avoslocker | 1198fb9117776809b11a19000161377384957bee846f7b25a610fc8ca082eb37

General

Target

5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
Size

807KB
MD5

1a23dd405a1bd4e488c5fb54f22e14ff
SHA1

73b1d319fb361e591c2e6a65caaea73186f51193
SHA256

5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa
SHA512

b9ff21124e04ec7c9e5159cc7cc8ce1110b35941c7a1235b4bd55911ad17c03ace3ce1173e784e6154b09a6eb21da880b7f54886bda589e6293e69d92337f80b
SSDEEP

12288:0Z4s3rg9u/2/oT+NXtHLlP/O+OeO+OeNhBBhhBBAtHg9rjI+LXJ0ivlzkHBDsYA:u4s+oT+NXBLi0rjFXvyHBlb4CZa8

Score

10^/10

avoslocker evasion ransomware

Malware Config

Signatures

Avoslocker Ransomware
Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.
ransomware avoslocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1500 bcdedit.exe
5024 bcdedit.exe

pid	process
1500	bcdedit.exe
5024	bcdedit.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\RestoreEdit.crw => C:\Users\Admin\Pictures\RestoreEdit.crw.avos2	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File renamed	C:\Users\Admin\Pictures\UnprotectSet.tif => C:\Users\Admin\Pictures\UnprotectSet.tif.avos2	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Users\Admin\Pictures\InvokeEnable.tiff	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File renamed	C:\Users\Admin\Pictures\InvokeEnable.tiff => C:\Users\Admin\Pictures\InvokeEnable.tiff.avos2	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

description ioc process

File opened (read-only) \??\Z: 5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

description	ioc	process
File opened (read-only)	\??\Z:	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

Drops file in Program Files directory 64 IoCs

Processes:

5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

description	ioc	process
File created	C:\Program Files\VideoLAN\VLC\locale\mai\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\vlc.mo	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.databinding_1.6.200.v20140528-1422.jar	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\ECLIPSE_.RSA	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\ui-strings.js	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\OutlookMailBadge.scale-200.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-96.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare.HxS	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ps\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\vlc.mo	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC.HXS	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\MANIFEST.MF	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\css\main-selector.css	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\flags.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\accessibility_poster.jpg	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fi-fi\ui-strings.js	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-Regular.otf	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\sv-se\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarBadge.scale-125.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\blafdoc.css	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_pt_BR.properties	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files\Internet Explorer\it-IT\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\iexplore.exe.mui	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filterselected-hover_32.svg	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailMediumTile.scale-100.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-pl.xrm-ms	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\security\blacklisted.certs	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fr-fr\PlayStore_icon.svg	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\js\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-oob.xrm-ms	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_zh_CN.jar	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sk-sk\ui-strings.js	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\sample-thumb.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\dailymotion.luac	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\vlc.mo	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.xml	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-pl.xrm-ms	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemui.msi.16.en-us.xml	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\en-US\sqloledb.rll.mui	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\share_icons.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nb-no\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ppd.xrm-ms	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\rhp_world_icon.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\MSADDNDR.OLB	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MTEXTRA.TTF	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-left.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\arrow-left.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-favorites_zh_CN.jar	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sk-sk\ui-strings.js	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\css\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sk-sk\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter-dark-disabled_32.svg	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ppd.xrm-ms	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic-Palatino Linotype.xml	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

524 vssadmin.exe

pid	process
524	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exepowershell.exe

pid	process
4012	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
4012	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
11016	powershell.exe
11016	powershell.exe
11016	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exeWMIC.exepowershell.exevssvc.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4012	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
Token: SeIncreaseQuotaPrivilege	11336	WMIC.exe
Token: SeSecurityPrivilege	11336	WMIC.exe
Token: SeTakeOwnershipPrivilege	11336	WMIC.exe
Token: SeLoadDriverPrivilege	11336	WMIC.exe
Token: SeSystemProfilePrivilege	11336	WMIC.exe
Token: SeSystemtimePrivilege	11336	WMIC.exe
Token: SeProfSingleProcessPrivilege	11336	WMIC.exe
Token: SeIncBasePriorityPrivilege	11336	WMIC.exe
Token: SeCreatePagefilePrivilege	11336	WMIC.exe
Token: SeBackupPrivilege	11336	WMIC.exe
Token: SeRestorePrivilege	11336	WMIC.exe
Token: SeShutdownPrivilege	11336	WMIC.exe
Token: SeDebugPrivilege	11336	WMIC.exe
Token: SeSystemEnvironmentPrivilege	11336	WMIC.exe
Token: SeRemoteShutdownPrivilege	11336	WMIC.exe
Token: SeUndockPrivilege	11336	WMIC.exe
Token: SeManageVolumePrivilege	11336	WMIC.exe
Token: 33	11336	WMIC.exe
Token: 34	11336	WMIC.exe
Token: 35	11336	WMIC.exe
Token: 36	11336	WMIC.exe
Token: SeDebugPrivilege	11016	powershell.exe
Token: SeIncreaseQuotaPrivilege	11336	WMIC.exe
Token: SeSecurityPrivilege	11336	WMIC.exe
Token: SeTakeOwnershipPrivilege	11336	WMIC.exe
Token: SeLoadDriverPrivilege	11336	WMIC.exe
Token: SeSystemProfilePrivilege	11336	WMIC.exe
Token: SeSystemtimePrivilege	11336	WMIC.exe
Token: SeProfSingleProcessPrivilege	11336	WMIC.exe
Token: SeIncBasePriorityPrivilege	11336	WMIC.exe
Token: SeCreatePagefilePrivilege	11336	WMIC.exe
Token: SeBackupPrivilege	11336	WMIC.exe
Token: SeRestorePrivilege	11336	WMIC.exe
Token: SeShutdownPrivilege	11336	WMIC.exe
Token: SeDebugPrivilege	11336	WMIC.exe
Token: SeSystemEnvironmentPrivilege	11336	WMIC.exe
Token: SeRemoteShutdownPrivilege	11336	WMIC.exe
Token: SeUndockPrivilege	11336	WMIC.exe
Token: SeManageVolumePrivilege	11336	WMIC.exe
Token: 33	11336	WMIC.exe
Token: 34	11336	WMIC.exe
Token: 35	11336	WMIC.exe
Token: 36	11336	WMIC.exe
Token: SeBackupPrivilege	11016	powershell.exe
Token: SeSecurityPrivilege	11016	powershell.exe
Token: SeBackupPrivilege	12804	vssvc.exe
Token: SeRestorePrivilege	12804	vssvc.exe
Token: SeAuditPrivilege	12804	vssvc.exe
Token: SeBackupPrivilege	11016	powershell.exe
Token: SeBackupPrivilege	11016	powershell.exe
Token: SeSecurityPrivilege	11016	powershell.exe
Token: SeBackupPrivilege	11016	powershell.exe
Token: SeBackupPrivilege	11016	powershell.exe
Token: SeSecurityPrivilege	11016	powershell.exe
Token: SeBackupPrivilege	11016	powershell.exe
Token: SeBackupPrivilege	11016	powershell.exe
Token: SeSecurityPrivilege	11016	powershell.exe
Token: SeBackupPrivilege	11016	powershell.exe
Token: SeBackupPrivilege	11016	powershell.exe
Token: SeSecurityPrivilege	11016	powershell.exe
Token: SeBackupPrivilege	11016	powershell.exe
Token: SeSecurityPrivilege	11016	powershell.exe
Token: SeBackupPrivilege	11016	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4012 wrote to memory of 4684	4012	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 4012 wrote to memory of 4684	4012	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 4012 wrote to memory of 4720	4012	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 4012 wrote to memory of 4720	4012	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 4012 wrote to memory of 4728	4012	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 4012 wrote to memory of 4728	4012	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 4012 wrote to memory of 2148	4012	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 4012 wrote to memory of 2148	4012	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 4012 wrote to memory of 2160	4012	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 4012 wrote to memory of 2160	4012	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 4728 wrote to memory of 1500	4728	cmd.exe	bcdedit.exe
PID 4728 wrote to memory of 1500	4728	cmd.exe	bcdedit.exe
PID 2148 wrote to memory of 5024	2148	cmd.exe	bcdedit.exe
PID 2148 wrote to memory of 5024	2148	cmd.exe	bcdedit.exe
PID 4720 wrote to memory of 524	4720	cmd.exe	vssadmin.exe
PID 4720 wrote to memory of 524	4720	cmd.exe	vssadmin.exe
PID 2160 wrote to memory of 11016	2160	cmd.exe	powershell.exe
PID 2160 wrote to memory of 11016	2160	cmd.exe	powershell.exe
PID 4684 wrote to memory of 11336	4684	cmd.exe	WMIC.exe
PID 4684 wrote to memory of 11336	4684	cmd.exe	WMIC.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
"C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4012
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c wmic shadowcopy delete /nointeractive
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:11336
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:11016
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:5024
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c bcdedit /set {default} recoveryenabled No
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1500
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4720
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
  2⤵
  PID:8256
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\49374.png /f
    3⤵
    PID:6968
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
    3⤵
    PID:7992

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:12804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

3

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GET_YOUR_FILES_BACK.txt

Filesize
1011B

MD5
064348106157ac3e6972ebe6852f665f

SHA1
4f95549af4873637f05f5f574b93605d30a28dbb

SHA256
876a6444eeb977c6d73be9474d3cc85307a0f68d4b342c2e59913172f80caa2a

SHA512
e121d453c52fa8aabc7a878649bc68dc25a2bd24861c3557c82d8182ea7ac2b9f9921b5caae950901d036dd77a437e65233cbe5add23dc8d2c7446431bb3ab33

Download Submit
C:\GET_YOUR_FILES_BACK.txt

Filesize
1011B

MD5
064348106157ac3e6972ebe6852f665f

SHA1
4f95549af4873637f05f5f574b93605d30a28dbb

SHA256
876a6444eeb977c6d73be9474d3cc85307a0f68d4b342c2e59913172f80caa2a

SHA512
e121d453c52fa8aabc7a878649bc68dc25a2bd24861c3557c82d8182ea7ac2b9f9921b5caae950901d036dd77a437e65233cbe5add23dc8d2c7446431bb3ab33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
5d574dc518025fad52b7886c1bff0e13

SHA1
68217a5f9e9a64ca8fed9eefa4171786a8f9f8f7

SHA256
755c4768f6e384030805284ab88689a325431667e9ab11d9aeaa55e9739742f2

SHA512
21de152e07d269b265dae58d46e8c68a3268b2f78d771d4fc44377a14e0c6e73aadae923dcfd34ce2ef53c2eaa53d4df8f281d9b8a627edee213946c9ef37d13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9680edfad2498497dd8d25e62347808f

SHA1
52aa7c203c812cbbec3390a0b4fba2739676b4ce

SHA256
d25bcc8c1a0de0ac9929c612c917ae21b7a9c3b6fcd7f1e8ca2310eafbb4b958

SHA512
ce8e5cd9ff178e13b72dd00ac1b749456c6459c8969464326f07e210cab442de1014b22e2e808c2f0c0b5c19d173655a888af92c1bca4f51966b7fd43e70c1b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ecvapwqd.wh2.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/8256-24820-0x000001E1D8750000-0x000001E1D88E5000-memory.dmp

Filesize
1.6MB

Download
memory/8256-24817-0x000001E1BFF40000-0x000001E1BFF50000-memory.dmp

Filesize
64KB

Download
memory/8256-24801-0x000001E1BFF40000-0x000001E1BFF50000-memory.dmp

Filesize
64KB

Download
memory/8256-24800-0x000001E1BFF40000-0x000001E1BFF50000-memory.dmp

Filesize
64KB

Download
memory/11016-2268-0x0000020B30EA0000-0x0000020B30EB0000-memory.dmp

Filesize
64KB

Download
memory/11016-2970-0x0000020B30EA0000-0x0000020B30EB0000-memory.dmp

Filesize
64KB

Download
memory/11016-2277-0x0000020B30EA0000-0x0000020B30EB0000-memory.dmp

Filesize
64KB

Download
memory/11016-2233-0x0000020B49290000-0x0000020B49306000-memory.dmp

Filesize
472KB

Download
memory/11016-2208-0x0000020B30F60000-0x0000020B30F82000-memory.dmp

Filesize
136KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads