Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
80s -
max time network
81s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
29/12/2024, 05:09
Static task
static1
Behavioral task
behavioral1
Sample
test.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
test.exe
Resource
win10v2004-20241007-en
General
-
Target
test.exe
-
Size
3.2MB
-
MD5
b04b6f1b897e829ff58dc99f18be1a8a
-
SHA1
9a99cc16e540e341655a259650caf58ec14956ac
-
SHA256
962da1faf888b28b2ec26fd1ea547fecfb2edc1cf30e64328b18309e98448b11
-
SHA512
7e2f9c691d23288fddad062f4c3e197ab84010c03418088b10060a5c720d34b153937e68b72ba13a6819eefd0d15c8a3e280fb1bbb4771d22566c7fb6838f07b
-
SSDEEP
24576:4Imw98okVgela0as5CqLVO7XJCjkD3N0HRAjSUpZr3y2amHY6MdefqTXeZty61ky:OL5ljasaUoZat81wua7bUScTLTXO+2N
Malware Config
Signatures
-
Avoslocker Ransomware
Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.
-
Avoslocker family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 5708 bcdedit.exe 35428 bcdedit.exe -
Renames multiple (8507) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 2 IoCs
pid Process 4552 rufus-4.6p.exe 4148 hack.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rufus-4.6p.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI hack.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Z: hack.exe -
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\System32\GroupPolicy rufus-4.6p.exe File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini rufus-4.6p.exe File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol rufus-4.6p.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI rufus-4.6p.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1808248821.png" reg.exe -
resource yara_rule behavioral2/files/0x000b000000023b6f-4.dat upx behavioral2/memory/4552-7-0x00007FF74E890000-0x00007FF74ECFE000-memory.dmp upx behavioral2/memory/4552-16670-0x00007FF74E890000-0x00007FF74ECFE000-memory.dmp upx behavioral2/memory/4552-22749-0x00007FF74E890000-0x00007FF74ECFE000-memory.dmp upx behavioral2/memory/4552-22792-0x00007FF74E890000-0x00007FF74ECFE000-memory.dmp upx behavioral2/memory/4552-22802-0x00007FF74E890000-0x00007FF74ECFE000-memory.dmp upx behavioral2/memory/4552-22817-0x00007FF74E890000-0x00007FF74ECFE000-memory.dmp upx behavioral2/memory/4552-22818-0x00007FF74E890000-0x00007FF74ECFE000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\index.html hack.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\faf_icons_retina.png hack.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.scale-125.png hack.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GB.XSL hack.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeServiceBypassR_PrepidBypass-ppd.xrm-ms hack.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Calculator\GET_YOUR_FILES_BACK.txt hack.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hr-hr\GET_YOUR_FILES_BACK.txt hack.exe File created C:\Program Files\VideoLAN\VLC\locale\ms\GET_YOUR_FILES_BACK.txt hack.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\PREVIEW.GIF hack.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-phn.xrm-ms hack.exe File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml hack.exe File opened for modification C:\Program Files (x86)\Internet Explorer\fr-FR\iexplore.exe.mui hack.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Light.scale-150.png hack.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml hack.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ro-ro\ui-strings.js hack.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\trash.gif hack.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarLargeTile.scale-150.png hack.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\THMBNAIL.PNG hack.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL095.XML hack.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\db2v0801.xsl hack.exe File opened for modification C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui hack.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\GET_YOUR_FILES_BACK.txt hack.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nl-nl\ui-strings.js hack.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\AppxMetadata\GET_YOUR_FILES_BACK.txt hack.exe File opened for modification C:\Program Files\Windows NT\TableTextService\en-US\TableTextService.dll.mui hack.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\BOLDSTRI.ELM hack.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\uk-ua\ui-strings.js hack.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\move.svg hack.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeMediumTile.scale-200.png hack.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-256.png hack.exe File opened for modification C:\Program Files (x86)\Internet Explorer\it-IT\iexplore.exe.mui hack.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\AppCenter_R.aapp hack.exe File created C:\Program Files\Microsoft Office\root\vfs\SystemX86\GET_YOUR_FILES_BACK.txt hack.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN054.XML hack.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\nb-no\ui-strings.js hack.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\improved-office-to-pdf-2x.png hack.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\root\ui-strings.js hack.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\eu-es\ui-strings.js hack.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sv-se\ui-strings.js hack.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSJH.TTC hack.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\GET_YOUR_FILES_BACK.txt hack.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ca-es\ui-strings.js hack.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\FetchingMail.scale-200.png hack.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-pl.xrm-ms hack.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\GET_YOUR_FILES_BACK.txt hack.exe File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\uk-UA\GET_YOUR_FILES_BACK.txt hack.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-140.png hack.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile_large.png hack.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fr-fr\GET_YOUR_FILES_BACK.txt hack.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia.api hack.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\de-de\ui-strings.js hack.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\sample-thumb.png hack.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-16_altform-unplated.png hack.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] hack.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-100.png hack.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ppd.xrm-ms hack.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\de-de\GET_YOUR_FILES_BACK.txt hack.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js hack.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-pl.xrm-ms hack.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\zh-cn\ui-strings.js hack.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\ui-strings.js hack.exe File opened for modification C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui hack.exe File opened for modification C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui hack.exe File opened for modification C:\Program Files\Mozilla Firefox\dependentlibs.list hack.exe -
pid Process 35436 powershell.exe 5176 powershell.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hack.exe -
Checks SCSI registry key(s) 3 TTPs 17 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service rufus-4.6p.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters rufus-4.6p.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters rufus-4.6p.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters rufus-4.6p.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID rufus-4.6p.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName rufus-4.6p.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 rufus-4.6p.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters rufus-4.6p.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 rufus-4.6p.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service rufus-4.6p.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 rufus-4.6p.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters rufus-4.6p.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters rufus-4.6p.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 35444 vssadmin.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 36220 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 4148 hack.exe 4148 hack.exe 35436 powershell.exe 35436 powershell.exe 35436 powershell.exe 5176 powershell.exe 5176 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 4148 hack.exe Token: SeIncreaseQuotaPrivilege 2280 WMIC.exe Token: SeSecurityPrivilege 2280 WMIC.exe Token: SeTakeOwnershipPrivilege 2280 WMIC.exe Token: SeLoadDriverPrivilege 2280 WMIC.exe Token: SeSystemProfilePrivilege 2280 WMIC.exe Token: SeSystemtimePrivilege 2280 WMIC.exe Token: SeProfSingleProcessPrivilege 2280 WMIC.exe Token: SeIncBasePriorityPrivilege 2280 WMIC.exe Token: SeCreatePagefilePrivilege 2280 WMIC.exe Token: SeBackupPrivilege 2280 WMIC.exe Token: SeRestorePrivilege 2280 WMIC.exe Token: SeShutdownPrivilege 2280 WMIC.exe Token: SeDebugPrivilege 2280 WMIC.exe Token: SeSystemEnvironmentPrivilege 2280 WMIC.exe Token: SeRemoteShutdownPrivilege 2280 WMIC.exe Token: SeUndockPrivilege 2280 WMIC.exe Token: SeManageVolumePrivilege 2280 WMIC.exe Token: 33 2280 WMIC.exe Token: 34 2280 WMIC.exe Token: 35 2280 WMIC.exe Token: 36 2280 WMIC.exe Token: SeDebugPrivilege 4552 rufus-4.6p.exe Token: SeIncreaseQuotaPrivilege 2280 WMIC.exe Token: SeSecurityPrivilege 2280 WMIC.exe Token: SeTakeOwnershipPrivilege 2280 WMIC.exe Token: SeLoadDriverPrivilege 2280 WMIC.exe Token: SeSystemProfilePrivilege 2280 WMIC.exe Token: SeSystemtimePrivilege 2280 WMIC.exe Token: SeProfSingleProcessPrivilege 2280 WMIC.exe Token: SeIncBasePriorityPrivilege 2280 WMIC.exe Token: SeCreatePagefilePrivilege 2280 WMIC.exe Token: SeBackupPrivilege 2280 WMIC.exe Token: SeRestorePrivilege 2280 WMIC.exe Token: SeShutdownPrivilege 2280 WMIC.exe Token: SeDebugPrivilege 2280 WMIC.exe Token: SeSystemEnvironmentPrivilege 2280 WMIC.exe Token: SeRemoteShutdownPrivilege 2280 WMIC.exe Token: SeUndockPrivilege 2280 WMIC.exe Token: SeManageVolumePrivilege 2280 WMIC.exe Token: 33 2280 WMIC.exe Token: 34 2280 WMIC.exe Token: 35 2280 WMIC.exe Token: 36 2280 WMIC.exe Token: SeDebugPrivilege 35436 powershell.exe Token: SeBackupPrivilege 7172 vssvc.exe Token: SeRestorePrivilege 7172 vssvc.exe Token: SeAuditPrivilege 7172 vssvc.exe Token: SeBackupPrivilege 35436 powershell.exe Token: SeBackupPrivilege 35436 powershell.exe Token: SeBackupPrivilege 35436 powershell.exe Token: SeBackupPrivilege 35436 powershell.exe Token: SeBackupPrivilege 35436 powershell.exe Token: SeBackupPrivilege 35436 powershell.exe Token: SeSecurityPrivilege 35436 powershell.exe Token: SeBackupPrivilege 35436 powershell.exe Token: SeBackupPrivilege 35436 powershell.exe Token: SeBackupPrivilege 35436 powershell.exe Token: SeBackupPrivilege 35436 powershell.exe Token: SeBackupPrivilege 35436 powershell.exe Token: SeSecurityPrivilege 35436 powershell.exe Token: SeBackupPrivilege 35436 powershell.exe Token: SeBackupPrivilege 35436 powershell.exe Token: SeSecurityPrivilege 35436 powershell.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 4552 rufus-4.6p.exe 36220 NOTEPAD.EXE 4552 rufus-4.6p.exe -
Suspicious use of WriteProcessMemory 31 IoCs
description pid Process procid_target PID 3680 wrote to memory of 4552 3680 test.exe 83 PID 3680 wrote to memory of 4552 3680 test.exe 83 PID 3680 wrote to memory of 4148 3680 test.exe 82 PID 3680 wrote to memory of 4148 3680 test.exe 82 PID 3680 wrote to memory of 4148 3680 test.exe 82 PID 4148 wrote to memory of 2716 4148 hack.exe 87 PID 4148 wrote to memory of 2716 4148 hack.exe 87 PID 4148 wrote to memory of 2756 4148 hack.exe 88 PID 4148 wrote to memory of 2756 4148 hack.exe 88 PID 4148 wrote to memory of 772 4148 hack.exe 89 PID 4148 wrote to memory of 772 4148 hack.exe 89 PID 4148 wrote to memory of 2736 4148 hack.exe 90 PID 4148 wrote to memory of 2736 4148 hack.exe 90 PID 4148 wrote to memory of 4080 4148 hack.exe 91 PID 4148 wrote to memory of 4080 4148 hack.exe 91 PID 2716 wrote to memory of 2280 2716 cmd.exe 92 PID 2716 wrote to memory of 2280 2716 cmd.exe 92 PID 772 wrote to memory of 35428 772 cmd.exe 93 PID 772 wrote to memory of 35428 772 cmd.exe 93 PID 2756 wrote to memory of 35444 2756 cmd.exe 95 PID 2756 wrote to memory of 35444 2756 cmd.exe 95 PID 4080 wrote to memory of 35436 4080 cmd.exe 94 PID 4080 wrote to memory of 35436 4080 cmd.exe 94 PID 2736 wrote to memory of 5708 2736 cmd.exe 98 PID 2736 wrote to memory of 5708 2736 cmd.exe 98 PID 4148 wrote to memory of 5176 4148 hack.exe 103 PID 4148 wrote to memory of 5176 4148 hack.exe 103 PID 5176 wrote to memory of 5432 5176 powershell.exe 105 PID 5176 wrote to memory of 5432 5176 powershell.exe 105 PID 5176 wrote to memory of 5692 5176 powershell.exe 106 PID 5176 wrote to memory of 5692 5176 powershell.exe 106 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3680 -
C:\Users\Admin\AppData\Local\Temp\hack.exe"C:\Users\Admin\AppData\Local\Temp\hack.exe"2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4148 -
C:\Windows\SYSTEM32\cmd.execmd /c wmic shadowcopy delete /nointeractive3⤵
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete /nointeractive4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2280
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin.exe Delete Shadows /All /Quiet3⤵
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet4⤵
- Interacts with shadow copies
PID:35444
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c bcdedit /set {default} recoveryenabled No3⤵
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No4⤵
- Modifies boot configuration data using bcdedit
PID:35428
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
PID:5708
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"3⤵
- Suspicious use of WriteProcessMemory
PID:4080 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:35436
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5176 -
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1808248821.png /f4⤵
- Sets desktop wallpaper using registry
PID:5432
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False4⤵PID:5692
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\rufus-4.6p.exe"C:\Users\Admin\AppData\Local\Temp\rufus-4.6p.exe"2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4552
-
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:1428
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:3092
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7172
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:7640
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:7660
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:36220
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Windows Management Instrumentation
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize
64B
MD5d8b9a260789a22d72263ef3bb119108c
SHA1376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
807KB
MD5e27b5291c8fb2dfdeb7f16bb6851df5e
SHA140207f83b601cd60905c1f807ac0889c80dfe33f
SHA256ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f
SHA5122ddbc50cd780ffbf73c354b9b437322eb49cb05bb6f287d54e7dcafb61dc4c4549e37ae2f972f3d240bfa7d2ca485b7583137f1bf038bc901f378cea0c305c6a
-
Filesize
1.5MB
MD58fe64da09af371b02a31828415ece8f3
SHA15b5c90dcd425c814b555a4567405601aa977ee0b
SHA2568279696c1d78b14618500e9135886a3667b9decc65946f3729002e4bfdbb20ab
SHA512e49f9b1c9d33364101ad2fd4f2c5ed030700cc941bb469cf2ce7d5b32c51cab9e62b265e05cbd92435453e7e4008c9990bea532298676f7d81e5d6dcdc2f590b
-
Filesize
41B
MD5279daedcf136cf55a48d4ab419fc7ef2
SHA18d784bb801e74d97bdaad5846e63f71e973450fb
SHA256949f9a995ae3377d218e0615fc949ce1bc62374c27e6952353f57936b4d8dfdd
SHA5125092923e10254aa9d5f0c50dbd273de9eb85fb8dc9c35094cf61d165b6ae41305d6a3295d9fd5f2a71d42b295206ad6b6e999eeff73566c04019adde60973e15
-
Filesize
70B
MD52e9733a079a1e3bb2dd0bb2c7e7406a2
SHA1c3e095c521c2fb2eb49c39587b267fc552e386d2
SHA256cd1df5b6d9fd057f36ead46e8536716fef68c2979ce49412f178c7c301311bbb
SHA512f47a2f621cc03d070c8225fb68d676c148dd7f63e6010680dd49a929d39e3aa0283f25e71bf26753b80d1f1f255d3cba411219a44d0883070834cd18ce5e6261
-
Filesize
127B
MD5f9a49a3e2415016fa85ddff0b8b38419
SHA1f8c987119269e58d22a6b17ae2e8eca7744fb385
SHA25614694dbee3897b6bd5aa596ebfd893e727179b67811920c174dc70e6eee8e579
SHA51291ea129a51d2c3b342287c1250f5b0da6ba2a61eff11791d1cfae1f5c6dd2654c935be1452f4a681e794fd723a3c295e9bc9e59b9005aa4d8bd55ed36c9ad91c
-
Filesize
1011B
MD5c92c2b70fb37f84aab38412ad9226aa8
SHA114f2e9a83285612d0a7b2c83b8f89bccfde6c154
SHA256d64639e873c0873b469cd856d1ef4bce7dc14a80fac6fe2bed9d629f05acc77f
SHA51204f9dcb3cd49909712535255b6eadd7fafcb2902bf1abd5a25e9bb5f5c4dc032611aec0a5b0ec89cd7dbc65276b935c54b906b391507d2e3e3aa65466b15f848