Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
15-12-2024 00:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe
Resource
win7-20240729-en
windows7-x64
16 signatures
150 seconds
Behavioral task
behavioral2
Sample
ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
16 signatures
150 seconds
General
-
Target
ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe
-
Size
807KB
-
MD5
e27b5291c8fb2dfdeb7f16bb6851df5e
-
SHA1
40207f83b601cd60905c1f807ac0889c80dfe33f
-
SHA256
ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f
-
SHA512
2ddbc50cd780ffbf73c354b9b437322eb49cb05bb6f287d54e7dcafb61dc4c4549e37ae2f972f3d240bfa7d2ca485b7583137f1bf038bc901f378cea0c305c6a
-
SSDEEP
12288:0Z4s3rg9u/2/oT+NXtHLlP/O+OeO+OeNhBBhhBBAtHg9rjI+LXJ0ivlzkHBDsYAG:u4s+oT+NXBLi0rjFXvyHBlbmCZa8
Malware Config
Signatures
-
Avoslocker Ransomware
Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.
-
Avoslocker family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 37140 bcdedit.exe 37132 bcdedit.exe -
Renames multiple (8459) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Z: ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1700868993.png" reg.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-24_altform-lightunplated.png ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-48_altform-unplated.png ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Outlook.scale-125.png ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\GET_YOUR_FILES_BACK.txt ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ro-ro\GET_YOUR_FILES_BACK.txt ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ui-strings.js ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MEDIA\SUCTION.WAV ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\offsymxl.ttf ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul.xrm-ms ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ul-phn.xrm-ms ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-60_altform-lightunplated.png ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File created C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\GET_YOUR_FILES_BACK.txt ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sk-sk\ui-strings.js ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int.gif ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_psd.svg ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsym.ttf ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\Hx.HxT ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files (x86)\Windows Media Player\ja-JP\setup_wm.exe.mui ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\da-dk\ui-strings.js ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\GET_YOUR_FILES_BACK.txt ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\Doughboy.scale-400.png ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailMediumTile.scale-125.png ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\Windows Media Player\en-US\wmpnssci.dll.mui ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File created C:\Program Files (x86)\Adobe\GET_YOUR_FILES_BACK.txt ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-ma\GET_YOUR_FILES_BACK.txt ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\TXP_TicketedEvent.png ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare_col.hxc ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\Informix.xsl ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ul-oob.xrm-ms ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-pl.xrm-ms ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia.api ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1 ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\TraceConvert.m3u ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\joni.md ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_nb_135x40.svg ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\GET_YOUR_FILES_BACK.txt ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\giflib.md ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\GET_YOUR_FILES_BACK.txt ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\Mozilla Firefox\omni.ja ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\da-dk\ui-strings.js ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pt-br\ui-strings.js ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\fr-FR\MSFT_PackageManagementSource.schema.mfl ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsym.ttf ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\eu-es\GET_YOUR_FILES_BACK.txt ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\Common Files\System\ado\msado27.tlb ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\dd_arrow_small2x.png ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\GET_YOUR_FILES_BACK.txt ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-30.png ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File created C:\Program Files\Microsoft Office 15\GET_YOUR_FILES_BACK.txt ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File created C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\GET_YOUR_FILES_BACK.txt ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\jni_md.h ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_es_135x40.svg ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Light.scale-150.png ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\GET_YOUR_FILES_BACK.txt ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent.png ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\ca\msipc.dll.mui ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages.properties ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\es-ES.mail.config ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Light.scale-125.png ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\fontconfig.properties.src ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe -
pid Process 10604 powershell.exe 28108 powershell.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 37116 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 2244 ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe 2244 ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe 10604 powershell.exe 10604 powershell.exe 10604 powershell.exe 28108 powershell.exe 28108 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 2244 ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe Token: SeIncreaseQuotaPrivilege 37124 WMIC.exe Token: SeSecurityPrivilege 37124 WMIC.exe Token: SeTakeOwnershipPrivilege 37124 WMIC.exe Token: SeLoadDriverPrivilege 37124 WMIC.exe Token: SeSystemProfilePrivilege 37124 WMIC.exe Token: SeSystemtimePrivilege 37124 WMIC.exe Token: SeProfSingleProcessPrivilege 37124 WMIC.exe Token: SeIncBasePriorityPrivilege 37124 WMIC.exe Token: SeCreatePagefilePrivilege 37124 WMIC.exe Token: SeBackupPrivilege 37124 WMIC.exe Token: SeRestorePrivilege 37124 WMIC.exe Token: SeShutdownPrivilege 37124 WMIC.exe Token: SeDebugPrivilege 37124 WMIC.exe Token: SeSystemEnvironmentPrivilege 37124 WMIC.exe Token: SeRemoteShutdownPrivilege 37124 WMIC.exe Token: SeUndockPrivilege 37124 WMIC.exe Token: SeManageVolumePrivilege 37124 WMIC.exe Token: 33 37124 WMIC.exe Token: 34 37124 WMIC.exe Token: 35 37124 WMIC.exe Token: 36 37124 WMIC.exe Token: SeIncreaseQuotaPrivilege 37124 WMIC.exe Token: SeSecurityPrivilege 37124 WMIC.exe Token: SeTakeOwnershipPrivilege 37124 WMIC.exe Token: SeLoadDriverPrivilege 37124 WMIC.exe Token: SeSystemProfilePrivilege 37124 WMIC.exe Token: SeSystemtimePrivilege 37124 WMIC.exe Token: SeProfSingleProcessPrivilege 37124 WMIC.exe Token: SeIncBasePriorityPrivilege 37124 WMIC.exe Token: SeCreatePagefilePrivilege 37124 WMIC.exe Token: SeBackupPrivilege 37124 WMIC.exe Token: SeRestorePrivilege 37124 WMIC.exe Token: SeShutdownPrivilege 37124 WMIC.exe Token: SeDebugPrivilege 37124 WMIC.exe Token: SeSystemEnvironmentPrivilege 37124 WMIC.exe Token: SeRemoteShutdownPrivilege 37124 WMIC.exe Token: SeUndockPrivilege 37124 WMIC.exe Token: SeManageVolumePrivilege 37124 WMIC.exe Token: 33 37124 WMIC.exe Token: 34 37124 WMIC.exe Token: 35 37124 WMIC.exe Token: 36 37124 WMIC.exe Token: SeBackupPrivilege 3852 vssvc.exe Token: SeRestorePrivilege 3852 vssvc.exe Token: SeAuditPrivilege 3852 vssvc.exe Token: SeDebugPrivilege 10604 powershell.exe Token: SeBackupPrivilege 10604 powershell.exe Token: SeBackupPrivilege 10604 powershell.exe Token: SeBackupPrivilege 10604 powershell.exe Token: SeBackupPrivilege 10604 powershell.exe Token: SeBackupPrivilege 10604 powershell.exe Token: SeBackupPrivilege 10604 powershell.exe Token: SeSecurityPrivilege 10604 powershell.exe Token: SeBackupPrivilege 10604 powershell.exe Token: SeBackupPrivilege 10604 powershell.exe Token: SeBackupPrivilege 10604 powershell.exe Token: SeBackupPrivilege 10604 powershell.exe Token: SeBackupPrivilege 10604 powershell.exe Token: SeSecurityPrivilege 10604 powershell.exe Token: SeBackupPrivilege 10604 powershell.exe Token: SeBackupPrivilege 10604 powershell.exe Token: SeSecurityPrivilege 10604 powershell.exe Token: SeBackupPrivilege 10604 powershell.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 2244 wrote to memory of 4888 2244 ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe 84 PID 2244 wrote to memory of 4888 2244 ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe 84 PID 2244 wrote to memory of 3652 2244 ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe 85 PID 2244 wrote to memory of 3652 2244 ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe 85 PID 2244 wrote to memory of 3956 2244 ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe 86 PID 2244 wrote to memory of 3956 2244 ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe 86 PID 2244 wrote to memory of 4520 2244 ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe 87 PID 2244 wrote to memory of 4520 2244 ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe 87 PID 2244 wrote to memory of 4564 2244 ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe 88 PID 2244 wrote to memory of 4564 2244 ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe 88 PID 3652 wrote to memory of 37116 3652 cmd.exe 89 PID 3652 wrote to memory of 37116 3652 cmd.exe 89 PID 4888 wrote to memory of 37124 4888 cmd.exe 91 PID 4888 wrote to memory of 37124 4888 cmd.exe 91 PID 4520 wrote to memory of 37132 4520 cmd.exe 90 PID 4520 wrote to memory of 37132 4520 cmd.exe 90 PID 3956 wrote to memory of 37140 3956 cmd.exe 92 PID 3956 wrote to memory of 37140 3956 cmd.exe 92 PID 4564 wrote to memory of 10604 4564 cmd.exe 93 PID 4564 wrote to memory of 10604 4564 cmd.exe 93 PID 2244 wrote to memory of 28108 2244 ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe 98 PID 2244 wrote to memory of 28108 2244 ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe 98 PID 28108 wrote to memory of 28420 28108 powershell.exe 99 PID 28108 wrote to memory of 28420 28108 powershell.exe 99 PID 28108 wrote to memory of 28452 28108 powershell.exe 100 PID 28108 wrote to memory of 28452 28108 powershell.exe 100 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe"C:\Users\Admin\AppData\Local\Temp\ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f.exe"1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SYSTEM32\cmd.execmd /c wmic shadowcopy delete /nointeractive2⤵
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
PID:37124
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin.exe Delete Shadows /All /Quiet2⤵
- Suspicious use of WriteProcessMemory
PID:3652 -
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
PID:37116
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c bcdedit /set {default} recoveryenabled No2⤵
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
PID:37140
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
- Suspicious use of WriteProcessMemory
PID:4520 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:37132
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"2⤵
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:10604
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:28108 -
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1700868993.png /f3⤵
- Sets desktop wallpaper using registry
PID:28420
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False3⤵PID:28452
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3852
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Windows Management Instrumentation
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize
64B
MD5eb6332ae9e8fec69c2236355e2638f9d
SHA171500d57fb304979afd6756f06d4b9a59f995eb7
SHA25688e5ffe18fd4a772efce68f1b0db839846cafc42d36415508ad5356a44d38f32
SHA512e87c864ba79bd7a10a62b55ad564cf3acb090e7d85707a6967497deeef5fcde1f0b4608ea8791bf81363ec583a0101d470d8f3cd2172ced8d4071d7f6c674aed
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1011B
MD5c92c2b70fb37f84aab38412ad9226aa8
SHA114f2e9a83285612d0a7b2c83b8f89bccfde6c154
SHA256d64639e873c0873b469cd856d1ef4bce7dc14a80fac6fe2bed9d629f05acc77f
SHA51204f9dcb3cd49909712535255b6eadd7fafcb2902bf1abd5a25e9bb5f5c4dc032611aec0a5b0ec89cd7dbc65276b935c54b906b391507d2e3e3aa65466b15f848