9fc79081e2f45a341ff9ab054413d6b5e561daaec27fdd6aefaffc77cf7509b4

General

Target

locker.exe
Size

178KB
MD5

8d27d0c897ce21f1036bf659fc663cf2
SHA1

afe3d0fb48092aeca4dcd3989a076e87fdbe69b2
SHA256

139a8bb2c5537190e747d2f651b423147018fd9a9a21bb36281d4ce1c61727c1
SHA512

531873e8faaf801a447f70848969865750f41fd5ff15bd8c47015e766a9bb8cc1fbb8dcae16ddbf1e4f9dbc5750af593ef8fdcf94cd1a61efa00c7790cda4374
SSDEEP

3072:/gq2DKdMbv1S/n6rHBJK3V9LBSLrKa+HQXvMES/D3Yw7yZyYpEaI:/84X/19LUPMcMEw3kTI

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\warning !!!! Readme bl00dy Gang.txt

Ransom Note

GREETINGS FROM BL00DY RANSOMWARE GANG What happened ? Your entire company network is penetrated and encrypted. All files on servers and computers locked and not usable Dont panic All files are decryptable We will recover all your files to normal What Bl00dy Gang take / steal from your company network ? We download your company important files / documents / databases/ mails / accounts We publish it to the public if you dont cooperate . What BL00DY Gang needs from YOU ? We expect nothing except appreciating our work PAY US in this way you appreciate our work How to contact the BL00DY Gang for ransom negotiations ? filedecryptionsupport@msgsafe.io Telegram hall of shame , where all company private data will be PUBLISHED?? https://t.me/bl00dy_Ransomware_Gang What Quarantees ? we are not a politically motivated group and we do not need anything other than your money. If you pay, we provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We will help protect your company from any other attacks ; we will give you tips to secure company network We always keep our promises. !!! BEWARE !!! If you have Backups and try to restore from backups . All entire company files / databases / everything will be posted online DON'T try to rename or modify encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! - Don't try because you will damage all the files Any changes in encrypted files may entail damage of the private key and, as result, the loss all data. Do not report to Police or FBI , they dont care about your business .They will tell you not to pay and you will lose all your files. Recovery Company Cannot help You . things will get rather worse . speak for yourself.

Emails

filedecryptionsupport@msgsafe.io

URLs

https://t.me/bl00dy_Ransomware_Gang

Signatures

Modifies extensions of user files 11 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

locker.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\PingComplete.tiff	locker.exe
File renamed	C:\Users\Admin\Pictures\UnregisterRevoke.png => C:\Users\Admin\Pictures\UnregisterRevoke.png.bl00dy	locker.exe
File renamed	C:\Users\Admin\Pictures\AddUpdate.tif => C:\Users\Admin\Pictures\AddUpdate.tif.bl00dy	locker.exe
File renamed	C:\Users\Admin\Pictures\BackupFind.tiff => C:\Users\Admin\Pictures\BackupFind.tiff.bl00dy	locker.exe
File renamed	C:\Users\Admin\Pictures\GroupSwitch.crw => C:\Users\Admin\Pictures\GroupSwitch.crw.bl00dy	locker.exe
File renamed	C:\Users\Admin\Pictures\LimitRead.png => C:\Users\Admin\Pictures\LimitRead.png.bl00dy	locker.exe
File renamed	C:\Users\Admin\Pictures\SubmitStep.tiff => C:\Users\Admin\Pictures\SubmitStep.tiff.bl00dy	locker.exe
File opened for modification	C:\Users\Admin\Pictures\BackupFind.tiff	locker.exe
File renamed	C:\Users\Admin\Pictures\ExitExpand.tif => C:\Users\Admin\Pictures\ExitExpand.tif.bl00dy	locker.exe
File renamed	C:\Users\Admin\Pictures\PingComplete.tiff => C:\Users\Admin\Pictures\PingComplete.tiff.bl00dy	locker.exe
File opened for modification	C:\Users\Admin\Pictures\SubmitStep.tiff	locker.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 46 IoCs

Processes:

locker.exe

description	ioc	process
File opened for modification	C:\Users\Public\Downloads\desktop.ini	locker.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	locker.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\8PENRVY0\desktop.ini	locker.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	locker.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	locker.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	locker.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	locker.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	locker.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	locker.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	locker.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	locker.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	locker.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	locker.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	locker.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	locker.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	locker.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	locker.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	locker.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	locker.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	locker.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	locker.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	locker.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	locker.exe
File opened for modification	C:\Users\Public\desktop.ini	locker.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	locker.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	locker.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	locker.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	locker.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RUC7JGOV\desktop.ini	locker.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	locker.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	locker.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	locker.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	locker.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	locker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	locker.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	locker.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	locker.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	locker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	locker.exe
File opened for modification	C:\Program Files\desktop.ini	locker.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	locker.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	locker.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\NWV1K27G\desktop.ini	locker.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\OF1EYD7L\desktop.ini	locker.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	locker.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	locker.exe

Drops file in Program Files directory 64 IoCs

Processes:

locker.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\warning !!!! Readme bl00dy Gang.txt	locker.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01060_.WMF	locker.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Flow.eftx	locker.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FS3BOX.POC	locker.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\warning !!!! Readme bl00dy Gang.txt	locker.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\warning !!!! Readme bl00dy Gang.txt	locker.exe
File created	C:\Program Files\Java\jre7\lib\management\warning !!!! Readme bl00dy Gang.txt	locker.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21342_.GIF	locker.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\INCOMING.ICO	locker.exe
File created	C:\Program Files\Mozilla Firefox\fonts\warning !!!! Readme bl00dy Gang.txt	locker.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FLAP.WMF	locker.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIDEBARVERTBB.POC	locker.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187817.WMF	locker.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL022.XML	locker.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\PREVIEW.GIF	locker.exe
File opened for modification	C:\Program Files\Java\jre7\lib\javafx.properties	locker.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\vlc.mo	locker.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\TAB_OFF.GIF	locker.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\warning !!!! Readme bl00dy Gang.txt	locker.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\meta-index	locker.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rightnav.gif	locker.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\FLASH.NET.XML	locker.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\1047x576black.png	locker.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\liveleak.luac	locker.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14581_.GIF	locker.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Panama	locker.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OSPP.HTM	locker.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106222.WMF	locker.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0174952.JPG	locker.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-coredump.xml	locker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf	locker.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18242_.WMF	locker.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21504_.GIF	locker.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Belem	locker.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SpringGreen\TAB_OFF.GIF	locker.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\warning !!!! Readme bl00dy Gang.txt	locker.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01035U.BMP	locker.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Perspective.xml	locker.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR31F.GIF	locker.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-search.xml	locker.exe
File created	C:\Program Files\Microsoft Games\FreeCell\warning !!!! Readme bl00dy Gang.txt	locker.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04332_.WMF	locker.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186360.WMF	locker.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_ja.jar	locker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der	locker.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OOFL.ICO	locker.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\vlc.mo	locker.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml	locker.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Marquesas	locker.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF	locker.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-compat.xml_hidden	locker.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_ButtonGraphic.png	locker.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00135_.GIF	locker.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090089.WMF	locker.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02106_.GIF	locker.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaTypewriterBold.ttf	locker.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	locker.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01191_.WMF	locker.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\LEVEL.ELM	locker.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html	locker.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_zh_CN.jar	locker.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185806.WMF	locker.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0221903.WMF	locker.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.properties	locker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

locker.exe

pid	process
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe
736	locker.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	2040	vssvc.exe
Token: SeRestorePrivilege	2040	vssvc.exe
Token: SeAuditPrivilege	2040	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1712	WMIC.exe
Token: SeSecurityPrivilege	1712	WMIC.exe
Token: SeTakeOwnershipPrivilege	1712	WMIC.exe
Token: SeLoadDriverPrivilege	1712	WMIC.exe
Token: SeSystemProfilePrivilege	1712	WMIC.exe
Token: SeSystemtimePrivilege	1712	WMIC.exe
Token: SeProfSingleProcessPrivilege	1712	WMIC.exe
Token: SeIncBasePriorityPrivilege	1712	WMIC.exe
Token: SeCreatePagefilePrivilege	1712	WMIC.exe
Token: SeBackupPrivilege	1712	WMIC.exe
Token: SeRestorePrivilege	1712	WMIC.exe
Token: SeShutdownPrivilege	1712	WMIC.exe
Token: SeDebugPrivilege	1712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1712	WMIC.exe
Token: SeRemoteShutdownPrivilege	1712	WMIC.exe
Token: SeUndockPrivilege	1712	WMIC.exe
Token: SeManageVolumePrivilege	1712	WMIC.exe
Token: 33	1712	WMIC.exe
Token: 34	1712	WMIC.exe
Token: 35	1712	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1712	WMIC.exe
Token: SeSecurityPrivilege	1712	WMIC.exe
Token: SeTakeOwnershipPrivilege	1712	WMIC.exe
Token: SeLoadDriverPrivilege	1712	WMIC.exe
Token: SeSystemProfilePrivilege	1712	WMIC.exe
Token: SeSystemtimePrivilege	1712	WMIC.exe
Token: SeProfSingleProcessPrivilege	1712	WMIC.exe
Token: SeIncBasePriorityPrivilege	1712	WMIC.exe
Token: SeCreatePagefilePrivilege	1712	WMIC.exe
Token: SeBackupPrivilege	1712	WMIC.exe
Token: SeRestorePrivilege	1712	WMIC.exe
Token: SeShutdownPrivilege	1712	WMIC.exe
Token: SeDebugPrivilege	1712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1712	WMIC.exe
Token: SeRemoteShutdownPrivilege	1712	WMIC.exe
Token: SeUndockPrivilege	1712	WMIC.exe
Token: SeManageVolumePrivilege	1712	WMIC.exe
Token: 33	1712	WMIC.exe
Token: 34	1712	WMIC.exe
Token: 35	1712	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1768	WMIC.exe
Token: SeSecurityPrivilege	1768	WMIC.exe
Token: SeTakeOwnershipPrivilege	1768	WMIC.exe
Token: SeLoadDriverPrivilege	1768	WMIC.exe
Token: SeSystemProfilePrivilege	1768	WMIC.exe
Token: SeSystemtimePrivilege	1768	WMIC.exe
Token: SeProfSingleProcessPrivilege	1768	WMIC.exe
Token: SeIncBasePriorityPrivilege	1768	WMIC.exe
Token: SeCreatePagefilePrivilege	1768	WMIC.exe
Token: SeBackupPrivilege	1768	WMIC.exe
Token: SeRestorePrivilege	1768	WMIC.exe
Token: SeShutdownPrivilege	1768	WMIC.exe
Token: SeDebugPrivilege	1768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1768	WMIC.exe
Token: SeRemoteShutdownPrivilege	1768	WMIC.exe
Token: SeUndockPrivilege	1768	WMIC.exe
Token: SeManageVolumePrivilege	1768	WMIC.exe
Token: 33	1768	WMIC.exe
Token: 34	1768	WMIC.exe
Token: 35	1768	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1768	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

locker.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 736 wrote to memory of 1656	736	locker.exe	cmd.exe
PID 736 wrote to memory of 1656	736	locker.exe	cmd.exe
PID 736 wrote to memory of 1656	736	locker.exe	cmd.exe
PID 736 wrote to memory of 1656	736	locker.exe	cmd.exe
PID 1656 wrote to memory of 1712	1656	cmd.exe	WMIC.exe
PID 1656 wrote to memory of 1712	1656	cmd.exe	WMIC.exe
PID 1656 wrote to memory of 1712	1656	cmd.exe	WMIC.exe
PID 736 wrote to memory of 1704	736	locker.exe	cmd.exe
PID 736 wrote to memory of 1704	736	locker.exe	cmd.exe
PID 736 wrote to memory of 1704	736	locker.exe	cmd.exe
PID 736 wrote to memory of 1704	736	locker.exe	cmd.exe
PID 1704 wrote to memory of 1768	1704	cmd.exe	WMIC.exe
PID 1704 wrote to memory of 1768	1704	cmd.exe	WMIC.exe
PID 1704 wrote to memory of 1768	1704	cmd.exe	WMIC.exe
PID 736 wrote to memory of 1332	736	locker.exe	cmd.exe
PID 736 wrote to memory of 1332	736	locker.exe	cmd.exe
PID 736 wrote to memory of 1332	736	locker.exe	cmd.exe
PID 736 wrote to memory of 1332	736	locker.exe	cmd.exe
PID 1332 wrote to memory of 1204	1332	cmd.exe	WMIC.exe
PID 1332 wrote to memory of 1204	1332	cmd.exe	WMIC.exe
PID 1332 wrote to memory of 1204	1332	cmd.exe	WMIC.exe
PID 736 wrote to memory of 1940	736	locker.exe	cmd.exe
PID 736 wrote to memory of 1940	736	locker.exe	cmd.exe
PID 736 wrote to memory of 1940	736	locker.exe	cmd.exe
PID 736 wrote to memory of 1940	736	locker.exe	cmd.exe
PID 1940 wrote to memory of 1528	1940	cmd.exe	WMIC.exe
PID 1940 wrote to memory of 1528	1940	cmd.exe	WMIC.exe
PID 1940 wrote to memory of 1528	1940	cmd.exe	WMIC.exe
PID 736 wrote to memory of 1828	736	locker.exe	cmd.exe
PID 736 wrote to memory of 1828	736	locker.exe	cmd.exe
PID 736 wrote to memory of 1828	736	locker.exe	cmd.exe
PID 736 wrote to memory of 1828	736	locker.exe	cmd.exe
PID 1828 wrote to memory of 1808	1828	cmd.exe	WMIC.exe
PID 1828 wrote to memory of 1808	1828	cmd.exe	WMIC.exe
PID 1828 wrote to memory of 1808	1828	cmd.exe	WMIC.exe
PID 736 wrote to memory of 996	736	locker.exe	cmd.exe
PID 736 wrote to memory of 996	736	locker.exe	cmd.exe
PID 736 wrote to memory of 996	736	locker.exe	cmd.exe
PID 736 wrote to memory of 996	736	locker.exe	cmd.exe
PID 996 wrote to memory of 1056	996	cmd.exe	WMIC.exe
PID 996 wrote to memory of 1056	996	cmd.exe	WMIC.exe
PID 996 wrote to memory of 1056	996	cmd.exe	WMIC.exe
PID 736 wrote to memory of 592	736	locker.exe	cmd.exe
PID 736 wrote to memory of 592	736	locker.exe	cmd.exe
PID 736 wrote to memory of 592	736	locker.exe	cmd.exe
PID 736 wrote to memory of 592	736	locker.exe	cmd.exe
PID 592 wrote to memory of 1996	592	cmd.exe	WMIC.exe
PID 592 wrote to memory of 1996	592	cmd.exe	WMIC.exe
PID 592 wrote to memory of 1996	592	cmd.exe	WMIC.exe
PID 736 wrote to memory of 1456	736	locker.exe	cmd.exe
PID 736 wrote to memory of 1456	736	locker.exe	cmd.exe
PID 736 wrote to memory of 1456	736	locker.exe	cmd.exe
PID 736 wrote to memory of 1456	736	locker.exe	cmd.exe
PID 1456 wrote to memory of 1776	1456	cmd.exe	WMIC.exe
PID 1456 wrote to memory of 1776	1456	cmd.exe	WMIC.exe
PID 1456 wrote to memory of 1776	1456	cmd.exe	WMIC.exe
PID 736 wrote to memory of 1712	736	locker.exe	cmd.exe
PID 736 wrote to memory of 1712	736	locker.exe	cmd.exe
PID 736 wrote to memory of 1712	736	locker.exe	cmd.exe
PID 736 wrote to memory of 1712	736	locker.exe	cmd.exe
PID 1712 wrote to memory of 844	1712	cmd.exe	WMIC.exe
PID 1712 wrote to memory of 844	1712	cmd.exe	WMIC.exe
PID 1712 wrote to memory of 844	1712	cmd.exe	WMIC.exe
PID 736 wrote to memory of 1768	736	locker.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\locker.exe
"C:\Users\Admin\AppData\Local\Temp\locker.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{309BDB4B-09FA-4B2E-A35D-461EB97EED0F}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{309BDB4B-09FA-4B2E-A35D-461EB97EED0F}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{29A0A02F-1E9E-4A50-93C4-1D938C11D8A3}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{29A0A02F-1E9E-4A50-93C4-1D938C11D8A3}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{63518277-314E-424C-927F-BE5311012F87}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{63518277-314E-424C-927F-BE5311012F87}'" delete
3⤵
PID:1204

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BE926DAD-1617-4795-B527-6BF393D8C84F}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BE926DAD-1617-4795-B527-6BF393D8C84F}'" delete
3⤵
PID:1528

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CA815155-F367-44DF-81BC-9261FA314804}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CA815155-F367-44DF-81BC-9261FA314804}'" delete
3⤵
PID:1808

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{40CED04A-6E3E-4F2B-A898-3A91BC30C720}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{40CED04A-6E3E-4F2B-A898-3A91BC30C720}'" delete
3⤵
PID:1056

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{84A94E09-FA64-4706-922F-1A42644841C7}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{84A94E09-FA64-4706-922F-1A42644841C7}'" delete
3⤵
PID:1996

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5310782C-4B83-44EF-A20A-4EF0D7F0F1CB}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5310782C-4B83-44EF-A20A-4EF0D7F0F1CB}'" delete
3⤵
PID:1776

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C1F9BEBD-4E70-454E-8D24-DD4AE488E0DD}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C1F9BEBD-4E70-454E-8D24-DD4AE488E0DD}'" delete
3⤵
PID:844

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5511917A-F208-4E79-AEC9-AE6599F02876}'" delete
2⤵
PID:1768

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5511917A-F208-4E79-AEC9-AE6599F02876}'" delete
3⤵
PID:1352

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4B689505-5AE8-4A90-B1F2-497F7F0C4150}'" delete
2⤵
PID:1204

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4B689505-5AE8-4A90-B1F2-497F7F0C4150}'" delete
3⤵
PID:1844

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B3B653C1-A05E-459A-BD91-502AA66C0CEE}'" delete
2⤵
PID:1328

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B3B653C1-A05E-459A-BD91-502AA66C0CEE}'" delete
3⤵
PID:808

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A1E48722-B271-4CCD-AEF4-7F12F6FADC6A}'" delete
2⤵
PID:1260

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A1E48722-B271-4CCD-AEF4-7F12F6FADC6A}'" delete
3⤵
PID:1684

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F9276E2F-ACFF-4708-BCB1-F0A9011CD438}'" delete
2⤵
PID:1380

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F9276E2F-ACFF-4708-BCB1-F0A9011CD438}'" delete
3⤵
PID:1172

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A3C8AB8E-8532-4D1E-9214-4210D792EC6A}'" delete
2⤵
PID:1992

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A3C8AB8E-8532-4D1E-9214-4210D792EC6A}'" delete
3⤵
PID:972

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0E76C29A-2DC1-410F-80E4-1E8FD3F45D65}'" delete
2⤵
PID:1760

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0E76C29A-2DC1-410F-80E4-1E8FD3F45D65}'" delete
3⤵
PID:1456

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5B20EEB1-2BE5-498F-A1E2-70CDF5EC36A8}'" delete
2⤵
PID:968

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5B20EEB1-2BE5-498F-A1E2-70CDF5EC36A8}'" delete
3⤵
PID:1712

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{473003D3-A154-4F7C-9D8C-00BACFEAC351}'" delete
2⤵
PID:1444

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{473003D3-A154-4F7C-9D8C-00BACFEAC351}'" delete
3⤵
PID:1660

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/592-67-0x0000000000000000-mapping.dmp

Download
memory/736-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/808-78-0x0000000000000000-mapping.dmp

Download
memory/844-72-0x0000000000000000-mapping.dmp

Download
memory/968-87-0x0000000000000000-mapping.dmp

Download
memory/972-84-0x0000000000000000-mapping.dmp

Download
memory/996-65-0x0000000000000000-mapping.dmp

Download
memory/1056-66-0x0000000000000000-mapping.dmp

Download
memory/1172-82-0x0000000000000000-mapping.dmp

Download
memory/1204-60-0x0000000000000000-mapping.dmp

Download
memory/1204-75-0x0000000000000000-mapping.dmp

Download
memory/1260-79-0x0000000000000000-mapping.dmp

Download
memory/1328-77-0x0000000000000000-mapping.dmp

Download
memory/1332-59-0x0000000000000000-mapping.dmp

Download
memory/1352-74-0x0000000000000000-mapping.dmp

Download
memory/1380-81-0x0000000000000000-mapping.dmp

Download
memory/1444-89-0x0000000000000000-mapping.dmp

Download
memory/1456-69-0x0000000000000000-mapping.dmp

Download
memory/1456-86-0x0000000000000000-mapping.dmp

Download
memory/1528-62-0x0000000000000000-mapping.dmp

Download
memory/1656-55-0x0000000000000000-mapping.dmp

Download
memory/1660-90-0x0000000000000000-mapping.dmp

Download
memory/1684-80-0x0000000000000000-mapping.dmp

Download
memory/1704-57-0x0000000000000000-mapping.dmp

Download
memory/1712-71-0x0000000000000000-mapping.dmp

Download
memory/1712-88-0x0000000000000000-mapping.dmp

Download
memory/1712-56-0x0000000000000000-mapping.dmp

Download
memory/1760-85-0x0000000000000000-mapping.dmp

Download
memory/1768-58-0x0000000000000000-mapping.dmp

Download
memory/1768-73-0x0000000000000000-mapping.dmp

Download
memory/1776-70-0x0000000000000000-mapping.dmp

Download
memory/1808-64-0x0000000000000000-mapping.dmp

Download
memory/1828-63-0x0000000000000000-mapping.dmp

Download
memory/1844-76-0x0000000000000000-mapping.dmp

Download
memory/1940-61-0x0000000000000000-mapping.dmp

Download
memory/1992-83-0x0000000000000000-mapping.dmp

Download
memory/1996-68-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads