Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-10-2024 02:56
Static task: static1
Behavioral task: behavioral1
  Sample: e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
  Resource: win10v2004-20241007-en
General
Target: e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
Size: 499KB
MD5: d7d28006e0679b1f2ea0a87ba94f4af0
SHA1: 675f7b9185ccc3241650ff2fd96f5e1a0bbf63ee
SHA256: e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3
SHA512: b3f9257825850e4f2920d05f45eece26323d81d06a761fa2e5b2d154535d45f996a316e238f2d29fb82081a133dfd5ad304835317e65fa72f9fc2e1acbfce03a
SSDEEP: 12288:dSGy1fPQ+biwPPMgasqdprlTT6zncVUJ7vn:kGy1fP9PPIrTT6DN
Malware Config
Extracted: C:\Users\Admin\AppData\Local\Temp\info.hta
Signatures
-
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 2 IoCs
Processes:
pid | process
4472 | netsh.exe
5340 | netsh.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
-
Drops startup file 3 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe | e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe | e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wvtymcow.bat | e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\ProgramData\\winlogon.exe" | e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\Windows\\winlogon.exe" | e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
-
Drops desktop.ini file(s) 28 IoCs
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\F: | e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\v3xfkar2.Loki" | e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
-
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\winlogon.exe | e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
File opened for modification | C:\Windows\winlogon.exe | e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
-
Program crash 4 IoCs
Processes:
pid | pid_target | process | target process
5368 | 3396 | WerFault.exe | mshta.exe
6124 | 116 | WerFault.exe | mshta.exe
5456 | 5452 | WerFault.exe | mshta.exe
2260 | 1744 | WerFault.exe | mshta.exe
-
System Location Discovery: System Language Discovery 1 TTPs 21 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WMIC.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mshta.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mshta.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mshta.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mshta.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mshta.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
-
Modifies Control Panel 2 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\Desktop\WallpaperStyle = "2" | e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\Desktop\TileWallpaper = "0" | e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
-
Modifies registry class 8 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Loki\ = "Loki" | e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open\command | e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Loki | e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell | e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open | e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open\command\ = "C:\\ProgramData\\5ha2hibk.exe \"%l\" " | e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Loki | e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
2128 | e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
-
Suspicious use of AdjustPrivilegeToken 47 IoCs
Processes:
e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe WMIC.exe vssvc.exe
description pid process
Token: SeDebugPrivilege 2128 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
Token: SeIncreaseQuotaPrivilege 5696 WMIC.exe
Token: SeSecurityPrivilege 5696 WMIC.exe
Token: SeTakeOwnershipPrivilege 5696 WMIC.exe
Token: SeLoadDriverPrivilege 5696 WMIC.exe
Token: SeSystemProfilePrivilege 5696 WMIC.exe
Token: SeSystemtimePrivilege 5696 WMIC.exe
Token: SeProfSingleProcessPrivilege 5696 WMIC.exe
Token: SeIncBasePriorityPrivilege 5696 WMIC.exe
Token: SeCreatePagefilePrivilege 5696 WMIC.exe
Token: SeBackupPrivilege 5696 WMIC.exe
Token: SeRestorePrivilege 5696 WMIC.exe
Token: SeShutdownPrivilege 5696 WMIC.exe
Token: SeDebugPrivilege 5696 WMIC.exe
Token: SeSystemEnvironmentPrivilege 5696 WMIC.exe
Token: SeRemoteShutdownPrivilege 5696 WMIC.exe
Token: SeUndockPrivilege 5696 WMIC.exe
Token: SeManageVolumePrivilege 5696 WMIC.exe
Token: 33 5696 WMIC.exe
Token: 34 5696 WMIC.exe
Token: 35 5696 WMIC.exe
Token: 36 5696 WMIC.exe
(the 21 WMIC.exe rows above occur twice in the log, 42 events in total)
Token: SeBackupPrivilege 2336 vssvc.exe
Token: SeRestorePrivilege 2336 vssvc.exe
Token: SeAuditPrivilege 2336 vssvc.exe
Token: SeDebugPrivilege 2128 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe -
Suspicious use of WriteProcessMemory 60 IoCs
Processes:
e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe csc.exe cmd.exe cmd.exe cmd.exe
description pid process target process
(each row below was logged three times; 20 parent/child pairs, 60 events)
PID 2128 wrote to memory of 5476 2128 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 5476 wrote to memory of 376 5476 cmd.exe schtasks.exe
PID 2128 wrote to memory of 5032 2128 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe csc.exe
PID 5032 wrote to memory of 5648 5032 csc.exe cvtres.exe
PID 2128 wrote to memory of 6016 2128 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2128 wrote to memory of 6008 2128 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2128 wrote to memory of 6076 2128 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2128 wrote to memory of 6120 2128 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2128 wrote to memory of 6124 2128 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2128 wrote to memory of 4936 2128 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2128 wrote to memory of 5828 2128 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 2128 wrote to memory of 5824 2128 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe cmd.exe
PID 6076 wrote to memory of 5696 6076 cmd.exe WMIC.exe
PID 5828 wrote to memory of 4472 5828 cmd.exe netsh.exe
PID 5824 wrote to memory of 5340 5824 cmd.exe netsh.exe
PID 2128 wrote to memory of 5452 2128 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe mshta.exe
PID 2128 wrote to memory of 4784 2128 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe mshta.exe
PID 2128 wrote to memory of 1744 2128 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe mshta.exe
PID 2128 wrote to memory of 116 2128 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe mshta.exe
PID 2128 wrote to memory of 3396 2128 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe mshta.exe -
System policy modification 1 TTPs 2 IoCs
Processes:
e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Encrypted by Loki locker" e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your files have been encrypted due to a security problem with your computer\r\nIf you want to restore them, write us to the e-mail: [email protected]\r\nWrite this ID in the title of your message: 58344A94\r\nIn case of no answer in 24 hours write us to this e-mail: [email protected]" e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
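The two legalnotice values recorded above, together with the Windows Defender Real-Time Protection changes listed in the process signatures, are registry artifacts a responder can pull from a `reg export` of the affected hive on a suspect host. The following is an added example and not part of this report or of the sample: a small .reg parser that decodes REG_SZ and dword data and flags a logon banner under Policies\System plus any Real-Time Protection Disable* switch set to 1. The export text is constructed for the example (the Defender value names are documented policy settings; the function names are the editor's), and the key comparison drops the WOW6432Node component so the 32-bit view a 32-bit writer like this sample uses is checked alongside the native one.

```python
"""Parse a Windows .reg export and flag the policy tampering recorded in the
report above: the logon banner under Policies\System and Windows Defender
Real-Time Protection Disable* switches. Added example with a constructed
export; it is not sandbox output."""
import re

# Constructed export in the format `reg export` writes. The legalnotice values
# mirror the report; the Defender values use documented policy value names.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"legalnoticecaption"="Encrypted by Loki locker"
"legalnoticetext"="All your files have been encrypted due to a security problem with your computer"
"EnableLUA"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableBehaviorMonitoring"=dword:00000001
"DisableOnAccessProtection"=dword:00000001
"DisableScanOnRealtimeEnable"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000000
'''

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
DWORD_RE = re.compile(r"^dword:([0-9a-fA-F]{8})$")

# Key suffixes compared after normalize_key(): lower case, no hive prefix.
DEFENDER_RTP = r"policies\microsoft\windows defender\real-time protection"
LOGON_BANNER = r"microsoft\windows\currentversion\policies\system"


def decode_data(data):
    """dword:XXXXXXXX -> int, "quoted" -> unescaped str, anything else as-is."""
    m = DWORD_RE.match(data)
    if m:
        return int(m.group(1), 16)
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return data


def parse_reg(text):
    """Return [(key, value name, decoded data)] from a .reg export. Lines that
    end in a backslash are hex() continuations and are joined first."""
    entries, key, pending = [], None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = KEY_RE.match(line)
        if m:
            key = None if m.group(1) else m.group(2)  # "[-key]" deletes a key
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, m.group(1), decode_data(m.group(2))))
    return entries


def normalize_key(key):
    """Lower-case, drop the HKLM prefix and the WOW6432Node component so the
    32-bit and 64-bit views of a policy key compare equal."""
    k = re.sub(r"^hkey_local_machine\\", "", key.lower())
    return k.replace(r"\wow6432node", "")


def find_tampering(entries):
    """Flag Defender Real-Time Protection Disable* = 1 and a non-empty logon
    banner; returns [(kind, value name, data)] in file order."""
    findings = []
    for key, name, data in entries:
        k, n = normalize_key(key), name.lower()
        if k.endswith(DEFENDER_RTP) and n.startswith("disable") and data == 1:
            findings.append(("defender_rtp_disabled", name, data))
        elif k.endswith(LOGON_BANNER) and n in ("legalnoticecaption", "legalnoticetext") and data:
            findings.append(("logon_banner_set", name, data))
    return findings
```

Run `find_tampering(parse_reg(open("policies.reg").read()))` against a real export; strings containing newlines (such as the multi-line legalnoticetext in the report) are written by regedit as `hex(1):` byte lists, which this parser joins but leaves undecoded, so match on the value name in that case.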
Processes
-
C:\Users\Admin\AppData\Local\Temp\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
"C:\Users\Admin\AppData\Local\Temp\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe"
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2128
  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5476
    C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:376
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y2ckrffq\y2ckrffq.cmdline"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5032
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES319A.tmp" "c:\ProgramData\CSC3EFA743BADC04205A98E14F5CAC9A499.TMP"
    - System Location Discovery: System Language Discovery
    PID:5648
  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet
  - System Location Discovery: System Language Discovery
  PID:6016
  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wbadmin DELETE SYSTEMSTATEBACKUP
  - System Location Discovery: System Language Discovery
  PID:6008
  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:6076
    C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5696
  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
  - System Location Discovery: System Language Discovery
  PID:6120
  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  - System Location Discovery: System Language Discovery
  PID:6124
  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
  - System Location Discovery: System Language Discovery
  PID:4936
  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5828
    C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4472
  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C netsh firewall set opmode mode=disable
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5824
    C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:5340
  C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  - System Location Discovery: System Language Discovery
  PID:5452
    C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5452 -s 1428
    - Program crash
    PID:5456
  C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  - System Location Discovery: System Language Discovery
  PID:4784
  C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  - System Location Discovery: System Language Discovery
  PID:1744
    C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 1436
    - Program crash
    PID:2260
  C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  - System Location Discovery: System Language Discovery
  PID:116
    C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 1336
    - Program crash
    PID:6124
  C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  - System Location Discovery: System Language Discovery
  PID:3396
    C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 1368
    - Program crash
    PID:5368
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:2336
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3396 -ip 3396
PID:6128
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4784 -ip 4784
PID:5400
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 116 -ip 116
PID:6120
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1744 -ip 1744
PID:5772
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5452 -ip 5452
PID:3624
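The cmd.exe children in the tree above are the standard ransomware pre-encryption set: shadow copies and the backup catalog are deleted, automatic repair is turned off through bcdedit, both firewall command sets are disabled, and an ONLOGON task named Loki is registered to run a copy from the user's AppData as SYSTEM. Detection keys on the command line rather than the image path, because the 32-bit sample's `System32\cmd.exe` is redirected to `SysWOW64` by WOW64 as the tree shows. The following is an added triage helper, not part of this report or of the sample: it strips the `cmd /C` wrapper, matches the inner command against the ATT&CK techniques the report maps, and parses the schtasks line to explain why that task is dangerous. The events are constructed from the tree above; the rule set, ATT&CK IDs and function names are the editor's own mapping.

```python
"""Classify child command lines from a Windows process tree against the
recovery-inhibition, firewall-tampering and persistence patterns in the tree
above. Added example: events are constructed from that tree, rules are the
editor's own mapping, nothing here is sandbox output."""
import re

# Constructed process-creation events: (pid, image path, command line). The
# image is under SysWOW64 while the command line names System32 because the
# 32-bit parent's path is redirected by WOW64; rules key on the command line.
CMD_IMG = r"C:\Windows\SysWOW64\cmd.exe"
CMD = r'"C:\Windows\System32\cmd.exe" /C '
SAMPLE_EVENTS = [
    (5476, CMD_IMG, CMD + r"schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F"),
    (6016, CMD_IMG, CMD + "vssadmin delete shadows /all /quiet"),
    (6008, CMD_IMG, CMD + "wbadmin DELETE SYSTEMSTATEBACKUP"),
    (6076, CMD_IMG, CMD + "wmic shadowcopy delete"),
    (6120, CMD_IMG, CMD + "wbadmin delete catalog -quiet"),
    (6124, CMD_IMG, CMD + "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    (4936, CMD_IMG, CMD + "bcdedit /set {default} recoveryenabled no"),
    (5828, CMD_IMG, CMD + "netsh advfirewall set currentprofile state off"),
    (5824, CMD_IMG, CMD + "netsh firewall set opmode mode=disable"),
    (5452, r"C:\Windows\SysWOW64\mshta.exe",
     r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'),
    # Negative case: the csc.exe compile step matches no rule.
    (5032, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y2ckrffq\y2ckrffq.cmdline"'),
]

# (ATT&CK id, name, pattern applied after the cmd /C wrapper is removed)
RULES = [
    ("T1490", "Inhibit System Recovery", re.compile(r"^vssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1490", "Inhibit System Recovery", re.compile(r"^wmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("T1490", "Inhibit System Recovery", re.compile(r"^wbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)\b", re.I)),
    ("T1490", "Inhibit System Recovery", re.compile(r"^bcdedit(?:\.exe)?\s+/set\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("T1562.004", "Disable or Modify System Firewall", re.compile(r"^netsh(?:\.exe)?\s+advfirewall\s+set\s+\w*profiles?\s+state\s+off\b", re.I)),
    ("T1562.004", "Disable or Modify System Firewall", re.compile(r"^netsh(?:\.exe)?\s+firewall\s+set\s+opmode\s+mode=disable\b", re.I)),
    ("T1053.005", "Scheduled Task", re.compile(r"^schtasks(?:\.exe)?\s+/create\b", re.I)),
    ("T1218.005", "Mshta", re.compile(r'mshta(?:\.exe)?"?\s+"?[^"]*\\(?:temp|appdata)\\[^"]*\.hta\b', re.I)),
]

CMD_WRAPPER = re.compile(r'^\s*(?:"[^"]*cmd\.exe"|\S*cmd(?:\.exe)?)\s+/[ck]\s+(.*)$', re.I)


def unwrap_cmd(cmdline):
    """Return what cmd.exe /C or /K would execute; other lines pass through."""
    m = CMD_WRAPPER.match(cmdline)
    return m.group(1).strip() if m else cmdline.strip()


def classify(cmdline):
    """Return (inner command, [(technique id, name), ...]) without duplicates."""
    inner = unwrap_cmd(cmdline)
    hits = []
    for tid, name, rx in RULES:
        if rx.search(inner) and (tid, name) not in hits:
            hits.append((tid, name))
    return inner, hits


def parse_schtasks(inner):
    """Map the /TN /TR /RU /RL /SC switches of a schtasks line to their values."""
    toks = re.findall(r'"[^"]*"|\S+', inner)  # keep quoted paths whole
    fields = {}
    for i in range(len(toks) - 1):
        key = toks[i].upper()
        if key in ("/TN", "/TR", "/RU", "/RL", "/SC"):
            fields[key[1:]] = toks[i + 1].strip('"')
    return fields


def task_risk(inner):
    """Explain why a schtasks /CREATE line is dangerous: who it runs as, at
    what run level, from where, and how often."""
    fields = parse_schtasks(inner)
    reasons = []
    if fields.get("RU", "").upper() in ("SYSTEM", "NT AUTHORITY\\SYSTEM"):
        reasons.append("runs as SYSTEM")
    if fields.get("RL", "").upper() == "HIGHEST":
        reasons.append("requests the highest run level")
    if re.search(r"\\users\\[^\\]+\\appdata\\", fields.get("TR", ""), re.I):
        reasons.append("action lives under a user-writable AppData path")
    if fields.get("SC", "").upper() == "ONLOGON":
        reasons.append("re-runs at every logon")
    return fields, reasons


def triage(events):
    """One finding per event that matched a rule; schtasks findings also carry
    the parsed task fields and the reasons from task_risk()."""
    findings = []
    for pid, image, cmdline in events:
        inner, hits = classify(cmdline)
        if not hits:
            continue
        finding = {"pid": pid, "image": image, "command": inner,
                   "techniques": sorted({tid for tid, _ in hits})}
        if "T1053.005" in finding["techniques"]:
            finding["task"], finding["reasons"] = task_risk(inner)
        findings.append(finding)
    return findings
```

Feed `triage()` with (pid, image, command line) tuples from your own process-creation telemetry; six of the constructed events land on T1490, which is the signal worth alerting on before the first file is encrypted. The mshta rule is deliberately narrow (an .hta under Temp or AppData), since the same binary runs legitimate HTAs from Program Files.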
Network
MITRE ATT&CK Enterprise v15
Execution
- Scheduled Task/Job (1): Scheduled Task (1)
- Windows Management Instrumentation (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)
- Event Triggered Execution (1): Netsh Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)
- Event Triggered Execution (1): Netsh Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
- Impair Defenses (2): Disable or Modify System Firewall (1), Disable or Modify Tools (1)
- Indicator Removal (1): File Deletion (1)
- Modify Registry (4)
Downloads
-
Filesize
32KB
MD5 134f012757195ef52eb253201be7ff38
SHA1 12fb8b3f0cd1638f9f06e67fcc062e76fd4286d9
SHA256 570e693a8625978a46c7970009f328b395782089c0401f49e1482da07303f76b
SHA512 edb002183f061cf4ddb5d4a696b74908fa66b7e56233901d1a1d10f57f427044f3e84a5950ee2dc0f16f4ce6fbc33720d55484df5e47a52ba88f280fc5db3257
-
Filesize
499KB
MD5 d7d28006e0679b1f2ea0a87ba94f4af0
SHA1 675f7b9185ccc3241650ff2fd96f5e1a0bbf63ee
SHA256 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3
SHA512 b3f9257825850e4f2920d05f45eece26323d81d06a761fa2e5b2d154535d45f996a316e238f2d29fb82081a133dfd5ad304835317e65fa72f9fc2e1acbfce03a
-
Filesize
29KB
MD5 52e12418bf2ae2d7d69d77c5953b9e78
SHA1 2b344064a73780c794f950e2bec48ad315edf896
SHA256 302d108b502dd6255061c0822bae01eb230f52c8274c30a8f71d033333525112
SHA512 6adb8ff2f81f25ccc12ce6c68310f4c66f26cdd3a729239448d353ded7a455561bec28e625f6d47006df5aaf9301f7179175b1561d8bbfc42a402488536de9a7
-
Filesize
3KB
MD5 80bb4c4a3a988d7eab8240e85e07401f
SHA1 9424a3587e8b77866fd5dc598715a8569a0aedac
SHA256 f0922c59720b8590b821573435e08523734c3c17258adc280ed7b33bbcb75c7b
SHA512 6aab15dc2f69cefb6c23b6e123cce02cb22ccac79e94729f2c828a4ace56cf9c94878869c95ad6ab80cf3dd31f834c53f2230118a27ab035ab917c832e655f71
-
Filesize
2KB
MD5 d4091fcabf754815f654ea52de30231b
SHA1 0e844be856f3a6b82dbe7e05d4c2dfb340631c4b
SHA256 cc14b935ce8724fe2f01933e8727e813bd54cf70f1f0c845b9ec413901c91dd9
SHA512 cd4f4983161818b6cfd30e5ce488bfdf86f6c411698c93bae35623362093767eca96b432a16fe2ad100978ee6bc86c6a564e8cbd3d331a5e425622ba4398ba04
-
Filesize
344B
MD5 4619f9eed707de724ceb97b506d7b6fe
SHA1 6868619ecca7303fcbc9a3d440dddb7f50775e0a
SHA256 00e261865614395f37891df8baaf63c09bf2c67b99bbb7951f633824c95b0e52
SHA512 5a63a7e0393127414806a83a695e1d63bf97c376e2c43e410b46e4acca5ee1ea0bbcd30ac45e2f517550c9c20ed43d11960b41beae90bb4b3665548af6728b50
-
Filesize
28KB
MD5 ef314b2832f08be28a768647b672f4ff
SHA1 a43b602f1453f25da6c5267e2becd098836a48ad
SHA256 a4803bed4ac93466c2f3fa08cd166869da1d2585bb3a927f2c7a43ac94675cae
SHA512 4781ab5643834af818785950ff876d44f3be03d08312a2792fdb939257c341925a7ce2024a45eb374b41798cd1fea318f93a6105f1672fcb9778163c221a6c75
-
Filesize
27KB
MD5 dbc49b5f7714255217080c2e81f05a99
SHA1 4de2ef415d66d2bb8b389ba140a468b125388e19
SHA256 6d2f1f6164cbd331b9dc43b37948372e21b2ee45407aa99e199693835cded09c
SHA512 29a65eb7403bfc220fd057c2e6ea11b29bff545dfce2d3370ad462c66b03ae7f648efd480305423a49440de199a2a94c41214877b226a42dc2d1650683d149bb
-
Filesize
1KB
MD5 c613631bdd33f586082cd9fa5c31a399
SHA1 f629d338ddcb32039b87831e640f07ca443a2d31
SHA256 8e19800612f096b7f53f5aa023babe7aeee3a8aaf6f7421063ed245ebea1a70a
SHA512 1ac9a6b54fe6360cab5514ea5f9084c78cf0235a31f26705e3829b95554651c2718ea2eaeacbc2f5a77671fa587955cb1ec6d4c5016096c1a72be29bacc13de8
-
Filesize
236B
MD5 84e055377be82abb58026b55e1f4bfb7
SHA1 bf54ea5e74d23763c019f956f4246768c5ca0184
SHA256 685e6f3f8d58bf68824739dedd8bc000688c25b6a96e9019be72f5867550e7b3
SHA512 0f557598ce20bd5982ba2ce3e366c992651a6bcc2da99dd84d49b293df1a9bbf273cd0e5fcf19868abe7c5166b237e29113a1ea27cb51c556a68b4ed5a202e97