General

  • Target: tmp
  • Size: 484KB
  • Sample: 220520-x17d2affcl
  • MD5: 8b062fa952cc294d7db09794e2d44ce0
  • SHA1: ce13e42217f7d0e950dd8ae5ee5ec8d5be6af177
  • SHA256: 71d0c896720e01be1b6b095fc8917bcac38f8bc8ed3caba8bf9c2a4fcdde1747
  • SHA512: a6643699544db21955c927e9a7cdfd1c056c7078e27d9c68ff68865c240ff3dfd0f8aecd7f4926b9746eaa989b3cbef681e5ffd19c643cd02a7faba2534ed26d

Malware Config

Extracted

  • Path: C:\Restore-My-Files.txt
  • Ransom Note:
    !!!All of your files are encrypted!!! To decrypt them send e-mail to this address: DecryptionCenter@gmail.com In case of no answer in 24h, send e-mail to this address: DecryptionCenter@outlook.com All your files will be lost on Sunday, June 19, 2022 9:21:06 PM. Your SYSTEM ID : 3269259F !!!Deleting "Cpriv.Loki" causes permanent data loss.
  • Emails: DecryptionCenter@gmail.com, DecryptionCenter@outlook.com

Extracted

  • Path: C:\Users\Admin\AppData\Local\Temp\info.hta
  • Ransom Note:
    All your files have been encrypted by Loki locker! All your files have been encrypted due to a security problem with your PC. If you want to restore them, please send an email DecryptionCenter@gmail.com You have to pay for decryption in Bitcoin. The price depends on how fast you contact us. After payment we will send you the decryption tool. You have to 48 hours(2 Days) To contact or paying us After that, you have to Pay Double . In case of no answer in 24 hours (1 Day) write to this email DecryptionCenter@outlook.com Your unique ID is : 3269259F You only have LIMITED time to get back your files! If timer runs out and you dont pay us , all of files will be DELETED and you hard disk will be seriously DAMAGED. You will lose some of your data on day 2 in the timer. You can buy more time for pay. Just email us. THIS IS NOT A JOKE! you can wait for the timer to run out ,and watch deletion of your files :) What is our decryption guarantee? Before paying you can send us up to for free decryption. The total size of files must be less than 2Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) Attention! DO NOT pay any money before decrypting the test files. DO NOT trust any intermediary. they wont help you and you may be victim of scam. just email us , we help you in any steps. DO NOT reply to other emails. ONLY this two emails can help you. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
  • Emails: DecryptionCenter@gmail.com, DecryptionCenter@outlook.com

Targets

  • Lockbit
    Ransomware family with multiple variants released since late 2019.
  • Modifies Windows Defender Real-time Protection settings
  • suricata: ET MALWARE Loki Locker Ransomware CnC Activity
  • suricata: ET MALWARE Loki Locker Ransomware CnC Domain in DNS Lookup
  • suricata: ET MALWARE Loki Locker Ransomware User-Agent
  • Deletes shadow copies
    Ransomware often targets backup files to inhibit system recovery.
  • Modifies boot configuration data using bcdedit
  • Deletes System State backups
    Uses wbadmin.exe to inhibit system recovery.
  • Deletes backup catalog
    Uses wbadmin.exe to inhibit system recovery.
  • Disables Task Manager via registry modification
  • Modifies Windows Firewall
  • Checks computer location settings
    Looks up country code configured in the registry, likely geofence.
  • Drops startup file
  • Adds Run key to start application
  • Drops desktop.ini file(s)
  • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

Execution
  • Command-Line Interface (T1059): 2
  • Scheduled Task (T1053): 1

Persistence
  • Modify Existing Service (T1031): 2
  • Registry Run Keys / Startup Folder (T1060): 1
  • Scheduled Task (T1053): 1

Privilege Escalation
  • Scheduled Task (T1053): 1

Defense Evasion
  • Modify Registry (T1112): 4
  • Disabling Security Tools (T1089): 1
  • File Deletion (T1107): 4

Discovery
  • Query Registry (T1012): 2
  • System Information Discovery (T1082): 3
  • Peripheral Device Discovery (T1120): 1

Impact
  • Inhibit System Recovery (T1490): 5
  • Defacement (T1491): 1

Tasks