Analysis
max time kernel: 108s
max time network: 53s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 25-09-2022 15:03
Static task: static1
Behavioral task: behavioral1 (sample locker.exe, resource win7-20220812-en)
Behavioral task: behavioral2 (sample locker.exe, resource win10v2004-20220812-en)
General
Target: locker.exe
Size: 178KB
MD5: 8d27d0c897ce21f1036bf659fc663cf2
SHA1: afe3d0fb48092aeca4dcd3989a076e87fdbe69b2
SHA256: 139a8bb2c5537190e747d2f651b423147018fd9a9a21bb36281d4ce1c61727c1
SHA512: 531873e8faaf801a447f70848969865750f41fd5ff15bd8c47015e766a9bb8cc1fbb8dcae16ddbf1e4f9dbc5750af593ef8fdcf94cd1a61efa00c7790cda4374
SSDEEP: 3072:/gq2DKdMbv1S/n6rHBJK3V9LBSLrKa+HQXvMES/D3Yw7yZyYpEaI:/84X/19LUPMcMEw3kTI
Malware Config
Extracted
Ransom note path: C:\warning !!!! Readme bl00dy Gang.txt
Contact email: filedecryptionsupport@msgsafe.io
Telegram: https://t.me/bl00dy_Ransomware_Gang
Signatures

Modifies extensions of user files (11 IoCs)
Ransomware generally changes the extension on encrypted files.
Process: locker.exe (all entries)
- File opened for modification C:\Users\Admin\Pictures\PingComplete.tiff
- File renamed C:\Users\Admin\Pictures\UnregisterRevoke.png => C:\Users\Admin\Pictures\UnregisterRevoke.png.bl00dy
- File renamed C:\Users\Admin\Pictures\AddUpdate.tif => C:\Users\Admin\Pictures\AddUpdate.tif.bl00dy
- File renamed C:\Users\Admin\Pictures\BackupFind.tiff => C:\Users\Admin\Pictures\BackupFind.tiff.bl00dy
- File renamed C:\Users\Admin\Pictures\GroupSwitch.crw => C:\Users\Admin\Pictures\GroupSwitch.crw.bl00dy
- File renamed C:\Users\Admin\Pictures\LimitRead.png => C:\Users\Admin\Pictures\LimitRead.png.bl00dy
- File renamed C:\Users\Admin\Pictures\SubmitStep.tiff => C:\Users\Admin\Pictures\SubmitStep.tiff.bl00dy
- File opened for modification C:\Users\Admin\Pictures\BackupFind.tiff
- File renamed C:\Users\Admin\Pictures\ExitExpand.tif => C:\Users\Admin\Pictures\ExitExpand.tif.bl00dy
- File renamed C:\Users\Admin\Pictures\PingComplete.tiff => C:\Users\Admin\Pictures\PingComplete.tiff.bl00dy
- File opened for modification C:\Users\Admin\Pictures\SubmitStep.tiff
The pattern is open-for-modification followed by rename-in-place: the original name is kept and .bl00dy is appended, which is what a static file-extension rule should key on.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
No IoCs are attached to this signature in the report; on this sample the browser profile reads are most plausibly the encryptor walking the profile directories, which the Feeds Cache and Quick Launch entries under the next signature also show.
Drops desktop.ini file(s) (46 IoCs)
Process: locker.exe (all entries). Every entry is "File opened for modification" on an existing desktop.ini; no desktop.ini is created, so this is the encryptor touching whatever it finds as it walks each directory.
- C:\Users\Public\Downloads\desktop.ini
- C:\Users\Public\Videos\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\8PENRVY0\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- C:\Program Files\Microsoft Games\FreeCell\desktop.ini
- C:\Users\Public\Desktop\desktop.ini
- C:\Users\Admin\Pictures\desktop.ini
- C:\Users\Admin\Saved Games\desktop.ini
- C:\Users\Public\Music\desktop.ini
- C:\Users\Public\Pictures\desktop.ini
- C:\Users\Admin\Favorites\Links\desktop.ini
- C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI
- C:\Program Files\Microsoft Games\Hearts\desktop.ini
- C:\Users\Admin\Music\desktop.ini
- C:\Users\Admin\Searches\desktop.ini
- C:\Users\Public\Libraries\desktop.ini
- C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini
- C:\Users\Admin\Desktop\desktop.ini
- C:\Users\Admin\Documents\desktop.ini
- C:\Program Files\Microsoft Games\Solitaire\desktop.ini
- C:\Users\Admin\Videos\desktop.ini
- C:\Users\Admin\Favorites\Links for United States\desktop.ini
- C:\Users\Public\desktop.ini
- C:\Program Files\Microsoft Games\Purble Place\desktop.ini
- C:\Users\Public\Recorded TV\desktop.ini
- C:\Users\Public\Recorded TV\Sample Media\desktop.ini
- C:\Users\Public\Videos\Sample Videos\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RUC7JGOV\desktop.ini
- C:\Users\Admin\Contacts\desktop.ini
- C:\Users\Public\Documents\desktop.ini
- C:\Program Files\Microsoft Games\Mahjong\desktop.ini
- C:\Users\Admin\Downloads\desktop.ini
- C:\Users\Public\Music\Sample Music\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- C:\Program Files (x86)\desktop.ini
- C:\Program Files\Microsoft Games\Chess\desktop.ini
- C:\Users\Admin\Links\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
- C:\Program Files\desktop.ini
- C:\Users\Admin\Favorites\desktop.ini
- C:\Users\Public\Pictures\Sample Pictures\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\NWV1K27G\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\OF1EYD7L\desktop.ini
- C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini
Drops file in Program Files directory (64 IoCs)
Process: locker.exe (all entries). The 64 entries split into two kinds: the ransom note created in a directory the encryptor has just walked (8), and existing application files opened for modification, i.e. encrypted in place (56). Note that the encryptor does not spare Program Files; fonts, clip art, Java time-zone data and VLC locale files are all touched.

Ransom note created:
- C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\warning !!!! Readme bl00dy Gang.txt
- C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\warning !!!! Readme bl00dy Gang.txt
- C:\Program Files\DVD Maker\Shared\DvdStyles\Full\warning !!!! Readme bl00dy Gang.txt
- C:\Program Files\Java\jre7\lib\management\warning !!!! Readme bl00dy Gang.txt
- C:\Program Files\Mozilla Firefox\fonts\warning !!!! Readme bl00dy Gang.txt
- C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\warning !!!! Readme bl00dy Gang.txt
- C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\warning !!!! Readme bl00dy Gang.txt
- C:\Program Files\Microsoft Games\FreeCell\warning !!!! Readme bl00dy Gang.txt

Existing files opened for modification:
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01060_.WMF
- C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Flow.eftx
- C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FS3BOX.POC
- C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21342_.GIF
- C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\INCOMING.ICO
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FLAP.WMF
- C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIDEBARVERTBB.POC
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187817.WMF
- C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL022.XML
- C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\PREVIEW.GIF
- C:\Program Files\Java\jre7\lib\javafx.properties
- C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\vlc.mo
- C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\TAB_OFF.GIF
- C:\Program Files\Java\jre7\lib\ext\meta-index
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rightnav.gif
- C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\FLASH.NET.XML
- C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\1047x576black.png
- C:\Program Files\VideoLAN\VLC\lua\playlist\liveleak.luac
- C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14581_.GIF
- C:\Program Files\Java\jre7\lib\zi\America\Panama
- C:\Program Files (x86)\Microsoft Office\Office14\OSPP.HTM
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106222.WMF
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0174952.JPG
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-coredump.xml
- C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf
- C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18242_.WMF
- C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21504_.GIF
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Belem
- C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SpringGreen\TAB_OFF.GIF
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01035U.BMP
- C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Perspective.xml
- C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR31F.GIF
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-search.xml
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04332_.WMF
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186360.WMF
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_ja.jar
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der
- C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OOFL.ICO
- C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\vlc.mo
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Marquesas
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-compat.xml_hidden
- C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_ButtonGraphic.png
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00135_.GIF
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090089.WMF
- C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02106_.GIF
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaTypewriterBold.ttf
- C:\Program Files\7-Zip\Lang\ko.txt
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01191_.WMF
- C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\LEVEL.ELM
- C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_zh_CN.jar
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185806.WMF
- C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0221903.WMF
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.properties
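The two file-system signatures above ("Modifies extensions of user files" and "Drops file in Program Files directory") are really one behaviour seen from two angles: many files renamed in place with a new suffix, and one note file name created in many directories. The following is an added example, not part of the sandbox report or of any vendor's detection code, showing both heuristics run over event lines in the same "File renamed A => B" / "File created P" shape the report uses. The sample events are constructed from a subset of this report's entries plus two benign rows; the thresholds (5 renames, 3 note directories) are assumptions to be tuned per environment. The code generalises beyond .bl00dy: it reports whatever suffix and note name cross the thresholds.

```python
"""Ransomware file-activity heuristics: mass extension append and ransom-note fan-out.

Added example, not part of the sandbox report. Input lines use the shape the
report's IoC tables have ("File renamed A => B", "File created P",
"File opened for modification P"). Thresholds are assumptions.
"""
import ntpath
from collections import defaultdict


def parse_event(line):
    """Return (op, path, new_path_or_None) for one IoC line."""
    if line.startswith("File renamed "):
        src, dst = line[len("File renamed "):].split(" => ", 1)
        return "renamed", src, dst
    for prefix, op in (("File created ", "created"),
                       ("File opened for modification ", "modified")):
        if line.startswith(prefix):
            return op, line[len(prefix):], None
    raise ValueError(f"unrecognised event: {line!r}")


def appended_extension(src, dst):
    """If dst is src with one extra '.<ext>' tacked on, return ext, else None.
    Ordinary renames (report.docx -> report-final.docx) do not qualify."""
    if dst.startswith(src) and len(dst) > len(src) + 1 and dst[len(src)] == ".":
        ext = dst[len(src) + 1:]
        if "\\" not in ext and "." not in ext:
            return ext.lower()
    return None


def analyze(lines, min_renames=5, min_note_dirs=3):
    """Return findings: one per extension appended to >= min_renames files,
    one per file name created in >= min_note_dirs distinct directories."""
    victims = defaultdict(set)   # appended ext -> original paths renamed
    created = defaultdict(set)   # created file name -> directories it landed in
    for line in lines:
        op, path, new_path = parse_event(line)
        if op == "renamed":
            ext = appended_extension(path, new_path)
            if ext:
                victims[ext].add(path.lower())
        elif op == "created":
            directory, name = ntpath.split(path)
            created[name.lower()].add(directory.lower())
    findings = []
    for ext, paths in sorted(victims.items()):
        if len(paths) >= min_renames:
            findings.append({"type": "mass_extension_append",
                             "extension": ext, "files": len(paths)})
    for name, dirs in sorted(created.items()):
        if len(dirs) >= min_note_dirs:
            findings.append({"type": "note_fanout", "name": name, "dirs": len(dirs)})
    return findings


NOTE = "warning !!!! Readme bl00dy Gang.txt"
PICS = "C:\\Users\\Admin\\Pictures\\"

# Constructed sample: six renames and four note drops copied from this
# report, plus one benign rename and one benign create that must not count.
SAMPLE = [
    f"File opened for modification {PICS}PingComplete.tiff",
    f"File renamed {PICS}UnregisterRevoke.png => {PICS}UnregisterRevoke.png.bl00dy",
    f"File renamed {PICS}AddUpdate.tif => {PICS}AddUpdate.tif.bl00dy",
    f"File renamed {PICS}BackupFind.tiff => {PICS}BackupFind.tiff.bl00dy",
    f"File renamed {PICS}GroupSwitch.crw => {PICS}GroupSwitch.crw.bl00dy",
    f"File renamed {PICS}LimitRead.png => {PICS}LimitRead.png.bl00dy",
    f"File renamed {PICS}SubmitStep.tiff => {PICS}SubmitStep.tiff.bl00dy",
    f"File renamed {PICS}draft.docx => {PICS}draft-final.docx",
    f"File created C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\{NOTE}",
    f"File created C:\\Program Files\\Microsoft Games\\SpiderSolitaire\\fr-FR\\{NOTE}",
    f"File created C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\{NOTE}",
    f"File created C:\\Program Files\\Java\\jre7\\lib\\management\\{NOTE}",
    "File created C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp1234.tmp",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

The extension check deliberately requires the new name to be the old name plus exactly one suffix; that keeps ordinary saves and "-final" renames out, at the cost of missing families that replace the extension instead of appending one. Fan-out of a single created file name across unrelated directories is the more robust of the two signals, since it does not depend on the suffix at all.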
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: locker.exe (pid 736), 64 process-enumeration events, all from the same process.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: vssvc.exe, WMIC.exe, WMIC.exe

vssvc.exe (pid 2040): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
WMIC.exe (pid 1712), the same batch enabled twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
WMIC.exe (pid 1768): the same batch once, then SeIncreaseQuotaPrivilege again before the list is cut off at 64 entries

The numeric entries 33, 34 and 35 are privilege LUIDs the sandbox did not resolve to names (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege respectively). None of these adjustments come from locker.exe itself: WMIC.exe enables every privilege in its token at startup regardless of the query, and vssvc.exe needs backup/restore rights to service the delete requests. The detection value is therefore in the parent chain that launched WMIC, not in the privilege calls.
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: locker.exe and the cmd.exe instances it spawned

locker.exe (pid 736) -> cmd.exe, 4 writes each: pids 1656, 1704, 1332, 1940, 1828, 996, 592, 1456, 1712, then 1768 (the list is cut off at 64 entries after the first write to 1768)
cmd.exe -> WMIC.exe, 3 writes each: 1656 -> 1712, 1704 -> 1768, 1332 -> 1204, 1940 -> 1528, 1828 -> 1808, 996 -> 1056, 592 -> 1996, 1456 -> 1776, 1712 -> 844

Every target is a child the writer had just created; nothing here writes into an unrelated process, so this list is the parent/child map rather than evidence of injection. Note the PID reuse within the run: 1712 is first a WMIC.exe child of cmd.exe 1656 and later a cmd.exe parent of WMIC.exe 844, and 1768 is likewise reused. Detection logic built from this tree should correlate on a process GUID or creation time, not on the PID alone.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\locker.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\locker.exe"
    - Modifies extensions of user files
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\cmd.exe (18 instances, one per shadow copy)
      command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{<shadow copy ID>}'" delete

    [3] C:\Windows\System32\wbem\WMIC.exe (one child per cmd.exe)
        command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{<shadow copy ID>}'" delete

    Shadow copy IDs in launch order, with the signatures the report attached to that cmd.exe / WMIC.exe pair:
    1. {309BDB4B-09FA-4B2E-A35D-461EB97EED0F}: cmd.exe Suspicious use of WriteProcessMemory; WMIC.exe Suspicious use of AdjustPrivilegeToken
    2. {29A0A02F-1E9E-4A50-93C4-1D938C11D8A3}: cmd.exe Suspicious use of WriteProcessMemory; WMIC.exe Suspicious use of AdjustPrivilegeToken
    3. {63518277-314E-424C-927F-BE5311012F87}: cmd.exe Suspicious use of WriteProcessMemory
    4. {BE926DAD-1617-4795-B527-6BF393D8C84F}: cmd.exe Suspicious use of WriteProcessMemory
    5. {CA815155-F367-44DF-81BC-9261FA314804}: cmd.exe Suspicious use of WriteProcessMemory
    6. {40CED04A-6E3E-4F2B-A898-3A91BC30C720}: cmd.exe Suspicious use of WriteProcessMemory
    7. {84A94E09-FA64-4706-922F-1A42644841C7}: cmd.exe Suspicious use of WriteProcessMemory
    8. {5310782C-4B83-44EF-A20A-4EF0D7F0F1CB}: cmd.exe Suspicious use of WriteProcessMemory
    9. {C1F9BEBD-4E70-454E-8D24-DD4AE488E0DD}: cmd.exe Suspicious use of WriteProcessMemory
    10. {5511917A-F208-4E79-AEC9-AE6599F02876}: no signatures attached
    11. {4B689505-5AE8-4A90-B1F2-497F7F0C4150}: no signatures attached
    12. {B3B653C1-A05E-459A-BD91-502AA66C0CEE}: no signatures attached
    13. {A1E48722-B271-4CCD-AEF4-7F12F6FADC6A}: no signatures attached
    14. {F9276E2F-ACFF-4708-BCB1-F0A9011CD438}: no signatures attached
    15. {A3C8AB8E-8532-4D1E-9214-4210D792EC6A}: no signatures attached
    16. {0E76C29A-2DC1-410F-80E4-1E8FD3F45D65}: no signatures attached
    17. {5B20EEB1-2BE5-498F-A1E2-70CDF5EC36A8}: no signatures attached
    18. {473003D3-A154-4F7C-9D8C-00BACFEAC351}: no signatures attached

[1] C:\Windows\system32\vssvc.exe
    command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken

The absence of signature flags on pairs 3 to 18 reflects the 64-entry cap on the WriteProcessMemory and AdjustPrivilegeToken lists (the last WriteProcessMemory entry is an incomplete batch), not different behaviour; all 18 pairs run the same command with a different ID. The sample enumerates shadow copies and deletes them one ID at a time through WMIC rather than with a single vssadmin delete shadows /all, so a rule that only matches vssadmin would miss it. vssvc.exe appears as a separate top-level process because it is started by the service control manager to service the delete requests, not by locker.exe.
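The process tree above is the strongest detection opportunity in this report: a user-land executable spawning cmd.exe /c WMIC.exe shadowcopy ... delete, once per shadow copy. The following is an added example, not part of the sandbox report or of any vendor's rule set, that walks process-creation telemetry, matches the shadow-copy deletion command lines (WMIC, vssadmin and the Win32_ShadowCopy WMI class, so it covers more than this sample's WMIC variant), collapses the cmd.exe wrapper so each deletion is reported once, and attributes it to the first ancestor that is not a relay such as cmd.exe or WMIC.exe. The record fields (pid, ppid, image, cmdline) are assumptions about the telemetry source, e.g. Sysmon event ID 1; the sample records are constructed from this report's pids and first two shadow copy IDs, with two benign rows added for contrast.

```python
"""Detect shadow-copy deletion chains in process-creation telemetry.

Added example, not part of the sandbox report. Records mirror this
report's tree: locker.exe (pid 736) spawns cmd.exe /c WMIC.exe
shadowcopy where "ID='{...}'" delete, one pair per shadow copy.
Field names (pid, ppid, image, cmdline) are assumptions about the
telemetry source, e.g. Sysmon event ID 1.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Command lines that delete Volume Shadow Copies via WMIC, vssadmin,
# or the Win32_ShadowCopy WMI class (PowerShell Get-WmiObject ... .Delete()).
SHADOW_DELETE = re.compile(
    r"(?:wmic(?:\.exe)?\s+shadowcopy\b.*\bdelete\b"
    r"|vssadmin(?:\.exe)?\s+delete\s+shadows\b"
    r"|Win32_ShadowCopy\b.*\bDelete\b)",
    re.IGNORECASE,
)
SHADOW_ID = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.IGNORECASE)

# Images that only relay the command; walk past them to find the originator.
RELAYS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wmic.exe", "vssadmin.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_shadow_copy_deletion(procs):
    """One finding per deleting process, attributed to its first non-relay
    ancestor (the process that actually wants the backups gone)."""
    by_pid = {p.pid: p for p in procs}
    matching = [p for p in procs if SHADOW_DELETE.search(p.cmdline)]
    findings = []
    for p in matching:
        # A cmd.exe /c wrapper whose child carries the same command is
        # reported once, through the child, not twice.
        if any(c.ppid == p.pid for c in matching):
            continue
        origin = p
        while basename(origin.image) in RELAYS and origin.ppid in by_pid:
            origin = by_pid[origin.ppid]
        findings.append({
            "pid": p.pid,
            "image": basename(p.image),
            "origin_pid": origin.pid,
            "origin_image": origin.image,
            "shadow_ids": [m.upper() for m in SHADOW_ID.findall(p.cmdline)],
        })
    return findings


def summarize(findings):
    """Group findings by originator: {origin_pid: sorted shadow copy IDs}."""
    out = {}
    for f in findings:
        out.setdefault(f["origin_pid"], set()).update(f["shadow_ids"])
    return {pid: sorted(ids) for pid, ids in out.items()}


WMIC_DELETE = 'C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where "ID=\'{%s}\'" delete'
LOCKER = "C:\\Users\\Admin\\AppData\\Local\\Temp\\locker.exe"

# Constructed sample telemetry: pids and the first two shadow copy IDs
# come from this report; the parent pid 1200 and the benign rows are invented.
SAMPLE = [
    Proc(736, 1200, LOCKER, f'"{LOCKER}"'),
    Proc(1656, 736, "C:\\Windows\\system32\\cmd.exe",
         "cmd.exe /c " + WMIC_DELETE % "309BDB4B-09FA-4B2E-A35D-461EB97EED0F"),
    Proc(1712, 1656, "C:\\Windows\\System32\\wbem\\WMIC.exe",
         WMIC_DELETE % "309BDB4B-09FA-4B2E-A35D-461EB97EED0F"),
    Proc(1704, 736, "C:\\Windows\\system32\\cmd.exe",
         "cmd.exe /c " + WMIC_DELETE % "29A0A02F-1E9E-4A50-93C4-1D938C11D8A3"),
    Proc(1768, 1704, "C:\\Windows\\System32\\wbem\\WMIC.exe",
         WMIC_DELETE % "29A0A02F-1E9E-4A50-93C4-1D938C11D8A3"),
    # Benign: the VSS service itself and an inventory query through WMIC.
    Proc(2040, 600, "C:\\Windows\\system32\\vssvc.exe", "C:\\Windows\\system32\\vssvc.exe"),
    Proc(3000, 1200, "C:\\Windows\\System32\\wbem\\WMIC.exe", "wmic os get caption"),
]

if __name__ == "__main__":
    for pid, ids in summarize(find_shadow_copy_deletion(SAMPLE)).items():
        print(f"pid {pid} deleted {len(ids)} shadow copies: {', '.join(ids)}")
```

Attributing to the originator rather than to WMIC.exe is what makes the alert actionable: WMIC.exe and cmd.exe are the same on every host, while the originator here is an executable in the user's Temp directory. Because this sample issues one delete per shadow copy, the summary also gives a count that a threshold rule can use, and the same walk works unchanged for a backup agent that legitimately deletes copies, which would show up as a known signed image in origin_image rather than as a Temp-directory binary.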
Downloads
memory/592-67-0x0000000000000000-mapping.dmp
memory/736-54-0x0000000076201000-0x0000000076203000-memory.dmp (8KB)
memory/808-78-0x0000000000000000-mapping.dmp
memory/844-72-0x0000000000000000-mapping.dmp
memory/968-87-0x0000000000000000-mapping.dmp
memory/972-84-0x0000000000000000-mapping.dmp
memory/996-65-0x0000000000000000-mapping.dmp
memory/1056-66-0x0000000000000000-mapping.dmp
memory/1172-82-0x0000000000000000-mapping.dmp
memory/1204-60-0x0000000000000000-mapping.dmp
memory/1204-75-0x0000000000000000-mapping.dmp
memory/1260-79-0x0000000000000000-mapping.dmp
memory/1328-77-0x0000000000000000-mapping.dmp
memory/1332-59-0x0000000000000000-mapping.dmp
memory/1352-74-0x0000000000000000-mapping.dmp
memory/1380-81-0x0000000000000000-mapping.dmp
memory/1444-89-0x0000000000000000-mapping.dmp
memory/1456-69-0x0000000000000000-mapping.dmp
memory/1456-86-0x0000000000000000-mapping.dmp
memory/1528-62-0x0000000000000000-mapping.dmp
memory/1656-55-0x0000000000000000-mapping.dmp
memory/1660-90-0x0000000000000000-mapping.dmp
memory/1684-80-0x0000000000000000-mapping.dmp
memory/1704-57-0x0000000000000000-mapping.dmp
memory/1712-71-0x0000000000000000-mapping.dmp
memory/1712-88-0x0000000000000000-mapping.dmp
memory/1712-56-0x0000000000000000-mapping.dmp
memory/1760-85-0x0000000000000000-mapping.dmp
memory/1768-58-0x0000000000000000-mapping.dmp
memory/1768-73-0x0000000000000000-mapping.dmp
memory/1776-70-0x0000000000000000-mapping.dmp
memory/1808-64-0x0000000000000000-mapping.dmp
memory/1828-63-0x0000000000000000-mapping.dmp
memory/1844-76-0x0000000000000000-mapping.dmp
memory/1940-61-0x0000000000000000-mapping.dmp
memory/1992-83-0x0000000000000000-mapping.dmp
memory/1996-68-0x0000000000000000-mapping.dmp

The only real memory dump is the 8KB region of locker.exe (pid 736); the rest are process-mapping records, and the repeated pids (1204, 1456, 1712, 1768) are the same PID reuse visible in the WriteProcessMemory list.