Analysis
-
max time kernel
112s -
max time network
117s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
18-04-2023 05:23
Static task
static1
Behavioral task
behavioral1
Sample
794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
Resource
win10v2004-20230220-en
General
-
Target
794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
-
Size
807KB
-
MD5
540a177a21044860e104dc2b0512a524
-
SHA1
20014c52c83ed4cb87a2166ee77937684f1fbeb9
-
SHA256
794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81
-
SHA512
234d9b2c9a4b204e4962a9ba02824dfb312347a10bf642642e804b43db91786b0509022c33a671b0dc68cc89ca38841ffd33d38cefa928b8f10af298cc0beac8
-
SSDEEP
12288:0Z4s3rg9u/2/oT+NXtHLlP/O+OeO+OeNhBBhhBBAtHg9rjI+LXJ0ivlzkHBDsYAZ:u4s+oT+NXBLi0rjFXvyHBlbtCZa8
Malware Config
Signatures
-
Avoslocker Ransomware
Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 2088 bcdedit.exe 4412 bcdedit.exe -
Modifies extensions of user files 6 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\UnpublishUnregister.crw => C:\Users\Admin\Pictures\UnpublishUnregister.crw.avos2 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Users\Admin\Pictures\CloseUnregister.tiff 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File renamed C:\Users\Admin\Pictures\ResizeDeny.tif => C:\Users\Admin\Pictures\ResizeDeny.tif.avos2 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File renamed C:\Users\Admin\Pictures\CloseUnregister.tiff => C:\Users\Admin\Pictures\CloseUnregister.tiff.avos2 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File renamed C:\Users\Admin\Pictures\ConfirmInvoke.tif => C:\Users\Admin\Pictures\ConfirmInvoke.tif.avos2 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File renamed C:\Users\Admin\Pictures\SetUse.raw => C:\Users\Admin\Pictures\SetUse.raw.avos2 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Z: 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2125497753.png" reg.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_hover_18.svg 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File created C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\GET_YOUR_FILES_BACK.txt 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_zh_CN.jar 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_zh_CN.jar 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\jmxremote.access 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\msipc.dll.mui 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-pl.xrm-ms 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.servlet.jsp_2.2.0.v201112011158.jar 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\GET_YOUR_FILES_BACK.txt 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nb-no\GET_YOUR_FILES_BACK.txt 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prcr.x3d 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\Snooze.scale-80.png 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\plugins.dat 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\intf\modules\host.luac 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-phn.xrm-ms 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_zh_CN.properties 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File created C:\Program Files (x86)\Windows Photo Viewer\fr-FR\GET_YOUR_FILES_BACK.txt 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\css\GET_YOUR_FILES_BACK.txt 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fr-fr\GET_YOUR_FILES_BACK.txt 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeLargeTile.scale-150.png 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File created C:\Program Files\VideoLAN\VLC\lua\modules\GET_YOUR_FILES_BACK.txt 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-180.png 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.ds_1.4.200.v20131126-2331.jar 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\GET_YOUR_FILES_BACK.txt 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\da-dk\ui-strings.js 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ms_get.svg 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptySearch-Dark.scale-125.png 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyView.scale-150.png 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\x_2x.png 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-core-io-ui.xml_hidden 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-openide-execution.xml_hidden 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\es-es\ui-strings.js 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\MarkAsReadToastQuickAction.scale-80.png 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2Fluent.png 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-CN\GET_YOUR_FILES_BACK.txt 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\init.js 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files\Windows Media Player\fr-FR\wmlaunch.exe.mui 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql120.xsl 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui_5.5.0.165303.jar 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\GET_YOUR_FILES_BACK.txt 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ppd.xrm-ms 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.core_5.5.0.165303.jar 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File created C:\Program Files\Internet Explorer\es-ES\GET_YOUR_FILES_BACK.txt 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-si\GET_YOUR_FILES_BACK.txt 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailLargeTile.scale-200.png 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File created C:\Program Files\VideoLAN\VLC\locale\gl\GET_YOUR_FILES_BACK.txt 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.PowerPivot.ExcelAddIn.tlb 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\GET_YOUR_FILES_BACK.txt 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File created C:\Program Files\Microsoft Office\GET_YOUR_FILES_BACK.txt 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL108.XML 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32ww.msi.16.x-none.xml 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-oql_ja.jar 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_lg.gif 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSmallTile.scale-150.png 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\jamendo.luac 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ppd.xrm-ms 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench_1.1.0.v20140512-1820.jar 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\PipelineSegments.store 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\Info.png 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\svgCheckboxUnselected.svg 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptySearch-Dark.scale-100.png 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File created C:\Program Files\Common Files\microsoft shared\VC\GET_YOUR_FILES_BACK.txt 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-tw\GET_YOUR_FILES_BACK.txt 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 4180 vssadmin.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 9124 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 2132 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe 2132 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe 2232 powershell.exe 2232 powershell.exe 2232 powershell.exe 19172 powershell.exe 19172 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 2132 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe Token: SeIncreaseQuotaPrivilege 4508 WMIC.exe Token: SeSecurityPrivilege 4508 WMIC.exe Token: SeTakeOwnershipPrivilege 4508 WMIC.exe Token: SeLoadDriverPrivilege 4508 WMIC.exe Token: SeSystemProfilePrivilege 4508 WMIC.exe Token: SeSystemtimePrivilege 4508 WMIC.exe Token: SeProfSingleProcessPrivilege 4508 WMIC.exe Token: SeIncBasePriorityPrivilege 4508 WMIC.exe Token: SeCreatePagefilePrivilege 4508 WMIC.exe Token: SeBackupPrivilege 4508 WMIC.exe Token: SeRestorePrivilege 4508 WMIC.exe Token: SeShutdownPrivilege 4508 WMIC.exe Token: SeDebugPrivilege 4508 WMIC.exe Token: SeSystemEnvironmentPrivilege 4508 WMIC.exe Token: SeRemoteShutdownPrivilege 4508 WMIC.exe Token: SeUndockPrivilege 4508 WMIC.exe Token: SeManageVolumePrivilege 4508 WMIC.exe Token: 33 4508 WMIC.exe Token: 34 4508 WMIC.exe Token: 35 4508 WMIC.exe Token: 36 4508 WMIC.exe Token: SeIncreaseQuotaPrivilege 4508 WMIC.exe Token: SeSecurityPrivilege 4508 WMIC.exe Token: SeTakeOwnershipPrivilege 4508 WMIC.exe Token: SeLoadDriverPrivilege 4508 WMIC.exe Token: SeSystemProfilePrivilege 4508 WMIC.exe Token: SeSystemtimePrivilege 4508 WMIC.exe Token: SeProfSingleProcessPrivilege 4508 WMIC.exe Token: SeIncBasePriorityPrivilege 4508 WMIC.exe Token: SeCreatePagefilePrivilege 4508 WMIC.exe Token: SeBackupPrivilege 4508 WMIC.exe Token: SeRestorePrivilege 4508 WMIC.exe Token: SeShutdownPrivilege 4508 WMIC.exe Token: SeDebugPrivilege 4508 WMIC.exe Token: SeSystemEnvironmentPrivilege 4508 WMIC.exe Token: SeRemoteShutdownPrivilege 4508 WMIC.exe Token: SeUndockPrivilege 4508 WMIC.exe Token: SeManageVolumePrivilege 4508 WMIC.exe Token: 33 4508 WMIC.exe Token: 34 4508 WMIC.exe Token: 35 4508 WMIC.exe Token: 36 4508 WMIC.exe Token: SeDebugPrivilege 2232 powershell.exe Token: SeBackupPrivilege 5264 vssvc.exe Token: SeRestorePrivilege 5264 vssvc.exe Token: SeAuditPrivilege 5264 vssvc.exe Token: SeBackupPrivilege 2232 powershell.exe Token: SeBackupPrivilege 2232 powershell.exe Token: SeBackupPrivilege 2232 powershell.exe Token: SeBackupPrivilege 2232 powershell.exe Token: SeBackupPrivilege 2232 powershell.exe Token: SeBackupPrivilege 2232 powershell.exe Token: SeSecurityPrivilege 2232 powershell.exe Token: SeBackupPrivilege 2232 powershell.exe Token: SeBackupPrivilege 2232 powershell.exe Token: SeBackupPrivilege 2232 powershell.exe Token: SeBackupPrivilege 2232 powershell.exe Token: SeBackupPrivilege 2232 powershell.exe Token: SeSecurityPrivilege 2232 powershell.exe Token: SeBackupPrivilege 2232 powershell.exe Token: SeBackupPrivilege 2232 powershell.exe Token: SeSecurityPrivilege 2232 powershell.exe Token: SeBackupPrivilege 2232 powershell.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 2132 wrote to memory of 2708 2132 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe 84 PID 2132 wrote to memory of 2708 2132 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe 84 PID 2132 wrote to memory of 2716 2132 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe 85 PID 2132 wrote to memory of 2716 2132 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe 85 PID 2132 wrote to memory of 4020 2132 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe 86 PID 2132 wrote to memory of 4020 2132 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe 86 PID 2132 wrote to memory of 1964 2132 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe 87 PID 2132 wrote to memory of 1964 2132 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe 87 PID 2132 wrote to memory of 2356 2132 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe 88 PID 2132 wrote to memory of 2356 2132 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe 88 PID 2708 wrote to memory of 4508 2708 cmd.exe 89 PID 2708 wrote to memory of 4508 2708 cmd.exe 89 PID 2716 wrote to memory of 4180 2716 cmd.exe 90 PID 2716 wrote to memory of 4180 2716 cmd.exe 90 PID 2356 wrote to memory of 2232 2356 cmd.exe 92 PID 2356 wrote to memory of 2232 2356 cmd.exe 92 PID 4020 wrote to memory of 2088 4020 cmd.exe 91 PID 4020 wrote to memory of 2088 4020 cmd.exe 91 PID 1964 wrote to memory of 4412 1964 cmd.exe 93 PID 1964 wrote to memory of 4412 1964 cmd.exe 93 PID 2132 wrote to memory of 19172 2132 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe 99 PID 2132 wrote to memory of 19172 2132 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe 99 PID 19172 wrote to memory of 13076 19172 powershell.exe 100 PID 19172 wrote to memory of 13076 19172 powershell.exe 100 PID 19172 wrote to memory of 19328 19172 powershell.exe 101 PID 19172 wrote to memory of 19328 19172 powershell.exe 101 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe"C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe"1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SYSTEM32\cmd.execmd /c wmic shadowcopy delete /nointeractive2⤵
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4508
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin.exe Delete Shadows /All /Quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
PID:4180
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c bcdedit /set {default} recoveryenabled No2⤵
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
PID:2088
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:4412
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"2⤵
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2232
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:19172 -
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2125497753.png /f3⤵
- Sets desktop wallpaper using registry
PID:13076
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False3⤵PID:19328
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5264
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt1⤵
- Opens file in notepad (likely ransom note)
PID:9124
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:17860
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1011B
MD59bcb42cd18f95356b2d1a1a4de0b5aad
SHA1b03da5cab852e8fafc12a52e424ec4b10431270d
SHA2566e66527651da97c609c697e763e165eaf0fa1da104c26d311ec48fec9950ae24
SHA51285961b90024f25a20943f9ce3b3c0959ced373d7b548cfc533bb51164aa615125528352438ab43e4b285ab570268bb4ed46f861db89d29d830230b9f63b0f496
-
Filesize
1011B
MD59bcb42cd18f95356b2d1a1a4de0b5aad
SHA1b03da5cab852e8fafc12a52e424ec4b10431270d
SHA2566e66527651da97c609c697e763e165eaf0fa1da104c26d311ec48fec9950ae24
SHA51285961b90024f25a20943f9ce3b3c0959ced373d7b548cfc533bb51164aa615125528352438ab43e4b285ab570268bb4ed46f861db89d29d830230b9f63b0f496
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize
64B
MD57274a07d1b80de6f66290b47588cee3b
SHA1d926b384806c755fe6b9d03f68852765aabb5703
SHA2565eba7517357473e4d5d7ede75c3768069c578d2b0023473fd67f76b373430de8
SHA512b7813fea9091298d48c87b259b0d4473ddc4480667f82ed6b5f8bdfa600590dcbfb1d62cbaca649dcf321d85cb786bf62d48826ab04297a22b7c88439b94bcf3
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1011B
MD59bcb42cd18f95356b2d1a1a4de0b5aad
SHA1b03da5cab852e8fafc12a52e424ec4b10431270d
SHA2566e66527651da97c609c697e763e165eaf0fa1da104c26d311ec48fec9950ae24
SHA51285961b90024f25a20943f9ce3b3c0959ced373d7b548cfc533bb51164aa615125528352438ab43e4b285ab570268bb4ed46f861db89d29d830230b9f63b0f496