATEBACKUP
- Deletes System State backups
-
C:\Windows\System32\cmd.exe (depth 2)
  command line: "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exe (depth 3)
  command line: wmic shadowcopy delete
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe (depth 2)
  command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbadmin.exe (depth 3)
  command line: wbadmin delete catalog -quiet
- Deletes backup catalog
-
C:\Windows\System32\cmd.exe (depth 2)
  command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exe (depth 3)
  command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
- Modifies boot configuration data using bcdedit
-
C:\Windows\System32\cmd.exe (depth 2)
  command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exe (depth 3)
  command line: bcdedit /set {default} recoveryenabled no
- Modifies boot configuration data using bcdedit
-
C:\Windows\System32\cmd.exe (depth 2)
  command line: "C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exe (depth 3)
  command line: netsh advfirewall set currentprofile state off
-
C:\Windows\System32\cmd.exe (depth 2)
  command line: "C:\Windows\System32\cmd.exe" /C netsh firewall set opmode mode=disable
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exe (depth 3)
  command line: netsh firewall set opmode mode=disable
-
C:\Windows\SysWOW64\mshta.exe (depth 2)
  command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
-
C:\Windows\SysWOW64\mshta.exe (depth 2)
  command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
-
C:\Windows\SysWOW64\mshta.exe (depth 2)
  command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
-
C:\Windows\SysWOW64\mshta.exe (depth 2)
  command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
-
C:\Windows\SysWOW64\mshta.exe (depth 2)
  command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
-
C:\Windows\system32\vssvc.exe (depth 1)
  command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe (depth 1)
  command line: "C:\Windows\system32\wbengine.exe"
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exe (depth 1)
  command line: C:\Windows\System32\vdsldr.exe -Embedding
-
C:\Windows\System32\vds.exe (depth 1)
  command line: C:\Windows\System32\vds.exe
- Checks SCSI registry key(s)
Downloads
-
C:\ProgramData\kwiwnuqg.exe
- Filesize: 32KB
- MD5: 8fcafe5ae7f217364afc3c12f1ebb0e1
- SHA1: 5046cb978406e83ec9636c36337f8c880f4faf81
- SHA256: b6cc8a850d90237fd2180b17573b2bd4f51e295b97eebbafa1171347ec30e386
- SHA512: 64b13f092a82062a87583cdb9aca26ad376627111ea22b72a7e43525d8066f88e3b6d8c77fb48b6c3db1bff15131cab4d377fbb8761b5b332a64b3504a010fd7
-
C:\Users\Admin\AppData\Local\Temp\RES6E79.tmp
- Filesize: 29KB
- MD5: 3d8c7682276a8037f2127218269ad6a6
- SHA1: 0ec2007353db9cf776065cae9281e9e82a55b6b8
- SHA256: 1b14a330f9f9ef6a72e7c265df268fd68aeeb4724c5d43e0a2b384ca4f0d8e1f
- SHA512: 08fe9d6d5d7e53eb020de248b6ee5bcf87927b06d3efbb33c76bb8ee6b8df387d575dcc2170b1e8e0e4866c6ca3a9d2a80985755b3e6854eab614280219316d2
-
C:\Users\Admin\AppData\Local\Temp\info.hta
- Filesize: 3KB
- MD5: cdb00d793ff4f68766d673e3af67c608
- SHA1: 2f2e0f76fe8c934abcd27af2c67d55ad564e10c0
- SHA256: c2ab7e7d6ca328c9031d2bb893abd9c5df0156a3fe802229cc46b164cfb6bda3
- SHA512: 1b290173f8cecc8c516afcc53289374105b6bfd9ff85f92e76473929077cf7696c1721e8704f2a6339071b49f5a11ff93b8fe10822004635794fb7f3daa30a80
-
\??\c:\ProgramData\CSCC35B4BAE327346C49246E3A5B5D8F9B8.TMP
- Filesize: 28KB
- MD5: 42958c0a5905226d3f206f01437ba394
- SHA1: ccfc155322bcbfa588f84b717b8874e965defe8f
- SHA256: 03cfaf6afae600e874b441eb6083bddcb9eb54a1b2b7694607c1f26287583ebb
- SHA512: 2b0f99c52497b52fa7f9eea639ef9497091854d3b67c257496c13d2633632179a038b3cc9bbe133cae8038ca81ee9015ced44e22e7042944404b5636a6e58d06
-
\??\c:\Users\Admin\AppData\Local\Temp\duug14l2\duug14l2.0.cs
- Filesize: 1KB
- MD5: 75a66536976086c8098b23442037b427
- SHA1: fd27d3d01a981b479b880194fe50af1f85914284
- SHA256: cca7fb993f399a6ce14901b64398567ad373c5e4468eb9a78aaad45881f9b59d
- SHA512: 0bc2e1a80763b0296d85aad64f0515fd851e56787efac87410c49850944ec2632464cfff860b4fba946e876d7ec13a17579fe8c5c09ac55d70e7c5d5b31e182e
-
\??\c:\Users\Admin\AppData\Local\Temp\duug14l2\duug14l2.cmdline
- Filesize: 236B
- MD5: 8f39974be88d22024bd19b38ee685f4c
- SHA1: bce3ffe28017ceb46fa86942b165ed8a4065645a
- SHA256: ba5d988309b0dc50b74022f3d7b3466c25e4ab150c48d8f409064a9af372cd64
- SHA512: e514517a7028b2bb79c14f1b3e74e475f860e061d6615caa90926a38c489f5180961f7d8b43d6e22fdb449856f56180e1712a833136f88786ea5d4b8b9bd1036
-
\??\c:\Users\Admin\AppData\Local\Temp\dvydvcdb.ico
- Filesize: 27KB
- MD5: dbc49b5f7714255217080c2e81f05a99
- SHA1: 4de2ef415d66d2bb8b389ba140a468b125388e19
- SHA256: 6d2f1f6164cbd331b9dc43b37948372e21b2ee45407aa99e199693835cded09c
- SHA512: 29a65eb7403bfc220fd057c2e6ea11b29bff545dfce2d3370ad462c66b03ae7f648efd480305423a49440de199a2a94c41214877b226a42dc2d1650683d149bb
-
memory/532-143-0x0000000000000000-mapping.dmp
-
memory/1944-144-0x0000000000000000-mapping.dmp
-
memory/2244-154-0x0000000000000000-mapping.dmp
-
memory/2472-150-0x0000000000000000-mapping.dmp
-
memory/3592-152-0x0000000000000000-mapping.dmp
-
memory/3656-156-0x0000000000000000-mapping.dmp
-
memory/3688-151-0x0000000000000000-mapping.dmp
-
memory/3944-148-0x0000000000000000-mapping.dmp
-
memory/4668-131-0x0000000003430000-0x00000000034A6000-memory.dmp
- Filesize: 472KB
-
memory/4668-132-0x00007FFA0E0F0000-0x00007FFA0EBB1000-memory.dmp
- Filesize: 10.8MB
-
memory/4668-130-0x00000000009A0000-0x0000000000A22000-memory.dmp
- Filesize: 520KB
-
memory/4684-158-0x0000000000000000-mapping.dmp
-
memory/5040-147-0x0000000000000000-mapping.dmp
-
memory/5216-145-0x0000000000000000-mapping.dmp
-
memory/5348-149-0x0000000000000000-mapping.dmp
-
memory/5588-157-0x0000000000000000-mapping.dmp
-
memory/5600-155-0x0000000000000000-mapping.dmp
-
memory/5636-153-0x0000000000000000-mapping.dmp
-
memory/5696-134-0x0000000000000000-mapping.dmp
-
memory/5712-159-0x0000000000000000-mapping.dmp
-
memory/5720-133-0x0000000000000000-mapping.dmp
-
memory/5892-162-0x0000000000000000-mapping.dmp
-
memory/5940-135-0x0000000000000000-mapping.dmp
-
memory/6016-160-0x0000000000000000-mapping.dmp
-
memory/6024-139-0x0000000000000000-mapping.dmp
-
memory/6048-161-0x0000000000000000-mapping.dmp
-
memory/6100-163-0x0000000000000000-mapping.dmp
-
memory/6112-146-0x0000000000000000-mapping.dmp