Analysis
-
max time kernel
120s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
31-05-2024 07:39
Static task
static1
Behavioral task
behavioral1
Sample
eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
Resource
win10v2004-20240508-en
General
-
Target
eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe
-
Size
1002KB
-
MD5
97b34aecdcbe69cc57b4d321b0700cd9
-
SHA1
b2f2a027512a6f2b4ea856468eaccf6250a555d4
-
SHA256
eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115
-
SHA512
5436ad5e25083f167de6a30d2aa06d4dce514a4b5a2cc6d9ca5a4b1f7d3903f2d0bb70f64fa4562b26857dac7bd36ef7c8bb5b766d4975a0fef39a01dac63327
-
SSDEEP
24576:Lgg34ayddj+yYCVj2EG1bWIL0oHPVRV37AXVJmUCOsvxFdUwcT:E2edj4CwE4bFbl7AqUgvrFcT
Malware Config
Signatures
-
Avoslocker Ransomware
Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 3664 bcdedit.exe 3728 bcdedit.exe -
Renames multiple (10387) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Z: eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2114547645.png" reg.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\PREVIEW.GIF eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\plugins.dat eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository_1.2.100.v20131209-2144.jar eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00252_.WMF eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BS2BARB.POC eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14790_.GIF eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File created C:\Program Files\VideoLAN\VLC\GET_YOUR_FILES_BACK.txt eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File created C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\GET_YOUR_FILES_BACK.txt eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_right.png eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02268_.WMF eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\ARCTIC.ELM eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\row_over.png eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files\Windows NT\TableTextService\TableTextServiceYi.txt eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\SpiderSolitaire.exe.mui eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipBand.dll.mui eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEBLINK.POC eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABON.JPG eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana.css eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Solstice.xml eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\currency.html eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tegucigalpa eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_matte2.wmv eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider_left.png eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0183172.WMF eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File created C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\GET_YOUR_FILES_BACK.txt eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Bucharest eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\STORYBB.POC eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-first-quarter.png eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Perspective.dotx eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME12.CSS eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341534.JPG eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\settings.css eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImage.jpg eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10253_.GIF eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151061.WMF eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198377.WMF eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File created C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\GET_YOUR_FILES_BACK.txt eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.jrockit.mc.rcp.product_root_5.5.0.165303 eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File created C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\GET_YOUR_FILES_BACK.txt eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0233992.WMF eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\GET_YOUR_FILES_BACK.txt eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File created C:\Program Files\Mozilla Firefox\uninstall\GET_YOUR_FILES_BACK.txt eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_ja_4.4.0.v20140623020002.jar eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\SUBMIT.JS eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\SUBMIT.JS eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00183_.WMF eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\GET_YOUR_FILES_BACK.txt eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeAUM_rootCert.cer eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\GET_YOUR_FILES_BACK.txt eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\GET_YOUR_FILES_BACK.txt eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\GET_YOUR_FILES_BACK.txt eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\EquityLetter.Dotx eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FALL_01.MID eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT+7 eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NAVBARV.POC eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15035_.GIF eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00443_.WMF eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\36.png eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\GET_YOUR_FILES_BACK.txt eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vienna eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files (x86)\Windows Media Player\en-US\wmlaunch.exe.mui eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe File opened for modification C:\Program Files (x86)\Windows Media Player\it-IT\wmpnssci.dll.mui eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe -
pid Process 2384 powershell.exe 3656 powershell.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 3640 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1712 eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe 3656 powershell.exe 2384 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 1712 eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe Token: SeIncreaseQuotaPrivilege 3648 WMIC.exe Token: SeSecurityPrivilege 3648 WMIC.exe Token: SeTakeOwnershipPrivilege 3648 WMIC.exe Token: SeLoadDriverPrivilege 3648 WMIC.exe Token: SeSystemProfilePrivilege 3648 WMIC.exe Token: SeSystemtimePrivilege 3648 WMIC.exe Token: SeProfSingleProcessPrivilege 3648 WMIC.exe Token: SeIncBasePriorityPrivilege 3648 WMIC.exe Token: SeCreatePagefilePrivilege 3648 WMIC.exe Token: SeBackupPrivilege 3648 WMIC.exe Token: SeRestorePrivilege 3648 WMIC.exe Token: SeShutdownPrivilege 3648 WMIC.exe Token: SeDebugPrivilege 3648 WMIC.exe Token: SeSystemEnvironmentPrivilege 3648 WMIC.exe Token: SeRemoteShutdownPrivilege 3648 WMIC.exe Token: SeUndockPrivilege 3648 WMIC.exe Token: SeManageVolumePrivilege 3648 WMIC.exe Token: 33 3648 WMIC.exe Token: 34 3648 WMIC.exe Token: 35 3648 WMIC.exe Token: SeDebugPrivilege 3656 powershell.exe Token: SeIncreaseQuotaPrivilege 3648 WMIC.exe Token: SeSecurityPrivilege 3648 WMIC.exe Token: SeTakeOwnershipPrivilege 3648 WMIC.exe Token: SeLoadDriverPrivilege 3648 WMIC.exe Token: SeSystemProfilePrivilege 3648 WMIC.exe Token: SeSystemtimePrivilege 3648 WMIC.exe Token: SeProfSingleProcessPrivilege 3648 WMIC.exe Token: SeIncBasePriorityPrivilege 3648 WMIC.exe Token: SeCreatePagefilePrivilege 3648 WMIC.exe Token: SeBackupPrivilege 3648 WMIC.exe Token: SeRestorePrivilege 3648 WMIC.exe Token: SeShutdownPrivilege 3648 WMIC.exe Token: SeDebugPrivilege 3648 WMIC.exe Token: SeSystemEnvironmentPrivilege 3648 WMIC.exe Token: SeRemoteShutdownPrivilege 3648 WMIC.exe Token: SeUndockPrivilege 3648 WMIC.exe Token: SeManageVolumePrivilege 3648 WMIC.exe Token: 33 3648 WMIC.exe Token: 34 3648 WMIC.exe Token: 35 3648 WMIC.exe Token: SeBackupPrivilege 3656 powershell.exe Token: SeSecurityPrivilege 3656 powershell.exe Token: SeBackupPrivilege 3680 vssvc.exe Token: SeRestorePrivilege 3680 vssvc.exe Token: SeAuditPrivilege 3680 vssvc.exe Token: SeBackupPrivilege 3656 powershell.exe Token: SeBackupPrivilege 3656 powershell.exe Token: SeSecurityPrivilege 3656 powershell.exe Token: SeBackupPrivilege 3656 powershell.exe Token: SeBackupPrivilege 3656 powershell.exe Token: SeSecurityPrivilege 3656 powershell.exe Token: SeBackupPrivilege 3656 powershell.exe Token: SeBackupPrivilege 3656 powershell.exe Token: SeSecurityPrivilege 3656 powershell.exe Token: SeBackupPrivilege 3656 powershell.exe Token: SeBackupPrivilege 3656 powershell.exe Token: SeSecurityPrivilege 3656 powershell.exe Token: SeBackupPrivilege 3656 powershell.exe Token: SeBackupPrivilege 3656 powershell.exe Token: SeSecurityPrivilege 3656 powershell.exe Token: SeBackupPrivilege 3656 powershell.exe Token: SeSecurityPrivilege 3656 powershell.exe -
Suspicious use of WriteProcessMemory 45 IoCs
description pid Process procid_target PID 1712 wrote to memory of 2972 1712 eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe 29 PID 1712 wrote to memory of 2972 1712 eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe 29 PID 1712 wrote to memory of 2972 1712 eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe 29 PID 1712 wrote to memory of 2972 1712 eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe 29 PID 1712 wrote to memory of 2984 1712 eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe 30 PID 1712 wrote to memory of 2984 1712 eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe 30 PID 1712 wrote to memory of 2984 1712 eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe 30 PID 1712 wrote to memory of 2984 1712 eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe 30 PID 1712 wrote to memory of 2012 1712 eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe 31 PID 1712 wrote to memory of 2012 1712 eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe 31 PID 1712 wrote to memory of 2012 1712 eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe 31 PID 1712 wrote to memory of 2012 1712 eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe 31 PID 1712 wrote to memory of 1260 1712 eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe 32 PID 1712 wrote to memory of 1260 1712 eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe 32 PID 1712 wrote to memory of 1260 1712 eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe 32 PID 1712 wrote to memory of 1260 1712 eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe 32 PID 1712 wrote to memory of 2028 1712 eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe 33 PID 1712 wrote to memory of 2028 1712 eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe 33 PID 1712 wrote to memory of 2028 1712 eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe 33 PID 1712 wrote to memory of 2028 1712 eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe 33 PID 2972 wrote to memory of 3648 2972 cmd.exe 35 PID 2972 wrote to memory of 3648 2972 cmd.exe 35 PID 2972 wrote to memory of 3648 2972 cmd.exe 35 PID 2028 wrote to memory of 3656 2028 cmd.exe 36 PID 2028 wrote to memory of 3656 2028 cmd.exe 36 PID 2028 wrote to memory of 3656 2028 cmd.exe 36 PID 2012 wrote to memory of 3664 2012 cmd.exe 37 PID 2012 wrote to memory of 3664 2012 cmd.exe 37 PID 2012 wrote to memory of 3664 2012 cmd.exe 37 PID 2984 wrote to memory of 3640 2984 cmd.exe 34 PID 2984 wrote to memory of 3640 2984 cmd.exe 34 PID 2984 wrote to memory of 3640 2984 cmd.exe 34 PID 1260 wrote to memory of 3728 1260 cmd.exe 38 PID 1260 wrote to memory of 3728 1260 cmd.exe 38 PID 1260 wrote to memory of 3728 1260 cmd.exe 38 PID 1712 wrote to memory of 2384 1712 eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe 43 PID 1712 wrote to memory of 2384 1712 eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe 43 PID 1712 wrote to memory of 2384 1712 eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe 43 PID 1712 wrote to memory of 2384 1712 eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe 43 PID 2384 wrote to memory of 3848 2384 powershell.exe 44 PID 2384 wrote to memory of 3848 2384 powershell.exe 44 PID 2384 wrote to memory of 3848 2384 powershell.exe 44 PID 2384 wrote to memory of 3636 2384 powershell.exe 45 PID 2384 wrote to memory of 3636 2384 powershell.exe 45 PID 2384 wrote to memory of 3636 2384 powershell.exe 45 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe"C:\Users\Admin\AppData\Local\Temp\eba3a5a7171c68752065faeff30716844b53d14bba821bf33002189b64eda115.exe"1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\system32\cmd.execmd /c wmic shadowcopy delete /nointeractive2⤵
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3648
-
-
-
C:\Windows\system32\cmd.execmd /c vssadmin.exe Delete Shadows /All /Quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
PID:3640
-
-
-
C:\Windows\system32\cmd.execmd /c bcdedit /set {default} recoveryenabled No2⤵
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
PID:3664
-
-
-
C:\Windows\system32\cmd.execmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:3728
-
-
-
C:\Windows\system32\cmd.execmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"2⤵
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3656
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2114547645.png /f3⤵
- Sets desktop wallpaper using registry
PID:3848
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False3⤵PID:3636
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3680
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1011B
MD536d08e3dadf813cefd755ba410908b16
SHA13ec7b14da6eaaf24f99be6c68301a6a7d05e6e5a
SHA2564b38c6732593914ff892b2ed9fd337d4fa3cac8df096bae3fc532e606b3d1752
SHA5128828d2f7cd763dfafff76f28ed990498a241ae6abace6fa7ce96060672216143d6c5a92eef8eacdf1060ae239c275571640328452b2e516ed90d8c14b245c52e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD54c6a17abe24e6c9b1011e7791b05b7f9
SHA143f816186a00833788399e2085dc25243966b2f2
SHA25601c56b2b5d1c6ef2f9f8c1760ef6e57b71e162d166b93c957d0244857e45fb6d
SHA512276f6f5e8b60f313ac35e12bf0443bd86219d28f1d05332b3d1243430216e25909bbaad9d6db05fbf285614474aff2033f049b4545ce1c0180696fee485439d3