avoslocker | 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81

General

Target

794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
Size

807KB
MD5

540a177a21044860e104dc2b0512a524
SHA1

20014c52c83ed4cb87a2166ee77937684f1fbeb9
SHA256

794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81
SHA512

234d9b2c9a4b204e4962a9ba02824dfb312347a10bf642642e804b43db91786b0509022c33a671b0dc68cc89ca38841ffd33d38cefa928b8f10af298cc0beac8
SSDEEP

12288:0Z4s3rg9u/2/oT+NXtHLlP/O+OeO+OeNhBBhhBBAtHg9rjI+LXJ0ivlzkHBDsYAZ:u4s+oT+NXBLi0rjFXvyHBlbtCZa8

Score

10^/10

avoslocker evasion ransomware

Malware Config

Signatures

Avoslocker Ransomware
Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.
ransomware avoslocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2092 bcdedit.exe
2572 bcdedit.exe

pid	process
2092	bcdedit.exe
2572	bcdedit.exe

Modifies extensions of user files 17 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ResolveEnable.tiff	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Users\Admin\Pictures\ReadConvertFrom.tiff	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File renamed	C:\Users\Admin\Pictures\DebugLock.tif => C:\Users\Admin\Pictures\DebugLock.tif.avos2	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File renamed	C:\Users\Admin\Pictures\RemoveEnable.tiff => C:\Users\Admin\Pictures\RemoveEnable.tiff.avos2	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File renamed	C:\Users\Admin\Pictures\RequestFind.png => C:\Users\Admin\Pictures\RequestFind.png.avos2	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File renamed	C:\Users\Admin\Pictures\ResetTrace.crw => C:\Users\Admin\Pictures\ResetTrace.crw.avos2	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File renamed	C:\Users\Admin\Pictures\ReadConvertFrom.tiff => C:\Users\Admin\Pictures\ReadConvertFrom.tiff.avos2	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File renamed	C:\Users\Admin\Pictures\ConvertToClose.png => C:\Users\Admin\Pictures\ConvertToClose.png.avos2	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File renamed	C:\Users\Admin\Pictures\InvokeWrite.crw => C:\Users\Admin\Pictures\InvokeWrite.crw.avos2	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File renamed	C:\Users\Admin\Pictures\WaitInitialize.png => C:\Users\Admin\Pictures\WaitInitialize.png.avos2	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Users\Admin\Pictures\RemoveEnable.tiff	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File renamed	C:\Users\Admin\Pictures\InstallRegister.tif => C:\Users\Admin\Pictures\InstallRegister.tif.avos2	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File renamed	C:\Users\Admin\Pictures\RevokeCompress.crw => C:\Users\Admin\Pictures\RevokeCompress.crw.avos2	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File renamed	C:\Users\Admin\Pictures\ResolveEnable.tiff => C:\Users\Admin\Pictures\ResolveEnable.tiff.avos2	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File renamed	C:\Users\Admin\Pictures\LimitRename.tif => C:\Users\Admin\Pictures\LimitRename.tif.avos2	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File renamed	C:\Users\Admin\Pictures\GrantWait.crw => C:\Users\Admin\Pictures\GrantWait.crw.avos2	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File renamed	C:\Users\Admin\Pictures\SearchConvert.crw => C:\Users\Admin\Pictures\SearchConvert.crw.avos2	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe

description ioc process

File opened (read-only) \??\Z: 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe

description	ioc	process
File opened (read-only)	\??\Z:	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1040352102.png"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185774.WMF	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Niue	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\javafx-mx.jar	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Johannesburg	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\GET_YOUR_FILES_BACK.txt	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15058_.GIF	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\networkinspection.dll.mui	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\msinfo32.exe.mui	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\gadget.xml	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_ja_4.4.0.v20140623020002.jar	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop_PAL.wmv	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0301050.WMF	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309904.WMF	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen.css	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105282.WMF	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145879.JPG	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00809_.WMF	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03014_.GIF	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\logo.png	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewAttachmentIcons.jpg	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\manifest.json	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\RSSFeeds.js	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\GET_YOUR_FILES_BACK.txt	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-spi-quicksearch_zh_CN.jar	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\settings.css	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18244_.WMF	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\GET_YOUR_FILES_BACK.txt	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\currency.data	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\tab_on.gif	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101857.BMP	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15173_.GIF	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File created	C:\Program Files (x86)\Internet Explorer\GET_YOUR_FILES_BACK.txt	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\GET_YOUR_FILES_BACK.txt	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\LoginForm.zip	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\AddToViewArrow.jpg	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN002.XML	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199283.WMF	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_rest.png	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-middle.png	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.nl_ja_4.4.0.v20140623020002.jar	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Araguaina	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonUp_On.png	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\GET_YOUR_FILES_BACK.txt	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\GET_YOUR_FILES_BACK.txt	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR27F.GIF	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE05870_.WMF	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00352_.WMF	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msado26.tlb	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\PREVIEW.GIF	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\12.png	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\slideShow.html	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core_zh_CN.jar	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.inject_1.0.0.v20091030.jar	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chicago	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\GET_YOUR_FILES_BACK.txt	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\org-netbeans-core_visualvm.jar	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePageStyle.css	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1056 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exepowershell.exepowershell.exe

pid process

1972 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
2564 powershell.exe
2540 powershell.exe

pid	process
1056	vssadmin.exe

pid	process
1972	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
2564	powershell.exe
2540	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exeWMIC.exevssvc.exepowershell.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1972	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
Token: SeIncreaseQuotaPrivilege	2348	WMIC.exe
Token: SeSecurityPrivilege	2348	WMIC.exe
Token: SeTakeOwnershipPrivilege	2348	WMIC.exe
Token: SeLoadDriverPrivilege	2348	WMIC.exe
Token: SeSystemProfilePrivilege	2348	WMIC.exe
Token: SeSystemtimePrivilege	2348	WMIC.exe
Token: SeProfSingleProcessPrivilege	2348	WMIC.exe
Token: SeIncBasePriorityPrivilege	2348	WMIC.exe
Token: SeCreatePagefilePrivilege	2348	WMIC.exe
Token: SeBackupPrivilege	2348	WMIC.exe
Token: SeRestorePrivilege	2348	WMIC.exe
Token: SeShutdownPrivilege	2348	WMIC.exe
Token: SeDebugPrivilege	2348	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2348	WMIC.exe
Token: SeRemoteShutdownPrivilege	2348	WMIC.exe
Token: SeUndockPrivilege	2348	WMIC.exe
Token: SeManageVolumePrivilege	2348	WMIC.exe
Token: 33	2348	WMIC.exe
Token: 34	2348	WMIC.exe
Token: 35	2348	WMIC.exe
Token: SeBackupPrivilege	2736	vssvc.exe
Token: SeRestorePrivilege	2736	vssvc.exe
Token: SeAuditPrivilege	2736	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2348	WMIC.exe
Token: SeSecurityPrivilege	2348	WMIC.exe
Token: SeTakeOwnershipPrivilege	2348	WMIC.exe
Token: SeLoadDriverPrivilege	2348	WMIC.exe
Token: SeSystemProfilePrivilege	2348	WMIC.exe
Token: SeSystemtimePrivilege	2348	WMIC.exe
Token: SeProfSingleProcessPrivilege	2348	WMIC.exe
Token: SeIncBasePriorityPrivilege	2348	WMIC.exe
Token: SeCreatePagefilePrivilege	2348	WMIC.exe
Token: SeBackupPrivilege	2348	WMIC.exe
Token: SeRestorePrivilege	2348	WMIC.exe
Token: SeShutdownPrivilege	2348	WMIC.exe
Token: SeDebugPrivilege	2348	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2348	WMIC.exe
Token: SeRemoteShutdownPrivilege	2348	WMIC.exe
Token: SeUndockPrivilege	2348	WMIC.exe
Token: SeManageVolumePrivilege	2348	WMIC.exe
Token: 33	2348	WMIC.exe
Token: 34	2348	WMIC.exe
Token: 35	2348	WMIC.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeBackupPrivilege	2564	powershell.exe
Token: SeSecurityPrivilege	2564	powershell.exe
Token: SeBackupPrivilege	2564	powershell.exe
Token: SeBackupPrivilege	2564	powershell.exe
Token: SeSecurityPrivilege	2564	powershell.exe
Token: SeBackupPrivilege	2564	powershell.exe
Token: SeBackupPrivilege	2564	powershell.exe
Token: SeSecurityPrivilege	2564	powershell.exe
Token: SeBackupPrivilege	2564	powershell.exe
Token: SeBackupPrivilege	2564	powershell.exe
Token: SeSecurityPrivilege	2564	powershell.exe
Token: SeBackupPrivilege	2564	powershell.exe
Token: SeBackupPrivilege	2564	powershell.exe
Token: SeSecurityPrivilege	2564	powershell.exe
Token: SeBackupPrivilege	2564	powershell.exe
Token: SeBackupPrivilege	2564	powershell.exe
Token: SeSecurityPrivilege	2564	powershell.exe
Token: SeBackupPrivilege	2564	powershell.exe
Token: SeSecurityPrivilege	2564	powershell.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.execmd.execmd.execmd.execmd.execmd.exepowershell.exe

description	pid	process	target process
PID 1972 wrote to memory of 1976	1972	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe	cmd.exe
PID 1972 wrote to memory of 1976	1972	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe	cmd.exe
PID 1972 wrote to memory of 1976	1972	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe	cmd.exe
PID 1972 wrote to memory of 1976	1972	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe	cmd.exe
PID 1972 wrote to memory of 1936	1972	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe	cmd.exe
PID 1972 wrote to memory of 1936	1972	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe	cmd.exe
PID 1972 wrote to memory of 1936	1972	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe	cmd.exe
PID 1972 wrote to memory of 1936	1972	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe	cmd.exe
PID 1972 wrote to memory of 1944	1972	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe	cmd.exe
PID 1972 wrote to memory of 1944	1972	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe	cmd.exe
PID 1972 wrote to memory of 1944	1972	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe	cmd.exe
PID 1972 wrote to memory of 1944	1972	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe	cmd.exe
PID 1972 wrote to memory of 1608	1972	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe	cmd.exe
PID 1972 wrote to memory of 1608	1972	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe	cmd.exe
PID 1972 wrote to memory of 1608	1972	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe	cmd.exe
PID 1972 wrote to memory of 1608	1972	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe	cmd.exe
PID 1972 wrote to memory of 1800	1972	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe	cmd.exe
PID 1972 wrote to memory of 1800	1972	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe	cmd.exe
PID 1972 wrote to memory of 1800	1972	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe	cmd.exe
PID 1972 wrote to memory of 1800	1972	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe	cmd.exe
PID 1936 wrote to memory of 1056	1936	cmd.exe	vssadmin.exe
PID 1936 wrote to memory of 1056	1936	cmd.exe	vssadmin.exe
PID 1936 wrote to memory of 1056	1936	cmd.exe	vssadmin.exe
PID 1608 wrote to memory of 2092	1608	cmd.exe	bcdedit.exe
PID 1608 wrote to memory of 2092	1608	cmd.exe	bcdedit.exe
PID 1608 wrote to memory of 2092	1608	cmd.exe	bcdedit.exe
PID 1976 wrote to memory of 2348	1976	cmd.exe	WMIC.exe
PID 1976 wrote to memory of 2348	1976	cmd.exe	WMIC.exe
PID 1976 wrote to memory of 2348	1976	cmd.exe	WMIC.exe
PID 1800 wrote to memory of 2564	1800	cmd.exe	powershell.exe
PID 1800 wrote to memory of 2564	1800	cmd.exe	powershell.exe
PID 1800 wrote to memory of 2564	1800	cmd.exe	powershell.exe
PID 1944 wrote to memory of 2572	1944	cmd.exe	bcdedit.exe
PID 1944 wrote to memory of 2572	1944	cmd.exe	bcdedit.exe
PID 1944 wrote to memory of 2572	1944	cmd.exe	bcdedit.exe
PID 1972 wrote to memory of 2540	1972	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe	powershell.exe
PID 1972 wrote to memory of 2540	1972	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe	powershell.exe
PID 1972 wrote to memory of 2540	1972	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe	powershell.exe
PID 1972 wrote to memory of 2540	1972	794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe	powershell.exe
PID 2540 wrote to memory of 3524	2540	powershell.exe	reg.exe
PID 2540 wrote to memory of 3524	2540	powershell.exe	reg.exe
PID 2540 wrote to memory of 3524	2540	powershell.exe	reg.exe
PID 2540 wrote to memory of 3336	2540	powershell.exe	rundll32.exe
PID 2540 wrote to memory of 3336	2540	powershell.exe	rundll32.exe
PID 2540 wrote to memory of 3336	2540	powershell.exe	rundll32.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
"C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\system32\cmd.exe
  cmd /c wmic shadowcopy delete /nointeractive
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2348
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1056
- C:\Windows\system32\cmd.exe
  cmd /c bcdedit /set {default} recoveryenabled No
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2572
- C:\Windows\system32\cmd.exe
  cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2092
- C:\Windows\system32\cmd.exe
  cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1040352102.png /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:3524
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
    3⤵
    PID:3336

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Inhibit System Recovery

3

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GET_YOUR_FILES_BACK.txt

Filesize
1011B

MD5
9bcb42cd18f95356b2d1a1a4de0b5aad

SHA1
b03da5cab852e8fafc12a52e424ec4b10431270d

SHA256
6e66527651da97c609c697e763e165eaf0fa1da104c26d311ec48fec9950ae24

SHA512
85961b90024f25a20943f9ce3b3c0959ced373d7b548cfc533bb51164aa615125528352438ab43e4b285ab570268bb4ed46f861db89d29d830230b9f63b0f496

Download Submit
C:\Users\Admin\AppData\Local\Temp\1040352102.png

Filesize
32KB

MD5
fb93594c806f5b3b4cc627d1cbcc9327

SHA1
d4c29ca6106bad5409748e7f949ccff1b7d150cc

SHA256
fbc6e6163add1cc990cc92afea4883465ab09b9eef49390eab674aab6c296fbb

SHA512
73c0a84dad9854315d58fdc6a088c5fbf978dab3a2e193833afc72ddc83b1bf3d4a339310b51b96eb23934eb27e3379f3989f9502fcc882d2a298cf69282fc55

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
696f3c89816fa4e7f6b0d9b32f3fb40d

SHA1
ac72491c5b793ca8cfd6c6b522303371613181cd

SHA256
272601253ff2746a6c6b7e47dac459ab133cab33acff8a9db063c3279bf28e4b

SHA512
4a662690fc7ebad5a3a321d913726edb5014d533ab36ae0bb295b9e3980eb985b82394afb40d486c87d373dc0da5999d914bce67a8fe473e4fce80e3379c6a74

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K7CB0I1V55192Q6T34NP.temp

Filesize
7KB

MD5
696f3c89816fa4e7f6b0d9b32f3fb40d

SHA1
ac72491c5b793ca8cfd6c6b522303371613181cd

SHA256
272601253ff2746a6c6b7e47dac459ab133cab33acff8a9db063c3279bf28e4b

SHA512
4a662690fc7ebad5a3a321d913726edb5014d533ab36ae0bb295b9e3980eb985b82394afb40d486c87d373dc0da5999d914bce67a8fe473e4fce80e3379c6a74

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Device\HarddiskVolume1\GET_YOUR_FILES_BACK.txt

Filesize
1011B

MD5
9bcb42cd18f95356b2d1a1a4de0b5aad

SHA1
b03da5cab852e8fafc12a52e424ec4b10431270d

SHA256
6e66527651da97c609c697e763e165eaf0fa1da104c26d311ec48fec9950ae24

SHA512
85961b90024f25a20943f9ce3b3c0959ced373d7b548cfc533bb51164aa615125528352438ab43e4b285ab570268bb4ed46f861db89d29d830230b9f63b0f496

Download Submit
memory/2540-24606-0x0000000002370000-0x0000000002378000-memory.dmp

Filesize
32KB

Download
memory/2540-24605-0x000000001B270000-0x000000001B552000-memory.dmp

Filesize
2.9MB

Download
memory/2540-24604-0x00000000025C0000-0x0000000002640000-memory.dmp

Filesize
512KB

Download
memory/2540-24608-0x00000000025C0000-0x0000000002640000-memory.dmp

Filesize
512KB

Download
memory/2540-24609-0x00000000025C0000-0x0000000002640000-memory.dmp

Filesize
512KB

Download
memory/2564-2464-0x0000000002400000-0x0000000002480000-memory.dmp

Filesize
512KB

Download
memory/2564-2461-0x0000000002400000-0x0000000002480000-memory.dmp

Filesize
512KB

Download
memory/2564-1990-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download
memory/2564-1977-0x000000001B190000-0x000000001B472000-memory.dmp

Filesize
2.9MB

Download
memory/2564-1829-0x0000000002400000-0x0000000002480000-memory.dmp

Filesize
512KB

Download
memory/2564-1798-0x0000000002400000-0x0000000002480000-memory.dmp

Filesize
512KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads