Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

00688ead52...7f.exe

windows7-x64

10

00688ead52...7f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/05/2024, 07:08 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe

  • Size

    1002KB

  • MD5

    6eb93471d34dce78877ebc870816238f

  • SHA1

    288796474024860cd052925518947e71da404aeb

  • SHA256

    00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f

  • SHA512

    1e7e6dcddd3d799e1180a2e0edb37f61b170ffb2d6ccc32fc13057c0ce39aa379217c46749c390f63af727e5041a374b612753babdbdb8aaf893e51118ec3ea6

  • SSDEEP

    24576:eUBPDxG9OhoBEbxWx7wS1XKNPe3U+Emr:eU5NQqWxtKl6wg

Score
10/10
avoslockerdefense_evasionevasionexecutionimpactransomware

Malware Config

Signatures

  • Avoslocker Ransomware

    Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.

    ransomwareavoslocker
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Renames multiple (8462) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe
    "C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c wmic shadowcopy delete /nointeractive
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1200
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4788
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:4348
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c bcdedit /set {default} recoveryenabled No
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4764
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled No
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:4024
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3468
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1172
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4468
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5116
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:35880
      • C:\Windows\system32\reg.exe
        "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\6581503.png /f
        3⤵
        • Sets desktop wallpaper using registry
        PID:36176
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
        3⤵
          PID:36604
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:34972

    Network

    • flag-us
      DNS
      58.55.71.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      58.55.71.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      25.24.18.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      25.24.18.2.in-addr.arpa
      IN PTR
      Response
      25.24.18.2.in-addr.arpa
      IN PTR
      a2-18-24-25deploystaticakamaitechnologiescom
    • flag-us
      DNS
      2.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      2.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      104.219.191.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      104.219.191.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      157.123.68.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      157.123.68.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      15.164.165.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      15.164.165.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      241.150.49.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.150.49.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      18.24.18.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.24.18.2.in-addr.arpa
      IN PTR
      Response
      18.24.18.2.in-addr.arpa
      IN PTR
      a2-18-24-18deploystaticakamaitechnologiescom
    • flag-us
      DNS
      11.227.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      11.227.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      58.189.79.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      58.189.79.40.in-addr.arpa
      IN PTR
      Response
    No results found
    • 8.8.8.8:53
      58.55.71.13.in-addr.arpa
      dns
      70 B
       144 B
       1
      1

      DNS Request

      58.55.71.13.in-addr.arpa

    • 8.8.8.8:53
      25.24.18.2.in-addr.arpa
      dns
      69 B
       131 B
       1
      1

      DNS Request

      25.24.18.2.in-addr.arpa

    • 8.8.8.8:53
      2.159.190.20.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      2.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
       144 B
       1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      104.219.191.52.in-addr.arpa
      dns
      73 B
       147 B
       1
      1

      DNS Request

      104.219.191.52.in-addr.arpa

    • 8.8.8.8:53
      157.123.68.40.in-addr.arpa
      dns
      72 B
       146 B
       1
      1

      DNS Request

      157.123.68.40.in-addr.arpa

    • 8.8.8.8:53
      15.164.165.52.in-addr.arpa
      dns
      72 B
       146 B
       1
      1

      DNS Request

      15.164.165.52.in-addr.arpa

    • 8.8.8.8:53
      241.150.49.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      241.150.49.20.in-addr.arpa

    • 8.8.8.8:53
      18.24.18.2.in-addr.arpa
      dns
      69 B
       131 B
       1
      1

      DNS Request

      18.24.18.2.in-addr.arpa

    • 8.8.8.8:53
      11.227.111.52.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      11.227.111.52.in-addr.arpa

    • 8.8.8.8:53
      58.189.79.40.in-addr.arpa
      dns
      71 B
       145 B
       1
      1

      DNS Request

      58.189.79.40.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\GET_YOUR_FILES_BACK.txt
      Filesize

      1011B

      MD5

      b69a0aa7abf916a5f00d0f438cf98fa6

      SHA1

      1ad8aec6b066487d69492225bb6493b4afd2db64

      SHA256

      9a3b665f5458ade3c61be4fd2f906a915f8c523127be7456a6bff3677356289d

      SHA512

      cec0c8f59d7c204f33452223b0f9eaa55bc0ef07f983c42fbdd3ff0906814bf907816bd6b4dd2dbb3292f6396f22b50b0736caf469f1a942fdd7cd09c099cd72

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      6cf293cb4d80be23433eecf74ddb5503

      SHA1

      24fe4752df102c2ef492954d6b046cb5512ad408

      SHA256

      b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

      SHA512

      0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      64B

      MD5

      a6c9d692ed2826ecb12c09356e69cc09

      SHA1

      def728a6138cf083d8a7c61337f3c9dade41a37f

      SHA256

      a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b

      SHA512

      2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5ua50kyu.uww.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/2008-1-0x0000000000400000-0x00000000004E5000-memory.dmp

      Filesize

      916KB

      Download

    • memory/2008-3-0x0000000000400000-0x00000000004E5000-memory.dmp

      Filesize

      916KB

      Download

    • memory/2008-7-0x0000000000400000-0x00000000004E5000-memory.dmp

      Filesize

      916KB

      Download

    • memory/2008-6-0x0000000000580000-0x0000000000581000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2008-5-0x0000000000401000-0x000000000049D000-memory.dmp

      Filesize

      624KB

      Download

    • memory/2008-2-0x0000000000400000-0x00000000004E5000-memory.dmp

      Filesize

      916KB

      Download

    • memory/2008-0-0x0000000000400000-0x00000000004E5000-memory.dmp

      Filesize

      916KB

      Download

    • memory/2008-9-0x0000000000400000-0x00000000004E5000-memory.dmp

      Filesize

      916KB

      Download

    • memory/2008-8-0x0000000000400000-0x00000000004E5000-memory.dmp

      Filesize

      916KB

      Download

    • memory/2008-22635-0x0000000002270000-0x00000000022B3000-memory.dmp

      Filesize

      268KB

      Download

    • memory/2008-22634-0x0000000000401000-0x000000000049D000-memory.dmp

      Filesize

      624KB

      Download

    • memory/2008-22633-0x0000000000400000-0x00000000004E5000-memory.dmp

      Filesize

      916KB

      Download

    • memory/2008-4-0x0000000002270000-0x00000000022B3000-memory.dmp

      Filesize

      268KB

      Download

    • memory/5116-17433-0x000001A2D44B0000-0x000001A2D44D2000-memory.dmp

      Filesize

      136KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.