avoslocker | 1198fb9117776809b11a19000161377384957bee846f7b25a610fc8ca082eb37

General

Target

5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
Size

807KB
MD5

1a23dd405a1bd4e488c5fb54f22e14ff
SHA1

73b1d319fb361e591c2e6a65caaea73186f51193
SHA256

5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa
SHA512

b9ff21124e04ec7c9e5159cc7cc8ce1110b35941c7a1235b4bd55911ad17c03ace3ce1173e784e6154b09a6eb21da880b7f54886bda589e6293e69d92337f80b
SSDEEP

12288:0Z4s3rg9u/2/oT+NXtHLlP/O+OeO+OeNhBBhhBBAtHg9rjI+LXJ0ivlzkHBDsYA:u4s+oT+NXBLi0rjFXvyHBlb4CZa8

Score

10^/10

avoslocker evasion ransomware

Malware Config

Signatures

Avoslocker Ransomware
Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.
ransomware avoslocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2168 bcdedit.exe
2344 bcdedit.exe

pid	process
2168	bcdedit.exe
2344	bcdedit.exe

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\GrantWait.png => C:\Users\Admin\Pictures\GrantWait.png.avos2	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File renamed	C:\Users\Admin\Pictures\ImportComplete.raw => C:\Users\Admin\Pictures\ImportComplete.raw.avos2	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File renamed	C:\Users\Admin\Pictures\NewBackup.tiff => C:\Users\Admin\Pictures\NewBackup.tiff.avos2	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File renamed	C:\Users\Admin\Pictures\ResumeEdit.tiff => C:\Users\Admin\Pictures\ResumeEdit.tiff.avos2	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File renamed	C:\Users\Admin\Pictures\UnregisterGrant.raw => C:\Users\Admin\Pictures\UnregisterGrant.raw.avos2	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Users\Admin\Pictures\NewBackup.tiff	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Users\Admin\Pictures\ResumeEdit.tiff	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File renamed	C:\Users\Admin\Pictures\ConvertToSet.raw => C:\Users\Admin\Pictures\ConvertToSet.raw.avos2	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

description ioc process

File opened (read-only) \??\Z: 5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

description	ioc	process
File opened (read-only)	\??\Z:	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1700332598.png"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\21.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\clock.html	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageMask.bmp	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Waveform.xml	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105496.WMF	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Kaliningrad	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\mpvis.dll.mui	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01293_.WMF	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\vlc.mo	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\fr-FR\Mahjong.exe.mui	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files\Microsoft Games\Hearts\ja-JP\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-spi-quicksearch.jar	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_cs.jar	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_over.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH.HXS	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\de-DE\Mahjong.exe.mui	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Grand_Turk	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\BUTTON.JPG	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382955.JPG	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\OCEAN_01.MID	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Antigua	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.configuration_5.5.0.165303.jar	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.properties	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\flyout.css	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FS3BOX.POC	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0301418.WMF	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00555_.WMF	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\MsMpRes.dll.mui	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler_zh_CN.jar	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_zh_CN.jar	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.ecore.change_2.10.0.v20140901-1043.jar	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImage.jpg	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_dot.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107712.WMF	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_zh_4.4.0.v20140623020002.jar	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\THEMES.INF	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\drag.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENV11.POC	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\OUTEX2.ECF	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02198_.GIF	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Tarawa	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-8	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME06.CSS	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\README.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sv\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\settings.html	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\localizedStrings.js	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\background.gif	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01638_.WMF	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198025.WMF	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\STORYVERTBB.POC	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote-PipelineConfig.xml	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.HXS	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME18.CSS	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Clarity.xml	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00012_.WMF	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2076 vssadmin.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3128 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exepowershell.exepowershell.exe

pid process

1232 5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
2992 powershell.exe
3060 powershell.exe

pid	process
2076	vssadmin.exe

pid	process
3128	NOTEPAD.EXE

pid	process
1232	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
2992	powershell.exe
3060	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exeWMIC.exevssvc.exepowershell.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1232	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
Token: SeIncreaseQuotaPrivilege	2420	WMIC.exe
Token: SeSecurityPrivilege	2420	WMIC.exe
Token: SeTakeOwnershipPrivilege	2420	WMIC.exe
Token: SeLoadDriverPrivilege	2420	WMIC.exe
Token: SeSystemProfilePrivilege	2420	WMIC.exe
Token: SeSystemtimePrivilege	2420	WMIC.exe
Token: SeProfSingleProcessPrivilege	2420	WMIC.exe
Token: SeIncBasePriorityPrivilege	2420	WMIC.exe
Token: SeCreatePagefilePrivilege	2420	WMIC.exe
Token: SeBackupPrivilege	2420	WMIC.exe
Token: SeRestorePrivilege	2420	WMIC.exe
Token: SeShutdownPrivilege	2420	WMIC.exe
Token: SeDebugPrivilege	2420	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2420	WMIC.exe
Token: SeRemoteShutdownPrivilege	2420	WMIC.exe
Token: SeUndockPrivilege	2420	WMIC.exe
Token: SeManageVolumePrivilege	2420	WMIC.exe
Token: 33	2420	WMIC.exe
Token: 34	2420	WMIC.exe
Token: 35	2420	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2420	WMIC.exe
Token: SeSecurityPrivilege	2420	WMIC.exe
Token: SeTakeOwnershipPrivilege	2420	WMIC.exe
Token: SeLoadDriverPrivilege	2420	WMIC.exe
Token: SeSystemProfilePrivilege	2420	WMIC.exe
Token: SeSystemtimePrivilege	2420	WMIC.exe
Token: SeProfSingleProcessPrivilege	2420	WMIC.exe
Token: SeIncBasePriorityPrivilege	2420	WMIC.exe
Token: SeCreatePagefilePrivilege	2420	WMIC.exe
Token: SeBackupPrivilege	2420	WMIC.exe
Token: SeRestorePrivilege	2420	WMIC.exe
Token: SeShutdownPrivilege	2420	WMIC.exe
Token: SeDebugPrivilege	2420	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2420	WMIC.exe
Token: SeRemoteShutdownPrivilege	2420	WMIC.exe
Token: SeUndockPrivilege	2420	WMIC.exe
Token: SeManageVolumePrivilege	2420	WMIC.exe
Token: 33	2420	WMIC.exe
Token: 34	2420	WMIC.exe
Token: 35	2420	WMIC.exe
Token: SeBackupPrivilege	2492	vssvc.exe
Token: SeRestorePrivilege	2492	vssvc.exe
Token: SeAuditPrivilege	2492	vssvc.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeBackupPrivilege	2992	powershell.exe
Token: SeSecurityPrivilege	2992	powershell.exe
Token: SeBackupPrivilege	2992	powershell.exe
Token: SeBackupPrivilege	2992	powershell.exe
Token: SeSecurityPrivilege	2992	powershell.exe
Token: SeBackupPrivilege	2992	powershell.exe
Token: SeBackupPrivilege	2992	powershell.exe
Token: SeSecurityPrivilege	2992	powershell.exe
Token: SeBackupPrivilege	2992	powershell.exe
Token: SeBackupPrivilege	2992	powershell.exe
Token: SeSecurityPrivilege	2992	powershell.exe
Token: SeBackupPrivilege	2992	powershell.exe
Token: SeBackupPrivilege	2992	powershell.exe
Token: SeSecurityPrivilege	2992	powershell.exe
Token: SeBackupPrivilege	2992	powershell.exe
Token: SeBackupPrivilege	2992	powershell.exe
Token: SeSecurityPrivilege	2992	powershell.exe
Token: SeBackupPrivilege	2992	powershell.exe
Token: SeSecurityPrivilege	2992	powershell.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.execmd.execmd.execmd.execmd.execmd.exepowershell.exe

description	pid	process	target process
PID 1232 wrote to memory of 912	1232	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1232 wrote to memory of 912	1232	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1232 wrote to memory of 912	1232	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1232 wrote to memory of 912	1232	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1232 wrote to memory of 1236	1232	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1232 wrote to memory of 1236	1232	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1232 wrote to memory of 1236	1232	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1232 wrote to memory of 1236	1232	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1232 wrote to memory of 908	1232	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1232 wrote to memory of 908	1232	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1232 wrote to memory of 908	1232	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1232 wrote to memory of 908	1232	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1232 wrote to memory of 1284	1232	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1232 wrote to memory of 1284	1232	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1232 wrote to memory of 1284	1232	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1232 wrote to memory of 1284	1232	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1232 wrote to memory of 1660	1232	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1232 wrote to memory of 1660	1232	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1232 wrote to memory of 1660	1232	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1232 wrote to memory of 1660	1232	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	cmd.exe
PID 1236 wrote to memory of 2076	1236	cmd.exe	vssadmin.exe
PID 1236 wrote to memory of 2076	1236	cmd.exe	vssadmin.exe
PID 1236 wrote to memory of 2076	1236	cmd.exe	vssadmin.exe
PID 1284 wrote to memory of 2168	1284	cmd.exe	bcdedit.exe
PID 1284 wrote to memory of 2168	1284	cmd.exe	bcdedit.exe
PID 1284 wrote to memory of 2168	1284	cmd.exe	bcdedit.exe
PID 908 wrote to memory of 2344	908	cmd.exe	bcdedit.exe
PID 908 wrote to memory of 2344	908	cmd.exe	bcdedit.exe
PID 908 wrote to memory of 2344	908	cmd.exe	bcdedit.exe
PID 1660 wrote to memory of 2992	1660	cmd.exe	powershell.exe
PID 1660 wrote to memory of 2992	1660	cmd.exe	powershell.exe
PID 1660 wrote to memory of 2992	1660	cmd.exe	powershell.exe
PID 912 wrote to memory of 2420	912	cmd.exe	WMIC.exe
PID 912 wrote to memory of 2420	912	cmd.exe	WMIC.exe
PID 912 wrote to memory of 2420	912	cmd.exe	WMIC.exe
PID 1232 wrote to memory of 3060	1232	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	powershell.exe
PID 1232 wrote to memory of 3060	1232	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	powershell.exe
PID 1232 wrote to memory of 3060	1232	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	powershell.exe
PID 1232 wrote to memory of 3060	1232	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	powershell.exe
PID 3060 wrote to memory of 3948	3060	powershell.exe	reg.exe
PID 3060 wrote to memory of 3948	3060	powershell.exe	reg.exe
PID 3060 wrote to memory of 3948	3060	powershell.exe	reg.exe
PID 3060 wrote to memory of 2528	3060	powershell.exe	rundll32.exe
PID 3060 wrote to memory of 2528	3060	powershell.exe	rundll32.exe
PID 3060 wrote to memory of 2528	3060	powershell.exe	rundll32.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
"C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Windows\system32\cmd.exe
  cmd /c wmic shadowcopy delete /nointeractive
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2420
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2076
- C:\Windows\system32\cmd.exe
  cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2168
- C:\Windows\system32\cmd.exe
  cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2992
- C:\Windows\system32\cmd.exe
  cmd /c bcdedit /set {default} recoveryenabled No
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1700332598.png /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:3948
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
    3⤵
    PID:2528

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Inhibit System Recovery

3

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GET_YOUR_FILES_BACK.txt

Filesize
1011B

MD5
064348106157ac3e6972ebe6852f665f

SHA1
4f95549af4873637f05f5f574b93605d30a28dbb

SHA256
876a6444eeb977c6d73be9474d3cc85307a0f68d4b342c2e59913172f80caa2a

SHA512
e121d453c52fa8aabc7a878649bc68dc25a2bd24861c3557c82d8182ea7ac2b9f9921b5caae950901d036dd77a437e65233cbe5add23dc8d2c7446431bb3ab33

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
37db35bb35a49d029a8e75c8c65b44f8

SHA1
0db3e4eebe23f270e865258ec50ec3f2c4fce270

SHA256
25fb9885b75d90e62e19bf05c0cbb69b533820196aacc09efa0a773ac16ed59c

SHA512
313eb372d02f4921432a519bca11c622fb561cfd2972eb4738e300ef556f1d61e394f890c3b7880e597ae32749792cd44f0681e6e07b253166ccdf478e891129

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EN5SGQ61K109RTDDN5BS.temp

Filesize
7KB

MD5
37db35bb35a49d029a8e75c8c65b44f8

SHA1
0db3e4eebe23f270e865258ec50ec3f2c4fce270

SHA256
25fb9885b75d90e62e19bf05c0cbb69b533820196aacc09efa0a773ac16ed59c

SHA512
313eb372d02f4921432a519bca11c622fb561cfd2972eb4738e300ef556f1d61e394f890c3b7880e597ae32749792cd44f0681e6e07b253166ccdf478e891129

Download Submit
C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt

Filesize
1011B

MD5
064348106157ac3e6972ebe6852f665f

SHA1
4f95549af4873637f05f5f574b93605d30a28dbb

SHA256
876a6444eeb977c6d73be9474d3cc85307a0f68d4b342c2e59913172f80caa2a

SHA512
e121d453c52fa8aabc7a878649bc68dc25a2bd24861c3557c82d8182ea7ac2b9f9921b5caae950901d036dd77a437e65233cbe5add23dc8d2c7446431bb3ab33

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Device\HarddiskVolume1\Boot\GET_YOUR_FILES_BACK.txt

Filesize
1011B

MD5
064348106157ac3e6972ebe6852f665f

SHA1
4f95549af4873637f05f5f574b93605d30a28dbb

SHA256
876a6444eeb977c6d73be9474d3cc85307a0f68d4b342c2e59913172f80caa2a

SHA512
e121d453c52fa8aabc7a878649bc68dc25a2bd24861c3557c82d8182ea7ac2b9f9921b5caae950901d036dd77a437e65233cbe5add23dc8d2c7446431bb3ab33

Download Submit
memory/2992-1297-0x0000000002350000-0x00000000023D0000-memory.dmp

Filesize
512KB

Download
memory/2992-1504-0x0000000002350000-0x00000000023D0000-memory.dmp

Filesize
512KB

Download
memory/2992-1334-0x0000000002350000-0x00000000023D0000-memory.dmp

Filesize
512KB

Download
memory/2992-1327-0x0000000002350000-0x00000000023D0000-memory.dmp

Filesize
512KB

Download
memory/2992-1080-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/2992-1007-0x000000001B280000-0x000000001B562000-memory.dmp

Filesize
2.9MB

Download
memory/3060-24550-0x000000001B0D0000-0x000000001B3B2000-memory.dmp

Filesize
2.9MB

Download
memory/3060-24551-0x0000000002460000-0x0000000002468000-memory.dmp

Filesize
32KB

Download
memory/3060-24553-0x0000000002870000-0x00000000028F0000-memory.dmp

Filesize
512KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads