Malware Analysis Report

2024-10-16 03:28

Sample ID 230511-s7b49agc64
Target Avos2.zip
SHA256 1198fb9117776809b11a19000161377384957bee846f7b25a610fc8ca082eb37
Tags
avoslocker evasion ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1198fb9117776809b11a19000161377384957bee846f7b25a610fc8ca082eb37

Threat Level: Known bad

The file Avos2.zip was found to be: Known bad.

Malicious Activity Summary

avoslocker evasion ransomware

Avoslocker Ransomware

Deletes shadow copies

Modifies boot configuration data using bcdedit

Modifies extensions of user files

Enumerates connected drives

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Opens file in notepad (likely ransom note)

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-11 15:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-11 15:45

Reported

2023-05-11 15:48

Platform

win7-20230220-en

Max time kernel

85s

Max time network

36s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe"

Signatures

Avoslocker Ransomware

ransomware avoslocker

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\StartUnlock.tiff C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Users\Admin\Pictures\CopyMove.tiff C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File renamed C:\Users\Admin\Pictures\CopyMove.tiff => C:\Users\Admin\Pictures\CopyMove.tiff.avos2 C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File renamed C:\Users\Admin\Pictures\InvokeConvertFrom.png => C:\Users\Admin\Pictures\InvokeConvertFrom.png.avos2 C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File renamed C:\Users\Admin\Pictures\ReceiveDeny.crw => C:\Users\Admin\Pictures\ReceiveDeny.crw.avos2 C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File renamed C:\Users\Admin\Pictures\SendPublish.tiff => C:\Users\Admin\Pictures\SendPublish.tiff.avos2 C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Users\Admin\Pictures\SendPublish.tiff C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File renamed C:\Users\Admin\Pictures\StartUnlock.tiff => C:\Users\Admin\Pictures\StartUnlock.tiff.avos2 C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File renamed C:\Users\Admin\Pictures\RenameRemove.crw => C:\Users\Admin\Pictures\RenameRemove.crw.avos2 C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File renamed C:\Users\Admin\Pictures\WaitResume.tif => C:\Users\Admin\Pictures\WaitResume.tif.avos2 C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File renamed C:\Users\Admin\Pictures\UnprotectExport.png => C:\Users\Admin\Pictures\UnprotectExport.png.avos2 C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Users\Admin\Pictures\ExitConfirm.tiff C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File renamed C:\Users\Admin\Pictures\ExitConfirm.tiff => C:\Users\Admin\Pictures\ExitConfirm.tiff.avos2 C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File renamed C:\Users\Admin\Pictures\PushSet.crw => C:\Users\Admin\Pictures\PushSet.crw.avos2 C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File renamed C:\Users\Admin\Pictures\ProtectWatch.png => C:\Users\Admin\Pictures\ProtectWatch.png.avos2 C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1521733757.png" C:\Windows\system32\reg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\VeriSignLogo.jpg C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ne\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\ShvlRes.dll.mui C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santa_Isabel C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105846.WMF C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TextConv\Wks9Pxy.cnv C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_windy.png C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DissolveNoise.png C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File created C:\Program Files (x86)\Common Files\System\Ole DB\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_disabled.png C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\ext\meta-index C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler_1.2.0.v20140422-1847.jar C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\external_extensions.json C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\logo.png C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FLY98SP.POC C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Indiana\Knox C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Guam C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\colorcycle.png C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.SE.XML C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107262.WMF C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PSSKETSM.WMF C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent.png C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Khandyga C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\RSSFeeds.js C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\as_IN\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-attach.jar C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-options_ja.jar C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\de-DE\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)redStateIcon.png C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\LoginForm.zip C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00110_.WMF C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\settings.js C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\calendar.js C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_orange.png C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\fr-FR\wmlaunch.exe.mui C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LINE.JPG C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\settings.js C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_rest.png C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\settings.html C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad.png C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\km\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\LICENSE C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EST C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mip.exe.mui C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\BodyPaneBackground.jpg C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\VeriSign_Class_3_Public_Primary_CA.cer C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01184_.WMF C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187851.WMF C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackgroundRTL.jpg C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME27.CSS C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1084 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\system32\cmd.exe
PID 1084 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\system32\cmd.exe
PID 1084 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\system32\cmd.exe
PID 1084 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\system32\cmd.exe
PID 1084 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\system32\cmd.exe
PID 1084 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\system32\cmd.exe
PID 1084 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\system32\cmd.exe
PID 1084 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\system32\cmd.exe
PID 1084 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\system32\cmd.exe
PID 1084 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\system32\cmd.exe
PID 1084 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\system32\cmd.exe
PID 1084 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\system32\cmd.exe
PID 1084 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\system32\cmd.exe
PID 1084 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\system32\cmd.exe
PID 1084 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\system32\cmd.exe
PID 1084 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\system32\cmd.exe
PID 1084 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\system32\cmd.exe
PID 1084 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\system32\cmd.exe
PID 1084 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\system32\cmd.exe
PID 1084 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\system32\cmd.exe
PID 1756 wrote to memory of 1796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1756 wrote to memory of 1796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1756 wrote to memory of 1796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2008 wrote to memory of 2188 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2008 wrote to memory of 2188 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2008 wrote to memory of 2188 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 872 wrote to memory of 2504 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 872 wrote to memory of 2504 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 872 wrote to memory of 2504 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2016 wrote to memory of 3016 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2016 wrote to memory of 3016 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2016 wrote to memory of 3016 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1476 wrote to memory of 2532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1476 wrote to memory of 2532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1476 wrote to memory of 2532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1084 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2788 wrote to memory of 2820 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 2788 wrote to memory of 2820 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 2788 wrote to memory of 2820 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 2788 wrote to memory of 3416 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\rundll32.exe
PID 2788 wrote to memory of 3416 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\rundll32.exe
PID 2788 wrote to memory of 3416 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\rundll32.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

"C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe"

C:\Windows\system32\cmd.exe

cmd /c wmic shadowcopy delete /nointeractive

C:\Windows\system32\cmd.exe

cmd /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\system32\cmd.exe

cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

cmd /c bcdedit /set {default} recoveryenabled No

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete /nointeractive

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled No

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1521733757.png /f

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False

Network

N/A

Files

C:\GET_YOUR_FILES_BACK.txt

MD5 064348106157ac3e6972ebe6852f665f
SHA1 4f95549af4873637f05f5f574b93605d30a28dbb
SHA256 876a6444eeb977c6d73be9474d3cc85307a0f68d4b342c2e59913172f80caa2a
SHA512 e121d453c52fa8aabc7a878649bc68dc25a2bd24861c3557c82d8182ea7ac2b9f9921b5caae950901d036dd77a437e65233cbe5add23dc8d2c7446431bb3ab33

memory/2504-685-0x000000001B250000-0x000000001B532000-memory.dmp

memory/2504-699-0x00000000023E0000-0x00000000023E8000-memory.dmp

memory/2504-1068-0x00000000024A0000-0x0000000002520000-memory.dmp

memory/2504-1135-0x00000000024A0000-0x0000000002520000-memory.dmp

memory/2504-1738-0x00000000024A0000-0x0000000002520000-memory.dmp

C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt

MD5 064348106157ac3e6972ebe6852f665f
SHA1 4f95549af4873637f05f5f574b93605d30a28dbb
SHA256 876a6444eeb977c6d73be9474d3cc85307a0f68d4b342c2e59913172f80caa2a
SHA512 e121d453c52fa8aabc7a878649bc68dc25a2bd24861c3557c82d8182ea7ac2b9f9921b5caae950901d036dd77a437e65233cbe5add23dc8d2c7446431bb3ab33

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 c516c1e56206056520b8ae60821654dd
SHA1 a94c103f9a4808715afc4532b24ecba6ee3a7ff0
SHA256 30cb4a859416dc6109e87ceeff5d3a226623e24dd12a50a3a67a93a96b71cdd2
SHA512 38250cd71c8c0f2b708143c17f3d40ed3626235840bd9fbb89f7671ab43d063e83d6419e59291f9c8f8be582d1e22c39e75b5555dffc4bd9b98ec92eac30cad4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C8XVUKCCJLRXF1GP2ZAX.temp

MD5 c516c1e56206056520b8ae60821654dd
SHA1 a94c103f9a4808715afc4532b24ecba6ee3a7ff0
SHA256 30cb4a859416dc6109e87ceeff5d3a226623e24dd12a50a3a67a93a96b71cdd2
SHA512 38250cd71c8c0f2b708143c17f3d40ed3626235840bd9fbb89f7671ab43d063e83d6419e59291f9c8f8be582d1e22c39e75b5555dffc4bd9b98ec92eac30cad4

memory/2788-24583-0x000000001B210000-0x000000001B4F2000-memory.dmp

memory/2788-24584-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

memory/2788-24587-0x0000000002340000-0x00000000023C0000-memory.dmp

C:\GET_YOUR_FILES_BACK.txt

MD5 064348106157ac3e6972ebe6852f665f
SHA1 4f95549af4873637f05f5f574b93605d30a28dbb
SHA256 876a6444eeb977c6d73be9474d3cc85307a0f68d4b342c2e59913172f80caa2a
SHA512 e121d453c52fa8aabc7a878649bc68dc25a2bd24861c3557c82d8182ea7ac2b9f9921b5caae950901d036dd77a437e65233cbe5add23dc8d2c7446431bb3ab33

memory/2788-24585-0x0000000002340000-0x00000000023C0000-memory.dmp

memory/2788-24588-0x0000000002340000-0x00000000023C0000-memory.dmp

memory/2788-24589-0x0000000002340000-0x00000000023C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1521733757.png

MD5 0c69ddc9040a706b0ba157b490f1aeff
SHA1 0bfc69c2c03b2154461715f5f739059a8b8cd086
SHA256 c36a6abb844debeb8a3d98826cf9b5664464948b60b43e0d8f76625826b992b1
SHA512 e2a659f799cdd42031af37635b0429ef64f40519616780fcf35ff4db8f7ad102fdeda47cb1d9db3c397c208f531ceebcdf41f5314336cda8cdefb47f0c991562

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-11 15:45

Reported

2023-05-11 15:48

Platform

win10v2004-20230220-en

Max time kernel

149s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

"C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe"

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 117.18.237.29:80 tcp
US 20.42.73.26:443 tcp
US 93.184.220.29:80 tcp
US 209.197.3.8:80 tcp
US 40.125.122.176:443 tcp
IN 20.190.145.140:443 tcp
NL 173.223.113.164:443 tcp
NL 20.123.141.233:443 tcp
US 40.125.122.176:443 tcp
IN 20.190.145.141:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 api.msn.com tcp
US 40.125.122.176:443 tcp
US 8.8.8.8:53 142.145.190.20.in-addr.arpa udp
IN 20.190.145.140:443 tcp
US 8.8.8.8:53 121.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 254.21.238.8.in-addr.arpa udp
US 40.125.122.176:443 tcp
US 40.125.122.176:443 tcp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
US 40.125.122.176:443 tcp

Files

N/A