Analysis
- max time kernel: 122s
- max time network: 130s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 28/12/2024, 22:09
Static task: static1
Behavioral task: behavioral1
- Sample: sex.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: sex.exe
- Resource: win10v2004-20241007-en
General
- Target: sex.exe
- Size: 1.1MB
- MD5: adafab2dac5b7c82b724ee21ef9b9074
- SHA1: 79705ff60099779427009651fdb9a86e305dff20
- SHA256: b4589e3b06efe598a5c57d2a93ef9101d91a7be465a7d5aecb2e68b8ed1d0ae7
- SHA512: ec030ba61181ec09a974a1dd41ba5a1b713f157c43dcd2cae44dd78c5fd401afaceddfafb7c88e123d476fc09f3550696b3367083285a58fba5e7ae3116ccb48
- SSDEEP: 24576:lImw98okVgela0as5CqLVO7XJCjkD3N0HRA:7L5ljasaU
Malware Config
Signatures
- Avoslocker Ransomware
  Avoslocker is a relatively new ransomware that was observed in late June and early July, 2021.
- Avoslocker family
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  pid / Process:
  - 1532 bcdedit.exe
  - 3052 bcdedit.exe
- Renames multiple (10376) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Executes dropped EXE (1 IoC)
  pid / Process:
  - 2316 P1kAlMiG2Kb7.scr
- Drops desktop.ini file(s) (1 IoC)
  description / ioc / Process:
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI (P1kAlMiG2Kb7.scr)
- Enumerates connected drives (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
  description / ioc / Process:
  - File opened (read-only): \??\Z: (P1kAlMiG2Kb7.scr)
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  description / ioc / Process:
  - Set value (str): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1779948278.png" (reg.exe)
- Drops file in Program Files directory (64 IoCs)
  description / ioc / Process (all by P1kAlMiG2Kb7.scr):
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\msinfo32.exe.mui
  - File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\slideShow.css
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\POSTCARD.XML
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198102.WMF
  - File created: C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\GET_YOUR_FILES_BACK.txt
  - File opened for modification: C:\Program Files\DVD Maker\Shared\DissolveNoise.png
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Menominee
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00411_.WMF
  - File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf
  - File created: C:\Program Files\Microsoft Games\Minesweeper\es-ES\GET_YOUR_FILES_BACK.txt
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_zh_CN.jar
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-api_ja.jar
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02407_.WMF
  - File opened for modification: C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui
  - File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\view.html
  - File opened for modification: C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Class.zip
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_High.jpg
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDREST.CFG
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\AUTHOR.XSL
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF
  - File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv
  - File created: C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\GET_YOUR_FILES_BACK.txt
  - File opened for modification: C:\Program Files\Java\jre7\lib\zi\America\Fortaleza
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.di.extensions_0.12.0.v20140417-2033.jar
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.nl_zh_4.4.0.v20140623020002.jar
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticattribute.exsd
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Document Themes 14\Grid.thmx
  - File created: C:\Program Files\VideoLAN\VLC\locale\gl\GET_YOUR_FILES_BACK.txt
  - File created: C:\Program Files\VideoLAN\VLC\locale\fi\GET_YOUR_FILES_BACK.txt
  - File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-back-static.png
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SPRNG_01.MID
  - File created: C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\GET_YOUR_FILES_BACK.txt
  - File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\RSSFeeds.css
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WSIDBR98.POC
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS_COL.HXT
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME22.CSS
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01630_.WMF
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02742G.GIF
  - File opened for modification: C:\Program Files\Java\jre7\lib\tzmappings
  - File opened for modification: C:\Program Files\Java\jre7\lib\zi\Europe\Rome
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nipigon
  - File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-image-mask.png
  - File opened for modification: C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\vlc.mo
  - File opened for modification: C:\Program Files\Java\jre7\lib\zi\SystemV\HST10
  - File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\GET_YOUR_FILES_BACK.txt
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\XML2WORD.XSL
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00165_.GIF
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02028K.JPG
  - File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\flyout.css
  - File opened for modification: C:\Program Files\Java\jre7\lib\zi\America\Nassau
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.util_8.1.14.v20131031.jar
  - File created: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\GET_YOUR_FILES_BACK.txt
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CONTACT.JPG
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15019_.GIF
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18221_.WMF
  - File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\settings.js
  - File opened for modification: C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\vlc.mo
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Andorra
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Colombo
  - File created: C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\GET_YOUR_FILES_BACK.txt
  - File created: C:\Program Files\Windows Mail\ja-JP\GET_YOUR_FILES_BACK.txt
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LTHD98SP.POC
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.NO.XML
- Command and Scripting Interpreter: PowerShell (signature name taken from the process tree below, where it is attached to these two PIDs)
  pid / Process:
  - 1488 powershell.exe
  - 1712 powershell.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (P1kAlMiG2Kb7.scr)
- Interacts with shadow copies (3 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid / Process:
  - 1740 vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid / Process:
  - 2316 P1kAlMiG2Kb7.scr
  - 1488 powershell.exe
  - 1712 powershell.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token / pid / Process:
  - SeTakeOwnershipPrivilege (pid 2316, P1kAlMiG2Kb7.scr)
  - SeIncreaseQuotaPrivilege (pid 1212, WMIC.exe)
  - SeSecurityPrivilege (pid 1212, WMIC.exe)
  - SeTakeOwnershipPrivilege (pid 1212, WMIC.exe)
  - SeLoadDriverPrivilege (pid 1212, WMIC.exe)
  - SeSystemProfilePrivilege (pid 1212, WMIC.exe)
  - SeSystemtimePrivilege (pid 1212, WMIC.exe)
  - SeProfSingleProcessPrivilege (pid 1212, WMIC.exe)
  - SeIncBasePriorityPrivilege (pid 1212, WMIC.exe)
  - SeCreatePagefilePrivilege (pid 1212, WMIC.exe)
  - SeBackupPrivilege (pid 1212, WMIC.exe)
  - SeRestorePrivilege (pid 1212, WMIC.exe)
  - SeShutdownPrivilege (pid 1212, WMIC.exe)
  - SeDebugPrivilege (pid 1212, WMIC.exe)
  - SeSystemEnvironmentPrivilege (pid 1212, WMIC.exe)
  - SeRemoteShutdownPrivilege (pid 1212, WMIC.exe)
  - SeUndockPrivilege (pid 1212, WMIC.exe)
  - SeManageVolumePrivilege (pid 1212, WMIC.exe)
  - 33 (pid 1212, WMIC.exe)
  - 34 (pid 1212, WMIC.exe)
  - 35 (pid 1212, WMIC.exe)
  - SeBackupPrivilege (pid 3556, vssvc.exe)
  - SeRestorePrivilege (pid 3556, vssvc.exe)
  - SeAuditPrivilege (pid 3556, vssvc.exe)
  - SeIncreaseQuotaPrivilege (pid 1212, WMIC.exe)
  - SeSecurityPrivilege (pid 1212, WMIC.exe)
  - SeTakeOwnershipPrivilege (pid 1212, WMIC.exe)
  - SeLoadDriverPrivilege (pid 1212, WMIC.exe)
  - SeSystemProfilePrivilege (pid 1212, WMIC.exe)
  - SeSystemtimePrivilege (pid 1212, WMIC.exe)
  - SeProfSingleProcessPrivilege (pid 1212, WMIC.exe)
  - SeIncBasePriorityPrivilege (pid 1212, WMIC.exe)
  - SeCreatePagefilePrivilege (pid 1212, WMIC.exe)
  - SeBackupPrivilege (pid 1212, WMIC.exe)
  - SeRestorePrivilege (pid 1212, WMIC.exe)
  - SeShutdownPrivilege (pid 1212, WMIC.exe)
  - SeDebugPrivilege (pid 1212, WMIC.exe)
  - SeSystemEnvironmentPrivilege (pid 1212, WMIC.exe)
  - SeRemoteShutdownPrivilege (pid 1212, WMIC.exe)
  - SeUndockPrivilege (pid 1212, WMIC.exe)
  - SeManageVolumePrivilege (pid 1212, WMIC.exe)
  - 33 (pid 1212, WMIC.exe)
  - 34 (pid 1212, WMIC.exe)
  - 35 (pid 1212, WMIC.exe)
  - SeDebugPrivilege (pid 1488, powershell.exe)
  - SeBackupPrivilege (pid 1488, powershell.exe)
  - SeSecurityPrivilege (pid 1488, powershell.exe)
  - SeBackupPrivilege (pid 1488, powershell.exe)
  - SeBackupPrivilege (pid 1488, powershell.exe)
  - SeSecurityPrivilege (pid 1488, powershell.exe)
  - SeBackupPrivilege (pid 1488, powershell.exe)
  - SeBackupPrivilege (pid 1488, powershell.exe)
  - SeSecurityPrivilege (pid 1488, powershell.exe)
  - SeBackupPrivilege (pid 1488, powershell.exe)
  - SeBackupPrivilege (pid 1488, powershell.exe)
  - SeSecurityPrivilege (pid 1488, powershell.exe)
  - SeBackupPrivilege (pid 1488, powershell.exe)
  - SeBackupPrivilege (pid 1488, powershell.exe)
  - SeSecurityPrivilege (pid 1488, powershell.exe)
  - SeBackupPrivilege (pid 1488, powershell.exe)
  - SeBackupPrivilege (pid 1488, powershell.exe)
  - SeSecurityPrivilege (pid 1488, powershell.exe)
  - SeBackupPrivilege (pid 1488, powershell.exe)
  - SeSecurityPrivilege (pid 1488, powershell.exe)
- Suspicious use of WriteProcessMemory (49 IoCs)
  description / pid / Process / procid_target:
  - PID 3004 wrote to memory of 2316 (sex.exe, target 30), recorded 4 times
  - PID 2316 wrote to memory of 1920 (P1kAlMiG2Kb7.scr, target 32), recorded 4 times
  - PID 2316 wrote to memory of 1720 (P1kAlMiG2Kb7.scr, target 33), recorded 4 times
  - PID 2316 wrote to memory of 1908 (P1kAlMiG2Kb7.scr, target 34), recorded 4 times
  - PID 2316 wrote to memory of 2948 (P1kAlMiG2Kb7.scr, target 35), recorded 4 times
  - PID 2316 wrote to memory of 2544 (P1kAlMiG2Kb7.scr, target 36), recorded 4 times
  - PID 1920 wrote to memory of 1212 (cmd.exe, target 37), recorded 3 times
  - PID 1908 wrote to memory of 3052 (cmd.exe, target 38), recorded 3 times
  - PID 2948 wrote to memory of 1532 (cmd.exe, target 39), recorded 3 times
  - PID 2544 wrote to memory of 1488 (cmd.exe, target 40), recorded 3 times
  - PID 1720 wrote to memory of 1740 (cmd.exe, target 41), recorded 3 times
  - PID 2316 wrote to memory of 1712 (P1kAlMiG2Kb7.scr, target 47), recorded 4 times
  - PID 1712 wrote to memory of 5992 (powershell.exe, target 48), recorded 3 times
  - PID 1712 wrote to memory of 3980 (powershell.exe, target 49), recorded 3 times
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- PID 3004: C:\Users\Admin\AppData\Local\Temp\sex.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\sex.exe"
  - Suspicious use of WriteProcessMemory
  - PID 2316: C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr
    Command line: "C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr" /S
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - PID 1920: C:\Windows\system32\cmd.exe
      Command line: cmd /c wmic shadowcopy delete /nointeractive
      - Suspicious use of WriteProcessMemory
      - PID 1212: C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic shadowcopy delete /nointeractive
        - Suspicious use of AdjustPrivilegeToken
    - PID 1720: C:\Windows\system32\cmd.exe
      Command line: cmd /c vssadmin.exe Delete Shadows /All /Quiet
      - Suspicious use of WriteProcessMemory
      - PID 1740: C:\Windows\system32\vssadmin.exe
        Command line: vssadmin.exe Delete Shadows /All /Quiet
        - Interacts with shadow copies
    - PID 1908: C:\Windows\system32\cmd.exe
      Command line: cmd /c bcdedit /set {default} recoveryenabled No
      - Suspicious use of WriteProcessMemory
      - PID 3052: C:\Windows\system32\bcdedit.exe
        Command line: bcdedit /set {default} recoveryenabled No
        - Modifies boot configuration data using bcdedit
    - PID 2948: C:\Windows\system32\cmd.exe
      Command line: cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Suspicious use of WriteProcessMemory
      - PID 1532: C:\Windows\system32\bcdedit.exe
        Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
        - Modifies boot configuration data using bcdedit
    - PID 2544: C:\Windows\system32\cmd.exe
      Command line: cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
      - Suspicious use of WriteProcessMemory
      - PID 1488: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    - PID 1712: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command "$a = [System.IO.File]::ReadAllText(\"Z:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - PID 5992: C:\Windows\system32\reg.exe
        Command line: "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1779948278.png /f
        - Sets desktop wallpaper using registry
      - PID 3980: C:\Windows\system32\rundll32.exe
        Command line: "C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
- PID 3556: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Windows Management Instrumentation (1)
Defense Evasion
- Direct Volume Access (1)
- Indicator Removal (2)
  - File Deletion (2)
- Modify Registry (1)
Downloads
- Filesize: 807KB
  MD5: e27b5291c8fb2dfdeb7f16bb6851df5e
  SHA1: 40207f83b601cd60905c1f807ac0889c80dfe33f
  SHA256: ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f
  SHA512: 2ddbc50cd780ffbf73c354b9b437322eb49cb05bb6f287d54e7dcafb61dc4c4549e37ae2f972f3d240bfa7d2ca485b7583137f1bf038bc901f378cea0c305c6a
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: f63cef48d6e3dfa2bf1a8b93424f793f
  SHA1: 17ffe8c45bd7c263be41193303bd38224520fa50
  SHA256: 56b8bd6c65223056909a3078584de416627edaf2e1b9213ce173c96e1dd6fb78
  SHA512: 5149a1f83be50c96fca9c6a6c0d214ed0d098e084630962b7b7358009399c025d6900241865caaedb3f5d6cf46734a813a8c511b8c5bd8195208f994baa62a3c
- Filesize: 1011B
  MD5: c92c2b70fb37f84aab38412ad9226aa8
  SHA1: 14f2e9a83285612d0a7b2c83b8f89bccfde6c154
  SHA256: d64639e873c0873b469cd856d1ef4bce7dc14a80fac6fe2bed9d629f05acc77f
  SHA512: 04f9dcb3cd49909712535255b6eadd7fafcb2902bf1abd5a25e9bb5f5c4dc032611aec0a5b0ec89cd7dbc65276b935c54b906b391507d2e3e3aa65466b15f848