adb6f8d52932e656f3b129d4f31104426b39c1c6521e23a59108ee3f7990ba91

Analysis

max time kernel
143s
max time network
114s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
Size

660KB
MD5

affd7cfdd9720f8a044d5e9410923a78
SHA1

80ac3f86c3a31c4516f9077f8c5e990de2068032
SHA256

478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064
SHA512

5468ae683c5d5cf41ae8b961d40a02e827a226a2aa5845c74d20ef0f556145d737d3d8932b0dbae4ff69736c388a931f72a5f33a2775b1a9ac8717ce160b43de
SSDEEP

12288:1kr/10xl0PFS4jwbIsO/arlTT6zncVUJ7vndkrh:+r/10xl04EOIH/cTT6DNGrh

Score

10^/10

evasion ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\info.hta

Ransom Note

All your files have been encrypted by Loki locker! All your files have been encrypted due to a security problem with your PC. If you want to restore them, please send an email [email protected] You have to pay for decryption in Bitcoin. The price depends on how fast you contact us. After payment we will send you the decryption tool. You have to 48 hours(2 Days) To contact or paying us After that, you have to Pay Double . In case of no answer in 24 hours (1 Day) write to this email [email protected] Your unique ID is : 1C64CDBA You only have LIMITED time to get back your files! If timer runs out and you dont pay us , all of files will be DELETED and you hard disk will be seriously DAMAGED. You will lose some of your data on day 2 in the timer. You can buy more time for pay. Just email us. THIS IS NOT A JOKE! you can wait for the timer to run out ,and watch deletion of your files :) What is our decryption guarantee? Before paying you can send us up to for free decryption. The total size of files must be less than 2Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) Attention! DO NOT pay any money before decrypting the test files. DO NOT trust any intermediary. they wont help you and you may be victim of scam. just email us , we help you in any steps. DO NOT reply to other emails. ONLY this two emails can help you. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1512	netsh.exe
744	netsh.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wvtymcow.bat	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe

Drops desktop.ini file(s) 38 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files\desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Users\Public\desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
256	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ezaph3uk.Loki"	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\MTEXTRA.TTF	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\Restore-My-Files.txt	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_COL.HXT	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\Restore-My-Files.txt	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Boa_Vista	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\SETUP.XML	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\CAPSULES.INF	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00126_.GIF	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107138.WMF	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_04.MID	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02756U.BMP	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern.png	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\CIEXYZ.pf	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18241_.WMF	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OLKIRM.XML	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\BlackTieMergeLetter.dotx	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\18.png	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Belize	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-imageMask.png	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler_1.2.0.v20140422-1847.jar	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm.xml	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\Restore-My-Files.txt	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212685.WMF	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV_K_COL.HXK	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\SNEEZE.WAV	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_glass.png	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Paramaribo	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Karachi	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sendopts.xml	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-applemenu.jar	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\vlc.mo	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198113.WMF	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadomd28.tlb	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\service.js	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\Restore-My-Files.txt	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\reflow.api	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309902.WMF	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR22F.GIF	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VC\Restore-My-Files.txt	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\THMBNAIL.PNG	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0324704.WMF	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSORES.DLL	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\Proofing.XML	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\AFTRNOON.INF	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0291794.WMF	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18231_.WMF	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ADVCMP.DIC	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Dublin	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\Restore-My-Files.txt	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME32.CSS	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\Microsoft.Office.InfoPath.xml	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\COUPON.POC	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\clock.css	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\Restore-My-Files.txt	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ust-Nera	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File created	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\Restore-My-Files.txt	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\wmpnscfg.exe.mui	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\gadget.xml	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\winlogon.exe	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
File opened for modification	C:\Windows\winlogon.exe	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1732	schtasks.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
596	vssadmin.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\WallpaperStyle = "2"	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\TileWallpaper = "0"	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open\command\ = "C:\\ProgramData\\atvswilc.exe \"%l\" "	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Loki	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Loki\ = "Loki"	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open\command	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Loki	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
2000	powershell.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
Token: SeIncreaseQuotaPrivilege	2000	WMIC.exe
Token: SeSecurityPrivilege	2000	WMIC.exe
Token: SeTakeOwnershipPrivilege	2000	WMIC.exe
Token: SeLoadDriverPrivilege	2000	WMIC.exe
Token: SeSystemProfilePrivilege	2000	WMIC.exe
Token: SeSystemtimePrivilege	2000	WMIC.exe
Token: SeProfSingleProcessPrivilege	2000	WMIC.exe
Token: SeIncBasePriorityPrivilege	2000	WMIC.exe
Token: SeCreatePagefilePrivilege	2000	WMIC.exe
Token: SeBackupPrivilege	2000	WMIC.exe
Token: SeRestorePrivilege	2000	WMIC.exe
Token: SeShutdownPrivilege	2000	WMIC.exe
Token: SeDebugPrivilege	2000	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2000	WMIC.exe
Token: SeRemoteShutdownPrivilege	2000	WMIC.exe
Token: SeUndockPrivilege	2000	WMIC.exe
Token: SeManageVolumePrivilege	2000	WMIC.exe
Token: 33	2000	WMIC.exe
Token: 34	2000	WMIC.exe
Token: 35	2000	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2000	WMIC.exe
Token: SeSecurityPrivilege	2000	WMIC.exe
Token: SeTakeOwnershipPrivilege	2000	WMIC.exe
Token: SeLoadDriverPrivilege	2000	WMIC.exe
Token: SeSystemProfilePrivilege	2000	WMIC.exe
Token: SeSystemtimePrivilege	2000	WMIC.exe
Token: SeProfSingleProcessPrivilege	2000	WMIC.exe
Token: SeIncBasePriorityPrivilege	2000	WMIC.exe
Token: SeCreatePagefilePrivilege	2000	WMIC.exe
Token: SeBackupPrivilege	2000	WMIC.exe
Token: SeRestorePrivilege	2000	WMIC.exe
Token: SeShutdownPrivilege	2000	WMIC.exe
Token: SeDebugPrivilege	2000	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2000	WMIC.exe
Token: SeRemoteShutdownPrivilege	2000	WMIC.exe
Token: SeUndockPrivilege	2000	WMIC.exe
Token: SeManageVolumePrivilege	2000	WMIC.exe
Token: 33	2000	WMIC.exe
Token: 34	2000	WMIC.exe
Token: 35	2000	WMIC.exe
Token: SeBackupPrivilege	432	vssvc.exe
Token: SeRestorePrivilege	432	vssvc.exe
Token: SeAuditPrivilege	432	vssvc.exe
Token: SeDebugPrivilege	2000	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 1680	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	27
PID 1696 wrote to memory of 1680	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	27
PID 1696 wrote to memory of 1680	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	27
PID 1696 wrote to memory of 1680	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	27
PID 1680 wrote to memory of 1732	1680	cmd.exe	29
PID 1680 wrote to memory of 1732	1680	cmd.exe	29
PID 1680 wrote to memory of 1732	1680	cmd.exe	29
PID 1680 wrote to memory of 1732	1680	cmd.exe	29
PID 1696 wrote to memory of 1352	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	30
PID 1696 wrote to memory of 1352	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	30
PID 1696 wrote to memory of 1352	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	30
PID 1696 wrote to memory of 1352	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	30
PID 1352 wrote to memory of 568	1352	csc.exe	32
PID 1352 wrote to memory of 568	1352	csc.exe	32
PID 1352 wrote to memory of 568	1352	csc.exe	32
PID 1352 wrote to memory of 568	1352	csc.exe	32
PID 1696 wrote to memory of 1752	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	33
PID 1696 wrote to memory of 1752	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	33
PID 1696 wrote to memory of 1752	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	33
PID 1696 wrote to memory of 1752	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	33
PID 1696 wrote to memory of 1448	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	35
PID 1696 wrote to memory of 1448	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	35
PID 1696 wrote to memory of 1448	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	35
PID 1696 wrote to memory of 1448	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	35
PID 1696 wrote to memory of 2044	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	37
PID 1696 wrote to memory of 2044	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	37
PID 1696 wrote to memory of 2044	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	37
PID 1696 wrote to memory of 2044	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	37
PID 1696 wrote to memory of 1144	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	43
PID 1696 wrote to memory of 1144	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	43
PID 1696 wrote to memory of 1144	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	43
PID 1696 wrote to memory of 1144	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	43
PID 1696 wrote to memory of 1476	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	41
PID 1696 wrote to memory of 1476	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	41
PID 1696 wrote to memory of 1476	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	41
PID 1696 wrote to memory of 1476	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	41
PID 1752 wrote to memory of 596	1752	cmd.exe	38
PID 1752 wrote to memory of 596	1752	cmd.exe	38
PID 1752 wrote to memory of 596	1752	cmd.exe	38
PID 1752 wrote to memory of 596	1752	cmd.exe	38
PID 1696 wrote to memory of 1536	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	50
PID 1696 wrote to memory of 1536	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	50
PID 1696 wrote to memory of 1536	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	50
PID 1696 wrote to memory of 1536	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	50
PID 1696 wrote to memory of 1996	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	49
PID 1696 wrote to memory of 1996	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	49
PID 1696 wrote to memory of 1996	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	49
PID 1696 wrote to memory of 1996	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	49
PID 2044 wrote to memory of 2000	2044	cmd.exe	48
PID 2044 wrote to memory of 2000	2044	cmd.exe	48
PID 2044 wrote to memory of 2000	2044	cmd.exe	48
PID 2044 wrote to memory of 2000	2044	cmd.exe	48
PID 1696 wrote to memory of 1924	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	47
PID 1696 wrote to memory of 1924	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	47
PID 1696 wrote to memory of 1924	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	47
PID 1696 wrote to memory of 1924	1696	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe	47
PID 1996 wrote to memory of 1512	1996	cmd.exe	51
PID 1996 wrote to memory of 1512	1996	cmd.exe	51
PID 1996 wrote to memory of 1512	1996	cmd.exe	51
PID 1996 wrote to memory of 1512	1996	cmd.exe	51
PID 1924 wrote to memory of 744	1924	cmd.exe	52
PID 1924 wrote to memory of 744	1924	cmd.exe	52
PID 1924 wrote to memory of 744	1924	cmd.exe	52
PID 1924 wrote to memory of 744	1924	cmd.exe	52

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Encrypted by Loki locker"	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your files have been encrypted due to a security problem with your computer\r\nIf you want to restore them, write us to the e-mail: [email protected]\r\nWrite this ID in the title of your message: 1C64CDBA\r\nIn case of no answer in 24 hours write us to this e-mail: [email protected]"	478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe

C:\Users\Admin\AppData\Local\Temp\478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
"C:\Users\Admin\AppData\Local\Temp\478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Drops startup file
- Drops desktop.ini file(s)
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1696
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
    3⤵
    - Creates scheduled task(s)
    PID:1732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\izh41bvl\izh41bvl.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1FA2.tmp" "c:\ProgramData\CSCCC1C899C40E24C1DA44BF9DF4F7E3E1F.TMP"
    3⤵
    PID:568
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:596
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  PID:1448
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2000
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1476
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
  2⤵
  PID:1144
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C netsh firewall set opmode mode=disable
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    PID:744
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:1512
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
  2⤵
  PID:1536
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Get-ADComputer -filter * -Searchbase '%s' | foreach{ Invoke-GPUpdate -computer $_.name -force -RandomDelayInMinutes 0}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta"
  2⤵
  - Modifies Internet Explorer settings
  PID:2944
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta"
  2⤵
  - Modifies Internet Explorer settings
  PID:2960
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta"
  2⤵
  - Modifies Internet Explorer settings
  PID:2976
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta"
  2⤵
  - Modifies Internet Explorer settings
  PID:2992
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta"
  2⤵
  - Modifies Internet Explorer settings
  PID:3008
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C defrag /C /H
  2⤵
  PID:3020

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\atvswilc.exe

Filesize
28KB

MD5
e744671af571c55ea42ce9b6cf7adfca

SHA1
6fb7293b09d34d2c4df9cdba2b42611ed3fa7bc0

SHA256
6669ab0d4ad7648a50ed3c95e6f9a4f770f978c3d3003d0a436ca3126fd551c1

SHA512
9ecb0183c79f1d7dc112dc122c3afe38a323a4bec7a7374c3c7200573208e713dcbdc816bf9f49014b0c9fcf4a2dfe1c7b9596fb05db2c2a853e86e131cf03fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1FA2.tmp

Filesize
25KB

MD5
bb08722d65c7fa30404b68bfad981492

SHA1
bcc7fa089168f0dc16f0c7512fe0993ba8376ec4

SHA256
315755aa2ea016daf5605adf7608aa4db36223b5897cb48061764c5c06bf41f4

SHA512
def1cccc64c247dedb268b594baa2e6f79804195997d27135533cdfb05e9050b4c62aff8cc9caff33a7e25b0b222a99a5e3e034237b266aa3d907d6daeb89089

Download Submit
C:\Users\Admin\AppData\Local\Temp\info.hta

Filesize
6KB

MD5
45363e9bfe49f94b46fe12910038abee

SHA1
609118687551a3ab085283d4ed3fcce78d387bb1

SHA256
53f1746f45c873afa8635acc75be01fda8b293ec9adcb6117237cdd97e2ad97d

SHA512
a97ef0f22891e5da942678496df8fd061c4ee2399a1fe748d774bc5626e785438706dad8afcec24a1a7bccc67d3092ea10e76fbae5307b430cbaf288e79fe180

Download Submit
\??\c:\ProgramData\CSCCC1C899C40E24C1DA44BF9DF4F7E3E1F.TMP

Filesize
24KB

MD5
a163a95dceddfc429903a7d93d75f8a3

SHA1
2d3b5b400f3d0aafd46bcd5cc8ca87c11f50640e

SHA256
cef7fb3ba3768478c0cd355c81d5c203744681720408b54a1c8e86bbb5ca1d6d

SHA512
0f3902ad1a51adacd51b4b896d4abab871d32f80f63dc9236be7e25fb95414e7dfc5af69e84440349196ec986b115244c53e078ee01cdb76b2ff5089596b0645

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1gn3xddo.ico

Filesize
23KB

MD5
8c9a5448905c6ad6f5a15ad8f102fa56

SHA1
185575a9708fe9ff122423e459eeed7098ad11d4

SHA256
fc65491d373c30593f9ef53d83959625dc384bc42d551aa77a666d4e9b538104

SHA512
2032d1f19ac0734339626531cd77ce0509dbba93260c87505d20998ab66aa3dceee4c94e10d8620cdcc62eacf9e63bbe5357afa2a09abdaa51ca0fde8b9aed50

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\izh41bvl\izh41bvl.0.cs

Filesize
1KB

MD5
5b6f82c2d959a2537f9bd0f3ed20aa0c

SHA1
05ea352ae5ee942f3c7d031b019ed41eba392d6c

SHA256
754d3a014bc3368cbd9fd933d02ed5542771252cb9be35e5be4ed800c110decf

SHA512
45ce82ac3ffe9b01a92614bea8911767b356d3dfd8b21e85effedd94e26843539eba54c608c7a13f140ab03a7e8352c4f8fe97ded022e9e0817894fc15245e7e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\izh41bvl\izh41bvl.cmdline

Filesize
236B

MD5
298bbea758e6e5a9813b0a944339ff1b

SHA1
7de28052ef83269837628f06e84f885389a0c460

SHA256
097dfa66c86230ebfe978dd595bcdd33b6797afd45ffa2ad7e05a5105db2e996

SHA512
ac558226e5416648a967d24c7f16c1a6f484bbefd6556e6f096073eea30414eb16ac92cfd8ae460561af83cd0282b9c0cc3ddc13e7122d4ea600be7dff2fad30

Download Submit
memory/1696-55-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1696-66-0x0000000000B90000-0x0000000000BAA000-memory.dmp

Filesize
104KB

Download
memory/1696-54-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/2000-83-0x000000006E190000-0x000000006E73B000-memory.dmp

Filesize
5.7MB

Download
memory/2000-84-0x000000006E190000-0x000000006E73B000-memory.dmp

Filesize
5.7MB

Download