avoslocker | 1198fb9117776809b11a19000161377384957bee846f7b25a610fc8ca082eb37

Resubmissions

11-05-2023 15:49

230511-s9f6zsad87 10

11-05-2023 15:45

230511-s7b49agc64 10

03-05-2023 23:25

230503-3edsgsba4x 10

03-05-2023 11:43

230503-nv3n8aee94 10

Analysis

max time kernel
81s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2023 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
Size

807KB
MD5

1a23dd405a1bd4e488c5fb54f22e14ff
SHA1

73b1d319fb361e591c2e6a65caaea73186f51193
SHA256

5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa
SHA512

b9ff21124e04ec7c9e5159cc7cc8ce1110b35941c7a1235b4bd55911ad17c03ace3ce1173e784e6154b09a6eb21da880b7f54886bda589e6293e69d92337f80b
SSDEEP

12288:0Z4s3rg9u/2/oT+NXtHLlP/O+OeO+OeNhBBhhBBAtHg9rjI+LXJ0ivlzkHBDsYA:u4s+oT+NXBLi0rjFXvyHBlb4CZa8

Score

10^/10

avoslocker evasion ransomware

Malware Config

Signatures

Avoslocker Ransomware
Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.
ransomware avoslocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2444	bcdedit.exe
4104	bcdedit.exe

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\DisableUpdate.tiff => C:\Users\Admin\Pictures\DisableUpdate.tiff.avos2	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File renamed	C:\Users\Admin\Pictures\DismountConvert.tif => C:\Users\Admin\Pictures\DismountConvert.tif.avos2	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Users\Admin\Pictures\GrantRestart.tiff	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File renamed	C:\Users\Admin\Pictures\GrantRestart.tiff => C:\Users\Admin\Pictures\GrantRestart.tiff.avos2	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File renamed	C:\Users\Admin\Pictures\RegisterAssert.tif => C:\Users\Admin\Pictures\RegisterAssert.tif.avos2	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File renamed	C:\Users\Admin\Pictures\SetInitialize.tif => C:\Users\Admin\Pictures\SetInitialize.tif.avos2	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Users\Admin\Pictures\DisableUpdate.tiff	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1347122807.png"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-gb\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-api.xml	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbytools.jar	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ppd.xrm-ms	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\da-dk\ui-strings.js	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-variant2.gif	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\cs-cz\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STRTEDGE\STRTEDGE.INF	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sv-se\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Light.scale-250.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\uk-ua\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\nub.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\tr-tr\ui-strings.js	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ui-strings.js	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\Logo.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\find-text.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_ja.jar	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ro-ro\ui-strings.js	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.sat4j.core_2.3.5.v201308161310.jar	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\vlc.mo	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-ppd.xrm-ms	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\management\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\bundles.info	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-24_altform-unplated.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\ExcelCapabilities.json	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.net_1.2.200.v20120807-0927.jar	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\PUSH.WAV	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_Mocking.help.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\da-dk\ui-strings.js	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fi-fi\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_auditreport_18.svg	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\casual.dotx	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ja-jp\ui-strings.js	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailMediumTile.scale-125.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\dcfmui.msi.16.en-us.vreg.dat	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\vlc.mo	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXT	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-oob.xrm-ms	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\es-es\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sv-se\ui-strings.js	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg1a.jpg	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\vlc.mo	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.fr-fr.xml	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-gb\GET_YOUR_FILES_BACK.txt	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected]	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_invite_18.svg	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarSplashLogo.scale-125.png	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4900	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1644	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
1644	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
1516	powershell.exe
1516	powershell.exe
1516	powershell.exe
13656	powershell.exe
13656	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1644	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
Token: SeIncreaseQuotaPrivilege	4740	WMIC.exe
Token: SeSecurityPrivilege	4740	WMIC.exe
Token: SeTakeOwnershipPrivilege	4740	WMIC.exe
Token: SeLoadDriverPrivilege	4740	WMIC.exe
Token: SeSystemProfilePrivilege	4740	WMIC.exe
Token: SeSystemtimePrivilege	4740	WMIC.exe
Token: SeProfSingleProcessPrivilege	4740	WMIC.exe
Token: SeIncBasePriorityPrivilege	4740	WMIC.exe
Token: SeCreatePagefilePrivilege	4740	WMIC.exe
Token: SeBackupPrivilege	4740	WMIC.exe
Token: SeRestorePrivilege	4740	WMIC.exe
Token: SeShutdownPrivilege	4740	WMIC.exe
Token: SeDebugPrivilege	4740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4740	WMIC.exe
Token: SeRemoteShutdownPrivilege	4740	WMIC.exe
Token: SeUndockPrivilege	4740	WMIC.exe
Token: SeManageVolumePrivilege	4740	WMIC.exe
Token: 33	4740	WMIC.exe
Token: 34	4740	WMIC.exe
Token: 35	4740	WMIC.exe
Token: 36	4740	WMIC.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeIncreaseQuotaPrivilege	4740	WMIC.exe
Token: SeSecurityPrivilege	4740	WMIC.exe
Token: SeTakeOwnershipPrivilege	4740	WMIC.exe
Token: SeLoadDriverPrivilege	4740	WMIC.exe
Token: SeSystemProfilePrivilege	4740	WMIC.exe
Token: SeSystemtimePrivilege	4740	WMIC.exe
Token: SeProfSingleProcessPrivilege	4740	WMIC.exe
Token: SeIncBasePriorityPrivilege	4740	WMIC.exe
Token: SeCreatePagefilePrivilege	4740	WMIC.exe
Token: SeBackupPrivilege	4740	WMIC.exe
Token: SeRestorePrivilege	4740	WMIC.exe
Token: SeShutdownPrivilege	4740	WMIC.exe
Token: SeDebugPrivilege	4740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4740	WMIC.exe
Token: SeRemoteShutdownPrivilege	4740	WMIC.exe
Token: SeUndockPrivilege	4740	WMIC.exe
Token: SeManageVolumePrivilege	4740	WMIC.exe
Token: 33	4740	WMIC.exe
Token: 34	4740	WMIC.exe
Token: 35	4740	WMIC.exe
Token: 36	4740	WMIC.exe
Token: SeBackupPrivilege	1516	powershell.exe
Token: SeBackupPrivilege	1516	powershell.exe
Token: SeBackupPrivilege	1516	powershell.exe
Token: SeBackupPrivilege	1516	powershell.exe
Token: SeBackupPrivilege	1516	powershell.exe
Token: SeBackupPrivilege	1516	powershell.exe
Token: SeSecurityPrivilege	1516	powershell.exe
Token: SeBackupPrivilege	1516	powershell.exe
Token: SeBackupPrivilege	1516	powershell.exe
Token: SeBackupPrivilege	1516	powershell.exe
Token: SeBackupPrivilege	1516	powershell.exe
Token: SeBackupPrivilege	1516	powershell.exe
Token: SeSecurityPrivilege	1516	powershell.exe
Token: SeBackupPrivilege	6504	vssvc.exe
Token: SeRestorePrivilege	6504	vssvc.exe
Token: SeAuditPrivilege	6504	vssvc.exe
Token: SeBackupPrivilege	1516	powershell.exe
Token: SeBackupPrivilege	1516	powershell.exe
Token: SeSecurityPrivilege	1516	powershell.exe
Token: SeBackupPrivilege	1516	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 2040	1644	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	88
PID 1644 wrote to memory of 2040	1644	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	88
PID 1644 wrote to memory of 1040	1644	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	92
PID 1644 wrote to memory of 1040	1644	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	92
PID 1644 wrote to memory of 3456	1644	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	91
PID 1644 wrote to memory of 3456	1644	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	91
PID 1644 wrote to memory of 112	1644	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	90
PID 1644 wrote to memory of 112	1644	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	90
PID 1644 wrote to memory of 352	1644	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	89
PID 1644 wrote to memory of 352	1644	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	89
PID 352 wrote to memory of 1516	352	cmd.exe	93
PID 352 wrote to memory of 1516	352	cmd.exe	93
PID 3456 wrote to memory of 2444	3456	cmd.exe	94
PID 3456 wrote to memory of 2444	3456	cmd.exe	94
PID 2040 wrote to memory of 4740	2040	cmd.exe	95
PID 2040 wrote to memory of 4740	2040	cmd.exe	95
PID 112 wrote to memory of 4104	112	cmd.exe	96
PID 112 wrote to memory of 4104	112	cmd.exe	96
PID 1040 wrote to memory of 4900	1040	cmd.exe	97
PID 1040 wrote to memory of 4900	1040	cmd.exe	97
PID 1644 wrote to memory of 13656	1644	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	103
PID 1644 wrote to memory of 13656	1644	5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe	103
PID 13656 wrote to memory of 13548	13656	powershell.exe	105
PID 13656 wrote to memory of 13548	13656	powershell.exe	105
PID 13656 wrote to memory of 13448	13656	powershell.exe	106
PID 13656 wrote to memory of 13448	13656	powershell.exe	106

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
"C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c wmic shadowcopy delete /nointeractive
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4740
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:352
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1516
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4104
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c bcdedit /set {default} recoveryenabled No
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3456
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2444
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:4900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:13656
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1347122807.png /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:13548
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
    3⤵
    PID:13448

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GET_YOUR_FILES_BACK.txt

Filesize
1011B

MD5
064348106157ac3e6972ebe6852f665f

SHA1
4f95549af4873637f05f5f574b93605d30a28dbb

SHA256
876a6444eeb977c6d73be9474d3cc85307a0f68d4b342c2e59913172f80caa2a

SHA512
e121d453c52fa8aabc7a878649bc68dc25a2bd24861c3557c82d8182ea7ac2b9f9921b5caae950901d036dd77a437e65233cbe5add23dc8d2c7446431bb3ab33

Download Submit
C:\GET_YOUR_FILES_BACK.txt

Filesize
1011B

MD5
064348106157ac3e6972ebe6852f665f

SHA1
4f95549af4873637f05f5f574b93605d30a28dbb

SHA256
876a6444eeb977c6d73be9474d3cc85307a0f68d4b342c2e59913172f80caa2a

SHA512
e121d453c52fa8aabc7a878649bc68dc25a2bd24861c3557c82d8182ea7ac2b9f9921b5caae950901d036dd77a437e65233cbe5add23dc8d2c7446431bb3ab33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_juma2lqh.xlc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1516-146-0x0000022191340000-0x0000022191362000-memory.dmp

Filesize
136KB

Download
memory/1516-793-0x0000022191260000-0x0000022191270000-memory.dmp

Filesize
64KB

Download
memory/1516-832-0x0000022191260000-0x0000022191270000-memory.dmp

Filesize
64KB

Download
memory/1516-1540-0x0000022191260000-0x0000022191270000-memory.dmp

Filesize
64KB

Download
memory/1516-3346-0x00000221A94E0000-0x00000221A96FC000-memory.dmp

Filesize
2.1MB

Download
memory/13656-24866-0x000001D6CE290000-0x000001D6CE2A0000-memory.dmp

Filesize
64KB

Download
memory/13656-24868-0x000001D6CE290000-0x000001D6CE2A0000-memory.dmp

Filesize
64KB

Download