Analysis
- max time kernel: 203s
- max time network: 210s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-12-2023 22:52
Behavioral task behavioral1
- Sample: 1f0a89360bb9471af8b2b1136eafd65f.exe
- Resource: win7-20231129-en
Behavioral task behavioral2
- Sample: 1f0a89360bb9471af8b2b1136eafd65f.exe
- Resource: win10v2004-20231215-en
General
- Target: 1f0a89360bb9471af8b2b1136eafd65f.exe
- Size: 250KB
- MD5: 1f0a89360bb9471af8b2b1136eafd65f
- SHA1: a7bd3592ff31c5c659cda9810936ddce842d6590
- SHA256: 2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a
- SHA512: c696ee6a3a65cf01f120724c8536d14bbdc5283e6a62e1a26454629ea30c4015d62c1ba6139ca158f9952d6028ea7d9a1f76a4d2adad4e3a377d06607f5ad031
- SSDEEP: 6144:bAr3VCaIjpP65V3Q400RwDym6flM5OPh2r:bAr3VCMP00RwDymd5Uh2r
Malware Config
- Extracted from: F:\$RECYCLE.BIN\LOCKFILE-README-VFMDDVWB-1704392489.hta
Signatures
- Detect LockFile payload (2 IoCs)
  Processes (resource, yara_rule):
  - behavioral2/memory/4916-1-0x00007FF65A5B0000-0x00007FF65A689000-memory.dmp: family_lockfile
  - behavioral2/memory/4916-92-0x00007FF65A5B0000-0x00007FF65A689000-memory.dmp: family_lockfile
- LockFile
  LockFile is a new ransomware that emerged in July 2021 with ProxyShell vulnerabilities.
- Renames multiple (341) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Processes (resource, yara_rule):
  - behavioral2/memory/4916-0-0x00007FF65A5B0000-0x00007FF65A689000-memory.dmp: upx
  - behavioral2/memory/4916-1-0x00007FF65A5B0000-0x00007FF65A689000-memory.dmp: upx
  - behavioral2/memory/4916-92-0x00007FF65A5B0000-0x00007FF65A689000-memory.dmp: upx
- Drops file in Program Files directory (64 IoCs)
  Processes: 1f0a89360bb9471af8b2b1136eafd65f.exe (file created / file opened for modification under C:\Program Files)
- Kills process with WMI (9 IoCs)
  Processes (pid, process): 1700 WMIC.exe, 2240 WMIC.exe, 2100 WMIC.exe, 1404 WMIC.exe, 2008 WMIC.exe, 3644 WMIC.exe, 2760 WMIC.exe, 2128 WMIC.exe, 4520 WMIC.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: WMIC.exe (PID 2128), WMIC.exe (PID 2100)
- Suspicious use of WriteProcessMemory (36 IoCs)
  Processes: 1f0a89360bb9471af8b2b1136eafd65f.exe (PID 4916) and nine cmd.exe children, each writing to the memory of the process it spawned
Processes
- C:\Users\Admin\AppData\Local\Temp\1f0a89360bb9471af8b2b1136eafd65f.exe (PID 4916)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1f0a89360bb9471af8b2b1136eafd65f.exe"
  Signatures: Drops file in Program Files directory; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 1912)
    Command line: C:\Windows\system32\cmd.exe /c wmic process where "name like '%vmwp%'" call terminate
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 2128)
      Command line: wmic process where "name like '%vmwp%'" call terminate
      Signatures: Kills process with WMI; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 456)
    Command line: C:\Windows\system32\cmd.exe /c wmic process where "name like '%virtualbox%'" call terminate
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 2100)
      Command line: wmic process where "name like '%virtualbox%'" call terminate
      Signatures: Kills process with WMI; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 4804)
    Command line: C:\Windows\system32\cmd.exe /c wmic process where "name like '%vbox%'" call terminate
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 1404)
      Command line: wmic process where "name like '%vbox%'" call terminate
      Signatures: Kills process with WMI
  - C:\Windows\system32\cmd.exe (PID 916)
    Command line: C:\Windows\system32\cmd.exe /c wmic process where "name like '%sqlservr%'" call terminate
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 4520)
      Command line: wmic process where "name like '%sqlservr%'" call terminate
      Signatures: Kills process with WMI
  - C:\Windows\system32\cmd.exe (PID 460)
    Command line: C:\Windows\system32\cmd.exe /c wmic process where "name like '%mysqld%'" call terminate
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 2008)
      Command line: wmic process where "name like '%mysqld%'" call terminate
      Signatures: Kills process with WMI
  - C:\Windows\system32\cmd.exe (PID 4784)
    Command line: C:\Windows\system32\cmd.exe /c wmic process where "name like '%omtsreco%'" call terminate
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 1700)
      Command line: wmic process where "name like '%omtsreco%'" call terminate
      Signatures: Kills process with WMI
  - C:\Windows\system32\cmd.exe (PID 4248)
    Command line: C:\Windows\system32\cmd.exe /c wmic process where "name like '%oracle%'" call terminate
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 3644)
      Command line: wmic process where "name like '%oracle%'" call terminate
      Signatures: Kills process with WMI
  - C:\Windows\system32\cmd.exe (PID 1920)
    Command line: C:\Windows\system32\cmd.exe /c wmic process where "name like '%tnslsnr%'" call terminate
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 2760)
      Command line: wmic process where "name like '%tnslsnr%'" call terminate
      Signatures: Kills process with WMI
  - C:\Windows\system32\cmd.exe (PID 1696)
    Command line: C:\Windows\system32\cmd.exe /c wmic process where "name like '%vmware%'" call terminate
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 2240)
      Command line: wmic process where "name like '%vmware%'" call terminate
      Signatures: Kills process with WMI
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 26KB
- MD5: 3b1730f640cbf0fab78a94a24a9b0b3e
- SHA1: 4e591f36969be38a3412ec0fc69ab67eedd3221d
- SHA256: 132f76829c41a22bf940bc9632b725219203e7835ccbdea401f00d4aad2d1a5a
- SHA512: 7a701c7c18bb08ae0e075145cffb2fee7f550ed64408067d9fee2e4364b13ee396c8231597b6381621a11d61c4872325e270ee6bf474b12625fd58061cc8694b