Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    80s
  • max time network
    81s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/12/2024, 05:09

General

  • Target

    test.exe

  • Size

    3.2MB

  • MD5

    b04b6f1b897e829ff58dc99f18be1a8a

  • SHA1

    9a99cc16e540e341655a259650caf58ec14956ac

  • SHA256

    962da1faf888b28b2ec26fd1ea547fecfb2edc1cf30e64328b18309e98448b11

  • SHA512

    7e2f9c691d23288fddad062f4c3e197ab84010c03418088b10060a5c720d34b153937e68b72ba13a6819eefd0d15c8a3e280fb1bbb4771d22566c7fb6838f07b

  • SSDEEP

    24576:4Imw98okVgela0as5CqLVO7XJCjkD3N0HRAjSUpZr3y2amHY6MdefqTXeZty61ky:OL5ljasaUoZat81wua7bUScTLTXO+2N

Malware Config

Signatures

  • Avoslocker Ransomware

    Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.

  • Avoslocker family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (8507) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 64 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 17 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\test.exe
    "C:\Users\Admin\AppData\Local\Temp\test.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3680
    • C:\Users\Admin\AppData\Local\Temp\hack.exe
      "C:\Users\Admin\AppData\Local\Temp\hack.exe"
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4148
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c wmic shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete /nointeractive
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2280
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2756
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe Delete Shadows /All /Quiet
          4⤵
          • Interacts with shadow copies
          PID:35444
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c bcdedit /set {default} recoveryenabled No
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:772
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled No
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:35428
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2736
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:5708
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4080
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:35436
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:5176
        • C:\Windows\system32\reg.exe
          "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1808248821.png /f
          4⤵
          • Sets desktop wallpaper using registry
          PID:5432
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
          4⤵
            PID:5692
      • C:\Users\Admin\AppData\Local\Temp\rufus-4.6p.exe
        "C:\Users\Admin\AppData\Local\Temp\rufus-4.6p.exe"
        2⤵
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Drops file in System32 directory
        • Checks SCSI registry key(s)
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:4552
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:1428
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Checks SCSI registry key(s)
        PID:3092
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:7172
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
        1⤵
          PID:7640
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
          1⤵
            PID:7660
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt
            1⤵
            • Opens file in notepad (likely ransom note)
            • Suspicious use of FindShellTrayWindow
            PID:36220

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

            Filesize

            2KB

            MD5

            6cf293cb4d80be23433eecf74ddb5503

            SHA1

            24fe4752df102c2ef492954d6b046cb5512ad408

            SHA256

            b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

            SHA512

            0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            64B

            MD5

            d8b9a260789a22d72263ef3bb119108c

            SHA1

            376a9bd48726f422679f2cd65003442c0b6f6dd5

            SHA256

            d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

            SHA512

            550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2dx4xkxp.3x0.ps1

            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          • C:\Users\Admin\AppData\Local\Temp\hack.exe

            Filesize

            807KB

            MD5

            e27b5291c8fb2dfdeb7f16bb6851df5e

            SHA1

            40207f83b601cd60905c1f807ac0889c80dfe33f

            SHA256

            ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f

            SHA512

            2ddbc50cd780ffbf73c354b9b437322eb49cb05bb6f287d54e7dcafb61dc4c4549e37ae2f972f3d240bfa7d2ca485b7583137f1bf038bc901f378cea0c305c6a

          • C:\Users\Admin\AppData\Local\Temp\rufus-4.6p.exe

            Filesize

            1.5MB

            MD5

            8fe64da09af371b02a31828415ece8f3

            SHA1

            5b5c90dcd425c814b555a4567405601aa977ee0b

            SHA256

            8279696c1d78b14618500e9135886a3667b9decc65946f3729002e4bfdbb20ab

            SHA512

            e49f9b1c9d33364101ad2fd4f2c5ed030700cc941bb469cf2ce7d5b32c51cab9e62b265e05cbd92435453e7e4008c9990bea532298676f7d81e5d6dcdc2f590b

          • C:\Users\Admin\AppData\Local\Temp\rufus.ini

            Filesize

            41B

            MD5

            279daedcf136cf55a48d4ab419fc7ef2

            SHA1

            8d784bb801e74d97bdaad5846e63f71e973450fb

            SHA256

            949f9a995ae3377d218e0615fc949ce1bc62374c27e6952353f57936b4d8dfdd

            SHA512

            5092923e10254aa9d5f0c50dbd273de9eb85fb8dc9c35094cf61d165b6ae41305d6a3295d9fd5f2a71d42b295206ad6b6e999eeff73566c04019adde60973e15

          • C:\Users\Admin\AppData\Local\Temp\rufus.ini

            Filesize

            70B

            MD5

            2e9733a079a1e3bb2dd0bb2c7e7406a2

            SHA1

            c3e095c521c2fb2eb49c39587b267fc552e386d2

            SHA256

            cd1df5b6d9fd057f36ead46e8536716fef68c2979ce49412f178c7c301311bbb

            SHA512

            f47a2f621cc03d070c8225fb68d676c148dd7f63e6010680dd49a929d39e3aa0283f25e71bf26753b80d1f1f255d3cba411219a44d0883070834cd18ce5e6261

          • C:\Windows\System32\GroupPolicy\gpt.ini

            Filesize

            127B

            MD5

            f9a49a3e2415016fa85ddff0b8b38419

            SHA1

            f8c987119269e58d22a6b17ae2e8eca7744fb385

            SHA256

            14694dbee3897b6bd5aa596ebfd893e727179b67811920c174dc70e6eee8e579

            SHA512

            91ea129a51d2c3b342287c1250f5b0da6ba2a61eff11791d1cfae1f5c6dd2654c935be1452f4a681e794fd723a3c295e9bc9e59b9005aa4d8bd55ed36c9ad91c

          • F:\$RECYCLE.BIN\GET_YOUR_FILES_BACK.txt

            Filesize

            1011B

            MD5

            c92c2b70fb37f84aab38412ad9226aa8

            SHA1

            14f2e9a83285612d0a7b2c83b8f89bccfde6c154

            SHA256

            d64639e873c0873b469cd856d1ef4bce7dc14a80fac6fe2bed9d629f05acc77f

            SHA512

            04f9dcb3cd49909712535255b6eadd7fafcb2902bf1abd5a25e9bb5f5c4dc032611aec0a5b0ec89cd7dbc65276b935c54b906b391507d2e3e3aa65466b15f848

          • memory/3680-9-0x00007FF7B5B50000-0x00007FF7B5E80000-memory.dmp

            Filesize

            3.2MB

          • memory/4552-22749-0x00007FF74E890000-0x00007FF74ECFE000-memory.dmp

            Filesize

            4.4MB

          • memory/4552-16670-0x00007FF74E890000-0x00007FF74ECFE000-memory.dmp

            Filesize

            4.4MB

          • memory/4552-7-0x00007FF74E890000-0x00007FF74ECFE000-memory.dmp

            Filesize

            4.4MB

          • memory/4552-22792-0x00007FF74E890000-0x00007FF74ECFE000-memory.dmp

            Filesize

            4.4MB

          • memory/4552-22802-0x00007FF74E890000-0x00007FF74ECFE000-memory.dmp

            Filesize

            4.4MB

          • memory/4552-22817-0x00007FF74E890000-0x00007FF74ECFE000-memory.dmp

            Filesize

            4.4MB

          • memory/4552-22818-0x00007FF74E890000-0x00007FF74ECFE000-memory.dmp

            Filesize

            4.4MB

          • memory/35436-17092-0x000001B322B70000-0x000001B322B92000-memory.dmp

            Filesize

            136KB