avoslocker | 1198fb9117776809b11a19000161377384957bee846f7b25a610fc8ca082eb37

General

Target

5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
Size

807KB
MD5

1a23dd405a1bd4e488c5fb54f22e14ff
SHA1

73b1d319fb361e591c2e6a65caaea73186f51193
SHA256

5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa
SHA512

b9ff21124e04ec7c9e5159cc7cc8ce1110b35941c7a1235b4bd55911ad17c03ace3ce1173e784e6154b09a6eb21da880b7f54886bda589e6293e69d92337f80b
SSDEEP

12288:0Z4s3rg9u/2/oT+NXtHLlP/O+OeO+OeNhBBhhBBAtHg9rjI+LXJ0ivlzkHBDsYA:u4s+oT+NXBLi0rjFXvyHBlb4CZa8

Score

10^/10

avoslocker evasion ransomware

Malware Config

Signatures

Avoslocker Ransomware
Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.
ransomware avoslocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2976 bcdedit.exe
2504 bcdedit.exe

pid	process
2976	bcdedit.exe
2504	bcdedit.exe

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\WriteUnblock.png => C:\Users\Admin\Pictures\WriteUnblock.png.avos2	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File renamed	C:\Users\Admin\Pictures\CloseJoin.tiff => C:\Users\Admin\Pictures\CloseJoin.tiff.avos2	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Users\Admin\Pictures\CompressMount.tiff	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File renamed	C:\Users\Admin\Pictures\CompressMount.tiff => C:\Users\Admin\Pictures\CompressMount.tiff.avos2	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File renamed	C:\Users\Admin\Pictures\ProtectPing.tif => C:\Users\Admin\Pictures\ProtectPing.tif.avos2	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Users\Admin\Pictures\CloseJoin.tiff	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File renamed	C:\Users\Admin\Pictures\InvokeBlock.raw => C:\Users\Admin\Pictures\InvokeBlock.raw.avos2	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File renamed	C:\Users\Admin\Pictures\RequestUnblock.crw => C:\Users\Admin\Pictures\RequestUnblock.crw.avos2	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File renamed	C:\Users\Admin\Pictures\SendUpdate.png => C:\Users\Admin\Pictures\SendUpdate.png.avos2	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

description ioc process

File opened (read-only) \??\Z: 5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

description	ioc	process
File opened (read-only)	\??\Z:	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1372300437.png"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\koreus.luac	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files\Microsoft Games\Hearts\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\PST8PDT	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Chuuk	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\weather.css	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04206_.WMF	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\rings-dock.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_zh_4.4.0.v20140623020002.jar	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCallbacks.h	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_SelectionSubpicture.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsHomePageScript.js	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0234131.WMF	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Month_Calendar.emf	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.jpg	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR36F.GIF	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\msolui100.rll	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\PREVIEW.GIF	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\slideshow_glass_frame.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_bottom.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\bg_sidebar.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Maroon.css	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Magadan	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-heapdump_ja.jar	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\CollectSignatures_Init.xsn	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0216516.WMF	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00308_.WMF	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files\Microsoft Games\Purble Place\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\settings.html	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\BlackTieResume.dotx	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.ja_5.5.0.165303.jar	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\gadget.xml	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\FreeSansBold.ttf	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GREET11.POC	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\HandPrints.jpg	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\currency.css	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\gadget.xml	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Fakaofo	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Catamarca	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_down.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\COUPON.POC	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Solstice.xml	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0250504.WMF	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00052_.WMF	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00783_.WMF	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files (x86)\Windows Sidebar\es-ES\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\107.accdt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_zh_CN.jar	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\RSSFeeds.js	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\localizedStrings.js	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143753.GIF	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\en-US\msadcer.dll.mui	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-spi-actions.xml	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2760 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exepowershell.exepowershell.exe

pid process

1996 5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
2676 powershell.exe
3960 powershell.exe

pid	process
2760	vssadmin.exe

pid	process
1996	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
2676	powershell.exe
3960	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exeWMIC.exevssvc.exepowershell.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1996	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
Token: SeIncreaseQuotaPrivilege	2364	WMIC.exe
Token: SeSecurityPrivilege	2364	WMIC.exe
Token: SeTakeOwnershipPrivilege	2364	WMIC.exe
Token: SeLoadDriverPrivilege	2364	WMIC.exe
Token: SeSystemProfilePrivilege	2364	WMIC.exe
Token: SeSystemtimePrivilege	2364	WMIC.exe
Token: SeProfSingleProcessPrivilege	2364	WMIC.exe
Token: SeIncBasePriorityPrivilege	2364	WMIC.exe
Token: SeCreatePagefilePrivilege	2364	WMIC.exe
Token: SeBackupPrivilege	2364	WMIC.exe
Token: SeRestorePrivilege	2364	WMIC.exe
Token: SeShutdownPrivilege	2364	WMIC.exe
Token: SeDebugPrivilege	2364	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2364	WMIC.exe
Token: SeRemoteShutdownPrivilege	2364	WMIC.exe
Token: SeUndockPrivilege	2364	WMIC.exe
Token: SeManageVolumePrivilege	2364	WMIC.exe
Token: 33	2364	WMIC.exe
Token: 34	2364	WMIC.exe
Token: 35	2364	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2364	WMIC.exe
Token: SeSecurityPrivilege	2364	WMIC.exe
Token: SeTakeOwnershipPrivilege	2364	WMIC.exe
Token: SeLoadDriverPrivilege	2364	WMIC.exe
Token: SeSystemProfilePrivilege	2364	WMIC.exe
Token: SeSystemtimePrivilege	2364	WMIC.exe
Token: SeProfSingleProcessPrivilege	2364	WMIC.exe
Token: SeIncBasePriorityPrivilege	2364	WMIC.exe
Token: SeCreatePagefilePrivilege	2364	WMIC.exe
Token: SeBackupPrivilege	2364	WMIC.exe
Token: SeRestorePrivilege	2364	WMIC.exe
Token: SeShutdownPrivilege	2364	WMIC.exe
Token: SeDebugPrivilege	2364	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2364	WMIC.exe
Token: SeRemoteShutdownPrivilege	2364	WMIC.exe
Token: SeUndockPrivilege	2364	WMIC.exe
Token: SeManageVolumePrivilege	2364	WMIC.exe
Token: 33	2364	WMIC.exe
Token: 34	2364	WMIC.exe
Token: 35	2364	WMIC.exe
Token: SeBackupPrivilege	2956	vssvc.exe
Token: SeRestorePrivilege	2956	vssvc.exe
Token: SeAuditPrivilege	2956	vssvc.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeBackupPrivilege	2676	powershell.exe
Token: SeSecurityPrivilege	2676	powershell.exe
Token: SeBackupPrivilege	2676	powershell.exe
Token: SeBackupPrivilege	2676	powershell.exe
Token: SeSecurityPrivilege	2676	powershell.exe
Token: SeBackupPrivilege	2676	powershell.exe
Token: SeBackupPrivilege	2676	powershell.exe
Token: SeSecurityPrivilege	2676	powershell.exe
Token: SeBackupPrivilege	2676	powershell.exe
Token: SeBackupPrivilege	2676	powershell.exe
Token: SeSecurityPrivilege	2676	powershell.exe
Token: SeBackupPrivilege	2676	powershell.exe
Token: SeBackupPrivilege	2676	powershell.exe
Token: SeSecurityPrivilege	2676	powershell.exe
Token: SeBackupPrivilege	2676	powershell.exe
Token: SeBackupPrivilege	2676	powershell.exe
Token: SeSecurityPrivilege	2676	powershell.exe
Token: SeBackupPrivilege	2676	powershell.exe
Token: SeSecurityPrivilege	2676	powershell.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.execmd.execmd.execmd.execmd.execmd.exepowershell.exe

description	pid	process	target process
PID 1996 wrote to memory of 1948	1996	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1996 wrote to memory of 1948	1996	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1996 wrote to memory of 1948	1996	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1996 wrote to memory of 1948	1996	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1996 wrote to memory of 940	1996	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1996 wrote to memory of 940	1996	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1996 wrote to memory of 940	1996	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1996 wrote to memory of 940	1996	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1996 wrote to memory of 1940	1996	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1996 wrote to memory of 1940	1996	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1996 wrote to memory of 1940	1996	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1996 wrote to memory of 1940	1996	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1996 wrote to memory of 924	1996	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1996 wrote to memory of 924	1996	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1996 wrote to memory of 924	1996	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1996 wrote to memory of 924	1996	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1996 wrote to memory of 884	1996	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1996 wrote to memory of 884	1996	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1996 wrote to memory of 884	1996	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1996 wrote to memory of 884	1996	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1948 wrote to memory of 2364	1948	cmd.exe	WMIC.exe
PID 1948 wrote to memory of 2364	1948	cmd.exe	WMIC.exe
PID 1948 wrote to memory of 2364	1948	cmd.exe	WMIC.exe
PID 884 wrote to memory of 2676	884	cmd.exe	powershell.exe
PID 884 wrote to memory of 2676	884	cmd.exe	powershell.exe
PID 884 wrote to memory of 2676	884	cmd.exe	powershell.exe
PID 924 wrote to memory of 2976	924	cmd.exe	bcdedit.exe
PID 924 wrote to memory of 2976	924	cmd.exe	bcdedit.exe
PID 924 wrote to memory of 2976	924	cmd.exe	bcdedit.exe
PID 940 wrote to memory of 2760	940	cmd.exe	vssadmin.exe
PID 940 wrote to memory of 2760	940	cmd.exe	vssadmin.exe
PID 940 wrote to memory of 2760	940	cmd.exe	vssadmin.exe
PID 1940 wrote to memory of 2504	1940	cmd.exe	bcdedit.exe
PID 1940 wrote to memory of 2504	1940	cmd.exe	bcdedit.exe
PID 1940 wrote to memory of 2504	1940	cmd.exe	bcdedit.exe
PID 1996 wrote to memory of 3960	1996	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	powershell.exe
PID 1996 wrote to memory of 3960	1996	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	powershell.exe
PID 1996 wrote to memory of 3960	1996	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	powershell.exe
PID 1996 wrote to memory of 3960	1996	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	powershell.exe
PID 3960 wrote to memory of 2384	3960	powershell.exe	reg.exe
PID 3960 wrote to memory of 2384	3960	powershell.exe	reg.exe
PID 3960 wrote to memory of 2384	3960	powershell.exe	reg.exe
PID 3960 wrote to memory of 4396	3960	powershell.exe	rundll32.exe
PID 3960 wrote to memory of 4396	3960	powershell.exe	rundll32.exe
PID 3960 wrote to memory of 4396	3960	powershell.exe	rundll32.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
"C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\system32\cmd.exe
  cmd /c wmic shadowcopy delete /nointeractive
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2364
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2760
- C:\Windows\system32\cmd.exe
  cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2976
- C:\Windows\system32\cmd.exe
  cmd /c bcdedit /set {default} recoveryenabled No
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2504
- C:\Windows\system32\cmd.exe
  cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1372300437.png /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:2384
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
    3⤵
    PID:4396

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Inhibit System Recovery

3

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GET_YOUR_FILES_BACK.txt

Filesize
1011B

MD5
064348106157ac3e6972ebe6852f665f

SHA1
4f95549af4873637f05f5f574b93605d30a28dbb

SHA256
876a6444eeb977c6d73be9474d3cc85307a0f68d4b342c2e59913172f80caa2a

SHA512
e121d453c52fa8aabc7a878649bc68dc25a2bd24861c3557c82d8182ea7ac2b9f9921b5caae950901d036dd77a437e65233cbe5add23dc8d2c7446431bb3ab33

Download Submit
C:\Users\Admin\AppData\Local\Temp\1372300437.png

Filesize
32KB

MD5
0c69ddc9040a706b0ba157b490f1aeff

SHA1
0bfc69c2c03b2154461715f5f739059a8b8cd086

SHA256
c36a6abb844debeb8a3d98826cf9b5664464948b60b43e0d8f76625826b992b1

SHA512
e2a659f799cdd42031af37635b0429ef64f40519616780fcf35ff4db8f7ad102fdeda47cb1d9db3c397c208f531ceebcdf41f5314336cda8cdefb47f0c991562

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ace58598c6c59f7d90f09f1cd1eb7597

SHA1
0815651f1ebb03207eb7ae3c4dd204e0e9762129

SHA256
e83a3286e48cc170c788a89416f89ba3bbe870ea39543119cedec2a443008cd1

SHA512
20ba3ff9054179daf4d9c7a8ee6eb0f4497170ba98cd385d19c50c2c95e200b787e5c0df7439d5a18b39a0f198232c5425ff53ba2e18186f011990f1b2ded5a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ICH8DVQA270WEFFVWR78.temp

Filesize
7KB

MD5
ace58598c6c59f7d90f09f1cd1eb7597

SHA1
0815651f1ebb03207eb7ae3c4dd204e0e9762129

SHA256
e83a3286e48cc170c788a89416f89ba3bbe870ea39543119cedec2a443008cd1

SHA512
20ba3ff9054179daf4d9c7a8ee6eb0f4497170ba98cd385d19c50c2c95e200b787e5c0df7439d5a18b39a0f198232c5425ff53ba2e18186f011990f1b2ded5a4

Download Submit
C:\Users\Default\Links\GET_YOUR_FILES_BACK.txt

Filesize
1011B

MD5
064348106157ac3e6972ebe6852f665f

SHA1
4f95549af4873637f05f5f574b93605d30a28dbb

SHA256
876a6444eeb977c6d73be9474d3cc85307a0f68d4b342c2e59913172f80caa2a

SHA512
e121d453c52fa8aabc7a878649bc68dc25a2bd24861c3557c82d8182ea7ac2b9f9921b5caae950901d036dd77a437e65233cbe5add23dc8d2c7446431bb3ab33

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2676-1044-0x0000000002610000-0x0000000002690000-memory.dmp

Filesize
512KB

Download
memory/2676-1599-0x0000000002610000-0x0000000002690000-memory.dmp

Filesize
512KB

Download
memory/2676-1325-0x0000000002610000-0x0000000002690000-memory.dmp

Filesize
512KB

Download
memory/2676-751-0x0000000002610000-0x0000000002690000-memory.dmp

Filesize
512KB

Download
memory/2676-746-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

Filesize
32KB

Download
memory/2676-635-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

Filesize
2.9MB

Download
memory/3960-24653-0x000000001B160000-0x000000001B442000-memory.dmp

Filesize
2.9MB

Download
memory/3960-24654-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/3960-24655-0x00000000024B0000-0x0000000002530000-memory.dmp

Filesize
512KB

Download
memory/3960-24656-0x00000000024B0000-0x0000000002530000-memory.dmp

Filesize
512KB

Download
memory/3960-24657-0x00000000024B0000-0x0000000002530000-memory.dmp

Filesize
512KB

Download
memory/3960-24659-0x00000000024B0000-0x0000000002530000-memory.dmp

Filesize
512KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads