avoslocker | b4589e3b06efe598a5c57d2a93ef9101d91a7be465a7d5aecb2e68b8ed1d0ae7

Analysis

max time kernel
95s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2024 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sex.exe
Size

1.1MB
MD5

adafab2dac5b7c82b724ee21ef9b9074
SHA1

79705ff60099779427009651fdb9a86e305dff20
SHA256

b4589e3b06efe598a5c57d2a93ef9101d91a7be465a7d5aecb2e68b8ed1d0ae7
SHA512

ec030ba61181ec09a974a1dd41ba5a1b713f157c43dcd2cae44dd78c5fd401afaceddfafb7c88e123d476fc09f3550696b3367083285a58fba5e7ae3116ccb48
SSDEEP

24576:lImw98okVgela0as5CqLVO7XJCjkD3N0HRA:7L5ljasaU

Score

10^/10

avoslocker defense_evasion discovery evasion execution impact ransomware

Malware Config

Signatures

Avoslocker Ransomware
Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.
ransomware avoslocker
Avoslocker family
avoslocker
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
4948	bcdedit.exe
1124	bcdedit.exe

Renames multiple (8506) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	sex.exe

Executes dropped EXE 1 IoCs

pid	Process
4660	P1kAlMiG2Kb7.scr

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	P1kAlMiG2Kb7.scr

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	P1kAlMiG2Kb7.scr

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1966767074.png"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-oob.xrm-ms	P1kAlMiG2Kb7.scr
File created	C:\Program Files\Java\jdk-1.8\jre\bin\GET_YOUR_FILES_BACK.txt	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\accessibility.properties	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ru-ru\ui-strings.js	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\editpdf-tool-view.js	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\japanese_over.png	P1kAlMiG2Kb7.scr
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\GET_YOUR_FILES_BACK.txt	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote.gpd	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-100.png	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-oob.xrm-ms	P1kAlMiG2Kb7.scr
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hr-hr\GET_YOUR_FILES_BACK.txt	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_delete_18.svg	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Light.scale-250.png	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\RenderingControl_DMP.xml	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OUTLFLTR.DAT	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL095.XML	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\af.pak.DATA	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\version.js	P1kAlMiG2Kb7.scr
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\ja-jp\GET_YOUR_FILES_BACK.txt	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyCalendarSearch.scale-150.png	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-30_altform-unplated.png	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailBadge.scale-100.png	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\bg.pak.DATA	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\pl_get.svg	P1kAlMiG2Kb7.scr
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\GET_YOUR_FILES_BACK.txt	P1kAlMiG2Kb7.scr
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\GET_YOUR_FILES_BACK.txt	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.format.ps1xml	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\TimelessReport.dotx	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sql70.xsl	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-oob.xrm-ms	P1kAlMiG2Kb7.scr
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\sl-si\GET_YOUR_FILES_BACK.txt	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\cstm_brand_preview.png	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-32.png	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png	P1kAlMiG2Kb7.scr
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\GET_YOUR_FILES_BACK.txt	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ppd.xrm-ms	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyView.scale-125.png	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\Doughboy.scale-250.png	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-80.png	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Grace-ppd.xrm-ms	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\Training.potx	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\powerpoint.x-none.msi.16.x-none.boot.tree.dat	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ppd.xrm-ms	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml	P1kAlMiG2Kb7.scr
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ar-ae\GET_YOUR_FILES_BACK.txt	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ui-strings.js	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\vlc.mo	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OsfInstallerConfig.xml	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCache.scale-150.png	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\Doughboy.scale-300.png	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\db2v0801.xsl	P1kAlMiG2Kb7.scr
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-il\GET_YOUR_FILES_BACK.txt	P1kAlMiG2Kb7.scr
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fr-fr\GET_YOUR_FILES_BACK.txt	P1kAlMiG2Kb7.scr
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sl-si\GET_YOUR_FILES_BACK.txt	P1kAlMiG2Kb7.scr
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\it-it\GET_YOUR_FILES_BACK.txt	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\Java\jre-1.8\legal\javafx\glib.md	P1kAlMiG2Kb7.scr
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\hu-hu\GET_YOUR_FILES_BACK.txt	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\css\main.css	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Dark.scale-300.png	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ppd.xrm-ms	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_HK.properties	P1kAlMiG2Kb7.scr
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\mobile_fillsign_logo.svg	P1kAlMiG2Kb7.scr

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4748	powershell.exe
20636	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	P1kAlMiG2Kb7.scr

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
3380	vssadmin.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
19596	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4660	P1kAlMiG2Kb7.scr
4660	P1kAlMiG2Kb7.scr
4748	powershell.exe
4748	powershell.exe
4748	powershell.exe
4748	powershell.exe
20636	powershell.exe
20636	powershell.exe
17876	chrome.exe
17876	chrome.exe
17876	chrome.exe
17876	chrome.exe
17588	chrome.exe
17588	chrome.exe
17588	chrome.exe
17588	chrome.exe
16292	chrome.exe
16292	chrome.exe
16292	chrome.exe
16292	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4660	P1kAlMiG2Kb7.scr
Token: SeIncreaseQuotaPrivilege	552	WMIC.exe
Token: SeSecurityPrivilege	552	WMIC.exe
Token: SeTakeOwnershipPrivilege	552	WMIC.exe
Token: SeLoadDriverPrivilege	552	WMIC.exe
Token: SeSystemProfilePrivilege	552	WMIC.exe
Token: SeSystemtimePrivilege	552	WMIC.exe
Token: SeProfSingleProcessPrivilege	552	WMIC.exe
Token: SeIncBasePriorityPrivilege	552	WMIC.exe
Token: SeCreatePagefilePrivilege	552	WMIC.exe
Token: SeBackupPrivilege	552	WMIC.exe
Token: SeRestorePrivilege	552	WMIC.exe
Token: SeShutdownPrivilege	552	WMIC.exe
Token: SeDebugPrivilege	552	WMIC.exe
Token: SeSystemEnvironmentPrivilege	552	WMIC.exe
Token: SeRemoteShutdownPrivilege	552	WMIC.exe
Token: SeUndockPrivilege	552	WMIC.exe
Token: SeManageVolumePrivilege	552	WMIC.exe
Token: 33	552	WMIC.exe
Token: 34	552	WMIC.exe
Token: 35	552	WMIC.exe
Token: 36	552	WMIC.exe
Token: SeDebugPrivilege	4748	powershell.exe
Token: SeBackupPrivilege	43772	vssvc.exe
Token: SeRestorePrivilege	43772	vssvc.exe
Token: SeAuditPrivilege	43772	vssvc.exe
Token: SeIncreaseQuotaPrivilege	552	WMIC.exe
Token: SeSecurityPrivilege	552	WMIC.exe
Token: SeTakeOwnershipPrivilege	552	WMIC.exe
Token: SeLoadDriverPrivilege	552	WMIC.exe
Token: SeSystemProfilePrivilege	552	WMIC.exe
Token: SeSystemtimePrivilege	552	WMIC.exe
Token: SeProfSingleProcessPrivilege	552	WMIC.exe
Token: SeIncBasePriorityPrivilege	552	WMIC.exe
Token: SeCreatePagefilePrivilege	552	WMIC.exe
Token: SeBackupPrivilege	552	WMIC.exe
Token: SeRestorePrivilege	552	WMIC.exe
Token: SeShutdownPrivilege	552	WMIC.exe
Token: SeDebugPrivilege	552	WMIC.exe
Token: SeSystemEnvironmentPrivilege	552	WMIC.exe
Token: SeRemoteShutdownPrivilege	552	WMIC.exe
Token: SeUndockPrivilege	552	WMIC.exe
Token: SeManageVolumePrivilege	552	WMIC.exe
Token: 33	552	WMIC.exe
Token: 34	552	WMIC.exe
Token: 35	552	WMIC.exe
Token: 36	552	WMIC.exe
Token: SeBackupPrivilege	4748	powershell.exe
Token: SeBackupPrivilege	4748	powershell.exe
Token: SeBackupPrivilege	4748	powershell.exe
Token: SeBackupPrivilege	4748	powershell.exe
Token: SeBackupPrivilege	4748	powershell.exe
Token: SeBackupPrivilege	4748	powershell.exe
Token: SeSecurityPrivilege	4748	powershell.exe
Token: SeBackupPrivilege	4748	powershell.exe
Token: SeBackupPrivilege	4748	powershell.exe
Token: SeBackupPrivilege	4748	powershell.exe
Token: SeBackupPrivilege	4748	powershell.exe
Token: SeBackupPrivilege	4748	powershell.exe
Token: SeSecurityPrivilege	4748	powershell.exe
Token: SeBackupPrivilege	4748	powershell.exe
Token: SeBackupPrivilege	4748	powershell.exe
Token: SeSecurityPrivilege	4748	powershell.exe
Token: SeBackupPrivilege	4748	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
19596	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 4660	2040	sex.exe	83
PID 2040 wrote to memory of 4660	2040	sex.exe	83
PID 2040 wrote to memory of 4660	2040	sex.exe	83
PID 4660 wrote to memory of 1432	4660	P1kAlMiG2Kb7.scr	85
PID 4660 wrote to memory of 1432	4660	P1kAlMiG2Kb7.scr	85
PID 4660 wrote to memory of 116	4660	P1kAlMiG2Kb7.scr	86
PID 4660 wrote to memory of 116	4660	P1kAlMiG2Kb7.scr	86
PID 4660 wrote to memory of 1880	4660	P1kAlMiG2Kb7.scr	87
PID 4660 wrote to memory of 1880	4660	P1kAlMiG2Kb7.scr	87
PID 4660 wrote to memory of 1404	4660	P1kAlMiG2Kb7.scr	88
PID 4660 wrote to memory of 1404	4660	P1kAlMiG2Kb7.scr	88
PID 4660 wrote to memory of 4160	4660	P1kAlMiG2Kb7.scr	89
PID 4660 wrote to memory of 4160	4660	P1kAlMiG2Kb7.scr	89
PID 1432 wrote to memory of 552	1432	cmd.exe	90
PID 1432 wrote to memory of 552	1432	cmd.exe	90
PID 116 wrote to memory of 3380	116	cmd.exe	91
PID 116 wrote to memory of 3380	116	cmd.exe	91
PID 1404 wrote to memory of 4948	1404	cmd.exe	92
PID 1404 wrote to memory of 4948	1404	cmd.exe	92
PID 1880 wrote to memory of 1124	1880	cmd.exe	93
PID 1880 wrote to memory of 1124	1880	cmd.exe	93
PID 4160 wrote to memory of 4748	4160	cmd.exe	94
PID 4160 wrote to memory of 4748	4160	cmd.exe	94
PID 4660 wrote to memory of 20636	4660	P1kAlMiG2Kb7.scr	101
PID 4660 wrote to memory of 20636	4660	P1kAlMiG2Kb7.scr	101
PID 20636 wrote to memory of 20128	20636	powershell.exe	103
PID 20636 wrote to memory of 20128	20636	powershell.exe	103
PID 20636 wrote to memory of 19672	20636	powershell.exe	106
PID 20636 wrote to memory of 19672	20636	powershell.exe	106
PID 18180 wrote to memory of 17876	18180	chrome.exe	119
PID 18180 wrote to memory of 17876	18180	chrome.exe	119
PID 17600 wrote to memory of 17588	17600	chrome.exe	121
PID 17600 wrote to memory of 17588	17600	chrome.exe	121
PID 16316 wrote to memory of 16292	16316	chrome.exe	128
PID 16316 wrote to memory of 16292	16316	chrome.exe	128
PID 16020 wrote to memory of 15980	16020	firefox.exe	130
PID 16020 wrote to memory of 15980	16020	firefox.exe	130
PID 16020 wrote to memory of 15980	16020	firefox.exe	130
PID 16020 wrote to memory of 15980	16020	firefox.exe	130
PID 16020 wrote to memory of 15980	16020	firefox.exe	130
PID 16020 wrote to memory of 15980	16020	firefox.exe	130
PID 16020 wrote to memory of 15980	16020	firefox.exe	130
PID 16020 wrote to memory of 15980	16020	firefox.exe	130
PID 16020 wrote to memory of 15980	16020	firefox.exe	130
PID 16020 wrote to memory of 15980	16020	firefox.exe	130
PID 16020 wrote to memory of 15980	16020	firefox.exe	130

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\sex.exe
"C:\Users\Admin\AppData\Local\Temp\sex.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr
  "C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr" /S
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4660
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c wmic shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete /nointeractive
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:552
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:116
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:3380
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c bcdedit /set {default} recoveryenabled No
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1880
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled No
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1124
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1404
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:4948
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4160
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:20636
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1966767074.png /f
      4⤵
      Sets desktop wallpaper using registry
      PID:20128
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
      4⤵
      PID:19672

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:43772

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:19596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:18180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff15f3cc40,0x7fff15f3cc4c,0x7fff15f3cc58
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:17876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:17600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff15f3cc40,0x7fff15f3cc4c,0x7fff15f3cc58
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:17588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:16316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff15f3cc40,0x7fff15f3cc4c,0x7fff15f3cc58
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:16292

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:16020
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:15980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GET_YOUR_FILES_BACK.txt

Filesize
1011B

MD5
c92c2b70fb37f84aab38412ad9226aa8

SHA1
14f2e9a83285612d0a7b2c83b8f89bccfde6c154

SHA256
d64639e873c0873b469cd856d1ef4bce7dc14a80fac6fe2bed9d629f05acc77f

SHA512
04f9dcb3cd49909712535255b6eadd7fafcb2902bf1abd5a25e9bb5f5c4dc032611aec0a5b0ec89cd7dbc65276b935c54b906b391507d2e3e3aa65466b15f848

Download Submit
C:\Program Files\Google\Chrome\Application\debug.log

Filesize
174B

MD5
6a484274a849c4b1231525e44b6a3af2

SHA1
795a62d8a5e807a6c90335d30d414134ab13103b

SHA256
eb125cf17d3e33a789051939c5f3765354e33074dc6fab3849ee5230a94347e8

SHA512
34225f1d1d52a421e7dbec10bbe2d21653054813cb5bf0bd304c411426c30c7aea546ddf802732dc09e761a7bb4849d94f8cbe6285c75b8530f35eecb8cb519c

Download Submit
C:\Program Files\Google\Chrome\Application\debug.log

Filesize
261B

MD5
dd0f4e6644e79ee7f43a07e06fe01ab0

SHA1
9865cb35704a7eb70c4f3d661830c6049fb0705c

SHA256
6f26e9a50be1f98fc4e4dd60712facc61757623d661cdc3663c7002a3c14a605

SHA512
6b9f468fa1b56691d5a5681f002e32cbf9ed4a53b770a87fda4c281695ee3e56309a9d2bd08ff96c4baff8eeefacd37ecd8016ecde188c577c5a4613f904afab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\metadata

Filesize
114B

MD5
768c9848465dd849711ba175e0144cc4

SHA1
5fd77917122772937ddcba18ee82dd95cb53e27a

SHA256
f4b2139e7d814fb246b7a73c88801c6f1b57adec2a531d27e181e66e4b1b6c39

SHA512
cc61faf45cef271ebb6438c1328b04cba2b721d5ccdcd0d569d09543c0ca083e182ca2142f1b748216ff3a0d025579545375c013acc318de2f131ed10a9df57f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\metadata

Filesize
212B

MD5
2f60b20f6e484b17f66d76e20b55abef

SHA1
c488d0e3a69bb506b25ea14e7955b6a3af2a2d14

SHA256
5f6bcd98baf91f67af7dcf9d7b784ecb96abca4fde1fb4c9430b9491f7ade68d

SHA512
80653ef70d511dd1715e352f00000bdb3040f42054e91796c07b6ed17b768b305da76a5c17dbba8fd465d5bbfdfa34afe0e0cc032cba63f3596cec963ae38a04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\reports\92ad9d1d-8b78-4c1f-bd9b-f81bddda6d98.dmp

Filesize
142KB

MD5
343250bbc86664dedf8a6814f9619f14

SHA1
065b4a3a3354fa5f3c7b978b8f55cb5f283c943d

SHA256
f9c7bf5571d7e6bd3d6f36bb0acf4f461579f0dda2955a0c4c8813f05fa6f14c

SHA512
778ecc2fe80b1c423ed5624db5f7faf7942eb969b9a779a8016605af81129f7e22df313f731f1e88372d947ffe3bfb4f43ce8d212530830869c4ad1cbc602a27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\reports\fcfac577-a710-418c-9326-23fc286298e4.dmp

Filesize
130KB

MD5
60e5b9806d453f445fad59225a0f55f9

SHA1
f3cc2d44a67ce8e8caacd18832b11bf9c061beee

SHA256
a4048171db571f6fdffa8c56fb42b6e1fd2e2bf1a8bf1f33b2479c65926ab691

SHA512
b673eac4007fd1b7f9c587b6d17943464cfbbd2e45cc65b11b243ead765605e4d52844fe1541b5e09ea26cc2d0945999333f3cae65ff4371e9ee9e06af435a6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
186ccc6761714f7e88de1fff069b95fb

SHA1
c7dec1fff5e2f359cccf94875265f96757865b34

SHA256
abb5c7113a03fa5d3a4d6d25007f875d5189c85054252a03a3c9d2cc64a5f59e

SHA512
5f346abd0068d56df1bc7236a8f8ae6e0397cd35c7e8a6554f90724bc4936ed6a1f127aef797391d34ab458ba9ff3337bade05334155aae7473e6c463b0499c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr

Filesize
807KB

MD5
e27b5291c8fb2dfdeb7f16bb6851df5e

SHA1
40207f83b601cd60905c1f807ac0889c80dfe33f

SHA256
ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f

SHA512
2ddbc50cd780ffbf73c354b9b437322eb49cb05bb6f287d54e7dcafb61dc4c4549e37ae2f972f3d240bfa7d2ca485b7583137f1bf038bc901f378cea0c305c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q4eydiuq.3ew.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2040-4-0x00007FF6EA0D0000-0x00007FF6EA1EE000-memory.dmp

Filesize
1.1MB

Download
memory/4748-9875-0x000001D144120000-0x000001D144142000-memory.dmp

Filesize
136KB

Download