Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 18-10-2024 02:56
Static task: static1

Behavioral task: behavioral1
Sample: e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
Resource: win10v2004-20241007-en
General
Target: e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
Size: 499KB
MD5: d7d28006e0679b1f2ea0a87ba94f4af0
SHA1: 675f7b9185ccc3241650ff2fd96f5e1a0bbf63ee
SHA256: e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3
SHA512: b3f9257825850e4f2920d05f45eece26323d81d06a761fa2e5b2d154535d45f996a316e238f2d29fb82081a133dfd5ad304835317e65fa72f9fc2e1acbfce03a
SSDEEP: 12288:dSGy1fPQ+biwPPMgasqdprlTT6zncVUJ7vn:kGy1fP9PPIrTT6DN
Malware Config
Extracted: C:\Users\Admin\AppData\Local\Temp\info.hta
http-equiv="x-ua-compatible"
Signatures

Processes:
Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection [e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe]
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" [e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe]
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" [e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe]
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" [e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe]
Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Disables Task Manager via registry modification
Modifies Windows Firewall (2 TTPs, 2 IoCs)
Processes:
pid 1312 netsh.exe
pid 2176 netsh.exe
Drops startup file (3 IoCs)
Processes:
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wvtymcow.bat [e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe]
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe [e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe]
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe [e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe]
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
Set value (str): \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\ProgramData\\winlogon.exe" [e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe]
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\Windows\\winlogon.exe" [e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe]
Drops desktop.ini file(s) (38 IoCs)
Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
File opened (read-only): \??\F: [e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe]
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes:
Set value (str): \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqwcfnl1.Loki" [e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe]
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (2 IoCs)
Processes:
File created: C:\Windows\winlogon.exe [e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe]
File opened for modification: C:\Windows\winlogon.exe [e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe]
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL (1 TTP, 6 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
Key opened: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh [netsh.exe]
Key queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh [netsh.exe]
Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh [netsh.exe]
Key opened: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh [netsh.exe]
Key queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh [netsh.exe]
Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh [netsh.exe]
System Location Discovery: System Language Discovery (1 TTP, 22 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Interacts with shadow copies (3 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid 2440 vssadmin.exe
Modifies Control Panel (2 IoCs)
Processes:
Set value (int): \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\WallpaperStyle = "2" [e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe]
Set value (str): \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\TileWallpaper = "0" [e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe]
Processes:
Key created: \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main [mshta.exe]
Key created: \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main [mshta.exe]
Key created: \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main [mshta.exe]
Key created: \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main [mshta.exe]
Key created: \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main [mshta.exe]
Modifies registry class (7 IoCs)
Processes:
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open\command\ = "C:\\ProgramData\\z1fvzqe1.exe \"%l\" " [e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe]
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.Loki [e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe]
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.Loki\ = "Loki" [e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe]
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open\command [e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe]
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Loki [e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe]
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell [e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe]
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open [e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe]
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (45 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe, cmd.exe, csc.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
description pid process target process
PID 2276 wrote to memory of 604 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2276 wrote to memory of 604 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2276 wrote to memory of 604 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2276 wrote to memory of 604 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 604 wrote to memory of 1316 604 cmd.exe schtasks.exe
PID 604 wrote to memory of 1316 604 cmd.exe schtasks.exe
PID 604 wrote to memory of 1316 604 cmd.exe schtasks.exe
PID 604 wrote to memory of 1316 604 cmd.exe schtasks.exe
PID 2276 wrote to memory of 1132 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe csc.exe
PID 2276 wrote to memory of 1132 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe csc.exe
PID 2276 wrote to memory of 1132 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe csc.exe
PID 2276 wrote to memory of 1132 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe csc.exe
PID 1132 wrote to memory of 2952 1132 csc.exe cvtres.exe
PID 1132 wrote to memory of 2952 1132 csc.exe cvtres.exe
PID 1132 wrote to memory of 2952 1132 csc.exe cvtres.exe
PID 1132 wrote to memory of 2952 1132 csc.exe cvtres.exe
PID 2276 wrote to memory of 2132 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2276 wrote to memory of 2132 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2276 wrote to memory of 2132 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2276 wrote to memory of 2132 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2276 wrote to memory of 2052 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2276 wrote to memory of 2052 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2276 wrote to memory of 2052 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2276 wrote to memory of 2052 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2276 wrote to memory of 2744 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2276 wrote to memory of 2744 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2276 wrote to memory of 2744 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2276 wrote to memory of 2744 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2276 wrote to memory of 2552 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2276 wrote to memory of 2552 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2276 wrote to memory of 2552 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2276 wrote to memory of 2552 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2132 wrote to memory of 2440 2132 cmd.exe vssadmin.exe
PID 2132 wrote to memory of 2440 2132 cmd.exe vssadmin.exe
PID 2132 wrote to memory of 2440 2132 cmd.exe vssadmin.exe
PID 2132 wrote to memory of 2440 2132 cmd.exe vssadmin.exe
PID 2276 wrote to memory of 2200 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2276 wrote to memory of 2200 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2276 wrote to memory of 2200 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2276 wrote to memory of 2200 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2276 wrote to memory of 1592 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2276 wrote to memory of 1592 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2276 wrote to memory of 1592 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2276 wrote to memory of 1592 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2276 wrote to memory of 2288 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2276 wrote to memory of 2288 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2276 wrote to memory of 2288 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2276 wrote to memory of 2288 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2276 wrote to memory of 2060 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2276 wrote to memory of 2060 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2276 wrote to memory of 2060 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2276 wrote to memory of 2060 2276 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2744 wrote to memory of 940 2744 cmd.exe WMIC.exe
PID 2744 wrote to memory of 940 2744 cmd.exe WMIC.exe
PID 2744 wrote to memory of 940 2744 cmd.exe WMIC.exe
PID 2744 wrote to memory of 940 2744 cmd.exe WMIC.exe
PID 2288 wrote to memory of 1312 2288 cmd.exe netsh.exe
PID 2288 wrote to memory of 1312 2288 cmd.exe netsh.exe
PID 2288 wrote to memory of 1312 2288 cmd.exe netsh.exe
PID 2288 wrote to memory of 1312 2288 cmd.exe netsh.exe
PID 2060 wrote to memory of 2176 2060 cmd.exe netsh.exe
PID 2060 wrote to memory of 2176 2060 cmd.exe netsh.exe
PID 2060 wrote to memory of 2176 2060 cmd.exe netsh.exe
PID 2060 wrote to memory of 2176 2060 cmd.exe netsh.exe
-
System policy modification 1 TTPs 2 IoCs
Processes: e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Encrypted by Loki locker" e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your files have been encrypted due to a security problem with your computer\r\nIf you want to restore them, write us to the e-mail: [email protected]\r\nWrite this ID in the title of your message: DEC82EC4\r\nIn case of no answer in 24 hours write us to this e-mail: [email protected]" e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe  "C:\Users\Admin\AppData\Local\Temp\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe"  (level 1)
- Modifies Windows Defender Real-time Protection settings
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2276 -
C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /C schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F  (level 2)
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:604 -
C:\Windows\SysWOW64\schtasks.exe  schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F  (level 3)
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1316 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bkklml2u\bkklml2u.cmdline"  (level 2)
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB01D.tmp" "c:\ProgramData\CSCA8564EA948F8445EAA807B5911DE5E8E.TMP"  (level 3)
- System Location Discovery: System Language Discovery
PID:2952 -
C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet  (level 2)
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\vssadmin.exe  vssadmin delete shadows /all /quiet  (level 3)
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2440 -
C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /C wbadmin DELETE SYSTEMSTATEBACKUP  (level 2)
- System Location Discovery: System Language Discovery
PID:2052 -
C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete  (level 2)
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Wbem\WMIC.exe  wmic shadowcopy delete  (level 3)
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:940 -
C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet  (level 2)
- System Location Discovery: System Language Discovery
PID:2552 -
C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures  (level 2)
- System Location Discovery: System Language Discovery
PID:2200 -
C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled no  (level 2)
- System Location Discovery: System Language Discovery
PID:1592 -
C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off  (level 2)
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\netsh.exe  netsh advfirewall set currentprofile state off  (level 3)
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1312 -
C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /C netsh firewall set opmode mode=disable  (level 2)
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\netsh.exe  netsh firewall set opmode mode=disable  (level 3)
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2176 -
C:\Windows\SysWOW64\mshta.exe  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta"  (level 2)
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:2808 -
C:\Windows\SysWOW64\mshta.exe  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta"  (level 2)
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:2020 -
C:\Windows\SysWOW64\mshta.exe  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta"  (level 2)
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:1592 -
C:\Windows\SysWOW64\mshta.exe  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta"  (level 2)
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:672 -
C:\Windows\SysWOW64\mshta.exe  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta"  (level 2)
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:548
-
C:\Windows\system32\vssvc.exe  C:\Windows\system32\vssvc.exe  (level 1)
- Suspicious use of AdjustPrivilegeToken
PID:1664
Network
MITRE ATT&CK Enterprise v15
Execution
  Scheduled Task/Job 1
    Scheduled Task 1
  Windows Management Instrumentation 1
Persistence
  Boot or Logon Autostart Execution 1
    Registry Run Keys / Startup Folder 1
  Create or Modify System Process 2
    Windows Service 2
  Event Triggered Execution 1
    Netsh Helper DLL 1
  Scheduled Task/Job 1
    Scheduled Task 1
Privilege Escalation
  Boot or Logon Autostart Execution 1
    Registry Run Keys / Startup Folder 1
  Create or Modify System Process 2
    Windows Service 2
  Event Triggered Execution 1
    Netsh Helper DLL 1
  Scheduled Task/Job 1
    Scheduled Task 1
Defense Evasion
  Direct Volume Access 1
  Impair Defenses 2
    Disable or Modify System Firewall 1
    Disable or Modify Tools 1
  Indicator Removal 2
    File Deletion 2
  Modify Registry 5
Downloads